[keycloak-dev] LDAP setup for demonstration purposes

Stian Thorgersen sthorger at redhat.com
Wed Sep 14 07:13:10 EDT 2016


Bruno - notice the missing fix version! It's a nice to have background task
and not a high priority at the moment.

On 14 September 2016 at 13:12, Stian Thorgersen <sthorger at redhat.com> wrote:

> We do now:
> https://issues.jboss.org/browse/KEYCLOAK-3577
>
> On 14 September 2016 at 12:11, Bruno Oliveira da Silva <
> bruno at abstractj.org> wrote:
>
>> +1 Not arguing in favor or against it, but thinking about what you
>> described seems like the solution is the combination of both: Vagrant and
>> Docker.
>>
>> Do we have a Jira for this?
>>
>> On 2016-09-14, Stian Thorgersen wrote:
>> > To elaborate I could eventually see us having a big demo setup in the
>> form
>> > of:
>> >
>> > * Keycloak or RH-SSO box
>> > * Database box
>> > * FreeIPA box
>> > * Active Directory box
>> > * Some SAML provider
>> > * Some OIDC provider
>> > * Fedora workstation
>> > * Windows workstation
>> >
>> > Everything ready to go to show Keycloak as a fully capable identity
>> > federation platform.
>> >
>> > On 14 September 2016 at 09:32, Stian Thorgersen <sthorger at redhat.com>
>> wrote:
>> >
>> > > I want full desktop and show user login via desktop login, not
>> Kerberos
>> > > client. So full Gnome is required. Also, I think the DNS setup as
>> well as
>> > > orchestration may be simpler with Vagrant than Docker.
>> > >
>> > > We also may want to extend this to include good old Microsoft
>> software in
>> > > the form of Windows and Active Directory. In that case Docker is a
>> show
>> > > stopper and Vagrant/VMs is the only option.
>> > >
>> > > On 13 September 2016 at 21:46, Marek Posolda <mposolda at redhat.com>
>> wrote:
>> > >
>> > >> On 13/09/16 21:10, Bruno Oliveira da Silva wrote:
>> > >> > My 2 cents on it. Unless we have any strong argument for doing
>> this,
>> > >> > let's move forward with Docker. We already have a repository for
>> this
>> > >> > and I'm not sure if we have bandwidth to maintain 2 distinct
>> > >> repositories.
>> > >> >
>> > >> > Btw I'm curious, which real world scenario you could not reproduce
>> with
>> > >> > Docker?
>> > >> I guess SPNEGO login with Firefox is the example of that scenario?
>> > >>
>> > >> If you want workstation with Kerberos + SPNEGO, you will need to
>> > >> configure kerberos client and your Firefox and then run FF inside
>> docker
>> > >> container and display it "locally" on your laptop. Or is it something
>> > >> like the "propagation" of X from docker to your laptop possible? If
>> yes,
>> > >> then everything is doable with docker though.
>> > >>
>> > >> Marek
>> > >>
>> > >> >
>> > >> > On 2016-09-13, Thomas Raehalme wrote:
>> > >> >> How about setting up multiple VMs with Vagrant but handling all
>> > >> software
>> > >> >> components with Docker?
>> > >> >>
>> > >> >> Best of both worlds and also a simulation of the real world (which
>> > >> could
>> > >> >> perhaps be used as a reference).
>> > >> >>
>> > >> >> Best regards,
>> > >> >> Thomas
>> > >> >>
>> > >> >> On Sep 13, 2016 5:46 PM, "Scott Rossillo" <
>> srossillo at smartling.com>
>> > >> wrote:
>> > >> >>
>> > >> >>> Vagrant leaves funny taste in my mouth. Docker Compose to
>> orchestrate
>> > >> >>> things seems like a better option.
>> > >> >>>
>> > >> >>> Scott Rossillo
>> > >> >>> Smartling | Senior Software Engineer
>> > >> >>> srossillo at smartling.com
>> > >> >>>
>> > >> >>> On Sep 13, 2016, at 10:39 AM, Bruno Oliveira da Silva <
>> > >> bruno at abstractj.org>
>> > >> >>> wrote:
>> > >> >>>
>> > >> >>> My question is: Docker or Vagrant?
>> > >> >>>
