[keycloak-dev] LDAP setup for demonstration purposes

Stian Thorgersen sthorger at redhat.com
Wed Sep 14 07:12:29 EDT 2016 

We do now:
https://issues.jboss.org/browse/KEYCLOAK-3577

On 14 September 2016 at 12:11, Bruno Oliveira da Silva <bruno at abstractj.org>
wrote:

> +1 Not arguing in favor or against it, but thinking about what you
> described seems like the solution is the combination of both: Vagrant and
> Docker.
>
> Do we have a Jira for this?
>
> On 2016-09-14, Stian Thorgersen wrote:
> > To elaborate I could eventually see us having a big demo setup in the
> form
> > of:
> >
> > * Keycloak or RH-SSO box
> > * Database box
> > * FreeIPA box
> > * Active Directory box
> > * Some SAML provider
> > * Some OIDC provider
> > * Fedora workstation
> > * Windows workstation
> >
> > Everything ready to go to show Keycloak as a fully capable identity
> > federation platform.
> >
> > On 14 September 2016 at 09:32, Stian Thorgersen <sthorger at redhat.com>
> wrote:
> >
> > > I want full desktop and show user login via desktop login, not Kerberos
> > > client. So full Gnome is required. Also, I think the DNS setup as well
> as
> > > orchestration may be simpler with Vagrant than Docker.
> > >
> > > We also may want to extend this to include good old Microsoft software
> in
> > > the form of Windows and Active Directory. In that case Docker is a show
> > > stopper and Vagrant/VMs is the only option.
> > >
> > > On 13 September 2016 at 21:46, Marek Posolda <mposolda at redhat.com>
> wrote:
> > >
> > >> On 13/09/16 21:10, Bruno Oliveira da Silva wrote:
> > >> > My 2 cents on it. Unless we have any strong argument for doing this,
> > >> > let's move forward with Docker. We already have a repository for
> this
> > >> > and I'm not sure if we have bandwidth to maintain 2 distinct
> > >> repositories.
> > >> >
> > >> > Btw I'm curious, which real world scenario you could not reproduce
> with
> > >> > Docker?
> > >> I guess SPNEGO login with Firefox is the example of that scenario?
> > >>
> > >> If you want workstation with Kerberos + SPNEGO, you will need to
> > >> configure kerberos client and your Firefox and then run FF inside
> docker
> > >> container and display it "locally" on your laptop. Or is it something
> > >> like the "propagation" of X from docker to your laptop possible? If
> yes,
> > >> then everything is doable with docker though.
> > >>
> > >> Marek
> > >>
> > >> >
> > >> > On 2016-09-13, Thomas Raehalme wrote:
> > >> >> How about setting up multiple VMs with Vagrant but handling all
> > >> software
> > >> >> components with Docker?
> > >> >>
> > >> >> Best of both worlds and also a simulation of the real world (which
> > >> could
> > >> >> perhaps be used as a reference).
> > >> >>
> > >> >> Best regards,
> > >> >> Thomas
> > >> >>
> > >> >> On Sep 13, 2016 5:46 PM, "Scott Rossillo" <srossillo at smartling.com
> >
> > >> wrote:
> > >> >>
> > >> >>> Vagrant leaves funny taste in my mouth. Docker Compose to
> orchestrate
> > >> >>> things seems like a better option.
> > >> >>>
> > >> >>> Scott Rossillo
> > >> >>> Smartling | Senior Software Engineer
> > >> >>> srossillo at smartling.com
> > >> >>>
> > >> >>> On Sep 13, 2016, at 10:39 AM, Bruno Oliveira da Silva <
> > >> bruno at abstractj.org>
> > >> >>> wrote:
> > >> >>>
> > >> >>> My question is: Docker or Vagrant?
> > >> >>>
> > >> >>> If we have plans to showcase SSSD Federation provider + things
> like
> > >> >>> start/stop sssd service to demonstrate the SSSD provider won't be
> > >> >>> enabled. I would say that Vagrant is easier and we can benefit
