KEYCLOAK-2505 docs

This commit is contained in:
mposolda 2016-02-19 22:05:35 +01:00
parent daca6d7062
commit b8cf8fabe2


@ -135,6 +135,23 @@
</variablelist> </variablelist>
</para> </para>
</section> </section>
<section>
<title>Connect to LDAP over SSL</title>
<para>
When you configure secured connection URL to LDAP (for example <literal>ldaps://myhost.com:636</literal> ) the Keycloak will
use SSL for the communication with LDAP server. The important thing is to properly configure truststore on the Keycloak server side,
because SSL won't work if Keycloak can't trust the SSL connection with LDAP (Keycloak acts as the <literal>client</literal> here, when LDAP acts as server).
</para>
<para>
The global truststore for the Keycloak can be configured with Truststore SPI in the <literal>keycloak-server.json</literal> file and it's described in the details <link linkend="truststore">here</link>.
If you don't configure truststore SPI, the truststore will fallback to the default mechanism provided by Java (either the file provided by system property <literal>javax.net.ssl.trustStore</literal> or finally
the cacerts file from JDK if even the system property is not set).
</para>
<para>There is configuration property <literal>Use Truststore SPI</literal> in the LDAP federation provider configuration, where you can choose
whether Truststore SPI is used. By default, the value is <literal>ldaps only</literal>, which is fine for most of deployments, because attempt
to use Truststore SPI is done just if connection to LDAP starts with <literal>ldaps</literal> .
</para>
</section>
</section> </section>
<section> <section>
<title>Sync of LDAP users to Keycloak</title> <title>Sync of LDAP users to Keycloak</title>
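Review bot: The new <literal>Use Truststore SPI</literal> paragraph names only the default value <literal>ldaps only</literal>; please list the other accepted values of the option and what each one does, otherwise a reader cannot tell how to force the Truststore SPI for a plain <literal>ldap://</literal> URL or disable it entirely. In the same paragraph, "attempt to use Truststore SPI is done just if connection to LDAP starts with <literal>ldaps</literal>" should be tightened to "the Truststore SPI is used only when the connection URL starts with <literal>ldaps</literal>", and the stray space before the final period removed. Two wording fixes in the first two paragraphs: "When you configure secured connection URL to LDAP" reads better as "When you configure a secured connection URL to LDAP", "the Keycloak will use SSL" as "Keycloak will use SSL", and "it's described in the details here" as "it is described in detail here". Finally, since the text already states that SSL fails when Keycloak cannot trust the LDAP server, one sentence telling the administrator that the LDAP server's certificate (or its issuing CA) must be present in whichever truststore ends up being used, and that the failure shows up as a connection error on the Keycloak side, would make the section actionable.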