1:07 a.m.
I'd like to have a simple way to demo LDAP and Kerberos support. To that
end we should add a Vagrant setup with the following:
* Keycloak server
* MySQL or Postgres
* FreeIPA
* Workstation with Kerberos authentication (needs X and Firefox installed)
The Keycloak server should already be configured to use the FreeIPA server
as a user federation provider (using LDAP and Kerberos). The workstation
can be co-located with FreeIPA server if it makes things much simpler, but
it should be possible to login to the workstation with Kerberos. Firefox
should be pre-configured for Kerberos to work both on Keycloak login and
FreeIPA admin console.
I want a proper database and a web based client for the database so it's
simple to inspect the database.
Bruno has already volunteered to look into this, but first we should make
sure this is the setup we'd like to be able to showcase.
2:24 a.m.
+1
Few more things and tips (you may be already aware of them, but still..
Hope some of them are useful :) :
- My docker image [1] already contains FreeIPA server and Keycloak
server pre-configured with LDAP+Kerberos federation provider to use it.
Thing is that both Keycloak+FreeIPA are on same machine, which is likely
not the best for show production setup. The workstation setup needs to
be done on your local machine (so you need KErberos client + Firefox
setup on your laptop. That's sufficient for testing, but probably also
not ideal for showcase).
- In addition to FreeIPA docker images for server, FreeIPA has also
docker image for client setup. See for example [2] . I am not 100% sure,
but I believe that if you run this docker image and point to the already
running "server" image, you will gain also all the things like PAM
setup, login to the workstation with Kerberos credentials, and
automatically retrieved kerberos ticket during login. Hence you just
login to workstation, open firefox and you are authenticated to
Keycloak. No need to manually run "kinit".
- If Keycloak and FreeIPA server are on different workstations, then:
-- The Keycloak server may also need FreeIPA client installed. Or at
least kerberos client installed with proper setup in /etc/krb5.conf
pointing to FreeIPA kerberos realm and proper DNS setup working with
FreeIPA.
-- Also for different servers, you will likely need to add HTTP kerberos
principal for the server where keycloak is running. For example if
FreeIPA is on "freeipa.example.org" and keycloak is on
"keycloak.example.org", you will need the principal like
HTTP/keycloak.example.org(a)KEYCLOAK.ORG . This corresponds to LDAP
principal under "cn=services,cn=accounts,dc=freeipa,dc=example,dc=org" .
Maybe FreeIPA has it documented somewhere and/or it's easily possible to
add new HTTP server principal through FreeIPA admin console. You will
also need keytab exported with the credentials of this principal.
Note this step is not needed if Keycloak and FreeIPA are on same machine
as FreeIPA server automatically has HTTP principal for it's own machine
(something like HTTP/freeipa.example.org(a)KEYCLOAK.ORG for the example
above), to allow login to FreeIPA admin console with kerberos OOTB.
[1] https://github.com/mposolda/keycloak-freeipa-docker/
[2] https://github.com/adelton/docker-freeipa/tree/fedora-22-client
Marek
On 13/09/16 08:07, Stian Thorgersen wrote:
I'd like to have a simple way to demo LDAP and Kerberos support.
To
that end we should add a Vagrant setup with the following:
* Keycloak server
* MySQL or Postgres
* FreeIPA
* Workstation with Kerberos authentication (needs X and Firefox installed)
The Keycloak server should already be configured to use the FreeIPA
server as a user federation provider (using LDAP and Kerberos). The
workstation can be co-located with FreeIPA server if it makes things
much simpler, but it should be possible to login to the workstation
with Kerberos. Firefox should be pre-configured for Kerberos to work
both on Keycloak login and FreeIPA admin console.
I want a proper database and a web based client for the database so
it's simple to inspect the database.
Bruno has already volunteered to look into this, but first we should
make sure this is the setup we'd like to be able to showcase.
3 a.m.
Forgot to add two things:
* DNS setup - we want proper DNS setup on the machines, which would be
required for the Kerberos stuff to work properly
* HTTPS - optional, but would be great if it also had HTTPS configured
On 13 September 2016 at 09:24, Marek Posolda <mposolda(a)redhat.com> wrote:
+1
Few more things and tips (you may be already aware of them, but still..
Hope some of them are useful :) :
- My docker image [1] already contains FreeIPA server and Keycloak server
pre-configured with LDAP+Kerberos federation provider to use it. Thing is
that both Keycloak+FreeIPA are on same machine, which is likely not the
best for show production setup. The workstation setup needs to be done on
your local machine (so you need KErberos client + Firefox setup on your
laptop. That's sufficient for testing, but probably also not ideal for
showcase).
- In addition to FreeIPA docker images for server, FreeIPA has also docker
image for client setup. See for example [2] . I am not 100% sure, but I
believe that if you run this docker image and point to the already running
"server" image, you will gain also all the things like PAM setup, login to
the workstation with Kerberos credentials, and automatically retrieved
kerberos ticket during login. Hence you just login to workstation, open
firefox and you are authenticated to Keycloak. No need to manually run
"kinit".
The workstation will need to be a virtual machine rather than container to
add X support. So IMO we should just use Vagrant and have FreeIPA and
use Vagrantfile to install Fedora + FreeIPA.
- If Keycloak and FreeIPA server are on different workstations, then:
-- The Keycloak server may also need FreeIPA client installed. Or at least
kerberos client installed with proper setup in /etc/krb5.conf pointing to
FreeIPA kerberos realm and proper DNS setup working with FreeIPA.
-- Also for different servers, you will likely need to add HTTP
kerberos
principal for the server where keycloak is running. For example if FreeIPA
is on "freeipa.example.org" and keycloak is on
"keycloak.example.org",
you will need the principal like HTTP/keycloak.example.org(a)KEYCLOAK.ORG .
This corresponds to LDAP principal under
"cn=services,cn=accounts,dc=freeipa,dc=example,dc=org"
. Maybe FreeIPA has it documented somewhere and/or it's easily possible to
add new HTTP server principal through FreeIPA admin console. You will also
need keytab exported with the credentials of this principal.
Note this step is not needed if Keycloak and FreeIPA are on same machine
as FreeIPA server automatically has HTTP principal for it's own machine
(something like HTTP/freeipa.example.org(a)KEYCLOAK.ORG for the example
above), to allow login to FreeIPA admin console with kerberos OOTB.
We should really figure out how to do this on separate machines, so I think
going that way would be best even though it's harder to do.
[1] https://github.com/mposolda/keycloak-freeipa-docker/
[2] https://github.com/adelton/docker-freeipa/tree/fedora-22-client
Marek
On 13/09/16 08:07, Stian Thorgersen wrote:
> I'd like to have a simple way to demo LDAP and Kerberos support. To that
> end we should add a Vagrant setup with the following:
>
> * Keycloak server
> * MySQL or Postgres
> * FreeIPA
> * Workstation with Kerberos authentication (needs X and Firefox installed)
>
> The Keycloak server should already be configured to use the FreeIPA
> server as a user federation provider (using LDAP and Kerberos). The
> workstation can be co-located with FreeIPA server if it makes things much
> simpler, but it should be possible to login to the workstation with
> Kerberos. Firefox should be pre-configured for Kerberos to work both on
> Keycloak login and FreeIPA admin console.
>
> I want a proper database and a web based client for the database so it's
> simple to inspect the database.
>
> Bruno has already volunteered to look into this, but first we should make
> sure this is the setup we'd like to be able to showcase.
>
9:39 a.m.
My question is: Docker or Vagrant?
If we have plans to showcase SSSD Federation provider + things like
start/stop sssd service to demonstrate the SSSD provider won't be
enabled. I would say that Vagrant is easier and we can benefit from
these boxes[1], otherwise we just stick with Marek's work.
I will give DBus on Docker a second try, but last time I checked wasn't
fun.
[1] - https://github.com/freeipa/freeipa-workshop
On 2016-09-13, Stian Thorgersen wrote:
Forgot to add two things:
* DNS setup - we want proper DNS setup on the machines, which would be
required for the Kerberos stuff to work properly
* HTTPS - optional, but would be great if it also had HTTPS configured
On 13 September 2016 at 09:24, Marek Posolda <mposolda(a)redhat.com> wrote:
> +1
>
> Few more things and tips (you may be already aware of them, but still..
> Hope some of them are useful :) :
>
> - My docker image [1] already contains FreeIPA server and Keycloak server
> pre-configured with LDAP+Kerberos federation provider to use it. Thing is
> that both Keycloak+FreeIPA are on same machine, which is likely not the
> best for show production setup. The workstation setup needs to be done on
> your local machine (so you need KErberos client + Firefox setup on your
> laptop. That's sufficient for testing, but probably also not ideal for
> showcase).
>
> - In addition to FreeIPA docker images for server, FreeIPA has also docker
> image for client setup. See for example [2] . I am not 100% sure, but I
> believe that if you run this docker image and point to the already running
> "server" image, you will gain also all the things like PAM setup, login
to
> the workstation with Kerberos credentials, and automatically retrieved
> kerberos ticket during login. Hence you just login to workstation, open
> firefox and you are authenticated to Keycloak. No need to manually run
> "kinit".
>
The workstation will need to be a virtual machine rather than container to
add X support. So IMO we should just use Vagrant and have FreeIPA and
use Vagrantfile to install Fedora + FreeIPA.
>
> - If Keycloak and FreeIPA server are on different workstations, then:
> -- The Keycloak server may also need FreeIPA client installed. Or at least
> kerberos client installed with proper setup in /etc/krb5.conf pointing to
> FreeIPA kerberos realm and proper DNS setup working with FreeIPA.
> -- Also for different servers, you will likely need to add HTTP kerberos
> principal for the server where keycloak is running. For example if FreeIPA
> is on "freeipa.example.org" and keycloak is on
"keycloak.example.org",
> you will need the principal like HTTP/keycloak.example.org(a)KEYCLOAK.ORG .
> This corresponds to LDAP principal under
"cn=services,cn=accounts,dc=freeipa,dc=example,dc=org"
> . Maybe FreeIPA has it documented somewhere and/or it's easily possible to
> add new HTTP server principal through FreeIPA admin console. You will also
> need keytab exported with the credentials of this principal.
> Note this step is not needed if Keycloak and FreeIPA are on same machine
> as FreeIPA server automatically has HTTP principal for it's own machine
> (something like HTTP/freeipa.example.org(a)KEYCLOAK.ORG for the example
> above), to allow login to FreeIPA admin console with kerberos OOTB.
>
We should really figure out how to do this on separate machines, so I think
going that way would be best even though it's harder to do.
>
>
> [1] https://github.com/mposolda/keycloak-freeipa-docker/
> [2] https://github.com/adelton/docker-freeipa/tree/fedora-22-client
>
> Marek
>
>
> On 13/09/16 08:07, Stian Thorgersen wrote:
>
>> I'd like to have a simple way to demo LDAP and Kerberos support. To that
>> end we should add a Vagrant setup with the following:
>>
>> * Keycloak server
>> * MySQL or Postgres
>> * FreeIPA
>> * Workstation with Kerberos authentication (needs X and Firefox installed)
>>
>> The Keycloak server should already be configured to use the FreeIPA
>> server as a user federation provider (using LDAP and Kerberos). The
>> workstation can be co-located with FreeIPA server if it makes things much
>> simpler, but it should be possible to login to the workstation with
>> Kerberos. Firefox should be pre-configured for Kerberos to work both on
>> Keycloak login and FreeIPA admin console.
>>
>> I want a proper database and a web based client for the database so it's
>> simple to inspect the database.
>>
>> Bruno has already volunteered to look into this, but first we should make
>> sure this is the setup we'd like to be able to showcase.
>>
>
>
>
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
abstractj
PGP: 0x84DC9914
9:46 a.m.
Vagrant leaves funny taste in my mouth. Docker Compose to orchestrate things seems like a
better option.
Scott Rossillo
Smartling | Senior Software Engineer
srossillo(a)smartling.com
On Sep 13, 2016, at 10:39 AM, Bruno Oliveira da Silva
<bruno(a)abstractj.org> wrote:
My question is: Docker or Vagrant?
If we have plans to showcase SSSD Federation provider + things like
start/stop sssd service to demonstrate the SSSD provider won't be
enabled. I would say that Vagrant is easier and we can benefit from
these boxes[1], otherwise we just stick with Marek's work.
I will give DBus on Docker a second try, but last time I checked wasn't
fun.
[1] - https://github.com/freeipa/freeipa-workshop
On 2016-09-13, Stian Thorgersen wrote:
> Forgot to add two things:
>
> * DNS setup - we want proper DNS setup on the machines, which would be
> required for the Kerberos stuff to work properly
> * HTTPS - optional, but would be great if it also had HTTPS configured
>
> On 13 September 2016 at 09:24, Marek Posolda <mposolda(a)redhat.com> wrote:
>
>> +1
>>
>> Few more things and tips (you may be already aware of them, but still..
