[keycloak-dev] LDAP setup for demonstration purposes

Stian Thorgersen sthorger at redhat.com
Wed Sep 14 03:34:48 EDT 2016


To elaborate I could eventually see us having a big demo setup in the form
of:

* Keycloak or RH-SSO box
* Database box
* FreeIPA box
* Active Directory box
* Some SAML provider
* Some OIDC provider
* Fedora workstation
* Windows workstation

Everything ready to go to show Keycloak as a fully capable identity
federation platform.

On 14 September 2016 at 09:32, Stian Thorgersen <sthorger at redhat.com> wrote:

> I want full desktop and show user login via desktop login, not Kerberos
> client. So full Gnome is required. Also, I think the DNS setup as well as
> orchestration may be simpler with Vagrant than Docker.
>
> We also may want to extend this to include good old Microsoft software in
> the form of Windows and Active Directory. In that case Docker is a show
> stopper and Vagrant/VMs is the only option.
>
> On 13 September 2016 at 21:46, Marek Posolda <mposolda at redhat.com> wrote:
>
>> On 13/09/16 21:10, Bruno Oliveira da Silva wrote:
>> > My 2 cents on it. Unless we have any strong argument for doing this,
>> > let's move forward with Docker. We already have a repository for this
>> > and I'm not sure if we have bandwidth to maintain 2 distinct
>> repositories.
>> >
>> > Btw I'm curious, which real world scenario you could not reproduce with
>> > Docker?
>> I guess SPNEGO login with Firefox is the example of that scenario?
>>
>> If you want a workstation with Kerberos + SPNEGO, you will need to
>> configure the kerberos client and your Firefox and then run FF inside a
>> docker container and display it "locally" on your laptop. Or is
>> something like the "propagation" of X from docker to your laptop
>> possible? If yes, then everything is doable with docker though.
>>
>> Marek
>>
>> >
>> > On 2016-09-13, Thomas Raehalme wrote:
>> >> How about setting up multiple VMs with Vagrant but handling all
>> >> software components with Docker?
>> >>
>> >> Best of both worlds and also a simulation of the real world (which
>> >> could perhaps be used as a reference).
>> >>
>> >> Best regards,
>> >> Thomas
>> >>
>> >> On Sep 13, 2016 5:46 PM, "Scott Rossillo" <srossillo at smartling.com>
>> >> wrote:
>> >>
>> >>> Vagrant leaves a funny taste in my mouth. Docker Compose to orchestrate
>> >>> things seems like a better option.
>> >>>
>> >>> Scott Rossillo
>> >>> Smartling | Senior Software Engineer
>> >>> srossillo at smartling.com
>> >>>
>> >>> On Sep 13, 2016, at 10:39 AM, Bruno Oliveira da Silva
>> >>> <bruno at abstractj.org> wrote:
>> >>>
>> >>> My question is: Docker or Vagrant?
>> >>>
>> >>> If we have plans to showcase SSSD Federation provider + things like
>> >>> start/stop sssd service to demonstrate the SSSD provider won't be
>> >>> enabled. I would say that Vagrant is easier and we can benefit from
>> >>> these boxes[1], otherwise we just stick with Marek's work.
>> >>>
>> >>> I will give DBus on Docker a second try, but last time I checked it
>> >>> wasn't fun.
>> >>>
>> >>> [1] - https://github.com/freeipa/freeipa-workshop
>> >>>
>> >>> On 2016-09-13, Stian Thorgersen wrote:
>> >>>
>> >>> Forgot to add two things:
>> >>>
>> >>> * DNS setup - we want proper DNS setup on the machines, which would be
>> >>> required for the Kerberos stuff to work properly
>> >>> * HTTPS - optional, but would be great if it also had HTTPS configured
>> >>>
>> >>> On 13 September 2016 at 09:24, Marek Posolda <mposolda at redhat.com>
>> >>> wrote:
>> >>>
>> >>> +1
>> >>>
>> >>> A few more things and tips (you may already be aware of them, but
>> >>> still... Hope some of them are useful :) :
>> >>>
>> >>> - My docker image [1] already contains FreeIPA server and Keycloak
>> >>> server pre-configured with LDAP+Kerberos federation provider to use it.
>> >>> Thing is that both Keycloak+FreeIPA are on the same machine, which is
>> >>> likely not the best for a show production setup. The workstation setup
>> >>> needs to be done on your local machine (so you need Kerberos client +
>> >>> Firefox setup on your laptop. That's sufficient for testing, but
>> >>> probably also not ideal for showcase).
>> >>>
>> >>> - In addition to FreeIPA docker images for server, FreeIPA has also a
>> >>> docker image for client setup. See for example [2]. I am not 100% sure,
>> >>> but I believe that if you run this docker image and point to the
>> >>> already running "server" image, you will gain also all the things like
>> >>> PAM setup, login to the workstation with Kerberos credentials, and
>> >>> automatically retrieved kerberos ticket during login. Hence you just
>> >>> login to workstation, open firefox and you are authenticated to
>> >>> Keycloak. No need to manually run "kinit".
>> >>>
>> >>>
>> >>> The workstation will need to be a virtual machine rather than a
>> >>> container to add X support. So IMO we should just use Vagrant and have
>> >>> FreeIPA and use Vagrantfile to install Fedora + FreeIPA.
>> >>>
>> >>>
>> >>>
>> >>> - If Keycloak and FreeIPA server are on different workstations, then:
>> >>> -- The Keycloak server may also need FreeIPA client installed. Or at
>> >>> least kerberos client installed with proper setup in /etc/krb5.conf
>> >>> pointing to FreeIPA kerberos realm and proper DNS setup working with
>> >>> FreeIPA.
>> >>>
>> >>>
>> >>>
>> >>> -- Also for different servers, you will likely need to add HTTP
>> >>> kerberos principal for the server where keycloak is running. For
>> >>> example if FreeIPA is on "freeipa.example.org" and keycloak is on
>> >>> "keycloak.example.org", you will need the principal like
>> >>> HTTP/keycloak.example.org at KEYCLOAK.ORG.
>> >>> This corresponds to LDAP principal under
>> >>> "cn=services,cn=accounts,dc=freeipa,dc=example,dc=org". Maybe FreeIPA
>> >>> has it documented somewhere and/or it's easily possible to add new HTTP
>> >>> server principal through FreeIPA admin console. You will also need
>> >>> keytab exported with the credentials of this principal.
>> >>> Note this step is not needed if Keycloak and FreeIPA are on the same
>> >>> machine as FreeIPA server automatically has HTTP principal for its own
>> >>> machine (something like HTTP/freeipa.example.org at KEYCLOAK.ORG for
>> >>> the example above), to allow login to FreeIPA admin console with
>> >>> kerberos OOTB.
>> >>>
>> >>>
>> >>> We should really figure out how to do this on separate machines, so I
>> >>> think going that way would be best even though it's harder to do.
>> >>>
>> >>>
>> >>>
>> >>>
>> >>> [1] https://github.com/mposolda/keycloak-freeipa-docker/
>> >>> [2] https://github.com/adelton/docker-freeipa/tree/fedora-22-client
>> >>>
>> >>> Marek
>> >>>
>> >>>
>> >>> On 13/09/16 08:07, Stian Thorgersen wrote:
>> >>>
>> >>> I'd like to have a simple way to demo LDAP and Kerberos support. To
>> >>> that end we should add a Vagrant setup with the following:
>> >>>
>> >>> * Keycloak server
>> >>> * MySQL or Postgres
>> >>> * FreeIPA
>> >>> * Workstation with Kerberos authentication (needs X and Firefox
>> >>>   installed)
>> >>>
>> >>> The Keycloak server should already be configured to use the FreeIPA
>> >>> server as a user federation provider (using LDAP and Kerberos). The
>> >>> workstation can be co-located with FreeIPA server if it makes things
>> >>> much simpler, but it should be possible to login to the workstation
>> >>> with Kerberos. Firefox should be pre-configured for Kerberos to work
>> >>> both on Keycloak login and FreeIPA admin console.
>> >>>
>> >>> I want a proper database and a web based client for the database so
>> >>> it's simple to inspect the database.
>> >>>
>> >>> Bruno has already volunteered to look into this, but first we should
>> >>> make sure this is the setup we'd like to be able to showcase.
>> >>>
>> >>>
>> >>>
>> >>>
>> >>>
>> >>> _______________________________________________
>> >>> keycloak-dev mailing list
>> >>> keycloak-dev at lists.jboss.org
>> >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>> >>>
>> >>>
>> >>>
>> >>> --
>> >>>
>> >>> abstractj
>> >>> PGP: 0x84DC9914
>> >>>
>> > --
>> >
>> > abstractj
>> > PGP: 0x84DC9914
>>
>>
>>
>
>
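Marek's "different servers" notes above name two prerequisites for a Keycloak host that is not co-located with FreeIPA: /etc/krb5.conf must point at the FreeIPA realm and KDC, and the exported keytab must contain the HTTP/<keycloak-host>@<REALM> service principal. The following Python check, added here as an example and not code from the thread, Keycloak or FreeIPA, verifies both before the demo is wired up. It assumes a minimal krb5.conf layout and the MIT keytab v2 (0x0502) binary format; the hostnames, the EXAMPLE.ORG realm, the krb5.conf text and the keytab bytes are constructed for the example (a real keytab would come from ipa-getkeytab, and the check reads files instead of the samples).

```python
"""Verify a Keycloak host's Kerberos prerequisites: krb5.conf names the FreeIPA
realm/KDC, and the keytab carries the HTTP/<host>@<REALM> service principal."""
import struct

# krb5.conf text constructed for this example (not from the thread).
SAMPLE_KRB5_CONF = """\
[libdefaults]
  default_realm = EXAMPLE.ORG
  dns_lookup_kdc = true

[realms]
  EXAMPLE.ORG = {
    kdc = freeipa.example.org:88
    admin_server = freeipa.example.org
  }
"""


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: {section: {key: value}}; a 'NAME = {' block
    inside a section becomes a nested dict under that name."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1]
            conf.setdefault(section, {})
        elif line.endswith('{'):
            block = line.rstrip('{').split('=')[0].strip()
            conf[section][block] = {}
        elif line == '}':
            block = None
        elif '=' in line:
            key, value = (s.strip() for s in line.split('=', 1))
            (conf[section][block] if block else conf[section])[key] = value
    return conf


def build_keytab(entries):
    """Serialize (principal, kvno, enctype, key) tuples in MIT keytab v2 layout.
    Used only to construct sample keytabs offline; key bytes are placeholders."""
    out = bytearray(b'\x05\x02')
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit('@', 1)
        components = name.split('/')
        body = struct.pack('>H', len(components))
        for s in [realm] + components:          # counted octet strings
            encoded = s.encode()
            body += struct.pack('>H', len(encoded)) + encoded
        body += struct.pack('>IIB', 1, 0, kvno & 0xff)   # name_type, timestamp, vno8
        body += struct.pack('>HH', enctype, len(key)) + key
        out += struct.pack('>i', len(body)) + body      # int32 entry size, then entry
    return bytes(out)


def read_keytab(data):
    """Return [{'principal', 'kvno', 'enctype'}] for every live keytab entry."""
    if data[:2] != b'\x05\x02':
        raise ValueError('unsupported keytab version')
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size, = struct.unpack_from('>i', data, pos)
        pos += 4
        if size < 0:                 # negative size marks a deleted slot
            pos += -size
            continue
        entry, p = data[pos:pos + size], 0
        ncomp, = struct.unpack_from('>H', entry, p)
        p += 2
        strings = []
        for _ in range(ncomp + 1):   # realm first, then the name components
            n, = struct.unpack_from('>H', entry, p)
            p += 2
            strings.append(entry[p:p + n].decode())
            p += n
        _name_type, _timestamp, vno8 = struct.unpack_from('>IIB', entry, p)
        p += 9
        enctype, _klen = struct.unpack_from('>HH', entry, p)
        entries.append({'principal': '/'.join(strings[1:]) + '@' + strings[0],
                        'kvno': vno8, 'enctype': enctype})
        pos += size
    return entries


def check_keycloak_host(krb5_text, keytab_bytes, keycloak_fqdn, freeipa_fqdn):
    """Return a list of problems; an empty list means the host is ready."""
    conf = parse_krb5_conf(krb5_text)
    problems = []
    realm = conf.get('libdefaults', {}).get('default_realm')
    if not realm:
        return ['no default_realm in krb5.conf']
    kdc = conf.get('realms', {}).get(realm, {}).get('kdc', '').split(':')[0]
    if kdc != freeipa_fqdn:
        problems.append(f'kdc for {realm} is {kdc!r}, expected {freeipa_fqdn}')
    wanted = f'HTTP/{keycloak_fqdn}@{realm}'
    have = {e['principal'] for e in read_keytab(keytab_bytes)}
    if wanted not in have:
        problems.append(f'keytab lacks {wanted}; found {sorted(have)}')
    return problems


# Constructed sample keytabs; enctype 18 is aes256-cts-hmac-sha1-96, keys are zeroed placeholders.
GOOD_KEYTAB = build_keytab([('HTTP/keycloak.example.org@EXAMPLE.ORG', 3, 18, bytes(32)),
                            ('host/keycloak.example.org@EXAMPLE.ORG', 3, 18, bytes(32))])
BAD_KEYTAB = build_keytab([('host/keycloak.example.org@EXAMPLE.ORG', 3, 18, bytes(32))])

if __name__ == '__main__':
    for label, keytab in (('good', GOOD_KEYTAB), ('bad', BAD_KEYTAB)):
        print(label, check_keycloak_host(SAMPLE_KRB5_CONF, keytab,
                                         'keycloak.example.org', 'freeipa.example.org'))
```

On a real host, pass the contents of /etc/krb5.conf and the keytab exported for Keycloak to check_keycloak_host; the same parser also lists every principal in a keytab, which is handy for confirming that only the HTTP service key, and no unrelated keys, ended up on the Keycloak box.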