[keycloak-dev] LDAP setup for demonstration purposes

Stian Thorgersen sthorger at redhat.com
Tue Sep 13 04:00:17 EDT 2016

Forgot to add two things:

* DNS setup - we want proper DNS setup on the machines, which would be
required for the Kerberos stuff to work properly
* HTTPS - optional, but would be great if it also had HTTPS configured

On 13 September 2016 at 09:24, Marek Posolda <mposolda at redhat.com> wrote:

> +1
> Few more things and tips (you may be already aware of them, but still..
> Hope some of them are useful :) :
> - My docker image [1] already contains FreeIPA server and Keycloak server
> pre-configured with LDAP+Kerberos federation provider to use it. Thing is
> that both Keycloak+FreeIPA are on same machine, which is likely not the
> best for show production setup. The workstation setup needs to be done on
> your local machine (so you need Kerberos client + Firefox setup on your
> laptop. That's sufficient for testing, but probably also not ideal for
> showcase).
> - In addition to FreeIPA docker images for server, FreeIPA has also docker
> image for client setup. See for example [2] . I am not 100% sure, but I
> believe that if you run this docker image and point to the already running
> "server" image, you will gain also all the things like PAM setup, login to
> the workstation with Kerberos credentials, and automatically retrieved
> kerberos ticket during login. Hence you just login to workstation, open
> firefox and you are authenticated to Keycloak. No need to manually run
> "kinit".

The workstation will need to be a virtual machine rather than container to
add X support. So IMO we should just use Vagrant and have FreeIPA and
use Vagrantfile to install Fedora + FreeIPA.

> - If Keycloak and FreeIPA server are on different workstations, then:
> -- The Keycloak server may also need FreeIPA client installed. Or at least
> kerberos client installed with proper setup in /etc/krb5.conf pointing to
> FreeIPA kerberos realm and proper DNS setup working with FreeIPA.

> -- Also for different servers, you will likely need to add HTTP kerberos
> principal for the server where keycloak is running. For example if FreeIPA
> is on "freeipa.example.org" and keycloak is on "keycloak.example.org",
> you will need the principal like HTTP/keycloak.example.org@KEYCLOAK.ORG .
> This corresponds to LDAP principal under "cn=services,cn=accounts,dc=freeipa,dc=example,dc=org"
> . Maybe FreeIPA has it documented somewhere and/or it's easily possible to
> add new HTTP server principal through FreeIPA admin console. You will also
> need keytab exported with the credentials of this principal.
> Note this step is not needed if Keycloak and FreeIPA are on same machine
> as FreeIPA server automatically has HTTP principal for its own machine
> (something like HTTP/freeipa.example.org@KEYCLOAK.ORG for the example
> above), to allow login to FreeIPA admin console with kerberos OOTB.

We should really figure out how to do this on separate machines, so I think
going that way would be best even though it's harder to do.

> [1] https://github.com/mposolda/keycloak-freeipa-docker/
> [2] https://github.com/adelton/docker-freeipa/tree/fedora-22-client
> Marek
> On 13/09/16 08:07, Stian Thorgersen wrote:
>> I'd like to have a simple way to demo LDAP and Kerberos support. To that
>> end we should add a Vagrant setup with the following:
>> * Keycloak server
>> * MySQL or Postgres
>> * FreeIPA
>> * Workstation with Kerberos authentication (needs X and Firefox installed)
>> The Keycloak server should already be configured to use the FreeIPA
>> server as a user federation provider (using LDAP and Kerberos). The
>> workstation can be co-located with FreeIPA server if it makes things much
>> simpler, but it should be possible to login to the workstation with
>> Kerberos. Firefox should be pre-configured for Kerberos to work both on
>> Keycloak login and FreeIPA admin console.
>> I want a proper database and a web based client for the database so it's
>> simple to inspect the database.
>> Bruno has already volunteered to look into this, but first we should make
>> sure this is the setup we'd like to be able to showcase.
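The steps Marek describes for the split setup (krb5.conf on the Keycloak host pointing at the FreeIPA realm, an HTTP service principal for the Keycloak hostname, and a keytab for it) as a worked example. This is an added script, not code from the thread or from the Keycloak or FreeIPA projects; the hostnames, the realm EXAMPLE.ORG (the thread uses KEYCLOAK.ORG), and the keytab path are assumptions. The `ipa` and `ipa-getkeytab` invocations are the real FreeIPA client commands, but they only run when the client tools are installed and you hold an admin ticket; otherwise the script prints them.

```shell
#!/bin/sh
# Added example (not from the thread): prepare a Keycloak host that runs on a
# different machine than the FreeIPA server. All names below are assumptions.
set -u

FREEIPA_HOST="freeipa.example.org"    # assumed FreeIPA server FQDN (KDC + LDAP)
KEYCLOAK_HOST="keycloak.example.org"  # assumed Keycloak server FQDN
REALM="EXAMPLE.ORG"                   # assumed Kerberos realm (upper case by convention)
KEYTAB="/etc/keycloak/http.keytab"    # assumed path the Keycloak federation provider reads

# The service principal Keycloak needs for SPNEGO: HTTP/<fqdn>@<REALM>.
http_principal() {
  printf 'HTTP/%s@%s' "$1" "$2"
}

# The browser asks the KDC for a ticket for the name it resolved, so the
# principal must carry the fully-qualified DNS name, not a short hostname.
is_fqdn() {
  case "$1" in
    *.*) return 0 ;;
    *)   return 1 ;;
  esac
}

# Minimal /etc/krb5.conf for the Keycloak host. dns_lookup_kdc = true relies on
# the SRV records FreeIPA publishes, which is why the thread insists on working DNS.
render_krb5_conf() {
  realm_lc=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  cat <<EOF
[libdefaults]
  default_realm = $2
  dns_lookup_realm = false
  dns_lookup_kdc = true
  rdns = false

[realms]
  $2 = {
    kdc = $1
    admin_server = $1
  }

[domain_realm]
  .$realm_lc = $2
  $realm_lc = $2
EOF
}

# FreeIPA-side provisioning: register the Keycloak host, add its HTTP service,
# export a keytab for it and prove the keytab works. Run on the Keycloak host
# (or any enrolled host) after "kinit admin". ipa host-add expects the name to
# resolve in DNS, matching the DNS requirement raised earlier in the thread.
provision_http_service() {
  principal=$(http_principal "$KEYCLOAK_HOST" "$REALM")
  is_fqdn "$KEYCLOAK_HOST" || { echo "refusing: $KEYCLOAK_HOST is not an FQDN" >&2; return 1; }
  if ! command -v ipa >/dev/null 2>&1; then
    echo "# ipa client tools not installed; run these as admin on an enrolled host:"
    echo "ipa host-add $KEYCLOAK_HOST"
    echo "ipa service-add $principal"
    echo "ipa-getkeytab -s $FREEIPA_HOST -p $principal -k $KEYTAB"
    return 0
  fi
  ipa host-add "$KEYCLOAK_HOST" || true        # already exists if the host is enrolled
  ipa service-add "$principal"
  ipa-getkeytab -s "$FREEIPA_HOST" -p "$principal" -k "$KEYTAB"
  chmod 0600 "$KEYTAB"                         # the keytab holds the service's long-term key
  # Obtain a ticket from the keytab before pointing Keycloak at it.
  kinit -kt "$KEYTAB" "$principal" && klist
}

render_krb5_conf "$FREEIPA_HOST" "$REALM"
provision_http_service
```

Once the keytab exists, the LDAP/Kerberos federation provider in Keycloak is given the realm, the principal name and the keytab path; the `kinit -kt` check at the end catches the usual mistakes (wrong realm case, principal for a short hostname, keytab exported for a different host) before they show up as an opaque SPNEGO failure in the browser.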