[keycloak-dev] LDAP setup for demonstration purposes

Bruno Oliveira da Silva bruno at abstractj.org
Tue Sep 13 15:10:28 EDT 2016


My 2 cents on it. Unless we have any strong argument for doing this,
let's move forward with Docker. We already have a repository for this
and I'm not sure if we have bandwidth to maintain 2 distinct repositories.

Btw I'm curious, which real-world scenario could you not reproduce with
Docker?

On 2016-09-13, Thomas Raehalme wrote:
> How about setting up multiple VMs with Vagrant but handling all software
> components with Docker?
>
> Best of both worlds and also a simulation of the real world (which could
> perhaps be used as a reference).
>
> Best regards,
> Thomas
>
> On Sep 13, 2016 5:46 PM, "Scott Rossillo" <srossillo at smartling.com> wrote:
>
> > Vagrant leaves a funny taste in my mouth. Docker Compose to orchestrate
> > things seems like a better option.
> >
> > Scott Rossillo
> > Smartling | Senior Software Engineer
> > srossillo at smartling.com
> >
> > On Sep 13, 2016, at 10:39 AM, Bruno Oliveira da Silva <bruno at abstractj.org>
> > wrote:
> >
> > My question is: Docker or Vagrant?
> >
> > If we have plans to showcase the SSSD federation provider, plus things like
> > starting/stopping the sssd service to demonstrate that the SSSD provider
> > won't be enabled, I would say that Vagrant is easier and we can benefit from
> > these boxes[1]; otherwise we just stick with Marek's work.
> >
> > I will give DBus on Docker a second try, but the last time I checked it wasn't
> > fun.
> >
> > [1] - https://github.com/freeipa/freeipa-workshop
> >
> > On 2016-09-13, Stian Thorgersen wrote:
> >
> > Forgot to add two things:
> >
> > * DNS setup - we want proper DNS setup on the machines, which would be
> > required for the Kerberos stuff to work properly
> > * HTTPS - optional, but would be great if it also had HTTPS configured
> >
> > On 13 September 2016 at 09:24, Marek Posolda <mposolda at redhat.com> wrote:
> >
> > +1
> >
> > A few more things and tips (you may already be aware of them, but still...
> > I hope some of them are useful :) :
> >
> > - My docker image [1] already contains FreeIPA server and Keycloak server
> > pre-configured with the LDAP+Kerberos federation provider to use it. The thing
> > is that both Keycloak and FreeIPA are on the same machine, which is likely not
> > the best for showing a production setup. The workstation setup needs to be
> > done on your local machine (so you need a Kerberos client + Firefox setup on
> > your laptop). That's sufficient for testing, but probably also not ideal for
> > a showcase.
> >
> > - In addition to the FreeIPA docker image for the server, FreeIPA also has a
> > docker image for client setup. See for example [2]. I am not 100% sure, but I
> > believe that if you run this docker image and point it to the already running
> > "server" image, you will also gain all the things like PAM setup, login to
> > the workstation with Kerberos credentials, and an automatically retrieved
> > Kerberos ticket during login. Hence you just log in to the workstation, open
> > Firefox and you are authenticated to Keycloak. No need to manually run
> > "kinit".
> >
> >
> > The workstation will need to be a virtual machine rather than a container to
> > add X support. So IMO we should just use Vagrant and have FreeIPA and
> > use a Vagrantfile to install Fedora + FreeIPA.
> >
> >
> >
> > - If Keycloak and FreeIPA server are on different workstations, then:
> > -- The Keycloak server may also need the FreeIPA client installed, or at least
> > a Kerberos client installed with a proper setup in /etc/krb5.conf pointing to
> > the FreeIPA Kerberos realm and a proper DNS setup working with FreeIPA.
> >
> >
> >
> > -- Also for different servers, you will likely need to add an HTTP Kerberos
> > principal for the server where Keycloak is running. For example if FreeIPA
> > is on "freeipa.example.org" and Keycloak is on "keycloak.example.org",
> > you will need a principal like HTTP/keycloak.example.org@KEYCLOAK.ORG.
> > This corresponds to the LDAP principal under
> > "cn=services,cn=accounts,dc=freeipa,dc=example,dc=org".
> > Maybe FreeIPA has it documented somewhere and/or it's easily possible to
> > add a new HTTP server principal through the FreeIPA admin console. You will
> > also need a keytab exported with the credentials of this principal.
> > Note this step is not needed if Keycloak and FreeIPA are on the same machine
> > as the FreeIPA server automatically has an HTTP principal for its own machine
> > (something like HTTP/freeipa.example.org@KEYCLOAK.ORG for the example
> > above), to allow login to the FreeIPA admin console with Kerberos OOTB.
> >
> >
> > We should really figure out how to do this on separate machines, so I think
> > going that way would be best even though it's harder to do.
> >
> >
> >
> >
> > [1] https://github.com/mposolda/keycloak-freeipa-docker/
> > [2] https://github.com/adelton/docker-freeipa/tree/fedora-22-client
> >
> > Marek
> >
> >
> > On 13/09/16 08:07, Stian Thorgersen wrote:
> >
> > I'd like to have a simple way to demo LDAP and Kerberos support. To that
> > end we should add a Vagrant setup with the following:
> >
> > * Keycloak server
> > * MySQL or Postgres
> > * FreeIPA
> > * Workstation with Kerberos authentication (needs X and Firefox installed)
> >
> > The Keycloak server should already be configured to use the FreeIPA
> > server as a user federation provider (using LDAP and Kerberos). The
> > workstation can be co-located with the FreeIPA server if it makes things much
> > simpler, but it should be possible to log in to the workstation with
> > Kerberos. Firefox should be pre-configured for Kerberos to work both on
> > Keycloak login and the FreeIPA admin console.
> >
> > I want a proper database and a web-based client for the database so it's
> > simple to inspect the database.
> >
> > Bruno has already volunteered to look into this, but first we should make
> > sure this is the setup we'd like to be able to showcase.
> >
> >
> >
> >
> >
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >
> >
> >
> > --
> >
> > abstractj
> > PGP: 0x84DC9914

--

abstractj
PGP: 0x84DC9914
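Marek's notes in the quoted thread on running Keycloak and FreeIPA on separate hosts (a krb5.conf pointing at the FreeIPA realm, an HTTP service principal for the Keycloak host, and an exported keytab), worked through as a script. This is an added example, not code from the thread or from either project; it assumes the realm EXAMPLE.ORG with FreeIPA on freeipa.example.org and Keycloak on keycloak.example.org, and the `ipa`, `ipa-getkeytab` and `klist` commands are FreeIPA's and MIT Kerberos's own.

```shell
#!/bin/sh
# Added example, not from the thread: register the HTTP service principal for a
# Keycloak host in FreeIPA and render a minimal /etc/krb5.conf for that host.
# Assumed names: realm EXAMPLE.ORG, FreeIPA on freeipa.example.org, Keycloak on
# keycloak.example.org.
set -eu

REALM="EXAMPLE.ORG"
IPA_HOST="freeipa.example.org"
KC_HOST="keycloak.example.org"

# Service principal name Keycloak's keytab must contain: HTTP/<host>@<REALM>.
http_principal() {
    printf 'HTTP/%s@%s\n' "$1" "$2"
}

# Minimal krb5.conf for the Keycloak host. DNS lookups are disabled so the file,
# not DNS, decides realm and KDC; re-enable them once FreeIPA DNS is in place.
render_krb5_conf() {
    realm="$1"; kdc="$2"
    domain=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
    cat <<EOF
[libdefaults]
  default_realm = $realm
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false

[realms]
  $realm = {
    kdc = $kdc
    admin_server = $kdc
  }

[domain_realm]
  .$domain = $realm
  $domain = $realm
EOF
}

# FreeIPA side (run with an admin ticket): register the host and HTTP service,
# fetch its keytab for Keycloak, and verify the principal actually landed in it.
register_keycloak_principal() {
    spn=$(http_principal "$KC_HOST" "$REALM")
    ipa host-add "$KC_HOST" --force
    ipa service-add "$spn"
    ipa-getkeytab -s "$IPA_HOST" -p "$spn" -k /etc/keycloak.keytab
    klist -k /etc/keycloak.keytab | grep -F "$spn"
}
```

Copy the rendered krb5.conf and the keytab to the Keycloak host, and point the Kerberos settings of the LDAP federation provider at that keytab and principal.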