>> Hope some of them are useful :) :
>>
>> - My docker image [1] already contains FreeIPA server and Keycloak server
>> pre-configured with LDAP+Kerberos federation provider to use it. Thing is
>> that both Keycloak+FreeIPA are on same machine, which is likely not the
>> best for show production setup. The workstation setup needs to be done on
>> your local machine (so you need KErberos client + Firefox setup on your
>> laptop. That's sufficient for testing, but probably also not ideal for
>> showcase).
>>
>> - In addition to FreeIPA docker images for server, FreeIPA has also docker
>> image for client setup. See for example [2] . I am not 100% sure, but I
>> believe that if you run this docker image and point to the already running
>> "server" image, you will gain also all the things like PAM setup, login
to
>> the workstation with Kerberos credentials, and automatically retrieved
>> kerberos ticket during login. Hence you just login to workstation, open
>> firefox and you are authenticated to Keycloak. No need to manually run
>> "kinit".
>>
>
> The workstation will need to be a virtual machine rather than container to
> add X support. So IMO we should just use Vagrant and have FreeIPA and
> use Vagrantfile to install Fedora + FreeIPA.
>
>
>>
>> - If Keycloak and FreeIPA server are on different workstations, then:
>> -- The Keycloak server may also need FreeIPA client installed. Or at least
>> kerberos client installed with proper setup in /etc/krb5.conf pointing to
>> FreeIPA kerberos realm and proper DNS setup working with FreeIPA.
>
>
>> -- Also for different servers, you will likely need to add HTTP kerberos
>> principal for the server where keycloak is running. For example if FreeIPA
>> is on "freeipa.example.org" and keycloak is on
"keycloak.example.org",
>> you will need the principal like HTTP/keycloak.example.org(a)KEYCLOAK.ORG .
>> This corresponds to LDAP principal under
"cn=services,cn=accounts,dc=freeipa,dc=example,dc=org"
>> . Maybe FreeIPA has it documented somewhere and/or it's easily possible to
>> add new HTTP server principal through FreeIPA admin console. You will also
>> need keytab exported with the credentials of this principal.
>> Note this step is not needed if Keycloak and FreeIPA are on same machine
>> as FreeIPA server automatically has HTTP principal for it's own machine
>> (something like HTTP/freeipa.example.org(a)KEYCLOAK.ORG for the example
>> above), to allow login to FreeIPA admin console with kerberos OOTB.
>>
>
> We should really figure out how to do this on separate machines, so I think
> going that way would be best even though it's harder to do.
>
>
>>
>>
>> [1] https://github.com/mposolda/keycloak-freeipa-docker/
>> [2] https://github.com/adelton/docker-freeipa/tree/fedora-22-client
>>
>> Marek
>>
>>
>> On 13/09/16 08:07, Stian Thorgersen wrote:
>>
>>> I'd like to have a simple way to demo LDAP and Kerberos support. To that
>>> end we should add a Vagrant setup with the following:
>>>
>>> * Keycloak server
>>> * MySQL or Postgres
>>> * FreeIPA
>>> * Workstation with Kerberos authentication (needs X and Firefox installed)
>>>
>>> The Keycloak server should already be configured to use the FreeIPA
>>> server as a user federation provider (using LDAP and Kerberos). The
>>> workstation can be co-located with FreeIPA server if it makes things much
>>> simpler, but it should be possible to login to the workstation with
>>> Kerberos. Firefox should be pre-configured for Kerberos to work both on
>>> Keycloak login and FreeIPA admin console.
>>>
>>> I want a proper database and a web based client for the database so it's
>>> simple to inspect the database.
>>>
>>> Bruno has already volunteered to look into this, but first we should make
>>> sure this is the setup we'd like to be able to showcase.
>>>
>>
>>
>>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
abstractj
PGP: 0x84DC9914
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
9:58 a.m.
How about setting up multiple VMs with Vagrant but handling all software
components with Docker?
Best of both worlds and also a simulation of the real world (which could
perhaps be used as a reference).
Best regards,
Thomas
On Sep 13, 2016 5:46 PM, "Scott Rossillo" <srossillo(a)smartling.com>
wrote:
Vagrant leaves funny taste in my mouth. Docker Compose to
orchestrate
things seems like a better option.
Scott Rossillo
Smartling | Senior Software Engineer
srossillo(a)smartling.com
On Sep 13, 2016, at 10:39 AM, Bruno Oliveira da Silva <bruno(a)abstractj.org>
wrote:
My question is: Docker or Vagrant?
If we have plans to showcase SSSD Federation provider + things like
start/stop sssd service to demonstrate the SSSD provider won't be
enabled. I would say that Vagrant is easier and we can benefit from
these boxes[1], otherwise we just stick with Marek's work.
I will give DBus on Docker a second try, but last time I checked wasn't
fun.
[1] - https://github.com/freeipa/freeipa-workshop
On 2016-09-13, Stian Thorgersen wrote:
Forgot to add two things:
* DNS setup - we want proper DNS setup on the machines, which would be
required for the Kerberos stuff to work properly
* HTTPS - optional, but would be great if it also had HTTPS configured
On 13 September 2016 at 09:24, Marek Posolda <mposolda(a)redhat.com> wrote:
+1
Few more things and tips (you may be already aware of them, but still..
Hope some of them are useful :) :
- My docker image [1] already contains FreeIPA server and Keycloak server
pre-configured with LDAP+Kerberos federation provider to use it. Thing is
that both Keycloak+FreeIPA are on same machine, which is likely not the
best for show production setup. The workstation setup needs to be done on
your local machine (so you need KErberos client + Firefox setup on your
laptop. That's sufficient for testing, but probably also not ideal for
showcase).
- In addition to FreeIPA docker images for server, FreeIPA has also docker
image for client setup. See for example [2] . I am not 100% sure, but I
believe that if you run this docker image and point to the already running
"server" image, you will gain also all the things like PAM setup, login to
the workstation with Kerberos credentials, and automatically retrieved
kerberos ticket during login. Hence you just login to workstation, open
firefox and you are authenticated to Keycloak. No need to manually run
"kinit".
The workstation will need to be a virtual machine rather than container to
add X support. So IMO we should just use Vagrant and have FreeIPA and
use Vagrantfile to install Fedora + FreeIPA.
- If Keycloak and FreeIPA server are on different workstations, then:
-- The Keycloak server may also need FreeIPA client installed. Or at least
kerberos client installed with proper setup in /etc/krb5.conf pointing to
FreeIPA kerberos realm and proper DNS setup working with FreeIPA.
-- Also for different servers, you will likely need to add HTTP kerberos
principal for the server where keycloak is running. For example if FreeIPA
is on "freeipa.example.org" and keycloak is on
"keycloak.example.org",
you will need the principal like HTTP/keycloak.example.org(a)KEYCLOAK.ORG
<HTTP/keycloak.example.org(a)keycloak.org> .
This corresponds to LDAP principal under "cn=services,cn=accounts,dc=
freeipa,dc=example,dc=org"
. Maybe FreeIPA has it documented somewhere and/or it's easily possible to
add new HTTP server principal through FreeIPA admin console. You will also
need keytab exported with the credentials of this principal.
Note this step is not needed if Keycloak and FreeIPA are on same machine
as FreeIPA server automatically has HTTP principal for it's own machine
(something like HTTP/freeipa.example.org(a)KEYCLOAK.ORG
<HTTP/freeipa.example.org(a)keycloak.org> for the example
above), to allow login to FreeIPA admin console with kerberos OOTB.
We should really figure out how to do this on separate machines, so I think
going that way would be best even though it's harder to do.
[1] https://github.com/mposolda/keycloak-freeipa-docker/
[2] https://github.com/adelton/docker-freeipa/tree/fedora-22-client
Marek
On 13/09/16 08:07, Stian Thorgersen wrote:
I'd like to have a simple way to demo LDAP and Kerberos support. To that
end we should add a Vagrant setup with the following:
* Keycloak server
* MySQL or Postgres
* FreeIPA
* Workstation with Kerberos authentication (needs X and Firefox installed)
The Keycloak server should already be configured to use the FreeIPA
server as a user federation provider (using LDAP and Kerberos). The
workstation can be co-located with FreeIPA server if it makes things much
simpler, but it should be possible to login to the workstation with
Kerberos. Firefox should be pre-configured for Kerberos to work both on
Keycloak login and FreeIPA admin console.
I want a proper database and a web based client for the database so it's
simple to inspect the database.
Bruno has already volunteered to look into this, but first we should make
sure this is the setup we'd like to be able to showcase.
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
abstractj
PGP: 0x84DC9914
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
2:10 p.m.
My 2 cents on it. Unless we have any strong argument for doing this,
let's move forward with Docker. We already have a repository for this
and I'm not sure if we have bandwidth to maintain 2 distinct repositories.
Btw I'm curious, which real world scenario you could not reproduce with
Docker?
On 2016-09-13, Thomas Raehalme wrote:
How about setting up multiple VMs with Vagrant but handling all
software
components with Docker?
Best of both worlds and also a simulation of the real world (which could
perhaps be used as a reference).
Best regards,
Thomas
On Sep 13, 2016 5:46 PM, "Scott Rossillo" <srossillo(a)smartling.com>
wrote:
> Vagrant leaves funny taste in my mouth. Docker Compose to orchestrate
> things seems like a better option.
>
> Scott Rossillo
> Smartling | Senior Software Engineer
> srossillo(a)smartling.com
>
> On Sep 13, 2016, at 10:39 AM, Bruno Oliveira da Silva <bruno(a)abstractj.org>
> wrote:
>
> My question is: Docker or Vagrant?
>
> If we have plans to showcase SSSD Federation provider + things like
> start/stop sssd service to demonstrate the SSSD provider won't be
> enabled. I would say that Vagrant is easier and we can benefit from
> these boxes[1], otherwise we just stick with Marek's work.
>
> I will give DBus on Docker a second try, but last time I checked wasn't
> fun.
>
> [1] - https://github.com/freeipa/freeipa-workshop
>
> On 2016-09-13, Stian Thorgersen wrote:
>
> Forgot to add two things:
>
> * DNS setup - we want proper DNS setup on the machines, which would be
> required for the Kerberos stuff to work properly
> * HTTPS - optional, but would be great if it also had HTTPS configured
>
> On 13 September 2016 at 09:24, Marek Posolda <mposolda(a)redhat.com> wrote:
>
> +1
>
> Few more things and tips (you may be already aware of them, but still..
> Hope some of them are useful :) :
>
> - My docker image [1] already contains FreeIPA server and Keycloak server
> pre-configured with LDAP+Kerberos federation provider to use it. Thing is
> that both Keycloak+FreeIPA are on same machine, which is likely not the
> best for show production setup. The workstation setup needs to be done on
> your local machine (so you need KErberos client + Firefox setup on your
> laptop. That's sufficient for testing, but probably also not ideal for
> showcase).
>
> - In addition to FreeIPA docker images for server, FreeIPA has also docker
> image for client setup. See for example [2] . I am not 100% sure, but I
> believe that if you run this docker image and point to the already running
> "server" image, you will gain also all the things like PAM setup, login
to
> the workstation with Kerberos credentials, and automatically retrieved
> kerberos ticket during login. Hence you just login to workstation, open
> firefox and you are authenticated to Keycloak. No need to manually run
> "kinit".
>
>
> The workstation will need to be a virtual machine rather than container to
> add X support. So IMO we should just use Vagrant and have FreeIPA and
> use Vagrantfile to install Fedora + FreeIPA.
>
>
>
> - If Keycloak and FreeIPA server are on different workstations, then:
> -- The Keycloak server may also need FreeIPA client installed. Or at least
> kerberos client installed with proper setup in /etc/krb5.conf pointing to
> FreeIPA kerberos realm and proper DNS setup working with FreeIPA.
>
>
>
> -- Also for different servers, you will likely need to add HTTP kerberos
> principal for the server where keycloak is running. For example if FreeIPA
> is on "freeipa.example.org" and keycloak is on
"keycloak.example.org",
> you will need the principal like HTTP/keycloak.example.org(a)KEYCLOAK.ORG
> <HTTP/keycloak.example.org(a)keycloak.org> .
> This corresponds to LDAP principal under "cn=services,cn=accounts,dc=
> freeipa,dc=example,dc=org"
> . Maybe FreeIPA has it documented somewhere and/or it's easily possible to
> add new HTTP server principal through FreeIPA admin console. You will also
> need keytab exported with the credentials of this principal.
> Note this step is not needed if Keycloak and FreeIPA are on same machine
> as FreeIPA server automatically has HTTP principal for it's own machine
> (something like HTTP/freeipa.example.org(a)KEYCLOAK.ORG
> <HTTP/freeipa.example.org(a)keycloak.org> for the example
> above), to allow login to FreeIPA admin console with kerberos OOTB.
>
>
> We should really figure out how to do this on separate machines, so I think
> going that way would be best even though it's harder to do.
