[keycloak-dev] LDAP setup for demonstration purposes

Scott Rossillo srossillo at smartling.com
Tue Sep 13 10:46:07 EDT 2016


Vagrant leaves a funny taste in my mouth. Docker Compose to orchestrate things seems like a better option.

Scott Rossillo
Smartling | Senior Software Engineer
srossillo at smartling.com

> On Sep 13, 2016, at 10:39 AM, Bruno Oliveira da Silva <bruno at abstractj.org> wrote:
> 
> My question is: Docker or Vagrant?
> 
> If we have plans to showcase SSSD Federation provider + things like
> start/stop sssd service to demonstrate the SSSD provider won't be
> enabled. I would say that Vagrant is easier and we can benefit from
> these boxes[1], otherwise we just stick with Marek's work.
> 
> I will give DBus on Docker a second try, but last time I checked it wasn't
> fun.
> 
> [1] - https://github.com/freeipa/freeipa-workshop
> 
> On 2016-09-13, Stian Thorgersen wrote:
>> Forgot to add two things:
>> 
>> * DNS setup - we want proper DNS setup on the machines, which would be
>> required for the Kerberos stuff to work properly
>> * HTTPS - optional, but would be great if it also had HTTPS configured
>> 
>> On 13 September 2016 at 09:24, Marek Posolda <mposolda at redhat.com> wrote:
>> 
>>> +1
>>> 
>>> A few more things and tips (you may already be aware of them, but still...
>>> Hope some of them are useful :) :
>>> 
>>> - My docker image [1] already contains FreeIPA server and Keycloak server
>>> pre-configured with LDAP+Kerberos federation provider to use it. The thing is
>>> that both Keycloak and FreeIPA are on the same machine, which is likely not the
>>> best for showing a production setup. The workstation setup needs to be done on
>>> your local machine (so you need a Kerberos client + Firefox setup on your
>>> laptop. That's sufficient for testing, but probably also not ideal for a
>>> showcase).
>>> 
>>> - In addition to FreeIPA docker images for the server, FreeIPA also has a docker
>>> image for client setup. See for example [2]. I am not 100% sure, but I
>>> believe that if you run this docker image and point it to the already running
>>> "server" image, you will also gain all the things like PAM setup, login to
>>> the workstation with Kerberos credentials, and an automatically retrieved
>>> Kerberos ticket during login. Hence you just log in to the workstation, open
>>> Firefox and you are authenticated to Keycloak. No need to manually run
>>> "kinit".
>>> 
>> 
>> The workstation will need to be a virtual machine rather than a container to
>> add X support. So IMO we should just use Vagrant and have FreeIPA and
>> use a Vagrantfile to install Fedora + FreeIPA.
>> 
>> 
>>> 
>>> - If Keycloak and FreeIPA server are on different workstations, then:
>>> -- The Keycloak server may also need the FreeIPA client installed, or at least
>>> a Kerberos client installed with a proper setup in /etc/krb5.conf pointing to the
>>> FreeIPA Kerberos realm and a proper DNS setup working with FreeIPA.
>> 
>> 
>>> -- Also for different servers, you will likely need to add an HTTP Kerberos
>>> principal for the server where Keycloak is running. For example if FreeIPA
>>> is on "freeipa.example.org" and Keycloak is on "keycloak.example.org",
>>> you will need a principal like HTTP/keycloak.example.org@KEYCLOAK.ORG.
>>> This corresponds to the LDAP principal under "cn=services,cn=accounts,dc=freeipa,dc=example,dc=org".
>>> Maybe FreeIPA has it documented somewhere and/or it's easily possible to
>>> add a new HTTP server principal through the FreeIPA admin console. You will also
>>> need a keytab exported with the credentials of this principal.
>>> Note this step is not needed if Keycloak and FreeIPA are on the same machine,
>>> as the FreeIPA server automatically has an HTTP principal for its own machine
>>> (something like HTTP/freeipa.example.org@KEYCLOAK.ORG for the example
>>> above), to allow login to the FreeIPA admin console with Kerberos OOTB.
>>> 
>> 
>> We should really figure out how to do this on separate machines, so I think
>> going that way would be best even though it's harder to do.
>> 
>> 
>>> 
>>> 
>>> [1] https://github.com/mposolda/keycloak-freeipa-docker/
>>> [2] https://github.com/adelton/docker-freeipa/tree/fedora-22-client
>>> 
>>> Marek
>>> 
>>> 
>>> On 13/09/16 08:07, Stian Thorgersen wrote:
>>> 
>>>> I'd like to have a simple way to demo LDAP and Kerberos support. To that
>>>> end we should add a Vagrant setup with the following:
>>>> 
>>>> * Keycloak server
>>>> * MySQL or Postgres
>>>> * FreeIPA
>>>> * Workstation with Kerberos authentication (needs X and Firefox installed)
>>>> 
>>>> The Keycloak server should already be configured to use the FreeIPA
>>>> server as a user federation provider (using LDAP and Kerberos). The
>>>> workstation can be co-located with FreeIPA server if it makes things much
>>>> simpler, but it should be possible to log in to the workstation with
>>>> Kerberos. Firefox should be pre-configured for Kerberos to work both on
>>>> Keycloak login and FreeIPA admin console.
>>>> 
>>>> I want a proper database and a web-based client for the database so it's
>>>> simple to inspect the database.
>>>> 
>>>> Bruno has already volunteered to look into this, but first we should make
>>>> sure this is the setup we'd like to be able to showcase.
>>>> 
>>> 
>>> 
>>> 
> 
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> 
> 
> --
> 
> abstractj
> PGP: 0x84DC9914
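Added example (not part of the thread): a check for the keytab step in Marek's tips, written here in Python. It parses an MIT keytab and confirms it carries the HTTP/<host>@<realm> principal a separate Keycloak host needs; the sample keytab and its key bytes are constructed inline, and the KEYCLOAK.ORG realm is taken from Marek's example.

```python
# Added example: parse a keytab and confirm it holds the HTTP service principal
# the Keycloak host needs. SAMPLE_KEYTAB is constructed here, not exported from FreeIPA.
import struct

KEYTAB_MAGIC = b"\x05\x02"  # MIT keytab file format, version 2

def _octets(buf, pos):  # counted octet string: uint16 length + bytes
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Return a list of (principal, kvno, enctype) tuples from keytab bytes."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, pos = [], 2
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:  # a negative size marks a deleted slot of that length
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _octets(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _octets(data, pos)
            comps.append(comp.decode())
        pos += 8  # skip uint32 name_type (version 2 only) and uint32 timestamp
        vno8, enctype = data[pos], struct.unpack_from(">H", data, pos + 1)[0]
        _key, pos = _octets(data, pos + 3)  # the secret itself is not needed here
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype))
        pos = end
    return entries

def has_http_principal(data, host, realm):
    """True if the keytab holds HTTP/<host>@<realm>, the principal SPNEGO on that host uses."""
    return any(p == "HTTP/%s@%s" % (host, realm) for p, _, _ in parse_keytab(data))

def build_entry(components, realm, kvno, enctype, key):
    # Encode one version-2 keytab entry; used only to construct sample data.
    body = struct.pack(">HH", len(components), len(realm)) + realm.encode()
    for comp in components:
        body += struct.pack(">H", len(comp)) + comp.encode()
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key
    return struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)

SAMPLE_KEYTAB = KEYTAB_MAGIC + build_entry(  # constructed sample for the Keycloak host
    ["HTTP", "keycloak.example.org"], "KEYCLOAK.ORG", 2, 18, b"\x00" * 32)
```

A keytab that passes this check but was exported for the wrong realm or host still fails at login time, which is why the host and realm are compared exactly rather than by suffix.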
