In a world where secure identity management is no longer optional, Keycloak stands out as a robust, open-source solution trusted by enterprises and developers alike. The ns8-keycloak module brings this power directly into the NethServer 8 ecosystem—seamlessly integrating authentication, authorization, and user federation into your infrastructure.
Yet, despite its immense value, ns8-keycloak remains absent from the official application repository. This is a missed opportunity.
By adding ns8-keycloak to the Software Center, we unlock:
Enterprise-grade security for NethServer deployments, with support for SSO, OAuth2, OpenID Connect, and LDAP.
Streamlined user management across services, reducing complexity and improving scalability.
Community empowerment, giving sysadmins and developers the tools they need without relying on manual installations or external sources.
This module is not just another add-on—it’s a gateway to modern identity architecture. Its inclusion would elevate NethServer 8 from a powerful platform to a truly comprehensive solution for secure, scalable, and professional-grade deployments.
Let’s make this happen. Let’s bring ns8-keycloak into the official fold.
Keycloak is the most practical choice for integrating OAuth 2.0 with Samba/AD because it natively supports LDAP authentication, offers mature and well-documented integration with other applications, and already has a community-maintained module for NethServer 8—making setup straightforward and reliable; unlike ZITADEL or other platforms, which require additional layers or federation to connect with Samba, Keycloak provides direct, proven compatibility with domain credentials, ensuring centralized login with minimal complexity.
It is already available as a test and can be installed according to the current instructions. It needs more testers and testing, though, before it can be announced and released.
There are almost 160 apps in various states of maturity listed here.
@jjmmbb We currently already have LemonLDAP::NG with direct AD/LDAP integration.
Authentik, which is production ready. Zitadel V4 on the dev branch, which requires help with testing.
Keycloak was built, but we have not tested it yet. If you're interested specifically in Keycloak, we can bump up its dev (or accept a PR) if you can test the current version and report what you notice or any issues, so we can work to get it to prod status; that would be great.
EDIT: currently going through the release notes to see what's changed between versions 25.02 and 26.3.5.
Mostly usability changes.
I don’t have any particular preference for a specific application. I just noticed that Keycloak appeared more frequently in search results, and I happened to find a repository for it.
I have an application that doesn't support LDAP/AD authentication, but supports OAuth 2.0. I would like users to keep using the same AD username and password to authenticate on this application.
I first want the “official” apps (Nextcloud, Roundcube, SOGo, WebTop, etc.) to integrate with it. But other things I integrate with Authentik include Forgejo, Proxmox (VE and Backup Server), LubeLogger, and more recently Headscale. Once I get my Raspberry Pi-based local CA back up and running, I’ll be integrating that as well to obtain SSH user certificates.
And I’ve been using Authentik, but I’m not married to it–if Keycloak will do the job better, I don’t mind migrating. If it’s a wash, I’d just as soon stay with Authentik. But I strongly believe NS8 needs an “official,” integrated SSO solution, one that will work with all the “official” apps, and can be called by anything else the admin wants to use.