> from
> > >> >>> these boxes[1], otherwise we just stick with Marek's work.
> > >> >>>
> > >> >>> I will give DBus on Docker a second try, but last time I checked
> > >> wasn't
> > >> >>> fun.
> > >> >>>
> > >> >>> [1] - https://github.com/freeipa/freeipa-workshop
> > >> >>>
> > >> >>> On 2016-09-13, Stian Thorgersen wrote:
> > >> >>>
> > >> >>> Forgot to add two things:
> > >> >>>
> > >> >>> * DNS setup - we want proper DNS setup on the machines, which
> would be
> > >> >>> required for the Kerberos stuff to work properly
> > >> >>> * HTTPS - optional, but would be great if it also had HTTPS
> configured
> > >> >>>
> > >> >>> On 13 September 2016 at 09:24, Marek Posolda <mposolda at redhat.com
> >
> > >> wrote:
> > >> >>>
> > >> >>> +1
> > >> >>>
> > >> >>> Few more things and tips (you may be already aware of them, but
> > >> still..
> > >> >>> Hope some of them are useful :) :
> > >> >>>
> > >> >>> - My docker image [1] already contains FreeIPA server and Keycloak
> > >> server
> > >> >>> pre-configured with LDAP+Kerberos federation provider to use it.
> > >> Thing is
> > >> >>> that both Keycloak+FreeIPA are on same machine, which is likely
> not
> > >> the
> > >> >>> best for show production setup. The workstation setup needs to be
> > >> done on
> > >> >>> your local machine (so you need KErberos client + Firefox setup on
> > >> your
> > >> >>> laptop. That's sufficient for testing, but probably also not
> ideal for
> > >> >>> showcase).
> > >> >>>
> > >> >>> - In addition to FreeIPA docker images for server, FreeIPA has
> also
> > >> docker
> > >> >>> image for client setup. See for example [2] . I am not 100% sure,
> but
> > >> I
> > >> >>> believe that if you run this docker image and point to the already
> > >> running
> > >> >>> "server" image, you will gain also all the things like PAM setup,
> > >> login to
> > >> >>> the workstation with Kerberos credentials, and automatically
> retrieved
> > >> >>> kerberos ticket during login. Hence you just login to workstation,
> > >> open
> > >> >>> firefox and you are authenticated to Keycloak. No need to
> manually run
> > >> >>> "kinit".
> > >> >>>
> > >> >>>
> > >> >>> The workstation will need to be a virtual machine rather than
> > >> container to
> > >> >>> add X support. So IMO we should just use Vagrant and have FreeIPA
> and
> > >> >>> use Vagrantfile to install Fedora + FreeIPA.
> > >> >>>
> > >> >>>
> > >> >>>
> > >> >>> - If Keycloak and FreeIPA server are on different workstations,
> then:
> > >> >>> -- The Keycloak server may also need FreeIPA client installed. Or
> at
> > >> least
> > >> >>> kerberos client installed with proper setup in /etc/krb5.conf
> > >> pointing to
> > >> >>> FreeIPA kerberos realm and proper DNS setup working with FreeIPA.
> > >> >>>
> > >> >>>
> > >> >>>
> > >> >>> -- Also for different servers, you will likely need to add HTTP
> > >> kerberos
> > >> >>> principal for the server where keycloak is running. For example if
> > >> FreeIPA
> > >> >>> is on "freeipa.example.org" and keycloak is on "
> keycloak.example.org
> > >> ",
> > >> >>> you will need the principal like HTTP/keycloak.example.org at KEYC
> > >> LOAK.ORG
> > >> >>> <HTTP/keycloak.example.org at keycloak.org> .
> > >> >>> This corresponds to LDAP principal under
> "cn=services,cn=accounts,dc=
> > >> >>> freeipa,dc=example,dc=org"
> > >> >>> . Maybe FreeIPA has it documented somewhere and/or it's easily
> > >> possible to
> > >> >>> add new HTTP server principal through FreeIPA admin console. You
> will
> > >> also