>
>
>
>
> [1] https://github.com/mposolda/keycloak-freeipa-docker/
> [2] https://github.com/adelton/docker-freeipa/tree/fedora-22-client
>
> Marek
>
>
> On 13/09/16 08:07, Stian Thorgersen wrote:
>
> I'd like to have a simple way to demo LDAP and Kerberos support. To that
> end we should add a Vagrant setup with the following:
>
> * Keycloak server
> * MySQL or Postgres
> * FreeIPA
> * Workstation with Kerberos authentication (needs X and Firefox installed)
>
> The Keycloak server should already be configured to use the FreeIPA
> server as a user federation provider (using LDAP and Kerberos). The
> workstation can be co-located with FreeIPA server if it makes things much
> simpler, but it should be possible to login to the workstation with
> Kerberos. Firefox should be pre-configured for Kerberos to work both on
> Keycloak login and FreeIPA admin console.
>
> I want a proper database and a web based client for the database so it's
> simple to inspect the database.
>
> Bruno has already volunteered to look into this, but first we should make
> sure this is the setup we'd like to be able to showcase.
>
>
>
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>
>
> --
>
> abstractj
> PGP: 0x84DC9914
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
--
abstractj
PGP: 0x84DC9914
2:46 p.m.
On 13/09/16 21:10, Bruno Oliveira da Silva wrote:
My 2 cents on it. Unless we have any strong argument for doing this,
let's move forward with Docker. We already have a repository for this
and I'm not sure if we have bandwidth to maintain 2 distinct repositories.
Btw I'm curious, which real world scenario you could not reproduce with
Docker?
I guess SPNEGO login with Firefox is the example of that scenario?
If you want workstation with Kerberos + SPNEGO, you will need to
configure kerberos client and your Firefox and then run FF inside docker
container and display it "locally" on your laptop. Or is it something
like the "propagation" of X from docker to your laptop possible? If yes,
then everything is doable with docker though.
Marek
On 2016-09-13, Thomas Raehalme wrote:
> How about setting up multiple VMs with Vagrant but handling all software
> components with Docker?
>
> Best of both worlds and also a simulation of the real world (which could
> perhaps be used as a reference).
>
> Best regards,
> Thomas
>
> On Sep 13, 2016 5:46 PM, "Scott Rossillo" <srossillo(a)smartling.com>
wrote:
>
>> Vagrant leaves funny taste in my mouth. Docker Compose to orchestrate
>> things seems like a better option.
>>
>> Scott Rossillo
>> Smartling | Senior Software Engineer
>> srossillo(a)smartling.com
>>
>> On Sep 13, 2016, at 10:39 AM, Bruno Oliveira da Silva
<bruno(a)abstractj.org>
>> wrote:
>>
>> My question is: Docker or Vagrant?
>>
>> If we have plans to showcase SSSD Federation provider + things like
>> start/stop sssd service to demonstrate the SSSD provider won't be
>> enabled. I would say that Vagrant is easier and we can benefit from
>> these boxes[1], otherwise we just stick with Marek's work.
>>
>> I will give DBus on Docker a second try, but last time I checked wasn't
>> fun.
>>
>> [1] - https://github.com/freeipa/freeipa-workshop
>>
>> On 2016-09-13, Stian Thorgersen wrote:
>>
>> Forgot to add two things:
>>
>> * DNS setup - we want proper DNS setup on the machines, which would be
>> required for the Kerberos stuff to work properly
>> * HTTPS - optional, but would be great if it also had HTTPS configured
>>
>> On 13 September 2016 at 09:24, Marek Posolda <mposolda(a)redhat.com> wrote:
>>
>> +1
>>
>> Few more things and tips (you may be already aware of them, but still..
>> Hope some of them are useful :) :
>>
>> - My docker image [1] already contains FreeIPA server and Keycloak server
>> pre-configured with LDAP+Kerberos federation provider to use it. Thing is
>> that both Keycloak+FreeIPA are on same machine, which is likely not the
>> best for show production setup. The workstation setup needs to be done on
>> your local machine (so you need KErberos client + Firefox setup on your
>> laptop. That's sufficient for testing, but probably also not ideal for
>> showcase).
>>
>> - In addition to FreeIPA docker images for server, FreeIPA has also docker
>> image for client setup. See for example [2] . I am not 100% sure, but I
>> believe that if you run this docker image and point to the already running
>> "server" image, you will gain also all the things like PAM setup, login
to
>> the workstation with Kerberos credentials, and automatically retrieved
>> kerberos ticket during login. Hence you just login to workstation, open
>> firefox and you are authenticated to Keycloak. No need to manually run
>> "kinit".
>>
>>
>> The workstation will need to be a virtual machine rather than container to
>> add X support. So IMO we should just use Vagrant and have FreeIPA and
>> use Vagrantfile to install Fedora + FreeIPA.
>>
>>
>>
>> - If Keycloak and FreeIPA server are on different workstations, then:
>> -- The Keycloak server may also need FreeIPA client installed. Or at least
>> kerberos client installed with proper setup in /etc/krb5.conf pointing to
>> FreeIPA kerberos realm and proper DNS setup working with FreeIPA.
>>
>>
>>
>> -- Also for different servers, you will likely need to add HTTP kerberos
>> principal for the server where keycloak is running. For example if FreeIPA
>> is on "freeipa.example.org" and keycloak is on
"keycloak.example.org",
>> you will need the principal like HTTP/keycloak.example.org(a)KEYCLOAK.ORG
>> <HTTP/keycloak.example.org(a)keycloak.org> .
>> This corresponds to LDAP principal under "cn=services,cn=accounts,dc=
>> freeipa,dc=example,dc=org"
>> . Maybe FreeIPA has it documented somewhere and/or it's easily possible to
>> add new HTTP server principal through FreeIPA admin console. You will also
>> need keytab exported with the credentials of this principal.
>> Note this step is not needed if Keycloak and FreeIPA are on same machine
>> as FreeIPA server automatically has HTTP principal for it's own machine
>> (something like HTTP/freeipa.example.org(a)KEYCLOAK.ORG
>> <HTTP/freeipa.example.org(a)keycloak.org> for the example
>> above), to allow login to FreeIPA admin console with kerberos OOTB.
>>
>>
>> We should really figure out how to do this on separate machines, so I think
>> going that way would be best even though it's harder to do.
>>
>>
>>
>>
>> [1] https://github.com/mposolda/keycloak-freeipa-docker/
>> [2] https://github.com/adelton/docker-freeipa/tree/fedora-22-client
>>
>> Marek
>>
>>
>> On 13/09/16 08:07, Stian Thorgersen wrote:
>>
>> I'd like to have a simple way to demo LDAP and Kerberos support. To that
>> end we should add a Vagrant setup with the following:
>>
>> * Keycloak server
>> * MySQL or Postgres
>> * FreeIPA
>> * Workstation with Kerberos authentication (needs X and Firefox installed)
>>
>> The Keycloak server should already be configured to use the FreeIPA
>> server as a user federation provider (using LDAP and Kerberos). The
>> workstation can be co-located with FreeIPA server if it makes things much
>> simpler, but it should be possible to login to the workstation with
>> Kerberos. Firefox should be pre-configured for Kerberos to work both on
>> Keycloak login and FreeIPA admin console.
>>
>> I want a proper database and a web based client for the database so it's
>> simple to inspect the database.
>>
>> Bruno has already volunteered to look into this, but first we should make
>> sure this is the setup we'd like to be able to showcase.
>>
>>
>>
>>
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>>
>>
>> --
>>
>> abstractj
>> PGP: 0x84DC9914
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>>
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
--
abstractj
PGP: 0x84DC9914
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
12:39 a.m.
On Tue, Sep 13, 2016 at 10:46 PM, Marek Posolda <mposolda(a)redhat.com> wrote:
On 13/09/16 21:10, Bruno Oliveira da Silva wrote:
> My 2 cents on it. Unless we have any strong argument for doing this,
> let's move forward with Docker. We already have a repository for this
> and I'm not sure if we have bandwidth to maintain 2 distinct
repositories.
Maybe I misunderstood, but Vagrant does not need a repository if you use
the publicly available boxes. It's just a Vagrantfile where you specify the
boxes and how to bootstrap them.
> Btw I'm curious, which real world scenario you could not
reproduce with
> Docker?
I guess SPNEGO login with Firefox is the example of that scenario?
Yes, running GUI applications is what I had in mind as well.
But besides Firefox I did not mean that you cannot do something with
Docker. It was more about that not everybody are running Docker in a
cluster such as Swarm or Kubernetes. Instead one might use separate VMs,
but run the applications with Docker. With a combination of Vagrant and
Docker here would be a great example of doing exactly that.
Best regards,
Thomas
5:08 a.m.
On 2016-09-14, Thomas Raehalme wrote:
On Tue, Sep 13, 2016 at 10:46 PM, Marek Posolda
<mposolda(a)redhat.com> wrote:
> On 13/09/16 21:10, Bruno Oliveira da Silva wrote:
>> My 2 cents on it. Unless we have any strong argument for doing this,
>> let's move forward with Docker. We already have a repository for this
>> and I'm not sure if we have bandwidth to maintain 2 distinct
repositories.
Maybe I misunderstood, but Vagrant does not need a repository if you use
the publicly available boxes. It's just a Vagrantfile where you specify the
boxes and how to bootstrap them.
By repository I meant, git repository.
>> Btw I'm curious, which real world scenario you could not reproduce with
>> Docker?
>
> I guess SPNEGO login with Firefox is the example of that scenario?
Yes, running GUI applications is what I had in mind as well.
But besides Firefox I did not mean that you cannot do something with
Docker. It was more about that not everybody are running Docker in a
cluster such as Swarm or Kubernetes. Instead one might use separate VMs,
but run the applications with Docker. With a combination of Vagrant and
Docker here would be a great example of doing exactly that.
Best regards,
Thomas
--
abstractj
PGP: 0x84DC9914
2:32 a.m.
I want full desktop and show user login via desktop login, not Kerberos
client. So full Gnome is required. Also, I think the DNS setup as well as
orchestration may be simpler with Vagrant than Docker.
We also may want to extend this to include good old Microsoft software in
the form of Windows and Active Directory. In that case Docker is a show
stopper and Vagrant/VMs is the only option.
On 13 September 2016 at 21:46, Marek Posolda <mposolda(a)redhat.com> wrote:
On 13/09/16 21:10, Bruno Oliveira da Silva wrote:
> My 2 cents on it. Unless we have any strong argument for doing this,
> let's move forward with Docker. We already have a repository for this
> and I'm not sure if we have bandwidth to maintain 2 distinct
repositories.
>
> Btw I'm curious, which real world scenario you could not reproduce with
> Docker?
I guess SPNEGO login with Firefox is the example of that scenario?
If you want workstation with Kerberos + SPNEGO, you will need to
configure kerberos client and your Firefox and then run FF inside docker
container and display it "locally" on your laptop. Or is it something
like the "propagation" of X from docker to your laptop possible? If yes,
then everything is doable with docker though.
Marek
>
> On 2016-09-13, Thomas Raehalme wrote:
>> How about setting up multiple VMs with Vagrant but handling all software
>> components with Docker?
>>
>> Best of both worlds and also a simulation of the real world (which could
>> perhaps be used as a reference).
>>
>> Best regards,
>> Thomas
>>
>> On Sep 13, 2016 5:46 PM, "Scott Rossillo"
<srossillo(a)smartling.com>
wrote:
>>
>>> Vagrant leaves funny taste in my mouth. Docker Compose to orchestrate
>>> things seems like a better option.
>>>
>>> Scott Rossillo
>>> Smartling | Senior Software Engineer
>>> srossillo(a)smartling.com
>>>
>>> On Sep 13, 2016, at 10:39 AM, Bruno Oliveira da Silva <
bruno(a)abstractj.org>
>>> wrote:
>>>
>>> My question is: Docker or Vagrant?
>>>
>>> If we have plans to showcase SSSD Federation provider + things like
>>> start/stop sssd service to demonstrate the SSSD provider won't be
>>> enabled. I would say that Vagrant is easier and we can benefit from
>>> these boxes[1], otherwise we just stick with Marek's work.
>>>
>>> I will give DBus on Docker a second try, but last time I checked wasn't
>>> fun.
>>>
>>> [1] - https://github.com/freeipa/freeipa-workshop
>>>
>>> On 2016-09-13, Stian Thorgersen wrote:
>>>
>>> Forgot to add two things:
>>>
>>> * DNS setup - we want proper DNS setup on the machines, which would be
>>> required for the Kerberos stuff to work properly
>>> * HTTPS - optional, but would be great if it also had HTTPS configured
>>>
>>> On 13 September 2016 at 09:24, Marek Posolda <mposolda(a)redhat.com>
wrote:
>>>
>>> +1
>>>
>>> Few more things and tips (you may be already aware of them, but still..
>>> Hope some of them are useful :) :
>>>
>>> - My docker image [1] already contains FreeIPA server and Keycloak
server
>>> pre-configured with LDAP+Kerberos federation provider to use it. Thing
is
>>> that both Keycloak+FreeIPA are on same machine, which is likely not the
>>> best for show production setup. The workstation setup needs to be done
on
>>> your local machine (so you need KErberos client + Firefox setup on your
>>> laptop. That's sufficient for testing, but probably also not ideal for
>>> showcase).
