3 a.m.
Forgot to add two things:
* DNS setup - we want proper DNS setup on the machines, which would be
required for the Kerberos stuff to work properly
* HTTPS - optional, but would be great if it also had HTTPS configured
On 13 September 2016 at 09:24, Marek Posolda <mposolda(a)redhat.com> wrote:
+1
Few more things and tips (you may be already aware of them, but still..
Hope some of them are useful :) :
- My docker image [1] already contains FreeIPA server and Keycloak server
pre-configured with LDAP+Kerberos federation provider to use it. Thing is
that both Keycloak+FreeIPA are on same machine, which is likely not the
best for show production setup. The workstation setup needs to be done on
your local machine (so you need KErberos client + Firefox setup on your
laptop. That's sufficient for testing, but probably also not ideal for
showcase).
- In addition to FreeIPA docker images for server, FreeIPA has also docker
image for client setup. See for example [2] . I am not 100% sure, but I
believe that if you run this docker image and point to the already running
"server" image, you will gain also all the things like PAM setup, login to
the workstation with Kerberos credentials, and automatically retrieved
kerberos ticket during login. Hence you just login to workstation, open
firefox and you are authenticated to Keycloak. No need to manually run
"kinit".
The workstation will need to be a virtual machine rather than container to
add X support. So IMO we should just use Vagrant and have FreeIPA and
use Vagrantfile to install Fedora + FreeIPA.
- If Keycloak and FreeIPA server are on different workstations, then:
-- The Keycloak server may also need FreeIPA client installed. Or at least
kerberos client installed with proper setup in /etc/krb5.conf pointing to
FreeIPA kerberos realm and proper DNS setup working with FreeIPA.
-- Also for different servers, you will likely need to add HTTP
kerberos
principal for the server where keycloak is running. For example if FreeIPA
is on "freeipa.example.org" and keycloak is on
"keycloak.example.org",
you will need the principal like HTTP/keycloak.example.org(a)KEYCLOAK.ORG .
This corresponds to LDAP principal under
"cn=services,cn=accounts,dc=freeipa,dc=example,dc=org"
. Maybe FreeIPA has it documented somewhere and/or it's easily possible to
add new HTTP server principal through FreeIPA admin console. You will also
need keytab exported with the credentials of this principal.
Note this step is not needed if Keycloak and FreeIPA are on same machine
as FreeIPA server automatically has HTTP principal for it's own machine
(something like HTTP/freeipa.example.org(a)KEYCLOAK.ORG for the example
above), to allow login to FreeIPA admin console with kerberos OOTB.
We should really figure out how to do this on separate machines, so I think
going that way would be best even though it's harder to do.
[1] https://github.com/mposolda/keycloak-freeipa-docker/
[2] https://github.com/adelton/docker-freeipa/tree/fedora-22-client
Marek
On 13/09/16 08:07, Stian Thorgersen wrote:
> I'd like to have a simple way to demo LDAP and Kerberos support. To that
> end we should add a Vagrant setup with the following:
>
> * Keycloak server
> * MySQL or Postgres
> * FreeIPA
> * Workstation with Kerberos authentication (needs X and Firefox installed)
>
> The Keycloak server should already be configured to use the FreeIPA
> server as a user federation provider (using LDAP and Kerberos). The
> workstation can be co-located with FreeIPA server if it makes things much
> simpler, but it should be possible to login to the workstation with
> Kerberos. Firefox should be pre-configured for Kerberos to work both on
> Keycloak login and FreeIPA admin console.
>
> I want a proper database and a web based client for the database so it's
> simple to inspect the database.
>
> Bruno has already volunteered to look into this, but first we should make
> sure this is the setup we'd like to be able to showcase.
>