Defining an LDAP-based user federation in Keycloak
To use an LDAP-enabled data store as a user authentication provider, you must define a user federation for that data store in Keycloak.
Before you begin
The following information must be provided to define an LDAP-based user federation:
- The name of the object class in which the user records are defined.
- The name of the attribute that holds the unique ID of a user. (This is the value that the user enters to log in.)
- The distinguished name (DN) of the entry in the directory tree under which the user records are found.
- For the LDAP provider only, any attributes that you want to use in a search filter to select a subset of users.
- The search scope that is used to find user records below that DN. The following options are currently supported:
  - One Level
  - Subtree
- The type of authentication that is used to bind to the LDAP-enabled data store. The following options are currently supported:
  - For the LDAP provider:
    - none: No bind credentials are used. Any ID can access information about any other ID, so the data store must allow anonymous searches of the user records.
    - simple: A single administrator ID (bind DN and password) can access information about all other IDs.
  - For the RACF® provider:
    - none: Any ID can access information about any other ID.
    - direct: Each ID can access only its own information. With this type of authentication, the existence of an ID in the data store is not verified until login time.
    - simple: A single administrator ID can access information about all other IDs.
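As an added example (not code from the original page or from the IBM Z operational analytics products), the following Python builds the Keycloak user-storage component that the items above describe and shows how each item maps to a configuration key of Keycloak's standard LDAP provider. It covers the LDAP provider only; the RACF provider and its "direct" authentication type belong to an IBM-specific provider whose keys are not shown here. The LDAP host, DNs, attribute names, realm name and the service-account password are assumptions.

```python
"""Build the Keycloak LDAP user-federation component from the listed inputs.

Added example, not part of the original page or the IBM Z products. Covers the
standard Keycloak LDAP provider only (not the IBM RACF provider). All host
names, DNs, attribute names and passwords below are constructed sample values.
"""
import json
import urllib.request

# Keycloak stores the search scope as the javax.naming SearchControls constant.
SEARCH_SCOPES = {"One Level": "1", "Subtree": "2"}
# Bind types accepted by the standard LDAP provider.
AUTH_TYPES = ("none", "simple")


def build_ldap_federation(name, connection_url, users_dn, user_object_class,
                          user_id_attribute, search_scope, auth_type,
                          custom_filter=None, bind_dn=None, bind_credential=None,
                          start_tls=False):
    """Return the JSON body for POST /admin/realms/{realm}/components.

    Mapping from the list on the page to Keycloak LDAP provider keys:
      object class of user records    -> userObjectClasses
      attribute holding the unique ID -> usernameLDAPAttribute / rdnLDAPAttribute
                                         / uuidLDAPAttribute
      DN where user records are found -> usersDn
      fields that select a subset     -> customUserSearchFilter (LDAP only)
      search scope                    -> searchScope ("1" = One Level, "2" = Subtree)
      authentication type             -> authType, plus bindDn/bindCredential
    """
    if search_scope not in SEARCH_SCOPES:
        raise ValueError(f"search scope must be one of {sorted(SEARCH_SCOPES)}")
    if auth_type not in AUTH_TYPES:
        raise ValueError(f"the LDAP provider supports only {AUTH_TYPES}")
    if auth_type == "simple" and not (bind_dn and bind_credential):
        raise ValueError("simple authentication needs an administrator bind DN and password")
    if auth_type == "none" and (bind_dn or bind_credential):
        raise ValueError("'none' (anonymous) authentication takes no bind DN or password")
    # Never send the administrator password over plaintext LDAP.
    if auth_type == "simple" and not (connection_url.startswith("ldaps://") or start_tls):
        raise ValueError("simple authentication requires ldaps:// or StartTLS")
    if custom_filter and not (custom_filter.startswith("(") and custom_filter.endswith(")")):
        raise ValueError("custom user search filter must be a parenthesised LDAP filter")

    config = {
        "enabled": ["true"],
        "vendor": ["other"],
        "connectionUrl": [connection_url],
        "startTls": ["true" if start_tls else "false"],
        "useTruststoreSpi": ["always"],   # validate the LDAP server certificate
        "usersDn": [users_dn],
        "userObjectClasses": [user_object_class],
        "usernameLDAPAttribute": [user_id_attribute],
        "rdnLDAPAttribute": [user_id_attribute],
        "uuidLDAPAttribute": [user_id_attribute],
        "searchScope": [SEARCH_SCOPES[search_scope]],
        "authType": [auth_type],
        "editMode": ["READ_ONLY"],        # Keycloak never writes back to the directory
        "importEnabled": ["true"],
    }
    if custom_filter:
        config["customUserSearchFilter"] = [custom_filter]
    if auth_type == "simple":
        config["bindDn"] = [bind_dn]
        config["bindCredential"] = [bind_credential]
    return {
        "name": name,
        "providerId": "ldap",
        "providerType": "org.keycloak.storage.UserStorageProvider",
        "config": config,
    }


def create_federation(base_url, realm, admin_token, component):
    """Create the component in the realm via the Admin REST API.

    Returns the HTTP status (201 on success). admin_token is a bearer token
    for an account with the manage-realm role. Not called in the test.
    """
    req = urllib.request.Request(
        f"{base_url}/admin/realms/{realm}/components",
        data=json.dumps(component).encode(),
        headers={"Authorization": f"Bearer {admin_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    component = build_ldap_federation(   # constructed sample values
        name="corp-ldap",
        connection_url="ldaps://ldap.example.com:636",
        users_dn="ou=people,dc=example,dc=com",
        user_object_class="inetOrgPerson",
        user_id_attribute="uid",
        search_scope="Subtree",
        auth_type="simple",
        custom_filter="(memberOf=cn=izoa-users,ou=groups,dc=example,dc=com)",
        bind_dn="cn=keycloak-svc,ou=services,dc=example,dc=com",
        bind_credential="constructed-sample-password",
    )
    print(json.dumps(component, indent=2))
    # create_federation("https://keycloak.example.com", "IzoaKeycloak", "<token>", component)
```

The function refuses a "simple" bind over plain ldap:// without StartTLS, because the administrator ID's password would otherwise cross the network in clear text; that check is this example's own, not a Keycloak restriction.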
About this task
After user records are defined through a user federation and are assigned to an appropriate group or role, they can be used to log in to any of the applications that are managed by the IzoaKeycloak security realm. Therefore, you can log in to your IBM Z® operational analytics products with an LDAP user ID.
Procedure
To define an LDAP-based user federation for your IBM Z operational analytics products, complete the following steps.