[keycloak-dev] LDAP setup for demonstration purposes

Bruno Oliveira da Silva bruno at abstractj.org
Tue Sep 13 10:33:50 EDT 2016


+1

IMO if we stick with Docker, we can just benefit of what you already
did. And like you mentioned, make use of the FreeIPA client docker
image.

On 2016-09-13, Marek Posolda wrote:
> +1
>
> Few more things and tips (you may be already aware of them, but still..
> Hope some of them are useful :) :
>
> - My docker image [1] already contains FreeIPA server and Keycloak
> server pre-configured with LDAP+Kerberos federation provider to use it.
> Thing is that both Keycloak+FreeIPA are on same machine, which is likely
> not the best for show production setup. The workstation setup needs to
> be done on your local machine (so you need KErberos client + Firefox
> setup on your laptop. That's sufficient for testing, but probably also
> not ideal for showcase).
>
> - In addition to FreeIPA docker images for server, FreeIPA has also
> docker image for client setup. See for example [2] . I am not 100% sure,
> but I believe that if you run this docker image and point to the already
> running "server" image, you will gain also all the things like PAM
> setup, login to the workstation with Kerberos credentials, and
> automatically retrieved kerberos ticket during login. Hence you just
> login to workstation, open firefox and you are authenticated to
> Keycloak. No need to manually run "kinit".
>
> - If Keycloak and FreeIPA server are on different workstations, then:
> -- The Keycloak server may also need FreeIPA client installed. Or at
> least kerberos client installed with proper setup in /etc/krb5.conf
> pointing to FreeIPA kerberos realm and proper DNS setup working with
> FreeIPA.
>
> -- Also for different servers, you will likely need to add HTTP kerberos
> principal for the server where keycloak is running. For example if
> FreeIPA is on "freeipa.example.org" and keycloak is on
> "keycloak.example.org", you will need the principal like
> HTTP/keycloak.example.org at KEYCLOAK.ORG . This corresponds to LDAP
> principal under "cn=services,cn=accounts,dc=freeipa,dc=example,dc=org" .
> Maybe FreeIPA has it documented somewhere and/or it's easily possible to
> add new HTTP server principal through FreeIPA admin console. You will
> also need keytab exported with the credentials of this principal.
> Note this step is not needed if Keycloak and FreeIPA are on same machine
> as FreeIPA server automatically has HTTP principal for it's own machine
> (something like HTTP/freeipa.example.org at KEYCLOAK.ORG for the example
> above), to allow login to FreeIPA admin console with kerberos OOTB.
>
>
> [1] https://github.com/mposolda/keycloak-freeipa-docker/
> [2] https://github.com/adelton/docker-freeipa/tree/fedora-22-client
>
> Marek
>
> On 13/09/16 08:07, Stian Thorgersen wrote:
> > I'd like to have a simple way to demo LDAP and Kerberos support. To
> > that end we should add a Vagrant setup with the following:
> >
> > * Keycloak server
> > * MySQL or Postgres
> > * FreeIPA
> > * Workstation with Kerberos authentication (needs X and Firefox installed)
> >
> > The Keycloak server should already be configured to use the FreeIPA
> > server as a user federation provider (using LDAP and Kerberos). The
> > workstation can be co-located with FreeIPA server if it makes things
> > much simpler, but it should be possible to login to the workstation
> > with Kerberos. Firefox should be pre-configured for Kerberos to work
> > both on Keycloak login and FreeIPA admin console.
> >
> > I want a proper database and a web based client for the database so
> > it's simple to inspect the database.
> >
> > Bruno has already volunteered to look into this, but first we should
> > make sure this is the setup we'd like to be able to showcase.
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev

--

abstractj
PGP: 0x84DC9914


More information about the keycloak-dev mailing list