>>>
>>> - In addition to FreeIPA docker images for server, FreeIPA has also
docker
>>> image for client setup. See for example [2] . I am not 100% sure, but I
>>> believe that if you run this docker image and point to the already
running
>>> "server" image, you will gain also all the things like PAM setup,
login to
>>> the workstation with Kerberos credentials, and automatically retrieved
>>> kerberos ticket during login. Hence you just login to workstation, open
>>> firefox and you are authenticated to Keycloak. No need to manually run
>>> "kinit".
>>>
>>>
>>> The workstation will need to be a virtual machine rather than
container to
>>> add X support. So IMO we should just use Vagrant and have FreeIPA and
>>> use Vagrantfile to install Fedora + FreeIPA.
>>>
>>>
>>>
>>> - If Keycloak and FreeIPA server are on different workstations, then:
>>> -- The Keycloak server may also need FreeIPA client installed. Or at
least
>>> kerberos client installed with proper setup in /etc/krb5.conf pointing
to
>>> FreeIPA kerberos realm and proper DNS setup working with FreeIPA.
>>>
>>>
>>>
>>> -- Also for different servers, you will likely need to add HTTP
kerberos
>>> principal for the server where keycloak is running. For example if
FreeIPA
>>> is on "freeipa.example.org" and keycloak is on
"keycloak.example.org",
>>> you will need the principal like HTTP/keycloak.example.org@
KEYCLOAK.ORG
>>> <HTTP/keycloak.example.org(a)keycloak.org> .
>>> This corresponds to LDAP principal under "cn=services,cn=accounts,dc=
>>> freeipa,dc=example,dc=org"
>>> . Maybe FreeIPA has it documented somewhere and/or it's easily
possible to
>>> add new HTTP server principal through FreeIPA admin console. You will
also
>>> need keytab exported with the credentials of this principal.
>>> Note this step is not needed if Keycloak and FreeIPA are on same
machine
>>> as FreeIPA server automatically has HTTP principal for it's own machine
>>> (something like HTTP/freeipa.example.org(a)KEYCLOAK.ORG
>>> <HTTP/freeipa.example.org(a)keycloak.org> for the example
>>> above), to allow login to FreeIPA admin console with kerberos OOTB.
>>>
>>>
>>> We should really figure out how to do this on separate machines, so I
think
>>> going that way would be best even though it's harder to do.
>>>
>>>
>>>
>>>
>>> [1] https://github.com/mposolda/keycloak-freeipa-docker/
>>> [2] https://github.com/adelton/docker-freeipa/tree/fedora-22-client
>>>
>>> Marek
>>>
>>>
>>> On 13/09/16 08:07, Stian Thorgersen wrote:
>>>
>>> I'd like to have a simple way to demo LDAP and Kerberos support. To
that
>>> end we should add a Vagrant setup with the following:
>>>
>>> * Keycloak server
>>> * MySQL or Postgres
>>> * FreeIPA
>>> * Workstation with Kerberos authentication (needs X and Firefox
installed)
>>>
>>> The Keycloak server should already be configured to use the FreeIPA
>>> server as a user federation provider (using LDAP and Kerberos). The
>>> workstation can be co-located with FreeIPA server if it makes things
much
>>> simpler, but it should be possible to login to the workstation with
>>> Kerberos. Firefox should be pre-configured for Kerberos to work both on
>>> Keycloak login and FreeIPA admin console.
>>>
>>> I want a proper database and a web based client for the database so
it's
>>> simple to inspect the database.
>>>
>>> Bruno has already volunteered to look into this, but first we should
make
>>> sure this is the setup we'd like to be able to showcase.
>>>
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>
>>>
>>>
>>> --
>>>
>>> abstractj
>>> PGP: 0x84DC9914
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>
>>>
>>>
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>
> --
>
> abstractj
> PGP: 0x84DC9914
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
2:34 a.m.
To elaborate I could eventually see us having a big demo setup in the form
of:
* Keycloak or RH-SSO box
* Database box
* FreeIPA box
* Active Directory box
* Some SAML provider
* Some OIDC provider
* Fedora workstation
* Windows workstation
Everything ready to go to show Keycloak as a fully capable identity
federation platform.
On 14 September 2016 at 09:32, Stian Thorgersen <sthorger(a)redhat.com> wrote:
I want full desktop and show user login via desktop login, not
Kerberos
client. So full Gnome is required. Also, I think the DNS setup as well as
orchestration may be simpler with Vagrant than Docker.
We also may want to extend this to include good old Microsoft software in
the form of Windows and Active Directory. In that case Docker is a show
stopper and Vagrant/VMs is the only option.
On 13 September 2016 at 21:46, Marek Posolda <mposolda(a)redhat.com> wrote:
> On 13/09/16 21:10, Bruno Oliveira da Silva wrote:
> > My 2 cents on it. Unless we have any strong argument for doing this,
> > let's move forward with Docker. We already have a repository for this
> > and I'm not sure if we have bandwidth to maintain 2 distinct
> repositories.
> >
> > Btw I'm curious, which real world scenario you could not reproduce with
> > Docker?
> I guess SPNEGO login with Firefox is the example of that scenario?
>
> If you want workstation with Kerberos + SPNEGO, you will need to
> configure kerberos client and your Firefox and then run FF inside docker
> container and display it "locally" on your laptop. Or is it something
> like the "propagation" of X from docker to your laptop possible? If yes,
> then everything is doable with docker though.
>
> Marek
>
> >
> > On 2016-09-13, Thomas Raehalme wrote:
> >> How about setting up multiple VMs with Vagrant but handling all
> software
> >> components with Docker?
> >>
> >> Best of both worlds and also a simulation of the real world (which
> could
> >> perhaps be used as a reference).
> >>
> >> Best regards,
> >> Thomas
> >>
> >> On Sep 13, 2016 5:46 PM, "Scott Rossillo"
<srossillo(a)smartling.com>
> wrote:
> >>
> >>> Vagrant leaves funny taste in my mouth. Docker Compose to orchestrate
> >>> things seems like a better option.
> >>>
> >>> Scott Rossillo
> >>> Smartling | Senior Software Engineer
> >>> srossillo(a)smartling.com
> >>>
> >>> On Sep 13, 2016, at 10:39 AM, Bruno Oliveira da Silva <
> bruno(a)abstractj.org>
> >>> wrote:
> >>>
> >>> My question is: Docker or Vagrant?
> >>>
> >>> If we have plans to showcase SSSD Federation provider + things like
> >>> start/stop sssd service to demonstrate the SSSD provider won't be
> >>> enabled. I would say that Vagrant is easier and we can benefit from
> >>> these boxes[1], otherwise we just stick with Marek's work.
> >>>
> >>> I will give DBus on Docker a second try, but last time I checked
> wasn't
> >>> fun.
> >>>
> >>> [1] - https://github.com/freeipa/freeipa-workshop
> >>>
> >>> On 2016-09-13, Stian Thorgersen wrote:
> >>>
> >>> Forgot to add two things:
> >>>
> >>> * DNS setup - we want proper DNS setup on the machines, which would be
> >>> required for the Kerberos stuff to work properly
> >>> * HTTPS - optional, but would be great if it also had HTTPS configured
> >>>
> >>> On 13 September 2016 at 09:24, Marek Posolda
<mposolda(a)redhat.com>
> wrote:
> >>>
> >>> +1
> >>>
> >>> Few more things and tips (you may be already aware of them, but
> still..
> >>> Hope some of them are useful :) :
> >>>
> >>> - My docker image [1] already contains FreeIPA server and Keycloak
> server
> >>> pre-configured with LDAP+Kerberos federation provider to use it.
> Thing is
> >>> that both Keycloak+FreeIPA are on same machine, which is likely not
> the
> >>> best for show production setup. The workstation setup needs to be
> done on
> >>> your local machine (so you need KErberos client + Firefox setup on
> your
> >>> laptop. That's sufficient for testing, but probably also not ideal
for
> >>> showcase).
> >>>
> >>> - In addition to FreeIPA docker images for server, FreeIPA has also
> docker
> >>> image for client setup. See for example [2] . I am not 100% sure, but
> I
> >>> believe that if you run this docker image and point to the already
> running
> >>> "server" image, you will gain also all the things like PAM
setup,
> login to
> >>> the workstation with Kerberos credentials, and automatically retrieved
> >>> kerberos ticket during login. Hence you just login to workstation,
> open
> >>> firefox and you are authenticated to Keycloak. No need to manually run
> >>> "kinit".
> >>>
> >>>
> >>> The workstation will need to be a virtual machine rather than
> container to
> >>> add X support. So IMO we should just use Vagrant and have FreeIPA and
> >>> use Vagrantfile to install Fedora + FreeIPA.
> >>>
> >>>
> >>>
> >>> - If Keycloak and FreeIPA server are on different workstations, then:
> >>> -- The Keycloak server may also need FreeIPA client installed. Or at
> least
> >>> kerberos client installed with proper setup in /etc/krb5.conf
> pointing to
> >>> FreeIPA kerberos realm and proper DNS setup working with FreeIPA.
> >>>
> >>>
> >>>
> >>> -- Also for different servers, you will likely need to add HTTP
> kerberos
> >>> principal for the server where keycloak is running. For example if
> FreeIPA
> >>> is on "freeipa.example.org" and keycloak is on
"keycloak.example.org
> ",
> >>> you will need the principal like HTTP/keycloak.example.org@KEYC
> LOAK.ORG
> >>> <HTTP/keycloak.example.org(a)keycloak.org> .
> >>> This corresponds to LDAP principal under
"cn=services,cn=accounts,dc=
> >>> freeipa,dc=example,dc=org"
> >>> . Maybe FreeIPA has it documented somewhere and/or it's easily
> possible to
> >>> add new HTTP server principal through FreeIPA admin console. You will
> also
> >>> need keytab exported with the credentials of this principal.
> >>> Note this step is not needed if Keycloak and FreeIPA are on same
> machine
> >>> as FreeIPA server automatically has HTTP principal for it's own
> machine
> >>> (something like HTTP/freeipa.example.org(a)KEYCLOAK.ORG
> >>> <HTTP/freeipa.example.org(a)keycloak.org> for the example
> >>> above), to allow login to FreeIPA admin console with kerberos OOTB.
> >>>
> >>>
> >>> We should really figure out how to do this on separate machines, so I
> think
> >>> going that way would be best even though it's harder to do.
> >>>
> >>>
> >>>
> >>>
> >>> [1] https://github.com/mposolda/keycloak-freeipa-docker/
> >>> [2] https://github.com/adelton/docker-freeipa/tree/fedora-22-client
> >>>
> >>> Marek
> >>>
> >>>
> >>> On 13/09/16 08:07, Stian Thorgersen wrote:
> >>>
> >>> I'd like to have a simple way to demo LDAP and Kerberos support. To
> that
> >>> end we should add a Vagrant setup with the following:
> >>>
> >>> * Keycloak server
> >>> * MySQL or Postgres
> >>> * FreeIPA
> >>> * Workstation with Kerberos authentication (needs X and Firefox
> installed)
> >>>
> >>> The Keycloak server should already be configured to use the FreeIPA
> >>> server as a user federation provider (using LDAP and Kerberos). The
> >>> workstation can be co-located with FreeIPA server if it makes things
> much
> >>> simpler, but it should be possible to login to the workstation with
> >>> Kerberos. Firefox should be pre-configured for Kerberos to work both
> on
> >>> Keycloak login and FreeIPA admin console.
> >>>
> >>> I want a proper database and a web based client for the database so
> it's
> >>> simple to inspect the database.
> >>>
> >>> Bruno has already volunteered to look into this, but first we should
> make
> >>> sure this is the setup we'd like to be able to showcase.
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> _______________________________________________
> >>> keycloak-dev mailing list
> >>> keycloak-dev(a)lists.jboss.org
> >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>>
> >>>
> >>>
> >>> --
> >>>
> >>> abstractj
> >>> PGP: 0x84DC9914
> >>> _______________________________________________
> >>> keycloak-dev mailing list
> >>> keycloak-dev(a)lists.jboss.org
> >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>>
> >>>
> >>>
> >>> _______________________________________________
> >>> keycloak-dev mailing list
> >>> keycloak-dev(a)lists.jboss.org
> >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>>
> > --
> >
> > abstractj
> > PGP: 0x84DC9914
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
5:11 a.m.
+1 Not arguing in favor or against it, but thinking about what you
described seems like the solution is the combination of both: Vagrant and Docker.
Do we have a Jira for this?
On 2016-09-14, Stian Thorgersen wrote:
To elaborate I could eventually see us having a big demo setup in the
form
of:
* Keycloak or RH-SSO box
* Database box
* FreeIPA box
* Active Directory box
* Some SAML provider
* Some OIDC provider
* Fedora workstation
* Windows workstation
Everything ready to go to show Keycloak as a fully capable identity
federation platform.
