On 14 September 2016 at 12:11, Bruno Oliveira da Silva <bruno@abstractj.org> wrote:
+1 Not arguing in favor or against it, but thinking about what you
described, it seems like the solution is the combination of both: Vagrant
and Docker.
Do we have a Jira for this?
On 2016-09-14, Stian Thorgersen wrote:
> To elaborate, I could eventually see us having a big demo setup in the
> form of:
>
> * Keycloak or RH-SSO box
> * Database box
> * FreeIPA box
> * Active Directory box
> * Some SAML provider
> * Some OIDC provider
> * Fedora workstation
> * Windows workstation
>
> Everything ready to go to show Keycloak as a fully capable identity
> federation platform.
>
> On 14 September 2016 at 09:32, Stian Thorgersen <sthorger@redhat.com> wrote:
>
> > I want a full desktop and to show user login via desktop login, not a
> > Kerberos client. So full Gnome is required. Also, I think the DNS setup
> > as well as orchestration may be simpler with Vagrant than Docker.
> >
> > We also may want to extend this to include good old Microsoft software
> > in the form of Windows and Active Directory. In that case Docker is a
> > show stopper and Vagrant/VMs is the only option.
> >
> > On 13 September 2016 at 21:46, Marek Posolda <mposolda@redhat.com> wrote:
> >
> >> On 13/09/16 21:10, Bruno Oliveira da Silva wrote:
> >> > My 2 cents on it. Unless we have any strong argument for doing this,
> >> > let's move forward with Docker. We already have a repository for
> >> > this and I'm not sure if we have bandwidth to maintain 2 distinct
> >> > repositories.
> >> >
> >> > Btw I'm curious, which real-world scenario could you not reproduce
> >> > with Docker?
> >> I guess SPNEGO login with Firefox is the example of that scenario?
> >>
> >> If you want a workstation with Kerberos + SPNEGO, you will need to
> >> configure the kerberos client and your Firefox and then run FF inside
> >> a docker container and display it "locally" on your laptop. Or is
> >> something like the "propagation" of X from docker to your laptop
> >> possible? If yes, then everything is doable with docker though.
> >>
> >> Marek
> >>
> >> >
> >> > On 2016-09-13, Thomas Raehalme wrote:
> >> >> How about setting up multiple VMs with Vagrant but handling all
> >> >> software components with Docker?
> >> >>
> >> >> Best of both worlds and also a simulation of the real world (which
> >> >> could perhaps be used as a reference).
> >> >>
> >> >> Best regards,
> >> >> Thomas
> >> >>
> >> >> On Sep 13, 2016 5:46 PM, "Scott Rossillo" <srossillo@smartling.com> wrote:
> >> >>
> >> >>> Vagrant leaves a funny taste in my mouth. Docker Compose to
> >> >>> orchestrate things seems like a better option.
> >> >>>
> >> >>> Scott Rossillo
> >> >>> Smartling | Senior Software Engineer
> >> >>> srossillo@smartling.com
> >> >>>
> >> >>> On Sep 13, 2016, at 10:39 AM, Bruno Oliveira da Silva <bruno@abstractj.org> wrote:
> >> >>>
> >> >>> My question is: Docker or Vagrant?
> >> >>>
> >> >>> If we have plans to showcase the SSSD federation provider + things
> >> >>> like start/stop sssd service to demonstrate the SSSD provider won't
> >> >>> be enabled, I would say that Vagrant is easier and we can benefit
> >> >>> from these boxes[1]; otherwise we just stick with Marek's work.
> >> >>>
> >> >>> I will give DBus on Docker a second try, but last time I checked
> >> >>> it wasn't fun.
> >> >>>
> >> >>> [1] - https://github.com/freeipa/freeipa-workshop
> >> >>>
> >> >>> On 2016-09-13, Stian Thorgersen wrote:
> >> >>>
> >> >>> Forgot to add two things:
> >> >>>
> >> >>> * DNS setup - we want proper DNS setup on the machines, which would
> >> >>> be required for the Kerberos stuff to work properly
> >> >>> * HTTPS - optional, but would be great if it also had HTTPS
> >> >>> configured
> >> >>>
> >> >>> On 13 September 2016 at 09:24, Marek Posolda <mposolda@redhat.com> wrote:
> >> >>>
> >> >>> +1
> >> >>>
> >> >>> A few more things and tips (you may already be aware of them, but
> >> >>> still... hope some of them are useful :) :
> >> >>>
> >> >>> - My docker image [1] already contains FreeIPA server and Keycloak
> >> >>> server pre-configured with LDAP+Kerberos federation provider to use
> >> >>> it. Thing is that both Keycloak+FreeIPA are on the same machine,
> >> >>> which is likely not the best for showing a production setup. The
> >> >>> workstation setup needs to be done on your local machine (so you
> >> >>> need Kerberos client + Firefox setup on your laptop. That's
> >> >>> sufficient for testing, but probably also not ideal for showcase).
> >> >>>
> >> >>> - In addition to FreeIPA docker images for server, FreeIPA also
> >> >>> has a docker image for client setup. See for example [2]. I am not
> >> >>> 100% sure, but I believe that if you run this docker image and
> >> >>> point it to the already running "server" image, you will also gain
> >> >>> all the things like PAM setup, login to the workstation with
> >> >>> Kerberos credentials, and automatically retrieved kerberos ticket
> >> >>> during login. Hence you just login to the workstation, open
> >> >>> firefox and you are authenticated to Keycloak. No need to manually
> >> >>> run "kinit".
> >> >>>
> >> >>>
> >> >>> The workstation will need to be a virtual machine rather than a
> >> >>> container to add X support. So IMO we should just use Vagrant and
> >> >>> have FreeIPA and use Vagrantfile to install Fedora + FreeIPA.
> >> >>>
> >> >>>
> >> >>>
> >> >>> - If Keycloak and FreeIPA server are on different workstations,
> >> >>> then:
> >> >>> -- The Keycloak server may also need the FreeIPA client installed.
> >> >>> Or at least the kerberos client installed with proper setup in
> >> >>> /etc/krb5.conf pointing to the FreeIPA kerberos realm and proper
> >> >>> DNS setup working with FreeIPA.
> >> >>>
> >> >>>
> >> >>>
> >> >>> -- Also for different servers, you will likely need to add an HTTP
> >> >>> kerberos principal for the server where keycloak is running. For
> >> >>> example if FreeIPA is on "freeipa.example.org" and keycloak is on
> >> >>> "keycloak.example.org", you will need a principal like
> >> >>> HTTP/keycloak.example.org@KEYCLOAK.ORG. This corresponds to the
> >> >>> LDAP principal under
> >> >>> "cn=services,cn=accounts,dc=freeipa,dc=example,dc=org". Maybe
> >> >>> FreeIPA has it documented somewhere and/or it's easily possible to
> >> >>> add a new HTTP server principal through the FreeIPA admin console.
> >> >>> You will also need a keytab exported with the credentials of this
> >> >>> principal.
> >> >>> Note this step is not needed if Keycloak and FreeIPA are on the
> >> >>> same machine as the FreeIPA server automatically has an HTTP
> >> >>> principal for its own machine (something like
> >> >>> HTTP/freeipa.example.org@KEYCLOAK.ORG for the example above), to
> >> >>> allow login to the FreeIPA admin console with kerberos OOTB.
> >> >>>
> >> >>>
> >> >>> We should really figure out how to do this on separate machines,
> >> >>> so I think going that way would be best even though it's harder
> >> >>> to do.
> >> >>>
> >> >>>
> >> >>>
> >> >>>
> >> >>> [1] https://github.com/mposolda/keycloak-freeipa-docker/
> >> >>> [2] https://github.com/adelton/docker-freeipa/tree/fedora-22-client
> >> >>>
> >> >>> Marek
> >> >>>
> >> >>>
> >> >>> On 13/09/16 08:07, Stian Thorgersen wrote:
> >> >>>
> >> >>> I'd like to have a simple way to demo LDAP and Kerberos support.
> >> >>> To that end we should add a Vagrant setup with the following:
> >> >>>
> >> >>> * Keycloak server
> >> >>> * MySQL or Postgres
> >> >>> * FreeIPA
> >> >>> * Workstation with Kerberos authentication (needs X and Firefox
> >> >>> installed)
> >> >>>
> >> >>> The Keycloak server should already be configured to use the
> >> >>> FreeIPA server as a user federation provider (using LDAP and
> >> >>> Kerberos). The workstation can be co-located with the FreeIPA
> >> >>> server if it makes things much simpler, but it should be possible
> >> >>> to login to the workstation with Kerberos. Firefox should be
> >> >>> pre-configured for Kerberos to work both on Keycloak login and the
> >> >>> FreeIPA admin console.
> >> >>>
> >> >>> I want a proper database and a web based client for the database
> >> >>> so it's simple to inspect the database.
> >> >>>
> >> >>> Bruno has already volunteered to look into this, but first we
> >> >>> should make sure this is the setup we'd like to be able to
> >> >>> showcase.
> >> >>>
> >> >>> _______________________________________________
> >> >>> keycloak-dev mailing list
> >> >>> keycloak-dev@lists.jboss.org
> >> >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >> >>> --
> >> >>>
> >> >>> abstractj
> >> >>> PGP: 0x84DC9914
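Marek's point above about exporting a keytab for the HTTP principal of the Keycloak host is the step that most often goes wrong once Keycloak and FreeIPA run on separate machines: the keytab handed to Keycloak ends up holding the FreeIPA server's own HTTP principal, a principal in the wrong realm, or a key for an enctype nobody should still accept, and the SPNEGO negotiation fails. The script below is an added example, not code from this thread or from the Keycloak or FreeIPA projects: a small reader for the MIT keytab format that lists the principals a keytab contains (what `klist -kt` shows) and checks that the one expected for the Keycloak host is present and not keyed with a weak enctype. The host names, the EXAMPLE.ORG realm, the kvno values and the key bytes are constructed for the example; on a real deployment the keytab would be written by `ipa-getkeytab`.

```python
"""Inspect a Kerberos keytab (MIT v2 format) and verify that it carries the
HTTP service principal expected for a given host and realm.

Added example for the keytab step discussed in the thread; not code from
the Keycloak or FreeIPA projects. The host names, the EXAMPLE.ORG realm
and the key bytes are constructed, not real keys.
"""
import struct
from dataclasses import dataclass

# Kerberos enctype numbers (RFC 3961 / IANA registry) that should not be
# present in a keytab handed to a web SSO server today.
WEAK_ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
                 16: "des3-cbc-sha1", 23: "rc4-hmac"}
AES256_SHA1 = 18  # aes256-cts-hmac-sha1-96


@dataclass
class KeytabEntry:
    principal: str  # e.g. HTTP/keycloak.example.org@EXAMPLE.ORG
    kvno: int
    enctype: int


def _counted(buf: bytes, off: int):
    """Read a 16-bit length-prefixed octet string at buf[off:]."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def parse_keytab(data: bytes) -> list[KeytabEntry]:
    """Parse an MIT keytab (magic 0x0502, big-endian fields) into entries."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    entries, off = [], 2
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:            # a negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        (enctype,) = struct.unpack_from(">H", data, off)
        off += 2
        _key, off = _counted(data, off)     # key material is never printed
        kvno = vno8
        if end - off >= 4:      # optional 32-bit kvno overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   kvno, enctype))
        off = end
    return entries


def build_keytab(entries) -> bytes:
    """Serialise (principal, kvno, enctype, key) tuples as a v2 keytab.
    Used here only to construct sample input; ipa-getkeytab writes real ones."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # NT-PRINCIPAL, ts 0
        body += struct.pack(">H", enctype)
        body += struct.pack(">H", len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def check_keytab(data: bytes, hostname: str, realm: str,
                 service: str = "HTTP") -> list[str]:
    """Return a list of problems; empty means the keytab holds the
    service principal for `hostname` in `realm` and no weak keys."""
    expected = f"{service}/{hostname}@{realm}"
    entries = parse_keytab(data)
    problems = []
    if not any(e.principal == expected for e in entries):
        problems.append(f"missing {expected}")
    for e in entries:
        if e.principal.startswith(service + "/") and e.principal != expected:
            problems.append(f"{e.principal} is not the principal for "
                            f"{hostname} (exported for the wrong host or realm?)")
        if e.enctype in WEAK_ENCTYPES:
            problems.append(f"{e.principal} kvno {e.kvno} uses weak enctype "
                            f"{WEAK_ENCTYPES[e.enctype]}")
    return problems


# Constructed sample: the keytab the Keycloak host should receive...
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/keycloak.example.org@EXAMPLE.ORG", 2, AES256_SHA1, bytes(range(32))),
])
# ...and one exported by mistake for the FreeIPA server's own HTTP principal,
# carrying an rc4-hmac key next to the AES one.
MISMATCHED_KEYTAB = build_keytab([
    ("HTTP/freeipa.example.org@EXAMPLE.ORG", 1, AES256_SHA1, bytes(range(32))),
    ("HTTP/freeipa.example.org@EXAMPLE.ORG", 1, 23, bytes(16)),
])

if __name__ == "__main__":
    for label, kt in (("correct", SAMPLE_KEYTAB), ("mismatched", MISMATCHED_KEYTAB)):
        for e in parse_keytab(kt):
            print(f"{label}: kvno {e.kvno} enctype {e.enctype} {e.principal}")
        print(label, "->", check_keytab(kt, "keycloak.example.org", "EXAMPLE.ORG") or "OK")
```

Run as-is, the script lists the entries of both constructed keytabs and reports no problems for the first and four for the second (the expected principal is missing, both entries name the wrong host, and one is keyed with rc4-hmac). On a real Keycloak host, read the file the Kerberos federation provider is pointed at (for example `open("/etc/keycloak.keytab", "rb").read()`, path assumed) and pass the host name from Keycloak's public URL together with the FreeIPA realm; the realm must also match what `/etc/krb5.conf` maps the host's domain to, which is the DNS and krb5.conf point Marek raises in the same mail.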