<div dir="ltr">Bruno - notice the missing fix version! It's a nice-to-have background task and not a high priority at the moment.</div><div class="gmail_extra"><br><div class="gmail_quote">On 14 September 2016 at 13:12, Stian Thorgersen <span dir="ltr"><<a href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>We do now:</div><a href="https://issues.jboss.org/browse/KEYCLOAK-3577" target="_blank">https://issues.jboss.org/browse/KEYCLOAK-3577</a></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On 14 September 2016 at 12:11, Bruno Oliveira da Silva <span dir="ltr"><<a href="mailto:bruno@abstractj.org" target="_blank">bruno@abstractj.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">+1 Not arguing in favor or against it, but thinking about what you<br>
described, it seems like the solution is a combination of both: Vagrant and Docker.<br>
<br>
Do we have a Jira for this?<br>
<div><div><br>
On 2016-09-14, Stian Thorgersen wrote:<br>
> To elaborate I could eventually see us having a big demo setup in the form<br>
> of:<br>
><br>
> * Keycloak or RH-SSO box<br>
> * Database box<br>
> * FreeIPA box<br>
> * Active Directory box<br>
> * Some SAML provider<br>
> * Some OIDC provider<br>
> * Fedora workstation<br>
> * Windows workstation<br>
><br>
> Everything ready to go to show Keycloak as a fully capable identity<br>
> federation platform.<br>
><br>
> On 14 September 2016 at 09:32, Stian Thorgersen <<a href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a>> wrote:<br>
><br>
> > I want a full desktop and to show user login via desktop login, not a Kerberos<br>
> > client. So full Gnome is required. Also, I think the DNS setup as well as<br>
> > orchestration may be simpler with Vagrant than Docker.<br>
> ><br>
> > We also may want to extend this to include good old Microsoft software in<br>
> > the form of Windows and Active Directory. In that case Docker is a show<br>
> > stopper and Vagrant/VMs is the only option.<br>
> ><br>
> > On 13 September 2016 at 21:46, Marek Posolda <<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>> wrote:<br>
> ><br>
> >> On 13/09/16 21:10, Bruno Oliveira da Silva wrote:<br>
> >> > My 2 cents on it. Unless we have any strong argument for doing this,<br>
> >> > let's move forward with Docker. We already have a repository for this<br>
> >> > and I'm not sure if we have bandwidth to maintain 2 distinct<br>
> >> repositories.<br>
> >> ><br>
> >> > Btw I'm curious, which real world scenario you could not reproduce with<br>
> >> > Docker?<br>
> >> I guess SPNEGO login with Firefox is the example of that scenario?<br>
> >><br>
> >> If you want a workstation with Kerberos + SPNEGO, you will need to<br>
> >> configure a kerberos client and your Firefox and then run FF inside a docker<br>
> >> container and display it "locally" on your laptop. Or is something<br>
> >> like the "propagation" of X from docker to your laptop possible? If yes,<br>
> >> then everything is doable with docker though.<br>
> >><br>
> >> Marek<br>
> >><br>
> >> ><br>
> >> > On 2016-09-13, Thomas Raehalme wrote:<br>
> >> >> How about setting up multiple VMs with Vagrant but handling all<br>
> >> software<br>
> >> >> components with Docker?<br>
> >> >><br>
> >> >> Best of both worlds and also a simulation of the real world (which<br>
> >> could<br>
> >> >> perhaps be used as a reference).<br>
> >> >><br>
> >> >> Best regards,<br>
> >> >> Thomas<br>
> >> >><br>
> >> >> On Sep 13, 2016 5:46 PM, "Scott Rossillo" <<a href="mailto:srossillo@smartling.com" target="_blank">srossillo@smartling.com</a>><br>
> >> wrote:<br>
> >> >><br>
> >> >>> Vagrant leaves a funny taste in my mouth. Docker Compose to orchestrate<br>
> >> >>> things seems like a better option.<br>
> >> >>><br>
> >> >>> Scott Rossillo<br>
> >> >>> Smartling | Senior Software Engineer<br>
> >> >>> <a href="mailto:srossillo@smartling.com" target="_blank">srossillo@smartling.com</a><br>
> >> >>><br>
> >> >>> On Sep 13, 2016, at 10:39 AM, Bruno Oliveira da Silva <<br>
> >> <a href="mailto:bruno@abstractj.org" target="_blank">bruno@abstractj.org</a>><br>
> >> >>> wrote:<br>
> >> >>><br>
> >> >>> My question is: Docker or Vagrant?<br>
> >> >>><br>
> >> >>> If we have plans to showcase the SSSD Federation provider + things like<br>
> >> >>> starting/stopping the sssd service to demonstrate that the SSSD provider won't be<br>
> >> >>> enabled, I would say that Vagrant is easier and we can benefit from<br>
> >> >>> these boxes[1]; otherwise we just stick with Marek's work.<br>
> >> >>><br>
> >> >>> I will give DBus on Docker a second try, but last time I checked it wasn't fun.<br>
> >> >>><br>
> >> >>> [1] - <a href="https://github.com/freeipa/freeipa-workshop" rel="noreferrer" target="_blank">https://github.com/freeipa/freeipa-workshop</a><br>
> >> >>><br>
> >> >>> On 2016-09-13, Stian Thorgersen wrote:<br>
> >> >>><br>
> >> >>> Forgot to add two things:<br>
> >> >>><br>
> >> >>> * DNS setup - we want proper DNS setup on the machines, which would be<br>
> >> >>> required for the Kerberos stuff to work properly<br>
> >> >>> * HTTPS - optional, but would be great if it also had HTTPS configured<br>
> >> >>><br>
> >> >>> On 13 September 2016 at 09:24, Marek Posolda <<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>><br>
> >> wrote:<br>
> >> >>><br>
> >> >>> +1<br>
> >> >>><br>
> >> >>> A few more things and tips (you may already be aware of them, but still...<br>
> >> >>> hope some of them are useful :)):<br>
> >> >>><br>
> >> >>> - My docker image [1] already contains FreeIPA server and Keycloak server<br>
> >> >>> pre-configured with the LDAP+Kerberos federation provider to use it. The thing is<br>
> >> >>> that both Keycloak+FreeIPA are on the same machine, which is likely not the<br>
> >> >>> best for showing a production setup. The workstation setup needs to be done on<br>
> >> >>> your local machine (so you need Kerberos client + Firefox setup on your<br>
> >> >>> laptop. That's sufficient for testing, but probably also not ideal for<br>
> >> >>> a showcase).<br>
> >> >>><br>
> >> >>> - In addition to FreeIPA docker images for the server, FreeIPA also has a docker<br>
> >> >>> image for client setup. See for example [2]. I am not 100% sure, but I<br>
> >> >>> believe that if you run this docker image and point it to the already running<br>
> >> >>> "server" image, you will also gain all the things like PAM setup, login to<br>
> >> >>> the workstation with Kerberos credentials, and automatically retrieved<br>
> >> >>> kerberos ticket during login. Hence you just log in to the workstation, open<br>
> >> >>> firefox and you are authenticated to Keycloak. No need to manually run<br>
> >> >>> "kinit".<br>
> >> >>><br>
> >> >>><br>
> >> >>> The workstation will need to be a virtual machine rather than a container to<br>
> >> >>> add X support. So IMO we should just use Vagrant and have FreeIPA and<br>
> >> >>> use a Vagrantfile to install Fedora + FreeIPA.<br>
> >> >>><br>
> >> >>><br>
> >> >>><br>
> >> >>> - If Keycloak and FreeIPA server are on different workstations, then:<br>
> >> >>> -- The Keycloak server may also need the FreeIPA client installed. Or at least<br>
> >> >>> a kerberos client installed with proper setup in /etc/krb5.conf pointing to<br>
> >> >>> the FreeIPA kerberos realm and proper DNS setup working with FreeIPA.<br>
> >> >>><br>
> >> >>><br>
> >> >>><br>
> >> >>> -- Also for different servers, you will likely need to add an HTTP kerberos<br>
> >> >>> principal for the server where keycloak is running. For example if FreeIPA<br>
> >> >>> is on "<a href="http://freeipa.example.org" rel="noreferrer" target="_blank">freeipa.example.org</a>" and keycloak is on "<a href="http://keycloak.example.org" rel="noreferrer" target="_blank">keycloak.example.org</a>",<br>
> >> >>> you will need a principal like HTTP/keycloak.example.org@KEYCLOAK.ORG.<br>
> >> >>> This corresponds to the LDAP principal under "cn=services,cn=accounts,dc=freeipa,dc=example,dc=org".<br>
> >> >>> Maybe FreeIPA has it documented somewhere and/or it's easily<br>
> >> possible to<br>
> >> >>> add new HTTP server principal through FreeIPA admin console. You will<br>
> >> also<br>
> >> >>> need keytab exported with the credentials of this principal.<br>
> >> >>> Note this step is not needed if Keycloak and FreeIPA are on the same machine<br>
> >> >>> as FreeIPA server automatically has an HTTP principal for its own machine<br>
> >> >>> (something like HTTP/freeipa.example.org@KEYCLOAK.ORG for the example<br>
> >> >>> above), to allow login to FreeIPA admin console with kerberos OOTB.<br>
> >> >>><br>
> >> >>><br>
> >> >>> We should really figure out how to do this on separate machines, so I<br>
> >> think<br>
> >> >>> going that way would be best even though it's harder to do.<br>
> >> >>><br>
> >> >>><br>
> >> >>><br>
> >> >>><br>
> >> >>> [1] <a href="https://github.com/mposolda/keycloak-freeipa-docker/" rel="noreferrer" target="_blank">https://github.com/mposolda/keycloak-freeipa-docker/</a><br>
> >> >>> [2] <a href="https://github.com/adelton/docker-freeipa/tree/fedora-22-client" rel="noreferrer" target="_blank">https://github.com/adelton/docker-freeipa/tree/fedora-22-client</a><br>
> >> >>><br>
> >> >>> Marek<br>
> >> >>><br>
> >> >>><br>
> >> >>> On 13/09/16 08:07, Stian Thorgersen wrote:<br>
> >> >>><br>
> >> >>> I'd like to have a simple way to demo LDAP and Kerberos support. To<br>
> >> that<br>
> >> >>> end we should add a Vagrant setup with the following:<br>
> >> >>><br>
> >> >>> * Keycloak server<br>
> >> >>> * MySQL or Postgres<br>
> >> >>> * FreeIPA<br>
> >> >>> * Workstation with Kerberos authentication (needs X and Firefox<br>
> >> installed)<br>
> >> >>><br>
> >> >>> The Keycloak server should already be configured to use the FreeIPA<br>
> >> >>> server as a user federation provider (using LDAP and Kerberos). The<br>
> >> >>> workstation can be co-located with FreeIPA server if it makes things<br>
> >> much<br>
> >> >>> simpler, but it should be possible to log in to the workstation with<br>
> >> >>> Kerberos. Firefox should be pre-configured for Kerberos to work both<br>
> >> on<br>
> >> >>> Keycloak login and FreeIPA admin console.<br>
> >> >>><br>
> >> >>> I want a proper database and a web based client for the database so<br>
> >> it's<br>
> >> >>> simple to inspect the database.<br>
> >> >>><br>
> >> >>> Bruno has already volunteered to look into this, but first we should<br>
> >> make<br>
> >> >>> sure this is the setup we'd like to be able to showcase.<br>
> >> >>><br>
> >> >>><br>
> >> >>><br>
> >> >>><br>
> >> >>><br>
> >> >>> _______________________________________________<br>
> >> >>> keycloak-dev mailing list<br>
> >> >>> <a href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a><br>
> >> >>> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br>
> >> >>><br>
> >> >>><br>
> >> >>><br>
> >> >>> --<br>
> >> >>><br>
> >> >>> abstractj<br>
> >> >>> PGP: 0x84DC9914<br>
> >> >>><br>
> >> >>><br>
> >> >>><br>
> >> >>><br>
> >> > --<br>
> >> ><br>
> >> > abstractj<br>
> >> > PGP: 0x84DC9914<br>
> >><br>
> >><br>
> >><br>
> ><br>
> ><br>
<br>
</div></div>--<br>
<br>
abstractj<br>
PGP: 0x84DC9914<br>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div>
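Marek's point in the quoted thread about running Keycloak and FreeIPA on separate hosts (krb5.conf pointing at the FreeIPA realm, an HTTP service principal for the Keycloak host, and an exported keytab) as a Vagrant provisioning script; this is an added example, not code from the thread, the Keycloak project or the FreeIPA project. The hostnames and realm are the thread's example values; the keytab path and the `keycloak` service user are assumptions.

```shell
#!/bin/sh
# Provisioning for a Keycloak box whose FreeIPA server lives on another host.
# Hostnames and realm are the thread's example values; the keytab path and the
# "keycloak" service user are assumptions (adjust for your own Vagrantfile).
set -eu
IPA_SERVER="${IPA_SERVER:-freeipa.example.org}"
KC_HOST="${KC_HOST:-keycloak.example.org}"
REALM="${REALM:-KEYCLOAK.ORG}"
DOMAIN="${DOMAIN:-example.org}"
KEYTAB="${KEYTAB:-/etc/keycloak/http.keytab}"

# The service principal Keycloak's Kerberos federation provider must use.
http_principal() { printf 'HTTP/%s@%s\n' "$KC_HOST" "$REALM"; }
# Write a minimal krb5.conf that points at the FreeIPA KDC explicitly. DNS
# lookups are off so the demo does not depend on SRV records being right;
# turn them back on once the proper DNS setup from the thread is in place.
write_krb5_conf() {
  cat > "$1" <<EOF
[libdefaults]
  default_realm = $REALM
  dns_lookup_kdc = false
  dns_lookup_realm = false
  rdns = false

[realms]
  $REALM = {
    kdc = $IPA_SERVER
    admin_server = $IPA_SERVER
  }

[domain_realm]
  .$DOMAIN = $REALM
  $DOMAIN = $REALM
EOF
}
# Register the HTTP principal in FreeIPA (skipped if it already exists) and
# fetch its keytab; needs an admin ticket on this box first (kinit admin).
# Caveat: ipa-getkeytab issues a new key, so any older keytab for the same
# principal stops working. Run this once per host, not on every boot.
provision_http_principal() {
  p="$(http_principal)"
  ipa service-show "$p" >/dev/null 2>&1 || ipa service-add "$p"
  ipa-getkeytab -s "$IPA_SERVER" -p "$p" -k "$KEYTAB"
  chown keycloak:keycloak "$KEYTAB"
  chmod 600 "$KEYTAB"   # only the Keycloak process should read the key
}

if [ "${1:-}" = "provision" ]; then
  write_krb5_conf /etc/krb5.conf && provision_http_principal
fi
```

Run it as `sh provision-keycloak.sh provision` from the Vagrant shell provisioner after `kinit admin`; without the argument it only defines the functions, so the krb5.conf template can be inspected first.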