Integrating Keycloak with LDAP for single sign-on with LSF Web Services

The Keycloak user federation feature provides access to external databases and directories, such as Active Directory and LDAP. Follow these steps to configure user federation using an OpenLDAP service.

About this task

Tip: To configure Keycloak user federation using an Active Directory service, see Integrating Keycloak with Active Directory for single sign-on with LSF Web Services.

See the Keycloak documentation for more information about user federation: https://www.keycloak.org/docs/latest/server_admin/#_user-storage-federation

Procedure

  1. Install OpenLDAP according to OpenLDAP documentation: https://www.openldap.org/.
  2. Sign in to the Keycloak Admin Console as an administrative user from a web browser, using the hostname or IP address and port:

    http://Keycloak_hostname_or_IP:port

  3. Select the realm you created (for example, realm ABCRealm).
  4. Click User federation > Add Ldap providers.
  5. Provide the following LDAP settings:
    Field name               Specify
    UI display name          ldap
    Vendor                   Other
    Connection URL           The LDAP server URL you created, such as ldap://myhost.ibm.com/
    Bind type                simple
    Bind DN                  The Bind DN you set on the LDAP server. For example: cn=admin,ou=Users,dc=ibm,dc=org.
    Bind credentials         The administrator user's password.
    Edit mode                WRITABLE
    Username LDAP attribute  cn
    RDN LDAP attribute       cn
    UUID LDAP attribute      uid
    User object classes      inetOrgPerson, organizationalPerson
  6. Save your LDAP settings.
  7. Click Actions > Sync all users.

    A success message displays.

  8. Click Users, and then select all users listed and verify that the LDAP provider was successfully added for the users.
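The same configuration can be driven through the Keycloak Admin REST API instead of the console, which is useful when the realm is provisioned by automation. The script below is an added example, not IBM LSF or Keycloak project code: it creates the LDAP provider with the values from the table in step 5, triggers the full sync of step 7, and then lists the users whose federation link points at the new provider (the check of step 8). The Keycloak base URL, admin credentials, the LDAP bind password and the Users DN are assumptions read from environment variables or labelled placeholders; the realm name ABCRealm, the connection URL and the Bind DN are taken from this page. Because the page's connection URL uses ldap://, the builder also warns when the URL is not ldaps://, since a simple bind otherwise sends the Bind DN password in clear text.

```python
"""Provision the Keycloak LDAP user federation provider described above via the
Admin REST API, sync it, and report which users are linked to it.
Added example; not IBM LSF or Keycloak project code."""
import json
import os
import sys
import urllib.parse
import urllib.request

# Assumed values: for pre-Quarkus Keycloak releases add the /auth prefix to KEYCLOAK_URL.
KEYCLOAK_URL = os.environ.get("KEYCLOAK_URL", "http://keycloak.example.com:8080")
REALM = os.environ.get("KEYCLOAK_REALM", "ABCRealm")          # realm name from the page
ADMIN_USER = os.environ.get("KEYCLOAK_ADMIN", "admin")        # assumed admin account
ADMIN_PASSWORD = os.environ.get("KEYCLOAK_ADMIN_PASSWORD", "")
LDAP_BIND_PASSWORD = os.environ.get("LDAP_BIND_PASSWORD", "")  # the "Bind credentials" field
USERS_DN = os.environ.get("LDAP_USERS_DN", "ou=Users,dc=ibm,dc=org")  # assumed; console requires it


def build_ldap_component(realm_id, connection_url, bind_dn, bind_credential, users_dn):
    """Return the ComponentRepresentation that mirrors the table in step 5.
    Keycloak stores every provider config value as a list of strings."""
    if urllib.parse.urlsplit(connection_url).scheme != "ldaps":
        # The page's example uses ldap://; with a simple bind the Bind DN password then
        # crosses the network unencrypted unless StartTLS or ldaps:// is used.
        print(f"warning: {connection_url} is not ldaps://; consider ldaps:// or startTls",
              file=sys.stderr)
    return {
        "name": "ldap",                                   # UI display name
        "providerId": "ldap",
        "providerType": "org.keycloak.storage.UserStorageProvider",
        "parentId": realm_id,
        "config": {
            "enabled": ["true"],
            "vendor": ["other"],                          # Vendor: Other
            "connectionUrl": [connection_url],
            "authType": ["simple"],                       # Bind type: simple
            "bindDn": [bind_dn],
            "bindCredential": [bind_credential],
            "editMode": ["WRITABLE"],
            "usernameLDAPAttribute": ["cn"],
            "rdnLDAPAttribute": ["cn"],
            "uuidLDAPAttribute": ["uid"],
            "userObjectClasses": ["inetOrgPerson, organizationalPerson"],
            "usersDn": [users_dn],
        },
    }


def verify_federated_users(users, component_id):
    """Return the usernames whose federationLink is the LDAP provider's id,
    i.e. the users step 8 expects to see attached to the provider."""
    return sorted(u["username"] for u in users if u.get("federationLink") == component_id)


def admin_token():
    """Obtain an admin access token from the master realm with the admin-cli client."""
    form = urllib.parse.urlencode({"client_id": "admin-cli", "grant_type": "password",
                                   "username": ADMIN_USER, "password": ADMIN_PASSWORD}).encode()
    url = f"{KEYCLOAK_URL}/realms/master/protocol/openid-connect/token"
    with urllib.request.urlopen(url, form) as resp:
        return json.load(resp)["access_token"]


def api(token, method, path, body=None):
    """Call /admin/realms/<path>; return (parsed JSON or None, response headers)."""
    req = urllib.request.Request(
        f"{KEYCLOAK_URL}/admin/realms/{path}", method=method,
        data=json.dumps(body).encode() if body is not None else None,
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return (json.loads(raw) if raw else None, resp.headers)


def main():
    token = admin_token()
    realm, _ = api(token, "GET", REALM)                    # need the realm's internal id
    component = build_ldap_component(realm["id"], "ldap://myhost.ibm.com/",
                                     "cn=admin,ou=Users,dc=ibm,dc=org",
                                     LDAP_BIND_PASSWORD, USERS_DN)
    _, headers = api(token, "POST", f"{REALM}/components", component)          # steps 5-6
    component_id = headers["Location"].rsplit("/", 1)[-1]
    result, _ = api(token, "POST",
                    f"{REALM}/user-storage/{component_id}/sync?action=triggerFullSync")  # step 7
    print("sync result:", result)
    users, _ = api(token, "GET", f"{REALM}/users?max=1000")
    print("users linked to the LDAP provider:", verify_federated_users(users, component_id))  # step 8


if __name__ == "__main__":
    main()
```

Run it with the environment variables set for your deployment; the sync result it prints is Keycloak's SynchronizationResult (added, updated, removed and failed counts), which corresponds to the success message shown by the console after Sync all users.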

Results

You can verify LDAP settings by using LSF commands.

Ensure that you can successfully log on to LSF Web Services using your OpenLDAP user. For example:

    #lsf cluster logon --username user1 --password ******** --url https://lwshost.ibm.com:443
    OK

Ensure that you can successfully submit an LSF job. For example:

    #lsf bsub sleep 20
     Job <664> is submitted to default queue <normal>.

Ensure that you can successfully display LSF job information. For example:

    #lsf bjobs -a
    JOBID USER STAT QUEUE  FROM_HOST EXEC_HOST JOB_NAME SUBMIT_TIME
    664   wt1  RUN  normal lwshost   lwsexec   sleep 20 Jun 12 00:10

What to do next

After you have integrated Keycloak with LDAP or Active Directory, the final step in enabling single sign-on for LSF Web Services is authenticating and testing your OAuth single sign-on connection.