Vagrant leaves a funny taste in my mouth. Docker Compose to orchestrate things seems like a better option.

Scott Rossillo
Smartling | Senior Software Engineer
srossillo@smartling.com

On Sep 13, 2016, at 10:39 AM, Bruno Oliveira da Silva <bruno@abstractj.org> wrote:

My question is: Docker or Vagrant?

If we have plans to showcase SSSD Federation provider + things like
start/stop sssd service to demonstrate the SSSD provider won't be
enabled. I would say that Vagrant is easier and we can benefit from
these boxes[1], otherwise we just stick with Marek's work.

I will give DBus on Docker a second try, but the last time I checked it wasn't
fun.

[1] - https://github.com/freeipa/freeipa-workshop

On 2016-09-13, Stian Thorgersen wrote:
Forgot to add two things:

* DNS setup - we want proper DNS setup on the machines, which would be
required for the Kerberos stuff to work properly
* HTTPS - optional, but would be great if it also had HTTPS configured

On 13 September 2016 at 09:24, Marek Posolda <mposolda@redhat.com> wrote:

+1

A few more things and tips (you may already be aware of them, but still...
hope some of them are useful :) :

- My docker image [1] already contains a FreeIPA server and Keycloak server
pre-configured with the LDAP+Kerberos federation provider to use it. The thing is
that both Keycloak+FreeIPA are on the same machine, which is likely not the
best for showcasing a production setup. The workstation setup needs to be done on
your local machine (so you need Kerberos client + Firefox setup on your
laptop. That's sufficient for testing, but probably also not ideal for a
showcase).

- In addition to FreeIPA docker images for the server, FreeIPA also has a docker
image for client setup. See for example [2]. I am not 100% sure, but I
believe that if you run this docker image and point it to the already running
"server" image, you will also gain all the things like PAM setup, login to
the workstation with Kerberos credentials, and an automatically retrieved
Kerberos ticket during login. Hence you just log in to the workstation, open
Firefox and you are authenticated to Keycloak. No need to manually run
"kinit".


The workstation will need to be a virtual machine rather than a container to
add X support. So IMO we should just use Vagrant and have FreeIPA and
use a Vagrantfile to install Fedora + FreeIPA.



- If Keycloak and FreeIPA server are on different workstations, then:
-- The Keycloak server may also need the FreeIPA client installed, or at least
a Kerberos client installed with a proper setup in /etc/krb5.conf pointing to
the FreeIPA Kerberos realm and a proper DNS setup working with FreeIPA.


-- Also for different servers, you will likely need to add an HTTP Kerberos
principal for the server where Keycloak is running. For example, if FreeIPA
is on "freeipa.example.org" and Keycloak is on "keycloak.example.org",
you will need a principal like HTTP/keycloak.example.org@KEYCLOAK.ORG .
This corresponds to the LDAP principal under
"cn=services,cn=accounts,dc=freeipa,dc=example,dc=org". Maybe FreeIPA has it
documented somewhere and/or it's easily possible to add a new HTTP server
principal through the FreeIPA admin console. You will also need a keytab
exported with the credentials of this principal.
Note this step is not needed if Keycloak and FreeIPA are on the same machine,
as the FreeIPA server automatically has an HTTP principal for its own machine
(something like HTTP/freeipa.example.org@KEYCLOAK.ORG for the example
above), to allow login to the FreeIPA admin console with Kerberos OOTB.


We should really figure out how to do this on separate machines, so I think
going that way would be best even though it's harder to do.




[1] https://github.com/mposolda/keycloak-freeipa-docker/
[2] https://github.com/adelton/docker-freeipa/tree/fedora-22-client

Marek
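Marek's checklist for a Keycloak host that runs separately from the FreeIPA server (a /etc/krb5.conf pointing at the FreeIPA realm, an HTTP/<keycloak-host> principal, and a keytab exported for it) is the kind of thing that is worth verifying mechanically before a demo, because the usual failure is a keytab that holds the FreeIPA server's own HTTP principal instead of the Keycloak host's. The script below is an added example and is not code from this thread, from Keycloak or from FreeIPA. It reads a krb5.conf and the output of `klist -kt` and reports what is missing. The host and realm names are taken from Marek's example (freeipa.example.org, keycloak.example.org, KEYCLOAK.ORG); the krb5.conf layout and the klist samples are constructed for the example.

```python
import re

# Constructed sample of /etc/krb5.conf on the Keycloak host. Host and realm
# names follow Marek's example; the file layout itself is an assumption.
KRB5_CONF_OK = """\
[libdefaults]
  default_realm = KEYCLOAK.ORG
  dns_lookup_kdc = true

[realms]
  KEYCLOAK.ORG = {
    kdc = freeipa.example.org
    admin_server = freeipa.example.org
  }

[domain_realm]
  .example.org = KEYCLOAK.ORG
  example.org = KEYCLOAK.ORG
"""

# Constructed sample in the shape of `klist -kt /etc/keycloak.keytab` output:
# the keytab holds the HTTP principal for the Keycloak host itself.
KLIST_OK = """\
Keytab name: FILE:/etc/keycloak.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 09/13/2016 10:39:00 HTTP/keycloak.example.org@KEYCLOAK.ORG
   2 09/13/2016 10:39:00 HTTP/keycloak.example.org@KEYCLOAK.ORG
"""

# Constructed failure case: the keytab copied over is the FreeIPA server's own
# HTTP principal, which only works when both run on one machine.
KLIST_WRONG_HOST = """\
Keytab name: FILE:/etc/keycloak.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 09/13/2016 10:39:00 HTTP/freeipa.example.org@KEYCLOAK.ORG
"""


def parse_krb5_conf(text):
    """Minimal krb5.conf reader: {section: {key: [values]}}, with each
    `REALM = { ... }` block under [realms] kept as its own nested dict."""
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, block = m.group(1), None
            sections.setdefault(section, {})
            continue
        if line == "}":
            block = None
            continue
        m = re.fullmatch(r"([^=\s]+)\s*=\s*\{", line)
        if m and section is not None:
            block = m.group(1)
            sections[section][block] = {}
            continue
        m = re.fullmatch(r"([^=\s]+)\s*=\s*(.+)", line)
        if m and section is not None:
            key, value = m.groups()
            target = sections[section][block] if block else sections[section]
            target.setdefault(key, []).append(value)
    return sections


def keytab_principals(klist_output):
    """Principal names from `klist -kt` output (the last token of each row)."""
    rows = (re.search(r"(\S+@\S+)\s*$", ln) for ln in klist_output.splitlines())
    return {m.group(1) for m in rows if m}


def check_keycloak_host(krb5_text, klist_output, hostname):
    """Return a list of problems; an empty list means the host passes the checklist."""
    conf = parse_krb5_conf(krb5_text)
    problems = []
    if "." not in hostname:
        problems.append(f"hostname {hostname!r} is not an FQDN; the HTTP principal needs one")
    realm = conf.get("libdefaults", {}).get("default_realm", [None])[0]
    if realm is None:
        problems.append("krb5.conf has no default_realm")
        return problems
    dns_kdc = conf["libdefaults"].get("dns_lookup_kdc", ["false"])[0].lower() == "true"
    realm_cfg = conf.get("realms", {}).get(realm)
    if realm_cfg is None and not dns_kdc:
        problems.append(f"realm {realm} has no [realms] entry and dns_lookup_kdc is off")
    elif realm_cfg is not None and not realm_cfg.get("kdc") and not dns_kdc:
        problems.append(f"realm {realm} lists no kdc and dns_lookup_kdc is off")
    domain = "." + hostname.split(".", 1)[1] if "." in hostname else None
    mapped = conf.get("domain_realm", {}).get(domain, [None])[0] if domain else None
    if domain and mapped not in (None, realm):
        problems.append(f"[domain_realm] maps {domain} to {mapped}, not {realm}")
    expected = f"HTTP/{hostname}@{realm}"  # the principal Keycloak must hold a key for
    found = keytab_principals(klist_output)
    if expected not in found:
        problems.append(f"keytab lacks {expected}; it holds {sorted(found)}")
    return problems


if __name__ == "__main__":
    for label, klist in (("ok", KLIST_OK), ("wrong host", KLIST_WRONG_HOST)):
        print(label, check_keycloak_host(KRB5_CONF_OK, klist, "keycloak.example.org") or "OK")
```

On a real host you would feed it the contents of /etc/krb5.conf and the output of `klist -kt <keytab>` for the keytab Keycloak is configured with, and the hostname that Firefox will actually use in the URL; the principal must match that name exactly, which is why the DNS setup Stian asks for matters.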


On 13/09/16 08:07, Stian Thorgersen wrote:

I'd like to have a simple way to demo LDAP and Kerberos support. To that
end we should add a Vagrant setup with the following:

* Keycloak server
* MySQL or Postgres
* FreeIPA
* Workstation with Kerberos authentication (needs X and Firefox installed)

The Keycloak server should already be configured to use the FreeIPA
server as a user federation provider (using LDAP and Kerberos). The
workstation can be co-located with the FreeIPA server if it makes things much
simpler, but it should be possible to log in to the workstation with
Kerberos. Firefox should be pre-configured for Kerberos to work both on
Keycloak login and the FreeIPA admin console.

I want a proper database and a web-based client for the database so it's
simple to inspect the database.

Bruno has already volunteered to look into this, but first we should make
sure this is the setup we'd like to be able to showcase.





_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev


--

abstractj
PGP: 0x84DC9914