To elaborate I could eventually see us having a big demo setup in the form
of:
* Keycloak or RH-SSO box
* Database box
* FreeIPA box
* Active Directory box
* Some SAML provider
* Some OIDC provider
* Fedora workstation
* Windows workstation
Everything ready to go to show Keycloak as a fully capable identity
federation platform.
On 14 September 2016 at 09:32, Stian Thorgersen <sthorger(a)redhat.com> wrote:
I want full desktop and show user login via desktop login, not Kerberos client. So full Gnome is required. Also, I think the DNS setup as well as orchestration may be simpler with Vagrant than Docker.
We also may want to extend this to include good old Microsoft software in
the form of Windows and Active Directory. In that case Docker is a show
stopper and Vagrant/VMs is the only option.
On 13 September 2016 at 21:46, Marek Posolda <mposolda(a)redhat.com> wrote:
> On 13/09/16 21:10, Bruno Oliveira da Silva wrote:
> > My 2 cents on it. Unless we have any strong argument for doing this, let's move forward with Docker. We already have a repository for this and I'm not sure if we have bandwidth to maintain 2 distinct repositories.
> >
> > Btw I'm curious, which real world scenario you could not reproduce with
> > Docker?
> I guess SPNEGO login with Firefox is the example of that scenario?
>
> If you want workstation with Kerberos + SPNEGO, you will need to
> configure kerberos client and your Firefox and then run FF inside docker
> container and display it "locally" on your laptop. Or is it something
> like the "propagation" of X from docker to your laptop possible? If yes,
> then everything is doable with docker though.
>
> Marek
>
> >
> > On 2016-09-13, Thomas Raehalme wrote:
> >> How about setting up multiple VMs with Vagrant but handling all software components with Docker?
> >>
> >> Best of both worlds and also a simulation of the real world (which could perhaps be used as a reference).
> >>
> >> Best regards,
> >> Thomas
> >>
> >> On Sep 13, 2016 5:46 PM, "Scott Rossillo" <srossillo(a)smartling.com> wrote:
> >>
> >>> Vagrant leaves a funny taste in my mouth. Docker Compose to orchestrate things seems like a better option.
> >>>
> >>> Scott Rossillo
> >>> Smartling | Senior Software Engineer
> >>> srossillo(a)smartling.com
> >>>
> >>> On Sep 13, 2016, at 10:39 AM, Bruno Oliveira da Silva <bruno(a)abstractj.org> wrote:
> >>>
> >>> My question is: Docker or Vagrant?
> >>>
> >>> If we have plans to showcase SSSD Federation provider + things like start/stop sssd service to demonstrate the SSSD provider won't be enabled, I would say that Vagrant is easier and we can benefit from these boxes[1], otherwise we just stick with Marek's work.
> >>>
> >>> I will give DBus on Docker a second try, but last time I checked it wasn't fun.
> >>>
> >>> [1] - https://github.com/freeipa/freeipa-workshop
> >>>
> >>> On 2016-09-13, Stian Thorgersen wrote:
> >>>
> >>> Forgot to add two things:
> >>>
> >>> * DNS setup - we want proper DNS setup on the machines, which would be required for the Kerberos stuff to work properly
> >>> * HTTPS - optional, but would be great if it also had HTTPS configured
> >>>
> >>> On 13 September 2016 at 09:24, Marek Posolda <mposolda(a)redhat.com> wrote:
> >>>
> >>> +1
> >>>
> >>> A few more things and tips (you may be already aware of them, but still.. Hope some of them are useful :) :
> >>>
> >>> - My docker image [1] already contains FreeIPA server and Keycloak server pre-configured with LDAP+Kerberos federation provider to use it. Thing is that both Keycloak+FreeIPA are on the same machine, which is likely not the best for show production setup. The workstation setup needs to be done on your local machine (so you need Kerberos client + Firefox setup on your laptop. That's sufficient for testing, but probably also not ideal for showcase).
> >>>
> >>> - In addition to FreeIPA docker images for server, FreeIPA has also docker image for client setup. See for example [2] . I am not 100% sure, but I believe that if you run this docker image and point to the already running "server" image, you will gain also all the things like PAM setup, login to the workstation with Kerberos credentials, and automatically retrieved kerberos ticket during login. Hence you just login to workstation, open firefox and you are authenticated to Keycloak. No need to manually run "kinit".
> >>>
> >>>
> >>> The workstation will need to be a virtual machine rather than container to add X support. So IMO we should just use Vagrant and have FreeIPA and use Vagrantfile to install Fedora + FreeIPA.
> >>>
> >>>
> >>>
> >>> - If Keycloak and FreeIPA server are on different workstations, then:
> >>> -- The Keycloak server may also need FreeIPA client installed. Or at least kerberos client installed with proper setup in /etc/krb5.conf pointing to FreeIPA kerberos realm and proper DNS setup working with FreeIPA.
> >>>
> >>>
> >>>
> >>> -- Also for different servers, you will likely need to add HTTP kerberos principal for the server where keycloak is running. For example if FreeIPA is on "freeipa.example.org" and keycloak is on "keycloak.example.org", you will need the principal like HTTP/keycloak.example.org@KEYCLOAK.ORG . This corresponds to LDAP principal under "cn=services,cn=accounts,dc=freeipa,dc=example,dc=org" . Maybe FreeIPA has it documented somewhere and/or it's easily possible to add new HTTP server principal through FreeIPA admin console. You will also need keytab exported with the credentials of this principal.
> >>> Note this step is not needed if Keycloak and FreeIPA are on the same machine as FreeIPA server automatically has HTTP principal for its own machine (something like HTTP/freeipa.example.org@KEYCLOAK.ORG for the example above), to allow login to FreeIPA admin console with kerberos OOTB.
> >>>
> >>>
> >>> We should really figure out how to do this on separate machines, so I think going that way would be best even though it's harder to do.
> >>>
> >>>
> >>>
> >>>
> >>> [1] https://github.com/mposolda/keycloak-freeipa-docker/
> >>> [2] https://github.com/adelton/docker-freeipa/tree/fedora-22-client
> >>>
> >>> Marek
> >>>
> >>>
> >>> On 13/09/16 08:07, Stian Thorgersen wrote:
> >>>
> >>> I'd like to have a simple way to demo LDAP and Kerberos support. To that end we should add a Vagrant setup with the following:
> >>>
> >>> * Keycloak server
> >>> * MySQL or Postgres
> >>> * FreeIPA
> >>> * Workstation with Kerberos authentication (needs X and Firefox installed)
> >>>
> >>> The Keycloak server should already be configured to use the FreeIPA server as a user federation provider (using LDAP and Kerberos). The workstation can be co-located with FreeIPA server if it makes things much simpler, but it should be possible to login to the workstation with Kerberos. Firefox should be pre-configured for Kerberos to work both on Keycloak login and FreeIPA admin console.
> >>>
> >>> I want a proper database and a web based client for the database so it's simple to inspect the database.
> >>>
> >>> Bruno has already volunteered to look into this, but first we should make sure this is the setup we'd like to be able to showcase.
> >>>
> >>> _______________________________________________
> >>> keycloak-dev mailing list
> >>> keycloak-dev(a)lists.jboss.org
> >>>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>>
> >>> --
> >>>
> >>> abstractj
> >>> PGP: 0x84DC9914
> >>>
> > --
> >
> > abstractj
> > PGP: 0x84DC9914
>
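Marek's note about the extra HTTP service principal, keytab and /etc/krb5.conf that a split Keycloak/FreeIPA demo needs, as an added example (not code from this thread): it derives those pieces from the topology and emits nothing extra when both run on one host. Host names and realm are the thread's example values; the LDAP base DN, the keytab path and the exact command lines are assumptions, standard FreeIPA CLI usage rather than anything the thread shows.

```python
# Added example, not code from the keycloak-dev thread. Plans the Kerberos
# pieces Keycloak needs when it runs on a different host than FreeIPA.
from dataclasses import dataclass
import re

# lower-case FQDN, at least two labels (hostnames in krb5 principals are case-sensitive)
FQDN = re.compile(r"^(?=.{1,253}$)([a-z0-9-]+\.)+[a-z0-9-]+$")

@dataclass(frozen=True)
class Topology:
    freeipa_host: str   # FreeIPA server FQDN (KDC + LDAP)
    keycloak_host: str  # host running Keycloak
    realm: str          # Kerberos realm served by FreeIPA
    base_dn: str        # FreeIPA LDAP suffix (assumed value in the usage below)

def http_principal(host: str, realm: str) -> str:
    """HTTP service principal for a web host; realm names are upper-case by convention."""
    if not FQDN.match(host):
        raise ValueError(f"not a lower-case FQDN: {host!r}")
    if realm != realm.upper():
        raise ValueError(f"realm must be upper-case: {realm!r}")
    return f"HTTP/{host}@{realm}"

def plan(t: Topology, keytab: str = "/etc/keycloak.keytab") -> dict:
    """Principal, LDAP entry and setup commands; no commands when co-located,
    because the FreeIPA server already owns HTTP/<its own fqdn>@REALM."""
    principal = http_principal(t.keycloak_host, t.realm)
    split = t.keycloak_host != t.freeipa_host
    cmds = []
    if split:  # run with an admin ticket (or on the enrolled Keycloak host)
        cmds = [f"ipa service-add {principal}",
                f"ipa-getkeytab -s {t.freeipa_host} -p {principal} -k {keytab}"]
    return {
        "principal": principal,
        "needs_new_principal": split,
        "ldap_dn": f"krbprincipalname={principal},cn=services,cn=accounts,{t.base_dn}",
        "commands": cmds,
    }

def krb5_conf(t: Topology) -> str:
    """Minimal /etc/krb5.conf for the Keycloak host, pointing at the FreeIPA KDC."""
    domain = t.keycloak_host.split(".", 1)[1]
    return "\n".join([
        "[libdefaults]", f"  default_realm = {t.realm}", "  dns_lookup_kdc = true",
        "[realms]", f"  {t.realm} = {{", f"    kdc = {t.freeipa_host}",
        f"    admin_server = {t.freeipa_host}", "  }",
        "[domain_realm]", f"  .{domain} = {t.realm}", f"  {domain} = {t.realm}", ""])
```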