[keycloak-dev] LDAP setup for demonstration purposes
mposolda at redhat.com
Tue Sep 13 03:24:35 EDT 2016
Few more things and tips (you may be already aware of them, but still..
Hope some of them are useful :) :
- My docker image  already contains FreeIPA server and Keycloak
server pre-configured with LDAP+Kerberos federation provider to use it.
Thing is that both Keycloak+FreeIPA are on same machine, which is likely
not the best for show production setup. The workstation setup needs to
be done on your local machine (so you need KErberos client + Firefox
setup on your laptop. That's sufficient for testing, but probably also
not ideal for showcase).
- In addition to FreeIPA docker images for server, FreeIPA has also
docker image for client setup. See for example  . I am not 100% sure,
but I believe that if you run this docker image and point to the already
running "server" image, you will gain also all the things like PAM
setup, login to the workstation with Kerberos credentials, and
automatically retrieved kerberos ticket during login. Hence you just
login to workstation, open firefox and you are authenticated to
Keycloak. No need to manually run "kinit".
- If Keycloak and FreeIPA server are on different workstations, then:
-- The Keycloak server may also need FreeIPA client installed. Or at
least kerberos client installed with proper setup in /etc/krb5.conf
pointing to FreeIPA kerberos realm and proper DNS setup working with
-- Also for different servers, you will likely need to add HTTP kerberos
principal for the server where keycloak is running. For example if
FreeIPA is on "freeipa.example.org" and keycloak is on
"keycloak.example.org", you will need the principal like
HTTP/keycloak.example.org at KEYCLOAK.ORG . This corresponds to LDAP
principal under "cn=services,cn=accounts,dc=freeipa,dc=example,dc=org" .
Maybe FreeIPA has it documented somewhere and/or it's easily possible to
add new HTTP server principal through FreeIPA admin console. You will
also need keytab exported with the credentials of this principal.
Note this step is not needed if Keycloak and FreeIPA are on same machine
as FreeIPA server automatically has HTTP principal for it's own machine
(something like HTTP/freeipa.example.org at KEYCLOAK.ORG for the example
above), to allow login to FreeIPA admin console with kerberos OOTB.
On 13/09/16 08:07, Stian Thorgersen wrote:
> I'd like to have a simple way to demo LDAP and Kerberos support. To
> that end we should add a Vagrant setup with the following:
> * Keycloak server
> * MySQL or Postgres
> * FreeIPA
> * Workstation with Kerberos authentication (needs X and Firefox installed)
> The Keycloak server should already be configured to use the FreeIPA
> server as a user federation provider (using LDAP and Kerberos). The
> workstation can be co-located with FreeIPA server if it makes things
> much simpler, but it should be possible to login to the workstation
> with Kerberos. Firefox should be pre-configured for Kerberos to work
> both on Keycloak login and FreeIPA admin console.
> I want a proper database and a web based client for the database so
> it's simple to inspect the database.
> Bruno has already volunteered to look into this, but first we should
> make sure this is the setup we'd like to be able to showcase.
More information about the keycloak-dev