Yes, and it depends.
I have never tried this, but you could disable import users and enable sync registrations. Disabling import users should stop Keycloak from importing existing users from your LDAP directory. Enabling sync registrations should create users in LDAP when they are created in Keycloak. This would work in a situation where the account doesn’t already exist in your LDAP directory.
Another approach would be to script adding attributes directly into your Keycloak database. This would be necessary if the user already exists in LDAP. That can be done by adding certain attributes to the user account in Keycloak. There are four LDAP attributes that need to be added to the attributes on the Keycloak account that will link the two. I had to do this with thousands of existing accounts when it was decided to add LDAP integration after our system went live.
These are the SQL commands I used. This is not a documented or supported method. Just the way I was able to get it working in my situation. Proceed with caution.
```python
import uuid
import psycopg2  # the psycopg module; %s is its parameter placeholder

# ldap_id, ldap_dn, when_created, when_changed come from the LDAP entry; kc_id is the Keycloak
# user id; FED_ID is the federation provider id ([FED_ID] in the notes); conn is an open psycopg2 connection.
cur = conn.cursor()
cur.execute("DELETE FROM user_attribute WHERE user_id = %s AND name IN ('LDAP_ID', 'LDAP_ENTRY_DN', 'createTimestamp', 'modifyTimestamp')", (kc_id,))
cur.execute("INSERT INTO user_attribute (name, value, user_id, id) VALUES (%s, %s, %s, %s)", ('LDAP_ID', ldap_id, kc_id, str(uuid.uuid4())))
cur.execute("INSERT INTO user_attribute (name, value, user_id, id) VALUES (%s, %s, %s, %s)", ('LDAP_ENTRY_DN', ldap_dn, kc_id, str(uuid.uuid4())))
cur.execute("INSERT INTO user_attribute (name, value, user_id, id) VALUES (%s, %s, %s, %s)", ('createTimestamp', when_created, kc_id, str(uuid.uuid4())))
cur.execute("INSERT INTO user_attribute (name, value, user_id, id) VALUES (%s, %s, %s, %s)", ('modifyTimestamp', when_changed, kc_id, str(uuid.uuid4())))
cur.execute("UPDATE user_entity SET federation_link = %s WHERE id = %s", (FED_ID, kc_id))
conn.commit()
```
Notes:
- createTimestamp, modifyTimestamp, ldap_id, and ldap_dn values come from the user account in your LDAP directory.
- [FED_ID] is the ID for the federation in Keycloak.
- kc_id is the ID for the user’s account in Keycloak.
- The id field of the user_attribute table requires a unique UUID for each row. You will need to generate a value to use as the last parameter of the INSERT INTO user_attribute SQL statements.
- These SQL commands are from Python and use the %s string substitutions built into the psycopg module.
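As an added illustration (not code from the post above), the following script runs the same linking statements as one function against an in-memory SQLite copy of the two tables, and adds a verification query that lists users still missing a federation link or any of the four attributes. The table definitions are a constructed minimal subset of the real Keycloak schema (only the columns the statements touch), the user rows and LDAP values are made up, and the federation id is a placeholder; the `ph` argument switches the DB-API placeholder from SQLite's `?` to psycopg's `%s`.

```python
import sqlite3
import uuid

# Constructed minimal schema: only the columns the linking statements use.
SCHEMA = """
CREATE TABLE user_entity (id TEXT PRIMARY KEY, username TEXT, federation_link TEXT);
CREATE TABLE user_attribute (id TEXT PRIMARY KEY, name TEXT, value TEXT, user_id TEXT);
"""

# The four attributes Keycloak uses to tie a local user to its LDAP entry.
LDAP_ATTRS = ("LDAP_ID", "LDAP_ENTRY_DN", "createTimestamp", "modifyTimestamp")


def link_user(cur, kc_id, fed_id, ldap_id, ldap_dn, when_created, when_changed, ph="?"):
    """Replace any stale link attributes, insert fresh ones and set federation_link.
    ph is the DB-API placeholder ("?" for sqlite3, "%s" for psycopg)."""
    cur.execute(f"DELETE FROM user_attribute WHERE user_id = {ph} AND name IN ({ph}, {ph}, {ph}, {ph})",
                (kc_id, *LDAP_ATTRS))
    for name, value in zip(LDAP_ATTRS, (ldap_id, ldap_dn, when_created, when_changed)):
        cur.execute(f"INSERT INTO user_attribute (name, value, user_id, id) VALUES ({ph}, {ph}, {ph}, {ph})",
                    (name, value, kc_id, str(uuid.uuid4())))  # each row needs its own UUID
    cur.execute(f"UPDATE user_entity SET federation_link = {ph} WHERE id = {ph}", (fed_id, kc_id))


def unlinked_users(cur, fed_id, ph="?"):
    """Usernames that are not linked to fed_id or lack one of the four attributes."""
    cur.execute(f"""
        SELECT u.username
        FROM user_entity u
        LEFT JOIN user_attribute a ON a.user_id = u.id AND a.name IN ({ph}, {ph}, {ph}, {ph})
        GROUP BY u.id, u.username, u.federation_link
        HAVING u.federation_link IS NULL OR u.federation_link <> {ph} OR COUNT(a.id) < 4
        ORDER BY u.username
    """, (*LDAP_ATTRS, fed_id))
    return [row[0] for row in cur.fetchall()]


def demo():
    """Link one of two constructed users and report the verification result before and after."""
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.executescript(SCHEMA)
    fed_id = "FEDERATION-ID-PLACEHOLDER"  # placeholder for the Keycloak federation provider id
    cur.executemany("INSERT INTO user_entity (id, username, federation_link) VALUES (?, ?, NULL)",
                    [("kc-1", "alice"), ("kc-2", "bob")])
    # A leftover attribute from an earlier partial attempt; the DELETE step removes it.
    cur.execute("INSERT INTO user_attribute VALUES (?, 'LDAP_ID', 'stale', 'kc-1')", (str(uuid.uuid4()),))
    before = unlinked_users(cur, fed_id)
    try:
        link_user(cur, "kc-1", fed_id, "ldap-uuid-1", "uid=alice,ou=people,dc=example,dc=com",
                  "20240101120000Z", "20240601120000Z")
        conn.commit()  # all six statements land together or not at all
    except Exception:
        conn.rollback()
        raise
    after = unlinked_users(cur, fed_id)
    cur.execute("SELECT COUNT(*) FROM user_attribute WHERE user_id = 'kc-1'")
    attr_count = cur.fetchone()[0]
    return before, after, attr_count


if __name__ == "__main__":
    print(demo())  # (['alice', 'bob'], ['bob'], 4)
```

Running `unlinked_users` before and after a batch is the check worth keeping: it catches rows where the UPDATE succeeded but an INSERT did not, which otherwise shows up only as login failures later.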