Created by James Hurrell on Jan 23, 2024

Summary

Information about how to configure Keycloak to interact with your LDAP directory.

Enabling and configuring a new authentication mode will NOT disable any existing authentication modes configured in Keycloak. Therefore, CAST highly recommends that you disable all existing authentication methods before adding a new one: in most cases this will involve disabling or deleting the "local" users provided with CAST Console or any that you have created yourself:

FAQ

When configuring Keycloak, should we delete local authentication mode users?

CAST recommends that when switching to a new authentication mode that all existing modes are disabled, and in the case of local authentication, you should disable or delete the existing users (see note at the top of this page).

How should the account used to access the LDAP system from Keycloak be configured?

CAST recommends creating a dedicated LDAP "service" account to be used exclusively for configuring access between Keycloak and LDAP. This service account should be a member of an LDAP group dedicated to CAST (i.e. only users required to access CAST Imaging Console should be added to this group).

What happens when users required to use CAST Imaging Console are added to the LDAP group dedicated to CAST, does the admin need to perform a synchronization in Keycloak?

CAST recommends that users are imported into Keycloak (into its own database), otherwise some functionality is lost (typically API Key access to CAST Console because the API key needs to be stored with the user in the Keycloak database). When users are configured to be imported into the Keycloak database, this action is only performed the very first time a user logs into CAST Imaging Console. As such, CAST also recommends that a periodic synchronization is configured in Keycloak. This can be done by enabling the Peridoc Full Sync option (this performs a full synchronization every 24 hours).

What happens if a user password changed in LDAP?

All authentication is performed against the LDAP database (not the Keycloak database), therefore if the user changes his/her password in LDAP, then the change is immediate when attempting to access CAST Console via Keycloak (they will need to use the new password).

What happens if a user is deleted from LDAP?

If the user is deleted from LDAP then that user will no longer be able to login to CAST Console via Keycloak (because all authentication is performed against the LDAP database (not the Keycloak database)) - this occurs immediately. The user's details will remain in the Keycloak database until the next synchronization, after which, it will be removed automatically.

Step 1 - Configure LDAP settings

Click the User Federation option on the left then choose the LDAP provider in the dropdown :

Click to enlarge

Fill in the fields as follows (see also https://www.keycloak.org/docs/latest/server_admin/#_ldap):

FieldDescription
EnabledSet this to ON to enable the LDAP integration.
Console Display NameBy default this is set to "ldap", but you are free to choose a different name - it is simply a display name.
PriorityLeave this set to 0 - this sets the priority for user lookup when multiple authentication methods are handled by Keycloak.
Import Users

This option allows you to import your LDAP users into the Keycloak database stored on your CAST Storage Service/PostgreSQL instance. CAST recommends that this option is set to ON otherwise the following functionality will be lost:

  • if you need to generate an API Key to access CAST Console - see AIP Console - User Profile options. The API Key is stored alongside the user details in the Keycloak database and therefore, the LDAP user needs to have been imported already.
  • if you need to assign CAST Console/embedded Dashboard permissions to individual LDAP users, rather than or as well as via LDAP groups.

When set to ON, the first time a user logs in, the LDAP provider imports the LDAP user details into the Keycloak database and validates the LDAP password. This first time a user logs in is the only time that Keycloak will import the user. Therefore, if you click the Users menu option and then click the View all users button, you will only see the LDAP users that have authenticated at least once via Keycloak:

Keycloak imports users this way, so that a single user login operation does not trigger an import of the entire LDAP user database and cause performance issues.

Note that by default the user's details will only be imported once when they first login, therefore if users are updated in the LDAP database, these details are not automatically synchronized to the Keycloak database unless you either:

  • manually trigger the import of the entire LDAP database using the Synchronize all users option (located at the bottom of this panel):

  • or enable the Peridoc Full Sync option (this performs a full synchronization every 24 hours):

Edit Mode

This option determines how Keycloak will handle the remote LDAP database:

  • If you have chosen to import your LDAP users as recommended, then you must set this option to either WRITABLE or UNSYNCED. CAST recommends choosing UNSYNCED, which ensures that Keycloak will not make any changes to the remote LDAP database.
  • If you have chosen not to import your LDAP users into the Keycloak database (see option above), you should set this to READ_ONLY, which ensures that Keycloak will not make any changes to the remote LDAP database.
Sync RegistrationsThis option determines whether Keycloak will synchronize users created directly in Keycloak back to the remote LDAP database. CAST recommends that this should be set to OFF since the LDAP database should be the only reference.
Vendor

Choose the type of remote LDAP database you are using - this setting will automatically populate the following fields using the most common vendor specific settings (but these can be customized if required):

  • Username LDAP attribute
  • RDN LDAP attribute
  • UUID LDAP attribute
  • User Object Classes
Username LDAP attribute