On 14 September 2016 at 09:32, Stian Thorgersen <sthorger(a)redhat.com> wrote:
> I want full desktop and show user login via desktop login, not Kerberos
> client. So full Gnome is required. Also, I think the DNS setup as well as
> orchestration may be simpler with Vagrant than Docker.
>
> We also may want to extend this to include good old Microsoft software in
> the form of Windows and Active Directory. In that case Docker is a show
> stopper and Vagrant/VMs is the only option.
>
> On 13 September 2016 at 21:46, Marek Posolda <mposolda(a)redhat.com> wrote:
>
>> On 13/09/16 21:10, Bruno Oliveira da Silva wrote:
>> > My 2 cents on it. Unless we have any strong argument for doing this,
>> > let's move forward with Docker. We already have a repository for this
>> > and I'm not sure if we have bandwidth to maintain 2 distinct
>> repositories.
>> >
>> > Btw I'm curious, which real world scenario you could not reproduce
with
>> > Docker?
>> I guess SPNEGO login with Firefox is the example of that scenario?
>>
>> If you want workstation with Kerberos + SPNEGO, you will need to
>> configure kerberos client and your Firefox and then run FF inside docker
>> container and display it "locally" on your laptop. Or is it something
>> like the "propagation" of X from docker to your laptop possible? If
yes,
>> then everything is doable with docker though.
>>
>> Marek
>>
>> >
>> > On 2016-09-13, Thomas Raehalme wrote:
>> >> How about setting up multiple VMs with Vagrant but handling all
>> software
>> >> components with Docker?
>> >>
>> >> Best of both worlds and also a simulation of the real world (which
>> could
>> >> perhaps be used as a reference).
>> >>
>> >> Best regards,
>> >> Thomas
>> >>
>> >> On Sep 13, 2016 5:46 PM, "Scott Rossillo"
<srossillo(a)smartling.com>
>> wrote:
>> >>
>> >>> Vagrant leaves funny taste in my mouth. Docker Compose to
orchestrate
>> >>> things seems like a better option.
>> >>>
>> >>> Scott Rossillo
>> >>> Smartling | Senior Software Engineer
>> >>> srossillo(a)smartling.com
>> >>>
>> >>> On Sep 13, 2016, at 10:39 AM, Bruno Oliveira da Silva <
>> bruno(a)abstractj.org>
>> >>> wrote:
>> >>>
>> >>> My question is: Docker or Vagrant?
>> >>>
>> >>> If we have plans to showcase SSSD Federation provider + things
like
>> >>> start/stop sssd service to demonstrate the SSSD provider won't
be
>> >>> enabled. I would say that Vagrant is easier and we can benefit
from
>> >>> these boxes[1], otherwise we just stick with Marek's work.
>> >>>
>> >>> I will give DBus on Docker a second try, but last time I checked
>> wasn't
>> >>> fun.
>> >>>
>> >>> [1] - https://github.com/freeipa/freeipa-workshop
>> >>>
>> >>> On 2016-09-13, Stian Thorgersen wrote:
>> >>>
>> >>> Forgot to add two things:
>> >>>
>> >>> * DNS setup - we want proper DNS setup on the machines, which would
be
>> >>> required for the Kerberos stuff to work properly
>> >>> * HTTPS - optional, but would be great if it also had HTTPS
configured
>> >>>
>> >>> On 13 September 2016 at 09:24, Marek Posolda
<mposolda(a)redhat.com>
>> wrote:
>> >>>
>> >>> +1
>> >>>
>> >>> Few more things and tips (you may be already aware of them, but
>> still..
>> >>> Hope some of them are useful :) :
>> >>>
>> >>> - My docker image [1] already contains FreeIPA server and Keycloak
>> server
>> >>> pre-configured with LDAP+Kerberos federation provider to use it.
>> Thing is
>> >>> that both Keycloak+FreeIPA are on same machine, which is likely
not
>> the
>> >>> best for show production setup. The workstation setup needs to be
>> done on
>> >>> your local machine (so you need KErberos client + Firefox setup on
>> your
>> >>> laptop. That's sufficient for testing, but probably also not
ideal for
>> >>> showcase).
>> >>>
>> >>> - In addition to FreeIPA docker images for server, FreeIPA has
also
>> docker
>> >>> image for client setup. See for example [2] . I am not 100% sure,
but
>> I
>> >>> believe that if you run this docker image and point to the already
>> running
>> >>> "server" image, you will gain also all the things like
PAM setup,
>> login to
>> >>> the workstation with Kerberos credentials, and automatically
retrieved
>> >>> kerberos ticket during login. Hence you just login to workstation,
>> open
>> >>> firefox and you are authenticated to Keycloak. No need to manually
run
>> >>> "kinit".
>> >>>
>> >>>
>> >>> The workstation will need to be a virtual machine rather than
>> container to
>> >>> add X support. So IMO we should just use Vagrant and have FreeIPA
and
>> >>> use Vagrantfile to install Fedora + FreeIPA.
>> >>>
>> >>>
>> >>>
>> >>> - If Keycloak and FreeIPA server are on different workstations,
then:
>> >>> -- The Keycloak server may also need FreeIPA client installed. Or
at
>> least
>> >>> kerberos client installed with proper setup in /etc/krb5.conf
>> pointing to
>> >>> FreeIPA kerberos realm and proper DNS setup working with FreeIPA.
>> >>>
>> >>>
>> >>>
>> >>> -- Also for different servers, you will likely need to add HTTP
>> kerberos
>> >>> principal for the server where keycloak is running. For example if
>> FreeIPA
>> >>> is on "freeipa.example.org" and keycloak is on
"keycloak.example.org
>> ",
>> >>> you will need the principal like HTTP/keycloak.example.org@KEYC
>> LOAK.ORG
>> >>> <HTTP/keycloak.example.org(a)keycloak.org> .
>> >>> This corresponds to LDAP principal under
"cn=services,cn=accounts,dc=
>> >>> freeipa,dc=example,dc=org"
>> >>> . Maybe FreeIPA has it documented somewhere and/or it's easily
>> possible to
>> >>> add new HTTP server principal through FreeIPA admin console. You
will
>> also
>> >>> need keytab exported with the credentials of this principal.
>> >>> Note this step is not needed if Keycloak and FreeIPA are on same
>> machine
>> >>> as FreeIPA server automatically has HTTP principal for it's
own
>> machine
>> >>> (something like HTTP/freeipa.example.org(a)KEYCLOAK.ORG
>> >>> <HTTP/freeipa.example.org(a)keycloak.org> for the example
>> >>> above), to allow login to FreeIPA admin console with kerberos
OOTB.
>> >>>
>> >>>
>> >>> We should really figure out how to do this on separate machines, so
I
>> think
>> >>> going that way would be best even though it's harder to do.
>> >>>
>> >>>
>> >>>
>> >>>
>> >>> [1] https://github.com/mposolda/keycloak-freeipa-docker/
>> >>> [2]
https://github.com/adelton/docker-freeipa/tree/fedora-22-client
>> >>>
>> >>> Marek
>> >>>
>> >>>
>> >>> On 13/09/16 08:07, Stian Thorgersen wrote:
>> >>>
>> >>> I'd like to have a simple way to demo LDAP and Kerberos
support. To
>> that
>> >>> end we should add a Vagrant setup with the following:
>> >>>
>> >>> * Keycloak server
>> >>> * MySQL or Postgres
>> >>> * FreeIPA
>> >>> * Workstation with Kerberos authentication (needs X and Firefox
>> installed)
>> >>>
>> >>> The Keycloak server should already be configured to use the
FreeIPA
>> >>> server as a user federation provider (using LDAP and Kerberos).
The
>> >>> workstation can be co-located with FreeIPA server if it makes
things
>> much
>> >>> simpler, but it should be possible to login to the workstation
with
>> >>> Kerberos. Firefox should be pre-configured for Kerberos to work
both
>> on
>> >>> Keycloak login and FreeIPA admin console.
>> >>>
>> >>> I want a proper database and a web based client for the database
so
>> it's
>> >>> simple to inspect the database.
>> >>>
>> >>> Bruno has already volunteered to look into this, but first we
should
>> make
>> >>> sure this is the setup we'd like to be able to showcase.
>> >>>
>> >>>
>> >>>
>> >>>
>> >>>
>> >>> _______________________________________________
>> >>> keycloak-dev mailing list
>> >>> keycloak-dev(a)lists.jboss.org
>> >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>> >>>
>> >>>
>> >>>
>> >>> --
>> >>>
>> >>> abstractj
>> >>> PGP: 0x84DC9914
>> >>> _______________________________________________
>> >>> keycloak-dev mailing list
>> >>> keycloak-dev(a)lists.jboss.org
>> >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>> >>>
>> >>>
>> >>>
>> >>> _______________________________________________
>> >>> keycloak-dev mailing list
>> >>> keycloak-dev(a)lists.jboss.org
>> >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>> >>>
>> > --
>> >
>> > abstractj
>> > PGP: 0x84DC9914
>> > _______________________________________________
>> > keycloak-dev mailing list
>> > keycloak-dev(a)lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>
>
--
abstractj
PGP: 0x84DC9914
6:12 a.m.
We do now:
https://issues.jboss.org/browse/KEYCLOAK-3577
On 14 September 2016 at 12:11, Bruno Oliveira da Silva <bruno(a)abstractj.org>
wrote:
+1 Not arguing in favor or against it, but thinking about what you
described seems like the solution is the combination of both: Vagrant and
Docker.
Do we have a Jira for this?
On 2016-09-14, Stian Thorgersen wrote:
> To elaborate I could eventually see us having a big demo setup in the
form
> of:
>
> * Keycloak or RH-SSO box
> * Database box
> * FreeIPA box
> * Active Directory box
> * Some SAML provider
> * Some OIDC provider
> * Fedora workstation
> * Windows workstation
>
> Everything ready to go to show Keycloak as a fully capable identity
> federation platform.
>
> On 14 September 2016 at 09:32, Stian Thorgersen <sthorger(a)redhat.com>
wrote:
>
> > I want full desktop and show user login via desktop login, not Kerberos
> > client. So full Gnome is required. Also, I think the DNS setup as well
as
> > orchestration may be simpler with Vagrant than Docker.
> >
> > We also may want to extend this to include good old Microsoft software
in
> > the form of Windows and Active Directory. In that case Docker is a show
> > stopper and Vagrant/VMs is the only option.
> >
> > On 13 September 2016 at 21:46, Marek Posolda <mposolda(a)redhat.com>
wrote:
> >
> >> On 13/09/16 21:10, Bruno Oliveira da Silva wrote:
> >> > My 2 cents on it. Unless we have any strong argument for doing this,
> >> > let's move forward with Docker. We already have a repository for
this
> >> > and I'm not sure if we have bandwidth to maintain 2 distinct
> >> repositories.
> >> >
> >> > Btw I'm curious, which real world scenario you could not
reproduce
with
> >> > Docker?
> >> I guess SPNEGO login with Firefox is the example of that scenario?
> >>
> >> If you want workstation with Kerberos + SPNEGO, you will need to
> >> configure kerberos client and your Firefox and then run FF inside
docker
> >> container and display it "locally" on your laptop. Or is it
something
> >> like the "propagation" of X from docker to your laptop possible?
If
yes,
> >> then everything is doable with docker though.
> >>
> >> Marek
> >>
> >> >
> >> > On 2016-09-13, Thomas Raehalme wrote:
> >> >> How about setting up multiple VMs with Vagrant but handling all
> >> software
> >> >> components with Docker?
> >> >>
> >> >> Best of both worlds and also a simulation of the real world
(which
> >> could
> >> >> perhaps be used as a reference).
> >> >>
> >> >> Best regards,
> >> >> Thomas
> >> >>
> >> >> On Sep 13, 2016 5:46 PM, "Scott Rossillo"
<srossillo(a)smartling.com
>
> >> wrote:
> >> >>
> >> >>> Vagrant leaves funny taste in my mouth. Docker Compose to
orchestrate
> >> >>> things seems like a better option.
> >> >>>
> >> >>> Scott Rossillo
> >> >>> Smartling | Senior Software Engineer
> >> >>> srossillo(a)smartling.com
> >> >>>
> >> >>> On Sep 13, 2016, at 10:39 AM, Bruno Oliveira da Silva <
> >> bruno(a)abstractj.org>
> >> >>> wrote:
> >> >>>
> >> >>> My question is: Docker or Vagrant?
> >> >>>
> >> >>> If we have plans to showcase SSSD Federation provider +
things
like
> >> >>> start/stop sssd service to demonstrate the SSSD provider
won't be
> >> >>> enabled. I would say that Vagrant is easier and we can
benefit
from
> >> >>> these boxes[1], otherwise we just stick with Marek's
work.
> >> >>>
> >> >>> I will give DBus on Docker a second try, but last time I
checked
> >> wasn't
> >> >>> fun.
