KEYCLOAK-2505 docs
This commit is contained in:
parent
daca6d7062
commit
b8cf8fabe2
1 changed files with 17 additions and 0 deletions
|
@ -135,6 +135,23 @@
|
||||||
</variablelist>
|
</variablelist>
|
||||||
</para>
|
</para>
|
||||||
</section>
|
</section>
|
||||||
|
<section>
|
||||||
|
<title>Connect to LDAP over SSL</title>
|
||||||
|
<para>
|
||||||
|
When you configure secured connection URL to LDAP (for example <literal>ldaps://myhost.com:636</literal> ) the Keycloak will
|
||||||
|
use SSL for the communication with LDAP server. The important thing is to properly configure truststore on the Keycloak server side,
|
||||||
|
because SSL won't work if Keycloak can't trust the SSL connection with LDAP (Keycloak acts as the <literal>client</literal> here, when LDAP acts as server).
|
||||||
|
</para>
|
||||||
|
<para>
|
||||||
|
The global truststore for the Keycloak can be configured with Truststore SPI in the <literal>keycloak-server.json</literal> file and it's described in the details <link linkend="truststore">here</link>.
|
||||||
|
If you don't configure truststore SPI, the truststore will fallback to the default mechanism provided by Java (either the file provided by system property <literal>javax.net.ssl.trustStore</literal> or finally
|
||||||
|
the cacerts file from JDK if even the system property is not set).
|
||||||
|
</para>
|
||||||
|
<para>There is configuration property <literal>Use Truststore SPI</literal> in the LDAP federation provider configuration, where you can choose
|
||||||
|
whether Truststore SPI is used. By default, the value is <literal>ldaps only</literal>, which is fine for most of deployments, because attempt
|
||||||
|
to use Truststore SPI is done just if connection to LDAP starts with <literal>ldaps</literal> .
|
||||||
|
</para>
|
||||||
|
</section>
|
||||||
</section>
|
</section>
|
||||||
<section>
|
<section>
|
||||||
<title>Sync of LDAP users to Keycloak</title>
|
<title>Sync of LDAP users to Keycloak</title>
|
||||||
|
|
Loading…
Reference in a new issue