[keycloak-dev] LDAP setup for demonstration purposes

Bruno Oliveira da Silva bruno at abstractj.org
Wed Sep 14 08:07:24 EDT 2016


+1000 thank you!


On 2016-09-14, Stian Thorgersen wrote:
> Bruno - notice the missing fix version! It's a nice to have background task
> and not a high priority at the moment.
>
> On 14 September 2016 at 13:12, Stian Thorgersen <sthorger at redhat.com> wrote:
>
> > We do now:
> > https://issues.jboss.org/browse/KEYCLOAK-3577
> >
> >> > On 14 September 2016 at 12:11, Bruno Oliveira da Silva <bruno at abstractj.org> wrote:
> >
> >> +1 Not arguing in favor or against it, but thinking about what you
> >> described seems like the solution is the combination of both: Vagrant and
> >> Docker.
> >>
> >> Do we have a Jira for this?
> >>
> >> On 2016-09-14, Stian Thorgersen wrote:
> >> > To elaborate I could eventually see us having a big demo setup in the form
> >> > of:
> >> >
> >> > * Keycloak or RH-SSO box
> >> > * Database box
> >> > * FreeIPA box
> >> > * Active Directory box
> >> > * Some SAML provider
> >> > * Some OIDC provider
> >> > * Fedora workstation
> >> > * Windows workstation
> >> >
> >> > Everything ready to go to show Keycloak as a fully capable identity
> >> > federation platform.
> >> >
> >> > On 14 September 2016 at 09:32, Stian Thorgersen <sthorger at redhat.com> wrote:
> >> >
> >> > > I want full desktop and show user login via desktop login, not Kerberos
> >> > > client. So full Gnome is required. Also, I think the DNS setup as well as
> >> > > orchestration may be simpler with Vagrant than Docker.
> >> > >
> >> > > We also may want to extend this to include good old Microsoft software in
> >> > > the form of Windows and Active Directory. In that case Docker is a show
> >> > > stopper and Vagrant/VMs is the only option.
> >> > >
> >> > > On 13 September 2016 at 21:46, Marek Posolda <mposolda at redhat.com> wrote:
> >> > >
> >> > >> On 13/09/16 21:10, Bruno Oliveira da Silva wrote:
> >> > >> > My 2 cents on it. Unless we have any strong argument for doing this,
> >> > >> > let's move forward with Docker. We already have a repository for this
> >> > >> > and I'm not sure if we have bandwidth to maintain 2 distinct
> >> > >> > repositories.
> >> > >> >
> >> > >> > Btw I'm curious, which real world scenario could you not reproduce with
> >> > >> > Docker?
> >> > >> I guess SPNEGO login with Firefox is the example of that scenario?
> >> > >>
> >> > >> If you want a workstation with Kerberos + SPNEGO, you will need to
> >> > >> configure the Kerberos client and your Firefox and then run FF inside a
> >> > >> Docker container and display it "locally" on your laptop. Or is something
> >> > >> like the "propagation" of X from Docker to your laptop possible? If yes,
> >> > >> then everything is doable with Docker though.
> >> > >>
> >> > >> Marek
> >> > >>
> >> > >> >
> >> > >> > On 2016-09-13, Thomas Raehalme wrote:
> >> > >> >> How about setting up multiple VMs with Vagrant but handling all
> >> > >> >> software components with Docker?
> >> > >> >>
> >> > >> >> Best of both worlds and also a simulation of the real world (which
> >> > >> >> could perhaps be used as a reference).
> >> > >> >>
> >> > >> >> Best regards,
> >> > >> >> Thomas
> >> > >> >>
> >> > >> >> On Sep 13, 2016 5:46 PM, "Scott Rossillo" <srossillo at smartling.com> wrote:
> >> > >> >>
> >> > >> >>> Vagrant leaves a funny taste in my mouth. Docker Compose to orchestrate
> >> > >> >>> things seems like a better option.
> >> > >> >>>
> >> > >> >>> Scott Rossillo
> >> > >> >>> Smartling | Senior Software Engineer
> >> > >> >>> srossillo at smartling.com
> >> > >> >>>
> >> > >> >>> On Sep 13, 2016, at 10:39 AM, Bruno Oliveira da Silva <bruno at abstractj.org> wrote:
> >> > >> >>>
> >> > >> >>> My question is: Docker or Vagrant?
> >> > >> >>>
> >> > >> >>> If we have plans to showcase SSSD Federation provider + things like
> >> > >> >>> start/stop sssd service to demonstrate the SSSD provider won't be
> >> > >> >>> enabled, I would say that Vagrant is easier and we can benefit from
> >> > >> >>> these boxes[1], otherwise we just stick with Marek's work.
> >> > >> >>>
> >> > >> >>> I will give DBus on Docker a second try, but last time I checked it
> >> > >> >>> wasn't fun.
> >> > >> >>>
> >> > >> >>> [1] - https://github.com/freeipa/freeipa-workshop
> >> > >> >>>
> >> > >> >>> On 2016-09-13, Stian Thorgersen wrote:
> >> > >> >>>
> >> > >> >>> Forgot to add two things:
> >> > >> >>>
> >> > >> >>> * DNS setup - we want proper DNS setup on the machines, which would be
> >> > >> >>> required for the Kerberos stuff to work properly
> >> > >> >>> * HTTPS - optional, but would be great if it also had HTTPS configured
> >> > >> >>>
> >> > >> >>> On 13 September 2016 at 09:24, Marek Posolda <mposolda at redhat.com> wrote:
> >> > >> >>>
> >> > >> >>> +1
> >> > >> >>>
> >> > >> >>> Few more things and tips (you may be already aware of them, but
> >> > >> >>> still.. Hope some of them are useful :) :
> >> > >> >>>
> >> > >> >>> - My docker image [1] already contains FreeIPA server and Keycloak
> >> > >> >>> server pre-configured with LDAP+Kerberos federation provider to use it.
> >> > >> >>> Thing is that both Keycloak+FreeIPA are on the same machine, which is
> >> > >> >>> likely not the best for showing a production setup. The workstation
> >> > >> >>> setup needs to be done on your local machine (so you need Kerberos
> >> > >> >>> client + Firefox setup on your laptop. That's sufficient for testing,
> >> > >> >>> but probably also not ideal for showcase).
> >> > >> >>>
> >> > >> >>> - In addition to FreeIPA docker images for the server, FreeIPA has
> >> > >> >>> also a docker image for client setup. See for example [2]. I am not
> >> > >> >>> 100% sure, but I believe that if you run this docker image and point
> >> > >> >>> it to the already running "server" image, you will gain also all the
> >> > >> >>> things like PAM setup, login to the workstation with Kerberos
> >> > >> >>> credentials, and automatically retrieved kerberos ticket during login.
> >> > >> >>> Hence you just login to the workstation, open firefox and you are
> >> > >> >>> authenticated to Keycloak. No need to manually run "kinit".
> >> > >> >>>
> >> > >> >>>
> >> > >> >>> The workstation will need to be a virtual machine rather than
> >> > >> >>> container to add X support. So IMO we should just use Vagrant and have
> >> > >> >>> FreeIPA and use Vagrantfile to install Fedora + FreeIPA.
> >> > >> >>>
> >> > >> >>>
> >> > >> >>>
> >> > >> >>> - If Keycloak and FreeIPA server are on different workstations, then:
> >> > >> >>> -- The Keycloak server may also need FreeIPA client installed. Or at
> >> > >> >>> least kerberos client installed with proper setup in /etc/krb5.conf
> >> > >> >>> pointing to FreeIPA kerberos realm and proper DNS setup working with
> >> > >> >>> FreeIPA.
> >> > >> >>>
> >> > >> >>>
> >> > >> >>>
> >> > >> >>> -- Also for different servers, you will likely need to add HTTP
> >> > >> >>> kerberos principal for the server where keycloak is running. For
> >> > >> >>> example if FreeIPA is on "freeipa.example.org" and keycloak is on
> >> > >> >>> "keycloak.example.org", you will need the principal like
> >> > >> >>> HTTP/keycloak.example.org@KEYCLOAK.ORG. This corresponds to LDAP
> >> > >> >>> principal under "cn=services,cn=accounts,dc=freeipa,dc=example,dc=org".
> >> > >> >>> Maybe FreeIPA has it documented somewhere and/or it's easily possible
> >> > >> >>> to add new HTTP server principal through FreeIPA admin console. You
> >> > >> >>> will also need keytab exported with the credentials of this principal.
> >> > >> >>> Note this step is not needed if Keycloak and FreeIPA are on the same
> >> > >> >>> machine as FreeIPA server automatically has HTTP principal for its own
> >> > >> >>> machine (something like HTTP/freeipa.example.org@KEYCLOAK.ORG for the
> >> > >> >>> example above), to allow login to FreeIPA admin console with kerberos
> >> > >> >>> OOTB.
> >> > >> >>>
> >> > >> >>>
> >> > >> >>> We should really figure out how to do this on separate machines, so I
> >> > >> >>> think going that way would be best even though it's harder to do.
> >> > >> >>>
> >> > >> >>>
> >> > >> >>>
> >> > >> >>>
> >> > >> >>> [1] https://github.com/mposolda/keycloak-freeipa-docker/
> >> > >> >>> [2] https://github.com/adelton/docker-freeipa/tree/fedora-22-client
> >> > >> >>>
> >> > >> >>> Marek
> >> > >> >>>
> >> > >> >>>
> >> > >> >>> On 13/09/16 08:07, Stian Thorgersen wrote:
> >> > >> >>>
> >> > >> >>> I'd like to have a simple way to demo LDAP and Kerberos support. To
> >> > >> >>> that end we should add a Vagrant setup with the following:
> >> > >> >>>
> >> > >> >>> * Keycloak server
> >> > >> >>> * MySQL or Postgres
> >> > >> >>> * FreeIPA
> >> > >> >>> * Workstation with Kerberos authentication (needs X and Firefox
> >> > >> >>> installed)
> >> > >> >>>
> >> > >> >>> The Keycloak server should already be configured to use the FreeIPA
> >> > >> >>> server as a user federation provider (using LDAP and Kerberos). The
> >> > >> >>> workstation can be co-located with FreeIPA server if it makes things
> >> > >> >>> much simpler, but it should be possible to login to the workstation
> >> > >> >>> with Kerberos. Firefox should be pre-configured for Kerberos to work
> >> > >> >>> both on Keycloak login and FreeIPA admin console.
> >> > >> >>>
> >> > >> >>> I want a proper database and a web based client for the database so
> >> > >> >>> it's simple to inspect the database.
> >> > >> >>>
> >> > >> >>> Bruno has already volunteered to look into this, but first we should
> >> > >> >>> make sure this is the setup we'd like to be able to showcase.
> >> > >> >>>
> >> > >> >>>
> >> > >> >>>
> >> > >> >>>
> >> > >> >>>
> >> > >> >>> _______________________________________________
> >> > >> >>> keycloak-dev mailing list
> >> > >> >>> keycloak-dev at lists.jboss.org
> >> > >> >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >> > >> >>>
> >> > >> >>>
> >> > >> >>>
> >> > >> >>> --
> >> > >> >>>
> >> > >> >>> abstractj
> >> > >> >>> PGP: 0x84DC9914
> >> > >> >>>
> >> > >> >>>
> >> > >> >>>
> >> > >> >>>
> >> > >> > --
> >> > >> >
> >> > >> > abstractj
> >> > >> > PGP: 0x84DC9914
> >> > >>
> >> > >>
> >> > >>
> >> > >
> >> > >
> >>
> >> --
> >>
> >> abstractj
> >> PGP: 0x84DC9914
> >>
> >
> >

--

abstractj
PGP: 0x84DC9914
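Marek's notes in the quoted thread on running Keycloak and FreeIPA on separate hosts (a Kerberos client on the Keycloak box pointing at the FreeIPA realm, an HTTP service principal for the Keycloak host, and a keytab exported for it) condensed into a script. This is an added example, not code from the thread or from the Keycloak or FreeIPA projects. The realm EXAMPLE.ORG, the host names and the keytab path are assumptions (the thread itself writes the realm as KEYCLOAK.ORG while using example.org host names); `ipa service-add` and `ipa-getkeytab` are the stock FreeIPA client commands, and the script prints them rather than running them, so it needs no FreeIPA installation to run.

```shell
#!/bin/sh
# Added example, not code from the thread or from Keycloak/FreeIPA.
# Produces the two artefacts a separate Keycloak host needs to accept Kerberos
# logins against a FreeIPA realm: its /etc/krb5.conf and the FreeIPA commands
# that register its HTTP service principal and export the keytab.
# Realm, host names and keytab path are assumptions; override them via environment.

REALM="${REALM:-EXAMPLE.ORG}"                 # assumed FreeIPA realm
IPA_HOST="${IPA_HOST:-freeipa.example.org}"   # FreeIPA server (KDC) named in the thread
KC_HOST="${KC_HOST:-keycloak.example.org}"    # Keycloak host named in the thread
KEYTAB="${KEYTAB:-/etc/keycloak/http.keytab}" # assumed keytab location on the Keycloak host
DOMAIN=$(printf '%s' "$REALM" | tr 'A-Z' 'a-z')   # DNS domain mapped onto the realm

# krb5.conf for the Keycloak box. The client locates the KDC through DNS SRV
# records (FreeIPA publishes them), which is why the thread insists on proper
# DNS; the explicit kdc entry is a fallback if DNS lookup fails.
render_krb5_conf() {
  cat <<EOF
[libdefaults]
  default_realm = $REALM
  dns_lookup_kdc = true
  dns_lookup_realm = false
  rdns = false

[realms]
  $REALM = {
    kdc = $IPA_HOST
    admin_server = $IPA_HOST
  }

[domain_realm]
  .$DOMAIN = $REALM
  $DOMAIN = $REALM
EOF
}

# FreeIPA commands to run (with an admin ticket) that create the HTTP principal
# for the Keycloak host and fetch its keytab. They are printed, not executed.
render_ipa_commands() {
  cat <<EOF
ipa service-add HTTP/$KC_HOST@$REALM
ipa-getkeytab -s $IPA_HOST -p HTTP/$KC_HOST@$REALM -k $KEYTAB
EOF
}

# The keytab is the service's long-term key. Returns 0 only if the file exists
# and is readable by its owner alone (mode 0600 or 0400); Keycloak should run
# as that owner.
check_keytab_perms() {
  f="$1"
  [ -f "$f" ] || return 1
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  case "$mode" in
    600|400) return 0 ;;
    *) return 1 ;;
  esac
}

# Stand-alone run: print both artefacts.
render_krb5_conf
echo
render_ipa_commands
```

Two things worth knowing before running the printed commands: `ipa service-add` expects the Keycloak host to already be known to FreeIPA (enrolled with `ipa-client-install` or added with `ipa host-add`), and `ipa-getkeytab` without `-r` generates a fresh key for the principal, so re-running it invalidates any keytab previously issued for it. Copy the resulting file to the Keycloak host over a secure channel and wire `check_keytab_perms` into the box's provisioning, since a world-readable keytab lets any local account act as the HTTP service.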