> >> >>>
> >> >>> [1] - https://github.com/freeipa/freeipa-workshop
> >> >>>
> >> >>> On 2016-09-13, Stian Thorgersen wrote:
> >> >>>
> >> >>> Forgot to add two things:
> >> >>>
> >> >>> * DNS setup - we want proper DNS setup on the machines, which
would be
> >> >>> required for the Kerberos stuff to work properly
> >> >>> * HTTPS - optional, but would be great if it also had HTTPS
configured
> >> >>>
> >> >>> On 13 September 2016 at 09:24, Marek Posolda
<mposolda(a)redhat.com
>
> >> wrote:
> >> >>>
> >> >>> +1
> >> >>>
> >> >>> Few more things and tips (you may be already aware of them,
but
> >> still..
> >> >>> Hope some of them are useful :) :
> >> >>>
> >> >>> - My docker image [1] already contains FreeIPA server and
Keycloak
> >> server
> >> >>> pre-configured with LDAP+Kerberos federation provider to use
it.
> >> Thing is
> >> >>> that both Keycloak+FreeIPA are on same machine, which is
likely
not
> >> the
> >> >>> best for show production setup. The workstation setup needs to
be
> >> done on
> >> >>> your local machine (so you need KErberos client + Firefox
setup on
> >> your
> >> >>> laptop. That's sufficient for testing, but probably also
not
ideal for
> >> >>> showcase).
> >> >>>
> >> >>> - In addition to FreeIPA docker images for server, FreeIPA
has
also
> >> docker
> >> >>> image for client setup. See for example [2] . I am not 100%
sure,
but
> >> I
> >> >>> believe that if you run this docker image and point to the
already
> >> running
> >> >>> "server" image, you will gain also all the things
like PAM setup,
> >> login to
> >> >>> the workstation with Kerberos credentials, and automatically
retrieved
> >> >>> kerberos ticket during login. Hence you just login to
workstation,
> >> open
> >> >>> firefox and you are authenticated to Keycloak. No need to
manually run
> >> >>> "kinit".
> >> >>>
> >> >>>
> >> >>> The workstation will need to be a virtual machine rather than
> >> container to
> >> >>> add X support. So IMO we should just use Vagrant and have
FreeIPA
and
> >> >>> use Vagrantfile to install Fedora + FreeIPA.
> >> >>>
> >> >>>
> >> >>>
> >> >>> - If Keycloak and FreeIPA server are on different
workstations,
then:
> >> >>> -- The Keycloak server may also need FreeIPA client installed.
Or
at
> >> least
> >> >>> kerberos client installed with proper setup in /etc/krb5.conf
> >> pointing to
> >> >>> FreeIPA kerberos realm and proper DNS setup working with
FreeIPA.
> >> >>>
> >> >>>
> >> >>>
> >> >>> -- Also for different servers, you will likely need to add
HTTP
> >> kerberos
> >> >>> principal for the server where keycloak is running. For
example if
> >> FreeIPA
> >> >>> is on "freeipa.example.org" and keycloak is on
"
keycloak.example.org
> >> ",
> >> >>> you will need the principal like
HTTP/keycloak.example.org@KEYC
> >> LOAK.ORG
> >> >>> <HTTP/keycloak.example.org(a)keycloak.org> .
> >> >>> This corresponds to LDAP principal under
"cn=services,cn=accounts,dc=
> >> >>> freeipa,dc=example,dc=org"
> >> >>> . Maybe FreeIPA has it documented somewhere and/or it's
easily
> >> possible to
> >> >>> add new HTTP server principal through FreeIPA admin console.
You
will
> >> also
> >> >>> need keytab exported with the credentials of this principal.
> >> >>> Note this step is not needed if Keycloak and FreeIPA are on
same
> >> machine
> >> >>> as FreeIPA server automatically has HTTP principal for
it's own
> >> machine
> >> >>> (something like HTTP/freeipa.example.org(a)KEYCLOAK.ORG
> >> >>> <HTTP/freeipa.example.org(a)keycloak.org> for the example
> >> >>> above), to allow login to FreeIPA admin console with kerberos
OOTB.
> >> >>>
> >> >>>
> >> >>> We should really figure out how to do this on separate
machines,
so I
> >> think
> >> >>> going that way would be best even though it's harder to
do.
> >> >>>
> >> >>>
> >> >>>
> >> >>>
> >> >>> [1] https://github.com/mposolda/keycloak-freeipa-docker/
> >> >>> [2] https://github.com/adelton/docker-freeipa/tree/fedora-22-
client
> >> >>>
> >> >>> Marek
> >> >>>
> >> >>>
> >> >>> On 13/09/16 08:07, Stian Thorgersen wrote:
> >> >>>
> >> >>> I'd like to have a simple way to demo LDAP and Kerberos
support.
To
> >> that
> >> >>> end we should add a Vagrant setup with the following:
> >> >>>
> >> >>> * Keycloak server
> >> >>> * MySQL or Postgres
> >> >>> * FreeIPA
> >> >>> * Workstation with Kerberos authentication (needs X and
Firefox
> >> installed)
> >> >>>
> >> >>> The Keycloak server should already be configured to use the
FreeIPA
> >> >>> server as a user federation provider (using LDAP and
Kerberos).
The
> >> >>> workstation can be co-located with FreeIPA server if it makes
things
> >> much
> >> >>> simpler, but it should be possible to login to the
workstation
with
> >> >>> Kerberos. Firefox should be pre-configured for Kerberos to
work
both
> >> on
> >> >>> Keycloak login and FreeIPA admin console.
> >> >>>
> >> >>> I want a proper database and a web based client for the
database
so
> >> it's
> >> >>> simple to inspect the database.
> >> >>>
> >> >>> Bruno has already volunteered to look into this, but first we
should
> >> make
> >> >>> sure this is the setup we'd like to be able to showcase.
> >> >>>
> >> >>>
> >> >>>
> >> >>>
> >> >>>
> >> >>> _______________________________________________
> >> >>> keycloak-dev mailing list
> >> >>> keycloak-dev(a)lists.jboss.org
> >> >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >> >>>
> >> >>>
> >> >>>
> >> >>> --
> >> >>>
> >> >>> abstractj
> >> >>> PGP: 0x84DC9914
> >> >>> _______________________________________________
> >> >>> keycloak-dev mailing list
> >> >>> keycloak-dev(a)lists.jboss.org
> >> >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >> >>>
> >> >>>
> >> >>>
> >> >>> _______________________________________________
> >> >>> keycloak-dev mailing list
> >> >>> keycloak-dev(a)lists.jboss.org
> >> >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >> >>>
> >> > --
> >> >
> >> > abstractj
> >> > PGP: 0x84DC9914
> >> > _______________________________________________
> >> > keycloak-dev mailing list
> >> > keycloak-dev(a)lists.jboss.org
> >> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>
> >>
> >> _______________________________________________
> >> keycloak-dev mailing list
> >> keycloak-dev(a)lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>
> >
> >
--
abstractj
PGP: 0x84DC9914
6:13 a.m.
Bruno - notice the missing fix version! It's a nice to have background task
and not a high priority at the moment.
On 14 September 2016 at 13:12, Stian Thorgersen <sthorger(a)redhat.com> wrote:
We do now:
https://issues.jboss.org/browse/KEYCLOAK-3577
On 14 September 2016 at 12:11, Bruno Oliveira da Silva <
bruno(a)abstractj.org> wrote:
> +1 Not arguing in favor or against it, but thinking about what you
> described seems like the solution is the combination of both: Vagrant and
> Docker.
>
> Do we have a Jira for this?
>
> On 2016-09-14, Stian Thorgersen wrote:
> > To elaborate I could eventually see us having a big demo setup in the
> form
> > of:
> >
> > * Keycloak or RH-SSO box
> > * Database box
> > * FreeIPA box
> > * Active Directory box
> > * Some SAML provider
> > * Some OIDC provider
> > * Fedora workstation
> > * Windows workstation
> >
> > Everything ready to go to show Keycloak as a fully capable identity
> > federation platform.
> >
> > On 14 September 2016 at 09:32, Stian Thorgersen <sthorger(a)redhat.com>
> wrote:
> >
> > > I want full desktop and show user login via desktop login, not
> Kerberos
> > > client. So full Gnome is required. Also, I think the DNS setup as
> well as
> > > orchestration may be simpler with Vagrant than Docker.
> > >
> > > We also may want to extend this to include good old Microsoft
> software in
> > > the form of Windows and Active Directory. In that case Docker is a
> show
> > > stopper and Vagrant/VMs is the only option.
> > >
> > > On 13 September 2016 at 21:46, Marek Posolda <mposolda(a)redhat.com>
> wrote:
> > >
> > >> On 13/09/16 21:10, Bruno Oliveira da Silva wrote:
> > >> > My 2 cents on it. Unless we have any strong argument for doing
> this,
> > >> > let's move forward with Docker. We already have a repository
for
> this
> > >> > and I'm not sure if we have bandwidth to maintain 2 distinct
> > >> repositories.
> > >> >
> > >> > Btw I'm curious, which real world scenario you could not
reproduce
> with
> > >> > Docker?
> > >> I guess SPNEGO login with Firefox is the example of that scenario?
> > >>
> > >> If you want workstation with Kerberos + SPNEGO, you will need to
> > >> configure kerberos client and your Firefox and then run FF inside
> docker
> > >> container and display it "locally" on your laptop. Or is it
something
> > >> like the "propagation" of X from docker to your laptop
possible? If
> yes,
> > >> then everything is doable with docker though.
> > >>
> > >> Marek
> > >>
> > >> >
> > >> > On 2016-09-13, Thomas Raehalme wrote:
> > >> >> How about setting up multiple VMs with Vagrant but handling
all
> > >> software
> > >> >> components with Docker?
> > >> >>
> > >> >> Best of both worlds and also a simulation of the real world
(which
> > >> could
> > >> >> perhaps be used as a reference).
> > >> >>
> > >> >> Best regards,
> > >> >> Thomas
> > >> >>
> > >> >> On Sep 13, 2016 5:46 PM, "Scott Rossillo" <
> srossillo(a)smartling.com>
> > >> wrote:
> > >> >>
> > >> >>> Vagrant leaves funny taste in my mouth. Docker Compose to
> orchestrate
> > >> >>> things seems like a better option.
> > >> >>>
> > >> >>> Scott Rossillo
> > >> >>> Smartling | Senior Software Engineer
> > >> >>> srossillo(a)smartling.com
> > >> >>>
> > >> >>> On Sep 13, 2016, at 10:39 AM, Bruno Oliveira da Silva
<
> > >> bruno(a)abstractj.org>
> > >> >>> wrote:
> > >> >>>
> > >> >>> My question is: Docker or Vagrant?
> > >> >>>
> > >> >>> If we have plans to showcase SSSD Federation provider +
things
> like
> > >> >>> start/stop sssd service to demonstrate the SSSD provider
won't be
> > >> >>> enabled. I would say that Vagrant is easier and we can
benefit
> from
> > >> >>> these boxes[1], otherwise we just stick with Marek's
work.
> > >> >>>
> > >> >>> I will give DBus on Docker a second try, but last time I
checked
> > >> wasn't
> > >> >>> fun.
> > >> >>>
> > >> >>> [1] - https://github.com/freeipa/freeipa-workshop
> > >> >>>
> > >> >>> On 2016-09-13, Stian Thorgersen wrote:
> > >> >>>
> > >> >>> Forgot to add two things:
> > >> >>>
> > >> >>> * DNS setup - we want proper DNS setup on the machines,
which
> would be
> > >> >>> required for the Kerberos stuff to work properly
> > >> >>> * HTTPS - optional, but would be great if it also had
HTTPS
> configured
> > >> >>>
> > >> >>> On 13 September 2016 at 09:24, Marek Posolda <
> mposolda(a)redhat.com>
> > >> wrote:
> > >> >>>
> > >> >>> +1
> > >> >>>
> > >> >>> Few more things and tips (you may be already aware of
them, but
> > >> still..
> > >> >>> Hope some of them are useful :) :
> > >> >>>
> > >> >>> - My docker image [1] already contains FreeIPA server and
> Keycloak
> > >> server
> > >> >>> pre-configured with LDAP+Kerberos federation provider to
use it.
> > >> Thing is
> > >> >>> that both Keycloak+FreeIPA are on same machine, which is
likely
> not
> > >> the
> > >> >>> best for show production setup. The workstation setup
needs to be
> > >> done on
> > >> >>> your local machine (so you need KErberos client + Firefox
setup
> on
> > >> your
> > >> >>> laptop. That's sufficient for testing, but probably
also not
> ideal for
> > >> >>> showcase).
> > >> >>>
> > >> >>> - In addition to FreeIPA docker images for server, FreeIPA
has
> also
> > >> docker
> > >> >>> image for client setup. See for example [2] . I am not
100%
> sure, but
> > >> I
> > >> >>> believe that if you run this docker image and point to
the
> already
> > >> running
> > >> >>> "server" image, you will gain also all the
things like PAM setup,
> > >> login to
> > >> >>> the workstation with Kerberos credentials, and
automatically
> retrieved
> > >> >>> kerberos ticket during login. Hence you just login to
> workstation,
> > >> open
> > >> >>> firefox and you are authenticated to Keycloak. No need to
> manually run
> > >> >>> "kinit".
