<html><head><meta http-equiv="Content-Type" content="text/html charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Vagrant leaves funny taste in my mouth. Docker Compose to orchestrate things seems like a better option.<div class=""><br class=""><div class="">
<div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">Scott Rossillo</div><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">Smartling | Senior Software Engineer</div><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><a href="mailto:srossillo@smartling.com" class="">srossillo@smartling.com</a></div><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">
</div>
</div></div><br class=""><div><blockquote type="cite" class=""><div class="">On Sep 13, 2016, at 10:39 AM, Bruno Oliveira da Silva <<a href="mailto:bruno@abstractj.org" class="">bruno@abstractj.org</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div class="">My question is: Docker or Vagrant?<br class=""><br class="">If we have plans to showcase SSSD Federation provider + things like<br class="">start/stop sssd service to demonstrate the SSSD provider won't be<br class="">enabled. I would say that Vagrant is easier and we can benefit from<br class="">these boxes[1], otherwise we just stick with Marek's work.<br class=""><br class="">I will give DBus on Docker a second try, but last time I checked wasn't<br class="">fun.<br class=""><br class="">[1] - <a href="https://github.com/freeipa/freeipa-workshop" class="">https://github.com/freeipa/freeipa-workshop</a><br class=""><br class="">On 2016-09-13, Stian Thorgersen wrote:<br class=""><blockquote type="cite" class="">Forgot to add two things:<br class=""><br class="">* DNS setup - we want proper DNS setup on the machines, which would be<br class="">required for the Kerberos stuff to work properly<br class="">* HTTPS - optional, but would be great if it also had HTTPS configured<br class=""><br class="">On 13 September 2016 at 09:24, Marek Posolda <<a href="mailto:mposolda@redhat.com" class="">mposolda@redhat.com</a>> wrote:<br class=""><br class=""><blockquote type="cite" class="">+1<br class=""><br class="">Few more things and tips (you may be already aware of them, but still..<br class="">Hope some of them are useful :) :<br class=""><br class="">- My docker image [1] already contains FreeIPA server and Keycloak server<br class="">pre-configured with LDAP+Kerberos federation provider to use it. Thing is<br class="">that both Keycloak+FreeIPA are on same machine, which is likely not the<br class="">best for show production setup. The workstation setup needs to be done on<br class="">your local machine (so you need KErberos client + Firefox setup on your<br class="">laptop. That's sufficient for testing, but probably also not ideal for<br class="">showcase).<br class=""><br class="">- In addition to FreeIPA docker images for server, FreeIPA has also docker<br class="">image for client setup. See for example [2] . I am not 100% sure, but I<br class="">believe that if you run this docker image and point to the already running<br class="">"server" image, you will gain also all the things like PAM setup, login to<br class="">the workstation with Kerberos credentials, and automatically retrieved<br class="">kerberos ticket during login. Hence you just login to workstation, open<br class="">firefox and you are authenticated to Keycloak. No need to manually run<br class="">"kinit".<br class=""><br class=""></blockquote><br class="">The workstation will need to be a virtual machine rather than container to<br class="">add X support. So IMO we should just use Vagrant and have FreeIPA and<br class="">use Vagrantfile to install Fedora + FreeIPA.<br class=""><br class=""><br class=""><blockquote type="cite" class=""><br class="">- If Keycloak and FreeIPA server are on different workstations, then:<br class="">-- The Keycloak server may also need FreeIPA client installed. Or at least<br class="">kerberos client installed with proper setup in /etc/krb5.conf pointing to<br class="">FreeIPA kerberos realm and proper DNS setup working with FreeIPA.<br class=""></blockquote><br class=""><br class=""><blockquote type="cite" class="">-- Also for different servers, you will likely need to add HTTP kerberos<br class="">principal for the server where keycloak is running. For example if FreeIPA<br class="">is on "<a href="http://freeipa.example.org" class="">freeipa.example.org</a>" and keycloak is on "<a href="http://keycloak.example.org" class="">keycloak.example.org</a>",<br class="">you will need the principal like <a href="mailto:HTTP/keycloak.example.org@keycloak.org" class="">HTTP/keycloak.example.org@KEYCLOAK.ORG</a> .<br class="">This corresponds to LDAP principal under "cn=services,cn=accounts,dc=freeipa,dc=example,dc=org"<br class="">. Maybe FreeIPA has it documented somewhere and/or it's easily possible to<br class="">add new HTTP server principal through FreeIPA admin console. You will also<br class="">need keytab exported with the credentials of this principal.<br class="">Note this step is not needed if Keycloak and FreeIPA are on same machine<br class="">as FreeIPA server automatically has HTTP principal for it's own machine<br class="">(something like <a href="mailto:HTTP/freeipa.example.org@keycloak.org" class="">HTTP/freeipa.example.org@KEYCLOAK.ORG</a> for the example<br class="">above), to allow login to FreeIPA admin console with kerberos OOTB.<br class=""><br class=""></blockquote><br class="">We should really figure out how to do this on separate machines, so I think<br class="">going that way would be best even though it's harder to do.<br class=""><br class=""><br class=""><blockquote type="cite" class=""><br class=""><br class="">[1] <a href="https://github.com/mposolda/keycloak-freeipa-docker/" class="">https://github.com/mposolda/keycloak-freeipa-docker/</a><br class="">[2] <a href="https://github.com/adelton/docker-freeipa/tree/fedora-22-client" class="">https://github.com/adelton/docker-freeipa/tree/fedora-22-client</a><br class=""><br class="">Marek<br class=""><br class=""><br class="">On 13/09/16 08:07, Stian Thorgersen wrote:<br class=""><br class=""><blockquote type="cite" class="">I'd like to have a simple way to demo LDAP and Kerberos support. To that<br class="">end we should add a Vagrant setup with the following:<br class=""><br class="">* Keycloak server<br class="">* MySQL or Postgres<br class="">* FreeIPA<br class="">* Workstation with Kerberos authentication (needs X and Firefox installed)<br class=""><br class="">The Keycloak server should already be configured to use the FreeIPA<br class="">server as a user federation provider (using LDAP and Kerberos). The<br class="">workstation can be co-located with FreeIPA server if it makes things much<br class="">simpler, but it should be possible to login to the workstation with<br class="">Kerberos. Firefox should be pre-configured for Kerberos to work both on<br class="">Keycloak login and FreeIPA admin console.<br class=""><br class="">I want a proper database and a web based client for the database so it's<br class="">simple to inspect the database.<br class=""><br class="">Bruno has already volunteered to look into this, but first we should make<br class="">sure this is the setup we'd like to be able to showcase.<br class=""><br class=""></blockquote><br class=""><br class=""><br class=""></blockquote></blockquote><br class=""><blockquote type="cite" class="">_______________________________________________<br class="">keycloak-dev mailing list<br class=""><a href="mailto:keycloak-dev@lists.jboss.org" class="">keycloak-dev@lists.jboss.org</a><br class="">https://lists.jboss.org/mailman/listinfo/keycloak-dev<br class=""></blockquote><br class=""><br class="">--<br class=""><br class="">abstractj<br class="">PGP: 0x84DC9914<br class="">_______________________________________________<br class="">keycloak-dev mailing list<br class=""><a href="mailto:keycloak-dev@lists.jboss.org" class="">keycloak-dev@lists.jboss.org</a><br class="">https://lists.jboss.org/mailman/listinfo/keycloak-dev<br class=""></div></div></blockquote></div><br class=""></div></body></html>