Populated automatically based on the type of LDAP database you have selected in the Vendor field, but can be customized if required. This is the name of the LDAP database attribute, which (when users are imported) will be mapped as the username in the Keycloak database. If users are not imported into Keycloak, this is what users will use to log in to the CAST product:

  • For many LDAP server vendors this can be 'uid'.
  • For Active Directory this can be 'sAMAccountName' or 'cn'.
RDN LDAP attributePopulated automatically based on the type of LDAP database you have selected in the Vendor field, but can be customized if required. This is the name of the LDAP database attribute, which is used as the RDN (top attribute) of a typical user Distinguished Name. Usually this is the same as Username LDAP attribute, however it is not a required attribute in the LDAP database. For example for Active Directory, sometimes 'cn' is used as the RDN attribute when the username attribute might be 'sAMAccountName'.
UUID LDAP attributePopulated automatically based on the type of LDAP database you have selected in the Vendor field, but can be customized if required. This is the name of the LDAP database attribute, which is used as a unique object identifier (UUID) for objects in the LDAP database. For many LDAP server vendors, it is 'entryUUID'; however some are different. For example for Active Directory it should be 'objectGUID'. If your LDAP server does not support the notion of UUID, you can use any other attribute that is supposed to be unique among LDAP users in tree. For example 'uid' or 'entryDN'.
User Object Classes

Populated automatically based on the type of LDAP database you have selected in the Vendor field, but can be customized if required. These are all the values of the LDAP database 'objectClass' attribute for users in the LDAP database, separated with a comma. For example:

  • When you have chosen to import LDAP users into the Keycloak database as recommended, users will be imported if at least one of the values in this field is defined in the LDAP database 'objectClass' attribute for a given user.
  • If Sync Registrations is enabled (not recommended), users created directly in the Keycloak database will be written to the LDAP database with all the values entered in this field.
Connection URL

Enter the URL for your remote LDAP server. For example use a FQDN (fully qualified domain name), host name, IP address etc.:

  • ldap://<my-ldap-server>.corp.domain.com
  • ldap://<my-ldap-server>
  • ldap://<ip-address>
Users DN

This the DN (Distinguished Name) of the Organisational Unit (OU) in your LDAP database in which your users are stored. For example:

Click to enlarge

Custom User LDAP FilterAdditional LDAP Filter for filtering searched users. Leave this empty if you don't need an additional filter. If you do need to filter, make sure that the value starts with '(' and ends with ')'
Search ScopeSet the level that Keycloak should search the entry set in the Users DN field. Usually you should set this to One Level unless your users are located in multiple sub OUs in which case choose Subtree.
Bind TypeType of authentication used in the LDAP bind operation. Typically you should leave this set to simple.
Bind DNEnter the DN (Distinguished Name) of the LDAP service account that will be used for the LDAP bind operation.
Bind CredentialsEnter the password for the LDAP service account that will be used for the LDAP bind operation.

When complete, click the Save button:

Step 2 - Test connection and authentication

Use the following buttons to check that the connection to the LDAP server functions and that the service account can login - if  not you may need to revise the values you have supplied:

Step 3 - Configure LDAP group settings

If you need to grant CAST Console/embedded Dashboard permissions to LDAP groups (this is highly recommended) rather than or as well as individual LDAP users, you will need to configure a mapper specifically to synchronize your LDAP groups and make them available in Keycloak. To do so click the Mappers tab in your LDAP User Federation setting:

Then click the Create button:

In the Mapper Type field, choose the group-ldap-mapper option:

And fill in as below:

FieldDescription
NameThis is simply a display name - enter as required.
Mapper TypeMust be set to group-ldap-mapper.
LDAP Groups DN

This the DN (Distinguished Name) of the Organisational Unit (OU) in your LDAP database in which your groups are stored. For example:

Click to enlarge

Group Name LDAP Attribute

Populated automatically, but can be customized if required. This is the name of the LDAP database attribute, which is used in group objects for the name and RDN of the group. In the vast majority of cases, this will be "cn" (Common Name) - typically group objects may have a Distinguished Name such as "cn=Group1,ou=groups,dc=example,dc=org". For example:

Group Object Classes

Populated automatically, but can be customized if required. These are all the values of the LDAP database 'objectClass' attribute for your groups in the LDAP database, separated with a comma. Groups will be identified by Keycloak if at least one of the values in this field is defined in the LDAP database 'objectClass' attribute for a given group. In the following example groups will be imported into the Keycloak database if at least one of the values in this field is defined in the LDAP database 'objectClass' attribute for a given group:

Preserve Group InheritanceThis option determines whether your LDAP group inheritance organisation is mirrored in Keycloak. In other words, if you have nested groups, you should ensure this option is set to ON. If set to OFF, all groups will be mirrored in Keycloak in "flat mode", i.e. all at one level, ignoring the nested organisation.
Ignore Missing GroupsThis option should always be set to ON.
Membership LDAP Attribute

Populated automatically, but can be customized if required. This is the name of the LDAP database attribute, which is used for group membership mappings. Usually this will be "member". However if the Membership Attribute Type option (see below) is set to "UID" then Membership LDAP Attribute could be "memberUid".