> > >> >>>
> > >> >>>
> > >> >>> The workstation will need to be a virtual machine rather
than
> > >> container to
> > >> >>> add X support. So IMO we should just use Vagrant and have
> FreeIPA and
> > >> >>> use Vagrantfile to install Fedora + FreeIPA.
> > >> >>>
> > >> >>>
> > >> >>>
> > >> >>> - If Keycloak and FreeIPA server are on different
workstations,
> then:
> > >> >>> -- The Keycloak server may also need FreeIPA client
installed.
> Or at
> > >> least
> > >> >>> kerberos client installed with proper setup in
/etc/krb5.conf
> > >> pointing to
> > >> >>> FreeIPA kerberos realm and proper DNS setup working with
FreeIPA.
> > >> >>>
> > >> >>>
> > >> >>>
> > >> >>> -- Also for different servers, you will likely need to add
HTTP
> > >> kerberos
> > >> >>> principal for the server where keycloak is running. For
example
> if
> > >> FreeIPA
> > >> >>> is on "freeipa.example.org" and keycloak is on
"
> keycloak.example.org
> > >> ",
> > >> >>> you will need the principal like
HTTP/keycloak.example.org@KEYC
> > >> LOAK.ORG
> > >> >>> <HTTP/keycloak.example.org(a)keycloak.org> .
> > >> >>> This corresponds to LDAP principal under
> "cn=services,cn=accounts,dc=
> > >> >>> freeipa,dc=example,dc=org"
> > >> >>> . Maybe FreeIPA has it documented somewhere and/or
it's easily
> > >> possible to
> > >> >>> add new HTTP server principal through FreeIPA admin
console. You
> will
> > >> also
> > >> >>> need keytab exported with the credentials of this
principal.
> > >> >>> Note this step is not needed if Keycloak and FreeIPA are
on same
> > >> machine
> > >> >>> as FreeIPA server automatically has HTTP principal for
it's own
> > >> machine
> > >> >>> (something like HTTP/freeipa.example.org(a)KEYCLOAK.ORG
> > >> >>> <HTTP/freeipa.example.org(a)keycloak.org> for the
example
> > >> >>> above), to allow login to FreeIPA admin console with
kerberos
> OOTB.
> > >> >>>
> > >> >>>
> > >> >>> We should really figure out how to do this on separate
machines,
> so I
> > >> think
> > >> >>> going that way would be best even though it's harder
to do.
> > >> >>>
> > >> >>>
> > >> >>>
> > >> >>>
> > >> >>> [1] https://github.com/mposolda/keycloak-freeipa-docker/
> > >> >>> [2]
https://github.com/adelton/docker-freeipa/tree/fedora-22-cli
> ent
> > >> >>>
> > >> >>> Marek
> > >> >>>
> > >> >>>
> > >> >>> On 13/09/16 08:07, Stian Thorgersen wrote:
> > >> >>>
> > >> >>> I'd like to have a simple way to demo LDAP and
Kerberos support.
> To
> > >> that
> > >> >>> end we should add a Vagrant setup with the following:
> > >> >>>
> > >> >>> * Keycloak server
> > >> >>> * MySQL or Postgres
> > >> >>> * FreeIPA
> > >> >>> * Workstation with Kerberos authentication (needs X and
Firefox
> > >> installed)
> > >> >>>
> > >> >>> The Keycloak server should already be configured to use
the
> FreeIPA
> > >> >>> server as a user federation provider (using LDAP and
Kerberos).
> The
> > >> >>> workstation can be co-located with FreeIPA server if it
makes
> things
> > >> much
> > >> >>> simpler, but it should be possible to login to the
workstation
> with
> > >> >>> Kerberos. Firefox should be pre-configured for Kerberos to
work
> both
> > >> on
> > >> >>> Keycloak login and FreeIPA admin console.
> > >> >>>
> > >> >>> I want a proper database and a web based client for the
database
> so
> > >> it's
> > >> >>> simple to inspect the database.
> > >> >>>
> > >> >>> Bruno has already volunteered to look into this, but first
we
> should
> > >> make
> > >> >>> sure this is the setup we'd like to be able to
showcase.
> > >> >>>
> > >> >>>
> > >> >>>
> > >> >>>
> > >> >>>
> > >> >>> _______________________________________________
> > >> >>> keycloak-dev mailing list
> > >> >>> keycloak-dev(a)lists.jboss.org
> > >> >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> > >> >>>
> > >> >>>
> > >> >>>
> > >> >>> --
> > >> >>>
> > >> >>> abstractj
> > >> >>> PGP: 0x84DC9914
> > >> >>> _______________________________________________
> > >> >>> keycloak-dev mailing list
> > >> >>> keycloak-dev(a)lists.jboss.org
> > >> >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> > >> >>>
> > >> >>>
> > >> >>>
> > >> >>> _______________________________________________
> > >> >>> keycloak-dev mailing list
> > >> >>> keycloak-dev(a)lists.jboss.org
> > >> >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> > >> >>>
> > >> > --
> > >> >
> > >> > abstractj
> > >> > PGP: 0x84DC9914
> > >> > _______________________________________________
> > >> > keycloak-dev mailing list
> > >> > keycloak-dev(a)lists.jboss.org
> > >> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> > >>
> > >>
> > >> _______________________________________________
> > >> keycloak-dev mailing list
> > >> keycloak-dev(a)lists.jboss.org
> > >> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> > >>
> > >
> > >
>
> --
>
> abstractj
> PGP: 0x84DC9914
>
7:07 a.m.
+1000 thank you!
On 2016-09-14, Stian Thorgersen wrote:
Bruno - notice the missing fix version! It's a nice to have
background task
and not a high priority at the moment.
On 14 September 2016 at 13:12, Stian Thorgersen <sthorger(a)redhat.com> wrote:
> We do now:
> https://issues.jboss.org/browse/KEYCLOAK-3577
>
> On 14 September 2016 at 12:11, Bruno Oliveira da Silva <
> bruno(a)abstractj.org> wrote:
>
>> +1 Not arguing in favor or against it, but thinking about what you
>> described seems like the solution is the combination of both: Vagrant and
>> Docker.
>>
>> Do we have a Jira for this?
>>
>> On 2016-09-14, Stian Thorgersen wrote:
>> > To elaborate I could eventually see us having a big demo setup in the
>> form
>> > of:
>> >
>> > * Keycloak or RH-SSO box
>> > * Database box
>> > * FreeIPA box
>> > * Active Directory box
>> > * Some SAML provider
>> > * Some OIDC provider
>> > * Fedora workstation
>> > * Windows workstation
>> >
>> > Everything ready to go to show Keycloak as a fully capable identity
>> > federation platform.
>> >
>> > On 14 September 2016 at 09:32, Stian Thorgersen
<sthorger(a)redhat.com>
>> wrote:
>> >
>> > > I want full desktop and show user login via desktop login, not
>> Kerberos
>> > > client. So full Gnome is required. Also, I think the DNS setup as
>> well as
>> > > orchestration may be simpler with Vagrant than Docker.
>> > >
>> > > We also may want to extend this to include good old Microsoft
>> software in
>> > > the form of Windows and Active Directory. In that case Docker is a
>> show
>> > > stopper and Vagrant/VMs is the only option.
>> > >
>> > > On 13 September 2016 at 21:46, Marek Posolda
<mposolda(a)redhat.com>
>> wrote:
>> > >
>> > >> On 13/09/16 21:10, Bruno Oliveira da Silva wrote:
>> > >> > My 2 cents on it. Unless we have any strong argument for
doing
>> this,
>> > >> > let's move forward with Docker. We already have a
repository for
>> this
>> > >> > and I'm not sure if we have bandwidth to maintain 2
distinct
>> > >> repositories.
>> > >> >
>> > >> > Btw I'm curious, which real world scenario you could not
reproduce
>> with
>> > >> > Docker?
>> > >> I guess SPNEGO login with Firefox is the example of that
scenario?
>> > >>
>> > >> If you want workstation with Kerberos + SPNEGO, you will need to
>> > >> configure kerberos client and your Firefox and then run FF inside
>> docker
>> > >> container and display it "locally" on your laptop. Or is
it something
>> > >> like the "propagation" of X from docker to your laptop
possible? If
>> yes,
>> > >> then everything is doable with docker though.
>> > >>
>> > >> Marek
>> > >>
>> > >> >
>> > >> > On 2016-09-13, Thomas Raehalme wrote:
>> > >> >> How about setting up multiple VMs with Vagrant but
handling all
>> > >> software
>> > >> >> components with Docker?
>> > >> >>
>> > >> >> Best of both worlds and also a simulation of the real
world (which
>> > >> could
>> > >> >> perhaps be used as a reference).
>> > >> >>
>> > >> >> Best regards,
>> > >> >> Thomas
>> > >> >>
>> > >> >> On Sep 13, 2016 5:46 PM, "Scott Rossillo" <
>> srossillo(a)smartling.com>
>> > >> wrote:
>> > >> >>
>> > >> >>> Vagrant leaves funny taste in my mouth. Docker
Compose to
>> orchestrate
>> > >> >>> things seems like a better option.
>> > >> >>>
>> > >> >>> Scott Rossillo
>> > >> >>> Smartling | Senior Software Engineer
>> > >> >>> srossillo(a)smartling.com
>> > >> >>>
>> > >> >>> On Sep 13, 2016, at 10:39 AM, Bruno Oliveira da Silva
<
>> > >> bruno(a)abstractj.org>
>> > >> >>> wrote:
>> > >> >>>
>> > >> >>> My question is: Docker or Vagrant?
>> > >> >>>
>> > >> >>> If we have plans to showcase SSSD Federation provider
+ things
>> like
>> > >> >>> start/stop sssd service to demonstrate the SSSD
provider won't be
>> > >> >>> enabled. I would say that Vagrant is easier and we
can benefit
>> from
>> > >> >>> these boxes[1], otherwise we just stick with
Marek's work.
>> > >> >>>
>> > >> >>> I will give DBus on Docker a second try, but last
time I checked
>> > >> wasn't
>> > >> >>> fun.
>> > >> >>>
>> > >> >>> [1] - https://github.com/freeipa/freeipa-workshop
>> > >> >>>
>> > >> >>> On 2016-09-13, Stian Thorgersen wrote:
>> > >> >>>
>> > >> >>> Forgot to add two things:
>> > >> >>>
>> > >> >>> * DNS setup - we want proper DNS setup on the
machines, which
>> would be
>> > >> >>> required for the Kerberos stuff to work properly
>> > >> >>> * HTTPS - optional, but would be great if it also had
HTTPS
>> configured
>> > >> >>>
>> > >> >>> On 13 September 2016 at 09:24, Marek Posolda <
>> mposolda(a)redhat.com>
>> > >> wrote:
>> > >> >>>
>> > >> >>> +1
>> > >> >>>
>> > >> >>> Few more things and tips (you may be already aware of
them, but
>> > >> still..
>> > >> >>> Hope some of them are useful :) :
>> > >> >>>
>> > >> >>> - My docker image [1] already contains FreeIPA server
and
>> Keycloak
>> > >> server
>> > >> >>> pre-configured with LDAP+Kerberos federation provider
to use it.
>> > >> Thing is
>> > >> >>> that both Keycloak+FreeIPA are on same machine, which
is likely
>> not
>> > >> the
>> > >> >>> best for show production setup. The workstation setup
needs to be
>> > >> done on
>> > >> >>> your local machine (so you need KErberos client +
Firefox setup
>> on
>> > >> your
>> > >> >>> laptop. That's sufficient for testing, but
probably also not
>> ideal for
>> > >> >>> showcase).
>> > >> >>>
>> > >> >>> - In addition to FreeIPA docker images for server,
FreeIPA has
>> also
>> > >> docker
>> > >> >>> image for client setup. See for example [2] . I am
not 100%
>> sure, but
>> > >> I
>> > >> >>> believe that if you run this docker image and point
to the
>> already
>> > >> running
>> > >> >>> "server" image, you will gain also all the
things like PAM setup,
>> > >> login to
>> > >> >>> the workstation with Kerberos credentials, and
automatically
>> retrieved
>> > >> >>> kerberos ticket during login. Hence you just login
to
>> workstation,
>> > >> open
>> > >> >>> firefox and you are authenticated to Keycloak. No
need to
>> manually run
>> > >> >>> "kinit".
>> > >> >>>
>> > >> >>>
>> > >> >>> The workstation will need to be a virtual machine
rather than
>> > >> container to
>> > >> >>> add X support. So IMO we should just use Vagrant and
have
>> FreeIPA and
>> > >> >>> use Vagrantfile to install Fedora + FreeIPA.
