Offline LDAP authentication

rul-hydro · June 2, 2021, 7:31am

LDAP user federation works a treat, as long as the KeyCloak server can connect to the AD server. However, my KeyCloak servers will be off-site with an unreliable VPN connection to AD. Now, I’m looking for a credentials caching mechanism to allow user authentication while AD is off line.
Is there a way to cache the last successful login credentials for each federated user, like the way a Windows client will authenticate any user it has previously seen?

I’ve already looked into using OpenLDAP as a proxy, but it seems over-complicated and I couldn’t get it to work anyway.
Can anyone point me in the right direction?

Thank you!

rul-hydro · June 11, 2021, 1:56pm

In my research, I have come across SSSD and FreeIPA. It seems that SSSD is able to store LDAP credentials, and there is also a way to federate SSSD into KeyCloak.

Have any of you tried such a setup?

Active Directory > SSSD > KeyCloak

Any hints for best practice would be appreciated!

Topic		Replies	Views
Not possible to have user credentials in keycloak while federating to LDAP? Configuring the server authentication , user-federation , ldap	0	549	November 25, 2022
SSSD User Federation and Google LDAP Configuring the server ldap	0	1433	April 6, 2020
LDAP as an identity provider	0	293	April 11, 2023
Keycloak single-sign-on Getting advice	2	460	July 30, 2020
Keycloak with Active Directory Lookup Configuring the server user-federation	0	560	December 17, 2019

Offline LDAP authentication

Related Topics