[keycloak-dev] LDAP setup for demonstration purposes

Tue Sep 13 03:24:35 EDT 2016

+1

Few more things and tips (you may be already aware of them, but still.. 
Hope some of them are useful :) :

- My docker image [1] already contains FreeIPA server and Keycloak 
server pre-configured with LDAP+Kerberos federation provider to use it. 
Thing is that both Keycloak+FreeIPA are on same machine, which is likely 
not the best for show production setup. The workstation setup needs to 
be done on your local machine (so you need KErberos client + Firefox 
setup on your laptop. That's sufficient for testing, but probably also 
not ideal for showcase).

- In addition to FreeIPA docker images for server, FreeIPA has also 
docker image for client setup. See for example [2] . I am not 100% sure, 
but I believe that if you run this docker image and point to the already 
running "server" image, you will gain also all the things like PAM 
setup, login to the workstation with Kerberos credentials, and 
automatically retrieved kerberos ticket during login. Hence you just 
login to workstation, open firefox and you are authenticated to 
Keycloak. No need to manually run "kinit".

- If Keycloak and FreeIPA server are on different workstations, then:
-- The Keycloak server may also need FreeIPA client installed. Or at 
least kerberos client installed with proper setup in /etc/krb5.conf 
pointing to FreeIPA kerberos realm and proper DNS setup working with 
FreeIPA.

-- Also for different servers, you will likely need to add HTTP kerberos 
principal for the server where keycloak is running. For example if 
FreeIPA is on "freeipa.example.org" and keycloak is on 
"keycloak.example.org", you will need the principal like 
HTTP/keycloak.example.org at KEYCLOAK.ORG . This corresponds to LDAP 
principal under "cn=services,cn=accounts,dc=freeipa,dc=example,dc=org" . 
Maybe FreeIPA has it documented somewhere and/or it's easily possible to 
add new HTTP server principal through FreeIPA admin console. You will 
also need keytab exported with the credentials of this principal.
Note this step is not needed if Keycloak and FreeIPA are on same machine 
as FreeIPA server automatically has HTTP principal for it's own machine 
(something like HTTP/freeipa.example.org at KEYCLOAK.ORG for the example 
above), to allow login to FreeIPA admin console with kerberos OOTB.

[1] https://github.com/mposolda/keycloak-freeipa-docker/
[2] https://github.com/adelton/docker-freeipa/tree/fedora-22-client

Marek

On 13/09/16 08:07, Stian Thorgersen wrote:
> I'd like to have a simple way to demo LDAP and Kerberos support. To 
> that end we should add a Vagrant setup with the following:
>
> * Keycloak server
> * MySQL or Postgres
> * FreeIPA
> * Workstation with Kerberos authentication (needs X and Firefox installed)
>
> The Keycloak server should already be configured to use the FreeIPA 
> server as a user federation provider (using LDAP and Kerberos). The 
> workstation can be co-located with FreeIPA server if it makes things 
> much simpler, but it should be possible to login to the workstation 
> with Kerberos. Firefox should be pre-configured for Kerberos to work 
> both on Keycloak login and FreeIPA admin console.
>
> I want a proper database and a web based client for the database so 
> it's simple to inspect the database.
>
> Bruno has already volunteered to look into this, but first we should 
> make sure this is the setup we'd like to be able to showcase.