>> > >> >>>
>> > >> >>>
>> > >> >>>
>> > >> >>> - If Keycloak and FreeIPA server are on different
workstations,
>> then:
>> > >> >>> -- The Keycloak server may also need FreeIPA client
installed.
>> Or at
>> > >> least
>> > >> >>> kerberos client installed with proper setup in
/etc/krb5.conf
>> > >> pointing to
>> > >> >>> FreeIPA kerberos realm and proper DNS setup working
with FreeIPA.
>> > >> >>>
>> > >> >>>
>> > >> >>>
>> > >> >>> -- Also for different servers, you will likely need
to add HTTP
>> > >> kerberos
>> > >> >>> principal for the server where keycloak is running.
For example
>> if
>> > >> FreeIPA
>> > >> >>> is on "freeipa.example.org" and keycloak is
on "
>> keycloak.example.org
>> > >> ",
>> > >> >>> you will need the principal like
HTTP/keycloak.example.org@KEYC
>> > >> LOAK.ORG
>> > >> >>> <HTTP/keycloak.example.org(a)keycloak.org> .
>> > >> >>> This corresponds to LDAP principal under
>> "cn=services,cn=accounts,dc=
>> > >> >>> freeipa,dc=example,dc=org"
>> > >> >>> . Maybe FreeIPA has it documented somewhere and/or
it's easily
>> > >> possible to
>> > >> >>> add new HTTP server principal through FreeIPA admin
console. You
>> will
>> > >> also
>> > >> >>> need keytab exported with the credentials of this
principal.
>> > >> >>> Note this step is not needed if Keycloak and FreeIPA
are on same
>> > >> machine
>> > >> >>> as FreeIPA server automatically has HTTP principal
for it's own
>> > >> machine
>> > >> >>> (something like
HTTP/freeipa.example.org(a)KEYCLOAK.ORG
>> > >> >>> <HTTP/freeipa.example.org(a)keycloak.org> for the
example
>> > >> >>> above), to allow login to FreeIPA admin console with
kerberos
>> OOTB.
>> > >> >>>
>> > >> >>>
>> > >> >>> We should really figure out how to do this on
separate machines,
>> so I
>> > >> think
>> > >> >>> going that way would be best even though it's
harder to do.
>> > >> >>>
>> > >> >>>
>> > >> >>>
>> > >> >>>
>> > >> >>> [1]
https://github.com/mposolda/keycloak-freeipa-docker/
>> > >> >>> [2]
https://github.com/adelton/docker-freeipa/tree/fedora-22-cli
>> ent
>> > >> >>>
>> > >> >>> Marek
>> > >> >>>
>> > >> >>>
>> > >> >>> On 13/09/16 08:07, Stian Thorgersen wrote:
>> > >> >>>
>> > >> >>> I'd like to have a simple way to demo LDAP and
Kerberos support.
>> To
>> > >> that
>> > >> >>> end we should add a Vagrant setup with the
following:
>> > >> >>>
>> > >> >>> * Keycloak server
>> > >> >>> * MySQL or Postgres
>> > >> >>> * FreeIPA
>> > >> >>> * Workstation with Kerberos authentication (needs X
and Firefox
>> > >> installed)
>> > >> >>>
>> > >> >>> The Keycloak server should already be configured to
use the
>> FreeIPA
>> > >> >>> server as a user federation provider (using LDAP and
Kerberos).
>> The
>> > >> >>> workstation can be co-located with FreeIPA server if
it makes
>> things
>> > >> much
>> > >> >>> simpler, but it should be possible to login to the
workstation
>> with
>> > >> >>> Kerberos. Firefox should be pre-configured for
Kerberos to work
>> both
>> > >> on
>> > >> >>> Keycloak login and FreeIPA admin console.
>> > >> >>>
>> > >> >>> I want a proper database and a web based client for
the database
>> so
>> > >> it's
>> > >> >>> simple to inspect the database.
>> > >> >>>
>> > >> >>> Bruno has already volunteered to look into this, but
first we
>> should
>> > >> make
>> > >> >>> sure this is the setup we'd like to be able to
showcase.
>> > >> >>>
>> > >> >>>
>> > >> >>>
>> > >> >>>
>> > >> >>>
>> > >> >>> _______________________________________________
>> > >> >>> keycloak-dev mailing list
>> > >> >>> keycloak-dev(a)lists.jboss.org
>> > >> >>>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
>> > >> >>>
>> > >> >>>
>> > >> >>>
>> > >> >>> --
>> > >> >>>
>> > >> >>> abstractj
>> > >> >>> PGP: 0x84DC9914
>> > >> >>> _______________________________________________
>> > >> >>> keycloak-dev mailing list
>> > >> >>> keycloak-dev(a)lists.jboss.org
>> > >> >>>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
>> > >> >>>
>> > >> >>>
>> > >> >>>
>> > >> >>> _______________________________________________
>> > >> >>> keycloak-dev mailing list
>> > >> >>> keycloak-dev(a)lists.jboss.org
>> > >> >>>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
>> > >> >>>
>> > >> > --
>> > >> >
>> > >> > abstractj
>> > >> > PGP: 0x84DC9914
>> > >> > _______________________________________________
>> > >> > keycloak-dev mailing list
>> > >> > keycloak-dev(a)lists.jboss.org
>> > >> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>> > >>
>> > >>
>> > >> _______________________________________________
>> > >> keycloak-dev mailing list
>> > >> keycloak-dev(a)lists.jboss.org
>> > >> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>> > >>
>> > >
>> > >
>>
>> --
>>
>> abstractj
>> PGP: 0x84DC9914
>>
>
>
--
abstractj
PGP: 0x84DC9914
2:11 p.m.
FYI I just tested DBus and SSSD on Docker. This is no longer a blocker.
On 2016-09-13, Stian Thorgersen wrote:
Forgot to add two things:
* DNS setup - we want proper DNS setup on the machines, which would be
required for the Kerberos stuff to work properly
* HTTPS - optional, but would be great if it also had HTTPS configured
On 13 September 2016 at 09:24, Marek Posolda <mposolda(a)redhat.com> wrote:
> +1
>
> Few more things and tips (you may be already aware of them, but still..
> Hope some of them are useful :) :
>
> - My docker image [1] already contains FreeIPA server and Keycloak server
> pre-configured with LDAP+Kerberos federation provider to use it. Thing is
> that both Keycloak+FreeIPA are on same machine, which is likely not the
> best for show production setup. The workstation setup needs to be done on
> your local machine (so you need KErberos client + Firefox setup on your
> laptop. That's sufficient for testing, but probably also not ideal for
> showcase).
>
> - In addition to FreeIPA docker images for server, FreeIPA has also docker
> image for client setup. See for example [2] . I am not 100% sure, but I
> believe that if you run this docker image and point to the already running
> "server" image, you will gain also all the things like PAM setup, login
to
> the workstation with Kerberos credentials, and automatically retrieved
> kerberos ticket during login. Hence you just login to workstation, open
> firefox and you are authenticated to Keycloak. No need to manually run
> "kinit".
>
The workstation will need to be a virtual machine rather than container to
add X support. So IMO we should just use Vagrant and have FreeIPA and
use Vagrantfile to install Fedora + FreeIPA.
>
> - If Keycloak and FreeIPA server are on different workstations, then:
> -- The Keycloak server may also need FreeIPA client installed. Or at least
> kerberos client installed with proper setup in /etc/krb5.conf pointing to
> FreeIPA kerberos realm and proper DNS setup working with FreeIPA.
> -- Also for different servers, you will likely need to add HTTP kerberos
> principal for the server where keycloak is running. For example if FreeIPA
> is on "freeipa.example.org" and keycloak is on
"keycloak.example.org",
> you will need the principal like HTTP/keycloak.example.org(a)KEYCLOAK.ORG .
> This corresponds to LDAP principal under
"cn=services,cn=accounts,dc=freeipa,dc=example,dc=org"
> . Maybe FreeIPA has it documented somewhere and/or it's easily possible to
> add new HTTP server principal through FreeIPA admin console. You will also
> need keytab exported with the credentials of this principal.
> Note this step is not needed if Keycloak and FreeIPA are on same machine
> as FreeIPA server automatically has HTTP principal for it's own machine
> (something like HTTP/freeipa.example.org(a)KEYCLOAK.ORG for the example
> above), to allow login to FreeIPA admin console with kerberos OOTB.
>
We should really figure out how to do this on separate machines, so I think
going that way would be best even though it's harder to do.
>
>
> [1] https://github.com/mposolda/keycloak-freeipa-docker/
> [2] https://github.com/adelton/docker-freeipa/tree/fedora-22-client
>
> Marek
>
>
> On 13/09/16 08:07, Stian Thorgersen wrote:
>
>> I'd like to have a simple way to demo LDAP and Kerberos support. To that
>> end we should add a Vagrant setup with the following:
>>
>> * Keycloak server
>> * MySQL or Postgres
>> * FreeIPA
>> * Workstation with Kerberos authentication (needs X and Firefox installed)
>>
>> The Keycloak server should already be configured to use the FreeIPA
>> server as a user federation provider (using LDAP and Kerberos). The
>> workstation can be co-located with FreeIPA server if it makes things much
>> simpler, but it should be possible to login to the workstation with
>> Kerberos. Firefox should be pre-configured for Kerberos to work both on
>> Keycloak login and FreeIPA admin console.
>>
>> I want a proper database and a web based client for the database so it's
>> simple to inspect the database.
>>
>> Bruno has already volunteered to look into this, but first we should make
>> sure this is the setup we'd like to be able to showcase.
>>
>
>
>
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
abstractj
PGP: 0x84DC9914
9:33 a.m.
+1
IMO if we stick with Docker, we can just benefit of what you already
did. And like you mentioned, make use of the FreeIPA client docker
image.
On 2016-09-13, Marek Posolda wrote:
+1
Few more things and tips (you may be already aware of them, but still..
Hope some of them are useful :) :
- My docker image [1] already contains FreeIPA server and Keycloak
server pre-configured with LDAP+Kerberos federation provider to use it.
Thing is that both Keycloak+FreeIPA are on same machine, which is likely
not the best for show production setup. The workstation setup needs to
be done on your local machine (so you need KErberos client + Firefox
setup on your laptop. That's sufficient for testing, but probably also
not ideal for showcase).
- In addition to FreeIPA docker images for server, FreeIPA has also
docker image for client setup. See for example [2] . I am not 100% sure,
but I believe that if you run this docker image and point to the already
running "server" image, you will gain also all the things like PAM
setup, login to the workstation with Kerberos credentials, and
automatically retrieved kerberos ticket during login. Hence you just
login to workstation, open firefox and you are authenticated to
Keycloak. No need to manually run "kinit".
- If Keycloak and FreeIPA server are on different workstations, then:
-- The Keycloak server may also need FreeIPA client installed. Or at
least kerberos client installed with proper setup in /etc/krb5.conf
pointing to FreeIPA kerberos realm and proper DNS setup working with
FreeIPA.
-- Also for different servers, you will likely need to add HTTP kerberos
principal for the server where keycloak is running. For example if
FreeIPA is on "freeipa.example.org" and keycloak is on
"keycloak.example.org", you will need the principal like
HTTP/keycloak.example.org(a)KEYCLOAK.ORG . This corresponds to LDAP
principal under "cn=services,cn=accounts,dc=freeipa,dc=example,dc=org" .
Maybe FreeIPA has it documented somewhere and/or it's easily possible to
add new HTTP server principal through FreeIPA admin console. You will
also need keytab exported with the credentials of this principal.
Note this step is not needed if Keycloak and FreeIPA are on same machine
as FreeIPA server automatically has HTTP principal for it's own machine
(something like HTTP/freeipa.example.org(a)KEYCLOAK.ORG for the example
above), to allow login to FreeIPA admin console with kerberos OOTB.
[1] https://github.com/mposolda/keycloak-freeipa-docker/
[2] https://github.com/adelton/docker-freeipa/tree/fedora-22-client
Marek
On 13/09/16 08:07, Stian Thorgersen wrote:
> I'd like to have a simple way to demo LDAP and Kerberos support. To
> that end we should add a Vagrant setup with the following:
>
> * Keycloak server
> * MySQL or Postgres
> * FreeIPA
> * Workstation with Kerberos authentication (needs X and Firefox installed)
>
> The Keycloak server should already be configured to use the FreeIPA
> server as a user federation provider (using LDAP and Kerberos). The
> workstation can be co-located with FreeIPA server if it makes things
> much simpler, but it should be possible to login to the workstation
> with Kerberos. Firefox should be pre-configured for Kerberos to work
> both on Keycloak login and FreeIPA admin console.
>
> I want a proper database and a web based client for the database so
> it's simple to inspect the database.
>
> Bruno has already volunteered to look into this, but first we should
> make sure this is the setup we'd like to be able to showcase.
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
abstractj
PGP: 0x84DC9914
3044
days inactive
3045
days old
17 comments
5 participants
participants (5)
-
Bruno Oliveira da Silva -
Marek Posolda -
Scott Rossillo -
Stian Thorgersen -
Thomas Raehalme