Unable to login or register while the LDAP is down

I am using Keycloak version 19.0.0.3 and cannot log in or register while the LDAP is down. Everything works fine again as soon as the LDAP server is up and running.

I would like to have login/register working even when the LDAP server is down. What’s the recommended way to fix this?

Thank you for your help!
Robert

When you are using federation like LDAP, it’s essentially an external “database” for your users. There is no temporary, local store that Keycloak will use while the “database” is down.

Hi @xgp, I have users from a combination of sources (LDAP / Identity Providers like Google, Microsoft etc…)

When LDAP is down, it affects the users from other sources. I just want to confirm that there's no way around that, based on what you were saying, because there's no temporary / local store?

LDAP is a user federation and is like a hard dependency on runtime, at least how it is currently implemented.
Identity Providers are a completely different thing.

If you want to be able to work with a not available user federation source, you’ll have to provide your own, custom(ized) provider. It’s not possible with just configuration out of the box.

1 Like

+1 to what @dasniko said above.

It’s not entirely clear without reading the docs completely, but “User Federation” and “Identity Brokering” are totally different things, although they are used to achieve the same result in some cases.

One thing I have done in the past is to make a Keycloak realm that is dedicated to an LDAP connection, and then used that realm as an Identity Provider to the realm where I am centrally identifying the users from a variety of sources (e.g. social logins, other SAML and OIDC providers, etc.). You can call that Identity Provider something informative that the users will understand (e.g. “Acme Corp LDAP”), so that your users will see/recognize it among the other providers you have configured.

1 Like
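The "dedicated LDAP realm brokered as an Identity Provider" layout described in the post above, as an added example that is not part of the thread or of Keycloak's own code. It builds the three objects involved (the LDAP-only realm, the confidential OIDC client inside it, and the `keycloak-oidc` identity provider entry in the central realm) and pushes them through the Keycloak Admin REST API. The base URL, realm names, alias and client id are placeholder assumptions; the LDAP user federation provider itself is still attached to the dedicated realm afterwards in the admin console.

```python
"""Dedicated LDAP realm brokered into a central realm via the Keycloak Admin REST API.
Assumed names below are placeholders, not values from the thread."""
import json
import urllib.parse
import urllib.request

KEYCLOAK_BASE = "https://keycloak.example.com"  # assumed; no trailing slash, no /auth prefix
LDAP_REALM = "acme-ldap"                         # assumed: realm that owns the LDAP federation
CENTRAL_REALM = "central"                        # assumed: realm the applications use
IDP_ALIAS = "acme-ldap"                          # assumed: alias of the broker entry
BROKER_CLIENT_ID = "central-broker"              # assumed: OIDC client created in LDAP_REALM


def oidc_endpoints(base: str, realm: str) -> dict:
    """Standard Keycloak OIDC endpoint URLs for a realm (Quarkus distribution paths)."""
    issuer = f"{base}/realms/{realm}"
    oidc = f"{issuer}/protocol/openid-connect"
    return {
        "issuer": issuer,
        "authorizationUrl": f"{oidc}/auth",
        "tokenUrl": f"{oidc}/token",
        "userInfoUrl": f"{oidc}/userinfo",
        "logoutUrl": f"{oidc}/logout",
        "jwksUrl": f"{oidc}/certs",
    }


def ldap_realm_representation(realm: str) -> dict:
    """Minimal RealmRepresentation for the LDAP-only realm. Self-registration stays
    off here: new local users register in the central realm, not against LDAP."""
    return {"realm": realm, "enabled": True, "registrationAllowed": False}


def broker_client_representation(client_id: str, secret: str, base: str,
                                 central_realm: str, alias: str) -> dict:
    """Confidential client in the LDAP realm that the central realm authenticates
    through. Its only redirect target is the central realm's broker endpoint."""
    return {
        "clientId": client_id,
        "secret": secret,
        "enabled": True,
        "publicClient": False,
        "standardFlowEnabled": True,
        "directAccessGrantsEnabled": False,
        "redirectUris": [f"{base}/realms/{central_realm}/broker/{alias}/endpoint/*"],
    }


def identity_provider_representation(alias: str, display_name: str, base: str,
                                     ldap_realm: str, client_id: str, secret: str) -> dict:
    """IdentityProviderRepresentation of type 'keycloak-oidc' for the central realm.
    display_name is what users see on the login page next to the other providers."""
    return {
        "alias": alias,
        "displayName": display_name,
        "providerId": "keycloak-oidc",
        "enabled": True,
        "trustEmail": True,
        "storeToken": False,
        "firstBrokerLoginFlowAlias": "first broker login",
        "config": {
            **oidc_endpoints(base, ldap_realm),
            "clientId": client_id,
            "clientSecret": secret,
            "clientAuthMethod": "client_secret_post",
            "validateSignature": "true",
            "useJwksUrl": "true",
            "syncMode": "IMPORT",
        },
    }


def _admin_token(base: str, username: str, password: str) -> str:
    """Password grant against the master realm with the built-in admin-cli client."""
    data = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                   "username": username, "password": password}).encode()
    req = urllib.request.Request(f"{base}/realms/master/protocol/openid-connect/token", data=data)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def _post(base: str, token: str, path: str, body: dict) -> int:
    """POST a representation under /admin/realms; urlopen raises on 4xx/5xx."""
    req = urllib.request.Request(f"{base}/admin/realms{path}", data=json.dumps(body).encode(),
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.status


def apply(base: str, admin_user: str, admin_password: str, broker_secret: str) -> None:
    """Create the LDAP realm, its broker client, and the IdP entry in the central realm."""
    token = _admin_token(base, admin_user, admin_password)
    _post(base, token, "", ldap_realm_representation(LDAP_REALM))
    _post(base, token, f"/{LDAP_REALM}/clients",
          broker_client_representation(BROKER_CLIENT_ID, broker_secret, base, CENTRAL_REALM, IDP_ALIAS))
    _post(base, token, f"/{CENTRAL_REALM}/identity-provider/instances",
          identity_provider_representation(IDP_ALIAS, "Acme Corp LDAP", base, LDAP_REALM,
                                           BROKER_CLIENT_ID, broker_secret))


if __name__ == "__main__":
    import os
    import secrets
    apply(KEYCLOAK_BASE, os.environ["KC_ADMIN_USER"], os.environ["KC_ADMIN_PASSWORD"],
          secrets.token_urlsafe(32))
```

With this split, an LDAP outage only breaks the one "Acme Corp LDAP" button on the central realm's login page: local accounts, self-registration and the social or SAML providers live in the central realm and keep working. Users imported into the central realm (`syncMode` `IMPORT`) still authenticate through the broker, so they cannot log in until LDAP returns; the gain is isolation, not an offline cache.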

Thanks @dasniko and @xgp for your responses and explanations - looks like a separate realm for the LDAP connection is the only way to go.