Membership Attribute Type

Select either UID or DN:

  • DN means that the LDAP group has its members declared in the form of their full Distinguished Name (DN). For example "member: cn=john,ou=users,dc=example,dc=com".
  • UID means that the LDAP group has its members declared in the form of pure user uids. For example "memberUid: john".
Membership User LDAP Attribute 

Populated automatically, but can be customized if required. This option is ignored if the Membership Attribute Type option (see above) is set to DN.

This is the name of the LDAP database attribute for the user, which is used for membership mappings. Usually it will be "uid" . For example if Membership User LDAP Attribute is set to is "uid" and the LDAP group has "memberUid: john", then it is expected that that particular LDAP user will have the attribute "uid: john".

LDAP FilterAdditional LDAP Filter for filtering searched groups. Leave this empty if you don't need an additional filter. If you do need to filter, make sure that the value starts with '(' and ends with ')'
Mode

This option determines how Keycloak will handle groups:

  • LDAP_ONLY means that all group mappings are retrieved from both the LDAP database and the local Keycloak database (if any exist there). Any changes made within Keycloak will then be saved back into the LDAP database.
  • READ_ONLY is a read-only mode where group mappings are retrieved from both the LDAP database and the local Keycloak database (if any exist there). Any changes made within Keycloak will NOT be saved back into the LDAP database.
  • IMPORT (recommended setting) is a read-only mode where group mappings are retrieved from LDAP only (at the time when user is read from the LDAP database) and then the groups are saved to the local Keycloak database. 
User Groups Retrieve Strategy

This option determines how Keycloak should retrieve groups from the LDAP database:

  • LOAD_GROUPS_BY_MEMBER_ATTRIBUTE means that groups will be retrieved by sending an LDAP query to retrieve all groups where "member" is our user.
  • GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE means that groups will be retrieved via the "memberOf" attribute of our user. Or from the other attribute specified by "Member-Of LDAP Attribute".
  • LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY is applicable only in Active Directory and it means that groups will be retrieved recursively via the LDAP_MATCHING_RULE_IN_CHAIN extension. CAST recommends this option so that group membership is retrieved at the time the user first logs in to the CAST product.

Note that if a user already exists in the Keycloak database (i.e the user has already logged in before the groups mapper was setup), then the group membership details will not be updated for the given user. In this case, the user needs to be deleted from the Keycloak database (using the "Users" option in the left panel) - the group membership details will be retrieved when the user next logs in.

Member-Of LDAP Attribute

Populated automatically, but can be customized if required. This option is ignored if the User Groups Retrieve Strategy option (see above) is set to anything other than GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE. It specifies the name of the LDAP database attribute on the LDAP user, which contains the groups, which the user is member of. Usually it will be 'memberOf' and that's also the default value.

Drop non-existing groups during syncIf this option is set to ON then during retrieval of groups from the LDAP database, only those Keycloak groups (i.e. groups created directly in Keycloak) which also exist in LDAP will be retained. All others will be deleted. CAST recommends setting this option to ON if you only care about groups set in your LDAP database.
Groups Path

This is the path where the LDAP groups will be created in the Keycloak database and is set by default to "/" (i.e. the root). Root means that the groups will be created under this default entry:

When created, click Sync LDAP Groups to Keycloak and the groups will be imported into the Keycloak database:

Click to enlarge

You can check whether the groups have been successfully retrieved using the following interface:

Step 4 - Test user login

Finally you should test that an LDAP user can successfully log into CAST products and if you have set Import Users to ON, that their details are correctly stored in the Keycloak database:

That's it, the configuration is complete for LDAP and you can now log in as explained in Initial login to AIP Console - v. 2.x.

By default users/groups from LDAP will not have any roles assigned to them, so at least one LDAP user (or group) will need to be granted the admin and dashboards_admin roles (this will grant the global Console admin role and the global dashboards role (access all applications)) via the Keycloak role mappings section in the first instance:

Click to enlarge

Any additional users/groups that need to log in to Console or access CAST Dashboards will also need to be granted appropriate access roles:

  • either the admin or application_owner role to access Console (admin grants full rights to everything, application_owner grants only rights to access applications and not the Admin Center).
  • any one of the Dashboard roles as discussed here:
    • dashboards_admin
    • dashboards_exclusion_manager
    • dashboards_quality_automation_manager
    • dashboards_quality_manager
  • Note that users assigned the application_owner role will not be able to view existing applications created by other users. To allow them to do so, you will need to assign them the resource level resource owner role in Console itself, see Administration Center - Security - User Roles.