> > >> >>> need keytab exported with the credentials of this principal.
> > >> >>> Note this step is not needed if Keycloak and FreeIPA are on same
> > >> machine
> > >> >>> as FreeIPA server automatically has HTTP principal for it's own
> > >> machine
> > >> >>> (something like HTTP/freeipa.example.org at KEYCLOAK.ORG
> > >> >>> <HTTP/freeipa.example.org at keycloak.org> for the example
> > >> >>> above), to allow login to FreeIPA admin console with kerberos
> OOTB.
> > >> >>>
> > >> >>>
> > >> >>> We should really figure out how to do this on separate machines,
> so I
> > >> think
> > >> >>> going that way would be best even though it's harder to do.
> > >> >>>
> > >> >>>
> > >> >>>
> > >> >>>
> > >> >>> [1] https://github.com/mposolda/keycloak-freeipa-docker/
> > >> >>> [2] https://github.com/adelton/docker-freeipa/tree/fedora-22-
> client
> > >> >>>
> > >> >>> Marek
> > >> >>>
> > >> >>>
> > >> >>> On 13/09/16 08:07, Stian Thorgersen wrote:
> > >> >>>
> > >> >>> I'd like to have a simple way to demo LDAP and Kerberos support.
> To
> > >> that
> > >> >>> end we should add a Vagrant setup with the following:
> > >> >>>
> > >> >>> * Keycloak server
> > >> >>> * MySQL or Postgres
> > >> >>> * FreeIPA
> > >> >>> * Workstation with Kerberos authentication (needs X and Firefox
> > >> installed)
> > >> >>>
> > >> >>> The Keycloak server should already be configured to use the
> FreeIPA
> > >> >>> server as a user federation provider (using LDAP and Kerberos).
> The
> > >> >>> workstation can be co-located with FreeIPA server if it makes
> things
> > >> much
> > >> >>> simpler, but it should be possible to login to the workstation
> with
> > >> >>> Kerberos. Firefox should be pre-configured for Kerberos to work
> both
> > >> on
> > >> >>> Keycloak login and FreeIPA admin console.
> > >> >>>
> > >> >>> I want a proper database and a web based client for the database
> so
> > >> it's
> > >> >>> simple to inspect the database.
> > >> >>>
> > >> >>> Bruno has already volunteered to look into this, but first we
> should
> > >> make
> > >> >>> sure this is the setup we'd like to be able to showcase.
> > >> >>>
> > >> >>>
> > >> >>>
> > >> >>>
> > >> >>>
> > >> >>> _______________________________________________
> > >> >>> keycloak-dev mailing list
> > >> >>> keycloak-dev at lists.jboss.org
> > >> >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> > >> >>>
> > >> >>>
> > >> >>>
> > >> >>> --
> > >> >>>
> > >> >>> abstractj
> > >> >>> PGP: 0x84DC9914
> > >> >>> _______________________________________________
> > >> >>> keycloak-dev mailing list
> > >> >>> keycloak-dev at lists.jboss.org
> > >> >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> > >> >>>
> > >> >>>
> > >> >>>
> > >> >>> _______________________________________________
> > >> >>> keycloak-dev mailing list
> > >> >>> keycloak-dev at lists.jboss.org
> > >> >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> > >> >>>
> > >> > --
> > >> >
> > >> > abstractj
> > >> > PGP: 0x84DC9914
> > >> > _______________________________________________
> > >> > keycloak-dev mailing list
> > >> > keycloak-dev at lists.jboss.org
> > >> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> > >>
> > >>
> > >> _______________________________________________
> > >> keycloak-dev mailing list
> > >> keycloak-dev at lists.jboss.org
> > >> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> > >>
> > >
> > >
>
> --
>
> abstractj
> PGP: 0x84DC9914
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20160914/2b2fb3b8/attachment-0001.html

More information about the keycloak-dev mailing list