<p dir="ltr">How about setting up multiple VMs with Vagrant but handling all software components with Docker? </p>
<p dir="ltr">Best of both worlds and also a simulation of the real world (which could perhaps be used as a reference).</p>
<p dir="ltr">Best regards,<br>
Thomas<br>
</p>
<div class="gmail_extra"><br><div class="gmail_quote">On Sep 13, 2016 5:46 PM, "Scott Rossillo" <<a href="mailto:srossillo@smartling.com">srossillo@smartling.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word">Vagrant leaves funny taste in my mouth. Docker Compose to orchestrate things seems like a better option.<div><br><div>
<div style="color:rgb(0,0,0);letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wrap:break-word"><div style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">Scott Rossillo</div><div style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">Smartling | Senior Software Engineer</div><div style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><a href="mailto:srossillo@smartling.com" target="_blank">srossillo@smartling.com</a></div><div style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">
</div>
</div></div><br><div><blockquote type="cite"><div>On Sep 13, 2016, at 10:39 AM, Bruno Oliveira da Silva <<a href="mailto:bruno@abstractj.org" target="_blank">bruno@abstractj.org</a>> wrote:</div><br><div><div>My question is: Docker or Vagrant?<br><br>If we have plans to showcase SSSD Federation provider + things like<br>start/stop sssd service to demonstrate the SSSD provider won't be<br>enabled. I would say that Vagrant is easier and we can benefit from<br>these boxes[1], otherwise we just stick with Marek's work.<br><br>I will give DBus on Docker a second try, but last time I checked wasn't<br>fun.<br><br>[1] - <a href="https://github.com/freeipa/freeipa-workshop" target="_blank">https://github.com/freeipa/<wbr>freeipa-workshop</a><br><br>On 2016-09-13, Stian Thorgersen wrote:<br><blockquote type="cite">Forgot to add two things:<br><br>* DNS setup - we want proper DNS setup on the machines, which would be<br>required for the Kerberos stuff to work properly<br>* HTTPS - optional, but would be great if it also had HTTPS configured<br><br>On 13 September 2016 at 09:24, Marek Posolda <<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>> wrote:<br><br><blockquote type="cite">+1<br><br>Few more things and tips (you may be already aware of them, but still..<br>Hope some of them are useful :) :<br><br>- My docker image [1] already contains FreeIPA server and Keycloak server<br>pre-configured with LDAP+Kerberos federation provider to use it. Thing is<br>that both Keycloak+FreeIPA are on same machine, which is likely not the<br>best for show production setup. The workstation setup needs to be done on<br>your local machine (so you need KErberos client + Firefox setup on your<br>laptop. That's sufficient for testing, but probably also not ideal for<br>showcase).<br><br>- In addition to FreeIPA docker images for server, FreeIPA has also docker<br>image for client setup. See for example [2] . I am not 100% sure, but I<br>believe that if you run this docker image and point to the already running<br>"server" image, you will gain also all the things like PAM setup, login to<br>the workstation with Kerberos credentials, and automatically retrieved<br>kerberos ticket during login. Hence you just login to workstation, open<br>firefox and you are authenticated to Keycloak. No need to manually run<br>"kinit".<br><br></blockquote><br>The workstation will need to be a virtual machine rather than container to<br>add X support. So IMO we should just use Vagrant and have FreeIPA and<br>use Vagrantfile to install Fedora + FreeIPA.<br><br><br><blockquote type="cite"><br>- If Keycloak and FreeIPA server are on different workstations, then:<br>-- The Keycloak server may also need FreeIPA client installed. Or at least<br>kerberos client installed with proper setup in /etc/krb5.conf pointing to<br>FreeIPA kerberos realm and proper DNS setup working with FreeIPA.<br></blockquote><br><br><blockquote type="cite">-- Also for different servers, you will likely need to add HTTP kerberos<br>principal for the server where keycloak is running. For example if FreeIPA<br>is on "<a href="http://freeipa.example.org" target="_blank">freeipa.example.org</a>" and keycloak is on "<a href="http://keycloak.example.org" target="_blank">keycloak.example.org</a>",<br>you will need the principal like <a href="mailto:HTTP/keycloak.example.org@keycloak.org" target="_blank">HTTP/keycloak.example.org@<wbr>KEYCLOAK.ORG</a> .<br>This corresponds to LDAP principal under "cn=services,cn=accounts,dc=<wbr>freeipa,dc=example,dc=org"<br>. Maybe FreeIPA has it documented somewhere and/or it's easily possible to<br>add new HTTP server principal through FreeIPA admin console. You will also<br>need keytab exported with the credentials of this principal.<br>Note this step is not needed if Keycloak and FreeIPA are on same machine<br>as FreeIPA server automatically has HTTP principal for it's own machine<br>(something like <a href="mailto:HTTP/freeipa.example.org@keycloak.org" target="_blank">HTTP/freeipa.example.org@<wbr>KEYCLOAK.ORG</a> for the example<br>above), to allow login to FreeIPA admin console with kerberos OOTB.<br><br></blockquote><br>We should really figure out how to do this on separate machines, so I think<br>going that way would be best even though it's harder to do.<br><br><br><blockquote type="cite"><br><br>[1] <a href="https://github.com/mposolda/keycloak-freeipa-docker/" target="_blank">https://github.com/mposolda/<wbr>keycloak-freeipa-docker/</a><br>[2] <a href="https://github.com/adelton/docker-freeipa/tree/fedora-22-client" target="_blank">https://github.com/adelton/<wbr>docker-freeipa/tree/fedora-22-<wbr>client</a><br><br>Marek<br><br><br>On 13/09/16 08:07, Stian Thorgersen wrote:<br><br><blockquote type="cite">I'd like to have a simple way to demo LDAP and Kerberos support. To that<br>end we should add a Vagrant setup with the following:<br><br>* Keycloak server<br>* MySQL or Postgres<br>* FreeIPA<br>* Workstation with Kerberos authentication (needs X and Firefox installed)<br><br>The Keycloak server should already be configured to use the FreeIPA<br>server as a user federation provider (using LDAP and Kerberos). The<br>workstation can be co-located with FreeIPA server if it makes things much<br>simpler, but it should be possible to login to the workstation with<br>Kerberos. Firefox should be pre-configured for Kerberos to work both on<br>Keycloak login and FreeIPA admin console.<br><br>I want a proper database and a web based client for the database so it's<br>simple to inspect the database.<br><br>Bruno has already volunteered to look into this, but first we should make<br>sure this is the setup we'd like to be able to showcase.<br><br></blockquote><br><br><br></blockquote></blockquote><br><blockquote type="cite">______________________________<wbr>_________________<br>keycloak-dev mailing list<br><a href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a><br><a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" target="_blank">https://lists.jboss.org/<wbr>mailman/listinfo/keycloak-dev</a><br></blockquote><br><br>--<br><br>abstractj<br>PGP: 0x84DC9914<br>______________________________<wbr>_________________<br>keycloak-dev mailing list<br><a href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a><br><a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" target="_blank">https://lists.jboss.org/<wbr>mailman/listinfo/keycloak-dev</a><br></div></div></blockquote></div><br></div></div><br>______________________________<wbr>_________________<br>
keycloak-dev mailing list<br>
<a href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/<wbr>mailman/listinfo/keycloak-dev</a><br></blockquote></div></div>