03. 07. 2025 Alessandro Paoli NetEye, Unified Monitoring

Configuring Keycloak with LDAP and TLS Certificate (LDAPS) in NetEye

In this article I’ll guide you step-by-step through configuring Keycloak to connect to an LDAP server using a secure LDAPS (SSL/TLS) connection, with support for certificates signed by either internal or self-signed Certificate Authorities. This is especially useful in enterprise environments using Active Directory or a centralized LDAP server.

This configuration is particularly relevant for environments using NetEye, as NetEye relies on Keycloak for centralized authentication and supports integration with LDAP directories for user federation and access control.

Requirements

  • Access to an LDAP server (e.g., OpenLDAP or Microsoft AD)
  • Root/intermediate certificate used by the LDAP server
  • Root/sudo access on the system running Keycloak
  • A working NetEye environment that uses Keycloak as its identity provider

1. Obtain the LDAP Server Certificate

Extract the LDAP server certificate (or the root CA that signed it). If you don’t already have it, you can retrieve it using openssl:

openssl s_client -connect ldap.example.com:636 -showcerts

Copy the certificate (or the full chain) and save it to a file, for example ldap-ca.pem.

2. Import the Certificate into the Java Truststore

Keycloak runs on Java, which verifies TLS certificates against the JVM's default truststore. To import the certificate:

sudo keytool -importcert -trustcacerts -alias ldap-ca \
  -file ldap-ca.pem -keystore /etc/pki/java/cacerts -storepass changeit

Verify the import:

keytool -list -keystore /etc/pki/java/cacerts -storepass changeit | grep ldap-ca

changeit is the default truststore password. Ensure the truststore path matches the one used by the JVM on your distribution.

Note: To change the Java keystore password, use the following command:

keytool -storepasswd -keystore /etc/pki/java/cacerts

You will be prompted to enter the old password (changeit) and the new one.

3. Restart Keycloak

Apply the changes:

sudo systemctl restart keycloak

4. Configure the LDAP Provider in Keycloak

  1. Log in to the Keycloak admin console
  2. Select the desired realm (usually preconfigured in NetEye)
  3. Navigate to User Federation > Add provider > ldap
  4. Fill in the main fields:
     Field               Value
     UI display name     Custom name
     Vendor              Active Directory
     Connection URL      ldaps://ldap.example.com:636
     Bind type           simple
     Bind DN             cn=admin,dc=example,dc=com
     Bind Credential     LDAP password
     Users DN            ou=Users,dc=example,dc=com
     Edit Mode           READ_ONLY
     Use Truststore SPI  always

  5. Save
  6. Click Synchronize all users to test the connection

Once synchronized, LDAP users will be visible in Keycloak and can authenticate to NetEye via SSO.

5. Common Troubleshooting

Error: SSLHandshakeException

Typical causes:

  • The server certificate is invalid or not present in the truststore
  • The certificate chain is incomplete (missing root or intermediate)
  • Wrong port or protocol (e.g., ldaps:// on port 389)

Solutions:

  • Verify the chain the server actually presents with:
    openssl s_client -connect ldap.example.com:636 -showcerts
  • Check the logs: /opt/keycloak/logs/server.log or journalctl -fu keycloak
  • Ensure the certificate’s CN or SAN matches the hostname used in the Connection URL
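To tie step 1 and these checks together, the following added example (not part of the original article) captures the output of openssl s_client -showcerts, writes each certificate of the chain to its own PEM file and reads the "Verify return code" that openssl reports, so an incomplete or untrusted chain is noticed before anything is imported into the Java truststore. ldap.example.com:636 and the ./chain directory are placeholders.

```shell
#!/bin/sh
# Added example, not from the original article: fetch the chain the LDAPS
# server presents, split it into one PEM file per certificate and read the
# "Verify return code" that openssl s_client prints, so a broken chain is
# noticed before anything is imported into the Java truststore.

# split_chain DIR: read `openssl s_client -showcerts` output on stdin, write
# each certificate block to DIR/cert-N.pem and print the number of blocks.
split_chain() {
    dir=$1
    mkdir -p "$dir"
    awk -v dir="$dir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }
    '
}

# verify_rc: print the numeric "Verify return code" from s_client output.
# 0 means openssl trusted the chain; 19 is a self-signed CA in the chain and
# 21 usually means the server did not send its intermediate certificate.
verify_rc() {
    sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | tail -n 1
}

# fetch_ldap_chain HOST PORT DIR: connect, save the raw s_client output,
# split the chain and keep the last (highest) certificate as ldap-ca.pem,
# which is the file step 2 imports when the server sends its CA.
fetch_ldap_chain() {
    host=$1; port=$2; dir=$3
    mkdir -p "$dir"
    # -servername sends SNI; </dev/null closes the session after the handshake
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
        </dev/null 2>/dev/null >"$dir/s_client.txt"
    count=$(split_chain "$dir" <"$dir/s_client.txt")
    rc=$(verify_rc <"$dir/s_client.txt")
    echo "certificates received: $count, openssl verify return code: ${rc:-none}"
    if [ "$count" -gt 0 ]; then
        cp "$dir/cert-$count.pem" "$dir/ldap-ca.pem"
        echo "candidate CA certificate saved to $dir/ldap-ca.pem"
    fi
}

# Usage: ./ldap-chain.sh ldap.example.com 636 ./chain   (placeholders)
if [ $# -ge 1 ]; then
    fetch_ldap_chain "$1" "${2:-636}" "${3:-./chain}"
fi
```

A return code other than 0 here means the same chain will fail in Keycloak's SSLHandshakeException path, and the cert-N.pem files show which link is missing.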

6. Final Test

Try logging into Keycloak with an LDAP user. If everything is configured correctly, authentication should succeed.

Then log into NetEye using the same user: you should be authenticated via Keycloak and redirected successfully.

Conclusion

Connecting Keycloak to an LDAP server via LDAPS encrypts the directory traffic, including the bind credentials and user attributes, and is a significant security improvement for the authentication infrastructure. This is especially important in NetEye environments, where centralized identity and access management is critical.


Alessandro Paoli

My name is Alessandro Paoli and I've been a Technical Consultant at Wurth Phoenix since May 2024. I've always had a great passion for IT and since 2004 it has also become my job. In 2015 I found my role in the field, monitoring. I have had the opportunity to use various monitoring products, both open source and proprietary, I have worked on numerous projects from small businesses to global companies. I am married and have 2 wonderful daughters. My passions are travel, cinema, games (video and board) and comics, and every now and then I manage to indulge in a few days of sport (Padel and gym).
