Bruno - notice the missing fix version! It's a nice-to-have background task
and not a high priority at the moment.
On 14 September 2016 at 13:12, Stian Thorgersen <sthorger(a)redhat.com> wrote:
We do now:
https://issues.jboss.org/browse/KEYCLOAK-3577
On 14 September 2016 at 12:11, Bruno Oliveira da Silva <bruno(a)abstractj.org> wrote:
> +1 Not arguing in favor or against it, but thinking about what you
> described seems like the solution is the combination of both: Vagrant and
> Docker.
>
> Do we have a Jira for this?
>
> On 2016-09-14, Stian Thorgersen wrote:
> > To elaborate I could eventually see us having a big demo setup in the form of:
> >
> > * Keycloak or RH-SSO box
> > * Database box
> > * FreeIPA box
> > * Active Directory box
> > * Some SAML provider
> > * Some OIDC provider
> > * Fedora workstation
> > * Windows workstation
> >
> > Everything ready to go to show Keycloak as a fully capable identity
> > federation platform.
> >
> > On 14 September 2016 at 09:32, Stian Thorgersen <sthorger(a)redhat.com> wrote:
> >
> > > I want full desktop and show user login via desktop login, not Kerberos client. So full Gnome is required. Also, I think the DNS setup as well as orchestration may be simpler with Vagrant than Docker.
> > >
> > > We also may want to extend this to include good old Microsoft software in the form of Windows and Active Directory. In that case Docker is a show stopper and Vagrant/VMs is the only option.
> > >
> > > On 13 September 2016 at 21:46, Marek Posolda <mposolda(a)redhat.com> wrote:
> > >
> > >> On 13/09/16 21:10, Bruno Oliveira da Silva wrote:
> > >> > My 2 cents on it. Unless we have any strong argument for doing this, let's move forward with Docker. We already have a repository for this and I'm not sure if we have bandwidth to maintain 2 distinct repositories.
> > >> >
> > >> > Btw I'm curious, which real world scenario you could not reproduce with Docker?
> > >> I guess SPNEGO login with Firefox is the example of that scenario?
> > >>
> > >> If you want workstation with Kerberos + SPNEGO, you will need to configure kerberos client and your Firefox and then run FF inside docker container and display it "locally" on your laptop. Or is it something like the "propagation" of X from docker to your laptop possible? If yes, then everything is doable with docker though.
> > >>
> > >> Marek
> > >>
> > >> >
> > >> > On 2016-09-13, Thomas Raehalme wrote:
> > >> >> How about setting up multiple VMs with Vagrant but handling all software components with Docker?
> > >> >>
> > >> >> Best of both worlds and also a simulation of the real world (which could perhaps be used as a reference).
> > >> >>
> > >> >> Best regards,
> > >> >> Thomas
> > >> >>
> > >> >> On Sep 13, 2016 5:46 PM, "Scott Rossillo" <srossillo(a)smartling.com> wrote:
> > >> >>
> > >> >>> Vagrant leaves a funny taste in my mouth. Docker Compose to orchestrate things seems like a better option.
> > >> >>>
> > >> >>> Scott Rossillo
> > >> >>> Smartling | Senior Software Engineer
> > >> >>> srossillo(a)smartling.com
> > >> >>>
> > >> >>> On Sep 13, 2016, at 10:39 AM, Bruno Oliveira da Silva <bruno(a)abstractj.org> wrote:
> > >> >>>
> > >> >>> My question is: Docker or Vagrant?
> > >> >>>
> > >> >>> If we have plans to showcase SSSD Federation provider + things like start/stop sssd service to demonstrate the SSSD provider won't be enabled, I would say that Vagrant is easier and we can benefit from these boxes[1], otherwise we just stick with Marek's work.
> > >> >>>
> > >> >>> I will give DBus on Docker a second try, but last time I checked wasn't fun.
> > >> >>>
> > >> >>> [1] - https://github.com/freeipa/freeipa-workshop
> > >> >>>
> > >> >>> On 2016-09-13, Stian Thorgersen wrote:
> > >> >>>
> > >> >>> Forgot to add two things:
> > >> >>>
> > >> >>> * DNS setup - we want proper DNS setup on the machines, which would be required for the Kerberos stuff to work properly
> > >> >>> * HTTPS - optional, but would be great if it also had HTTPS configured
> > >> >>>
> > >> >>> On 13 September 2016 at 09:24, Marek Posolda <mposolda(a)redhat.com> wrote:
> > >> >>>
> > >> >>> +1
> > >> >>>
> > >> >>> Few more things and tips (you may be already aware of them, but still.. Hope some of them are useful :) :
> > >> >>>
> > >> >>> - My docker image [1] already contains FreeIPA server and Keycloak server pre-configured with LDAP+Kerberos federation provider to use it. Thing is that both Keycloak+FreeIPA are on same machine, which is likely not the best for show production setup. The workstation setup needs to be done on your local machine (so you need Kerberos client + Firefox setup on your laptop. That's sufficient for testing, but probably also not ideal for showcase).
> > >> >>>
> > >> >>> - In addition to FreeIPA docker images for server, FreeIPA has also docker image for client setup. See for example [2]. I am not 100% sure, but I believe that if you run this docker image and point to the already running "server" image, you will gain also all the things like PAM setup, login to the workstation with Kerberos credentials, and automatically retrieved kerberos ticket during login. Hence you just login to workstation, open firefox and you are authenticated to Keycloak. No need to manually run "kinit".
> > >> >>>
> > >> >>>
> > >> >>> The workstation will need to be a virtual machine rather than container to add X support. So IMO we should just use Vagrant and have FreeIPA and use Vagrantfile to install Fedora + FreeIPA.
> > >> >>>
> > >> >>>
> > >> >>>
> > >> >>> - If Keycloak and FreeIPA server are on different workstations, then:
> > >> >>> -- The Keycloak server may also need FreeIPA client installed. Or at least kerberos client installed with proper setup in /etc/krb5.conf pointing to FreeIPA kerberos realm and proper DNS setup working with FreeIPA.
> > >> >>>
> > >> >>>
> > >> >>>
> > >> >>> -- Also for different servers, you will likely need to add HTTP kerberos principal for the server where keycloak is running. For example if FreeIPA is on "freeipa.example.org" and keycloak is on "keycloak.example.org", you will need the principal like HTTP/keycloak.example.org@KEYCLOAK.ORG. This corresponds to LDAP principal under "cn=services,cn=accounts,dc=freeipa,dc=example,dc=org". Maybe FreeIPA has it documented somewhere and/or it's easily possible to add new HTTP server principal through FreeIPA admin console. You will also need keytab exported with the credentials of this principal.
> > >> >>> Note this step is not needed if Keycloak and FreeIPA are on same machine as FreeIPA server automatically has HTTP principal for its own machine (something like HTTP/freeipa.example.org@KEYCLOAK.ORG for the example above), to allow login to FreeIPA admin console with kerberos OOTB.
> > >> >>>
> > >> >>>
> > >> >>> We should really figure out how to do this on separate machines, so I think going that way would be best even though it's harder to do.
> > >> >>>
> > >> >>>
> > >> >>> [1] https://github.com/mposolda/keycloak-freeipa-docker/
> > >> >>> [2] https://github.com/adelton/docker-freeipa/tree/fedora-22-client
> > >> >>>
> > >> >>> Marek
> > >> >>>
> > >> >>>
> > >> >>> On 13/09/16 08:07, Stian Thorgersen wrote:
> > >> >>>
> > >> >>> I'd like to have a simple way to demo LDAP and Kerberos support. To that end we should add a Vagrant setup with the following:
> > >> >>>
> > >> >>> * Keycloak server
> > >> >>> * MySQL or Postgres
> > >> >>> * FreeIPA
> > >> >>> * Workstation with Kerberos authentication (needs X and Firefox installed)
> > >> >>>
> > >> >>> The Keycloak server should already be configured to use the FreeIPA server as a user federation provider (using LDAP and Kerberos). The workstation can be co-located with FreeIPA server if it makes things much simpler, but it should be possible to login to the workstation with Kerberos. Firefox should be pre-configured for Kerberos to work both on Keycloak login and FreeIPA admin console.
> > >> >>>
> > >> >>> I want a proper database and a web based client for the database so it's simple to inspect the database.
> > >> >>>
> > >> >>> Bruno has already volunteered to look into this, but first we should make sure this is the setup we'd like to be able to showcase.
> > >> >>>
> > >> >>>
> > >> >>>
> > >> >>>
> > >> >>>
> > >> >>> _______________________________________________
> > >> >>> keycloak-dev mailing list
> > >> >>> keycloak-dev(a)lists.jboss.org
> > >> >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> > >> >>>
> > >> >>>
> > >> >>>
> > >> >>> --
> > >> >>>
> > >> >>> abstractj
> > >> >>> PGP: 0x84DC9914
> > >>
> > >>
> > >>
> > >
> > >
>
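As an added example (not code from this thread, nor from the Keycloak or FreeIPA projects), the separate-hosts setup Marek describes: register the HTTP service principal for the Keycloak host in FreeIPA, export its keytab, write the krb5.conf the Keycloak host needs, and check that DNS and the keytab actually work before wiring it into the federation provider. Hostnames, the realm EXAMPLE.ORG and the keytab path are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from Keycloak/FreeIPA.
# Hostnames, realm and keytab path below are assumptions for illustration.
FREEIPA_HOST="${FREEIPA_HOST:-freeipa.example.org}"
KEYCLOAK_HOST="${KEYCLOAK_HOST:-keycloak.example.org}"
REALM="${REALM:-EXAMPLE.ORG}"
KEYTAB="${KEYTAB:-/etc/keycloak/http.keytab}"
# HTTP/<fqdn>@<REALM>: the service principal a SPNEGO browser requests a ticket for.
service_principal() { printf 'HTTP/%s@%s\n' "$1" "$2"; }
# Lower-cased realm is the DNS domain FreeIPA publishes its SRV records under.
domain_for_realm() { printf '%s\n' "$1" | tr 'A-Z' 'a-z'; }
# krb5.conf for a Keycloak host that is not an enrolled FreeIPA client:
# point the realm at the FreeIPA KDC and let DNS SRV lookups find it too.
krb5_conf() {
  realm="$1"; kdc="$2"; domain=$(domain_for_realm "$realm")
  cat <<EOF
[libdefaults]
  default_realm = $realm
  dns_lookup_kdc = true
  rdns = false
[realms]
  $realm = {
    kdc = $kdc
    admin_server = $kdc
  }
[domain_realm]
  .$domain = $realm
  $domain = $realm
EOF
}
# Run on the FreeIPA server with an admin ticket: create the host and service
# entries (the cn=services,cn=accounts,... object in LDAP) and export the keytab.
provision_keycloak_principal() {
  ipa host-add "$KEYCLOAK_HOST" --force
  ipa service-add "HTTP/$KEYCLOAK_HOST"
  ipa-getkeytab -s "$FREEIPA_HOST" -p "HTTP/$KEYCLOAK_HOST" -k "$KEYTAB"
}
# Run on the Keycloak host after copying the keytab and krb5.conf there:
# DNS must publish the KDC, and the keytab must yield a ticket for its principal.
verify_keycloak_host() {
  dig +short SRV "_kerberos._udp.$(domain_for_realm "$REALM")" | grep -q . || return 1
  klist -kt "$KEYTAB" | grep -q "$(service_principal "$KEYCLOAK_HOST" "$REALM")" || return 1
  kinit -kt "$KEYTAB" "$(service_principal "$KEYCLOAK_HOST" "$REALM")"
}
case "${1:-}" in
  provision) provision_keycloak_principal ;;
  krb5conf) krb5_conf "$REALM" "$FREEIPA_HOST" ;;
  verify) verify_keycloak_host ;;
esac
```

Invoke as `sh setup.sh provision` on the FreeIPA server, then `sh setup.sh krb5conf > /etc/krb5.conf` and `sh setup.sh verify` on the Keycloak host; the exported keytab path is what the Keycloak LDAP federation provider's Kerberos settings point at.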