Defining an LDAP-based user federation in Keycloak

To use an LDAP-enabled data store as a user authentication provider, you must define a user federation for it in Keycloak.

Before you begin

The following information must be available before you define an LDAP-based user federation:
  • The name of the object class in which the user records are defined.
  • The name of the attribute (field) that holds the unique ID of a user. (This is the value that the user enters as the user name to log in.)
  • The fully qualified distinguished name (DN) of the subtree in which the user records are found (the users DN).
  • For the LDAP provider only, any additional LDAP search filter that restricts the federation to a subset of the users below the users DN.
  • The search scope that is used to find user records below the users DN. The following options are currently supported:
    • One Level (only entries that are immediate children of the users DN)
    • Subtree (all entries at any depth below the users DN)
  • The type of authentication (bind) that Keycloak uses to connect to the LDAP-enabled data store. The following options are currently supported:
    For the LDAP provider
    none
    Keycloak connects without binding (anonymous access). Any ID can access information about any other ID, so the directory must permit unauthenticated searches of the user records.
    simple
    Keycloak binds with a single administrator ID and password, and that ID can access information about all other IDs. The administrator password is stored in the Keycloak configuration, so restrict who can administer the realm.
    For the RACF® provider
    none
    Any ID can access information about any other ID.
    direct
    Each ID binds as itself and can access only its own information. With this type of authentication, there is no administrator bind for lookups, so the existence of an ID in the data store is not verified until login time.
    simple
    A single administrator ID can access information about all other IDs.
    For the LDAP provider, Keycloak verifies a user's password by binding to the directory as that user at login time. The connection to the data store should therefore use LDAPS or StartTLS rather than plain LDAP, whichever authentication type you choose; otherwise user passwords (and, with simple authentication, the administrator password) cross the network in clear text.

About this task

After user records are defined through a user federation and are assigned to an appropriate group or role, they can be used to log in to any of the applications that are managed by the IzoaKeycloak security realm. You can therefore log in to your IBM Z® operational analytics products with an LDAP user ID.

Procedure

To define an LDAP-based user federation for your IBM Z operational analytics products, complete the following steps.

  1. Log in to Keycloak as an administrator.
  2. Go to the IzoaKeycloak security realm.
  3. Under the Configure section, click User Federation.
  4. On the User Federation page, click either Add LDAP providers or Add RACF providers, depending on the type of user data store that you plan to connect to.
    LDAP provider
    For user data stores that provide full support for LDAP search capabilities, select LDAP. LDAP user federation describes the fields that you must fill in if you select LDAP.
    RACF provider
    For access to RACF via the SDBM backend of IBM® Tivoli® Directory Server for z/OS®, select RACF. RACF user federation describes the fields that you must fill in if you select RACF.
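The following script, an added example that is not part of this documentation and not code from Keycloak or IBM, gathers the values listed under "Before you begin" for the LDAP provider, checks them for the mistakes that most often surface only after the federation is saved (an authentication type the provider does not support, simple authentication without an administrator DN and password, a subset filter that is not parenthesised, a plain ldap:// connection with no StartTLS), and assembles them in the shape that Keycloak's admin REST API accepts when a user federation component is created (POST /admin/realms/{realm}/components), which is what the console form in steps 3 and 4 submits. It also shows how the object class, the unique-ID attribute, the subset filter and the value a user types at login combine into one LDAP search filter, with RFC 4515 escaping of the login value so that a crafted user name cannot change the filter's structure; that combination and escaping are the author's illustration of what the provider has to do, not Keycloak's own code. The component key names (connectionUrl, usersDn, userObjectClasses, usernameLDAPAttribute, rdnLDAPAttribute, searchScope, authType, startTls, editMode, bindDn, bindCredential, customUserSearchFilter) are the Keycloak LDAP storage provider's as the author knows them, the use of the ID attribute as the RDN attribute and of the realm name as parentId are assumptions, and every directory value in the script is constructed; confirm all of them against your Keycloak version and your directory before use.

```python
"""Assemble and sanity-check the values an LDAP user federation needs, in the
shape Keycloak's admin REST API accepts for a new user storage component.

Added example, not from the product documentation or from Keycloak. Component
keys and the assumptions noted in comments must be confirmed against your own
Keycloak version.
"""
import json

# Search scope as Keycloak stores it (JNDI SearchControls constant values).
SEARCH_SCOPES = {"One Level": 1, "Subtree": 2}

# Authentication types the documentation lists for each provider.
AUTH_TYPES = {
    "ldap": ("none", "simple"),
    "racf": ("none", "direct", "simple"),
}


def check_auth_type(provider, auth_type):
    """True if the documentation lists auth_type for this provider."""
    return auth_type in AUTH_TYPES.get(provider.lower(), ())


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515) so that a
    user-typed ID such as '*)(uid=*' cannot alter the structure of the filter."""
    out = []
    for ch in value:
        if ch in "\\*()" or ch == "\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def login_filter(object_class, id_attr, login, extra_filter=""):
    """Filter that locates one user at login: the object class and the unique-ID
    attribute, ANDed with the optional subset filter of the federation."""
    if extra_filter and not (extra_filter.startswith("(") and extra_filter.endswith(")")):
        raise ValueError("custom user search filter must be enclosed in parentheses")
    parts = [
        "(objectClass=%s)" % escape_filter_value(object_class),
        "(%s=%s)" % (id_attr, escape_filter_value(login)),
        extra_filter,
    ]
    return "(&" + "".join(parts) + ")"


def ldap_component(name, realm_id, connection_url, users_dn, object_class, id_attr,
                   scope, auth_type, bind_dn="", bind_credential="", extra_filter="",
                   start_tls=False):
    """Build the representation for POST /admin/realms/{realm}/components.
    Raises ValueError when the inputs are incomplete or insecure."""
    if not check_auth_type("ldap", auth_type):
        raise ValueError("LDAP provider supports only %s" % (AUTH_TYPES["ldap"],))
    if scope not in SEARCH_SCOPES:
        raise ValueError("search scope must be one of %s" % list(SEARCH_SCOPES))
    if auth_type == "simple" and not (bind_dn and bind_credential):
        raise ValueError("simple authentication needs an administrator DN and password")
    # Users are verified by binding with their own password, so the link to the
    # directory must be encrypted whatever the authentication type is.
    if not (connection_url.lower().startswith("ldaps://") or start_tls):
        raise ValueError("use ldaps:// or StartTLS; plain ldap:// exposes passwords")
    login_filter(object_class, id_attr, "probe", extra_filter)  # validates filter syntax

    config = {  # values are lists of strings, as Keycloak stores component config
        "connectionUrl": [connection_url],
        "usersDn": [users_dn],
        "userObjectClasses": [object_class],
        "usernameLDAPAttribute": [id_attr],
        "rdnLDAPAttribute": [id_attr],  # assumption: the ID attribute is also the RDN
        "searchScope": [str(SEARCH_SCOPES[scope])],
        "authType": [auth_type],
        "startTls": [str(start_tls).lower()],
        "editMode": ["READ_ONLY"],
    }
    if auth_type == "simple":
        config["bindDn"] = [bind_dn]
        config["bindCredential"] = [bind_credential]
    if extra_filter:
        config["customUserSearchFilter"] = [extra_filter]
    return {
        "name": name,
        "providerId": "ldap",
        "providerType": "org.keycloak.storage.UserStorageProvider",
        "parentId": realm_id,  # assumption: realm's internal id equals its name
        "config": config,
    }


if __name__ == "__main__":
    # Constructed values for a fictitious directory; replace them with your own.
    component = ldap_component(
        name="corp-ldap", realm_id="IzoaKeycloak",
        connection_url="ldaps://ldap.example.com:636",
        users_dn="ou=people,dc=example,dc=com",
        object_class="inetOrgPerson", id_attr="uid", scope="Subtree",
        auth_type="simple", bind_dn="cn=keycloak,ou=svc,dc=example,dc=com",
        bind_credential="change-me",
        extra_filter="(memberOf=cn=izoa-users,ou=groups,dc=example,dc=com)",
    )
    print(json.dumps(component, indent=2))
    print(login_filter("inetOrgPerson", "uid", "alice*)(uid=*",
                       component["config"]["customUserSearchFilter"][0]))
```

Before you type the values into the console, confirm them against the directory itself with an ldapsearch that uses the same users DN as its search base (-b), the same scope (-s one or -s sub) and the same bind identity that Keycloak will use; if that search does not return the expected user entries, the federation will not either.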