>> > >> >>> If we have plans to showcase SSSD Federation provider + things
>> like
>> > >> >>> start/stop sssd service to demonstrate the SSSD provider won't be
>> > >> >>> enabled. I would say that Vagrant is easier and we can benefit
>> from
>> > >> >>> these boxes[1], otherwise we just stick with Marek's work.
>> > >> >>>
>> > >> >>> I will give DBus on Docker a second try, but last time I checked
>> > >> wasn't
>> > >> >>> fun.
>> > >> >>>
>> > >> >>> [1] - https://github.com/freeipa/freeipa-workshop
>> > >> >>>
>> > >> >>> On 2016-09-13, Stian Thorgersen wrote:
>> > >> >>>
>> > >> >>> Forgot to add two things:
>> > >> >>>
>> > >> >>> * DNS setup - we want proper DNS setup on the machines, which
>> would be
>> > >> >>> required for the Kerberos stuff to work properly
>> > >> >>> * HTTPS - optional, but would be great if it also had HTTPS
>> configured
>> > >> >>>
>> > >> >>> On 13 September 2016 at 09:24, Marek Posolda <
>> mposolda at redhat.com>
>> > >> wrote:
>> > >> >>>
>> > >> >>> +1
>> > >> >>>
>> > >> >>> Few more things and tips (you may be already aware of them, but
>> > >> still..
>> > >> >>> Hope some of them are useful :) :
>> > >> >>>
>> > >> >>> - My docker image [1] already contains FreeIPA server and
>> Keycloak
>> > >> server
>> > >> >>> pre-configured with LDAP+Kerberos federation provider to use it.
>> > >> Thing is
>> > >> >>> that both Keycloak+FreeIPA are on same machine, which is likely
>> not
>> > >> the
>> > >> >>> best for show production setup. The workstation setup needs to be
>> > >> done on
>> > >> >>> your local machine (so you need KErberos client + Firefox setup
>> on
>> > >> your
>> > >> >>> laptop. That's sufficient for testing, but probably also not
>> ideal for
>> > >> >>> showcase).
>> > >> >>>
>> > >> >>> - In addition to FreeIPA docker images for server, FreeIPA has
>> also
>> > >> docker
>> > >> >>> image for client setup. See for example [2] . I am not 100%
>> sure, but
>> > >> I
>> > >> >>> believe that if you run this docker image and point to the
>> already
>> > >> running
>> > >> >>> "server" image, you will gain also all the things like PAM setup,
>> > >> login to
>> > >> >>> the workstation with Kerberos credentials, and automatically
>> retrieved
>> > >> >>> kerberos ticket during login. Hence you just login to
>> workstation,
>> > >> open
>> > >> >>> firefox and you are authenticated to Keycloak. No need to
>> manually run
>> > >> >>> "kinit".
>> > >> >>>
>> > >> >>>
>> > >> >>> The workstation will need to be a virtual machine rather than
>> > >> container to
>> > >> >>> add X support. So IMO we should just use Vagrant and have
>> FreeIPA and
>> > >> >>> use Vagrantfile to install Fedora + FreeIPA.
>> > >> >>>
>> > >> >>>
>> > >> >>>
>> > >> >>> - If Keycloak and FreeIPA server are on different workstations,
>> then:
>> > >> >>> -- The Keycloak server may also need FreeIPA client installed.
>> Or at
>> > >> least
>> > >> >>> kerberos client installed with proper setup in /etc/krb5.conf
>> > >> pointing to
>> > >> >>> FreeIPA kerberos realm and proper DNS setup working with FreeIPA.
>> > >> >>>
>> > >> >>>
>> > >> >>>
>> > >> >>> -- Also for different servers, you will likely need to add HTTP
>> > >> kerberos
>> > >> >>> principal for the server where keycloak is running. For example
>> if
>> > >> FreeIPA
>> > >> >>> is on "freeipa.example.org" and keycloak is on "
>> keycloak.example.org
>> > >> ",
>> > >> >>> you will need the principal like HTTP/keycloak.example.org at KEYC
>> > >> LOAK.ORG
>> > >> >>> <HTTP/keycloak.example.org at keycloak.org> .
>> > >> >>> This corresponds to LDAP principal under
>> "cn=services,cn=accounts,dc=
>> > >> >>> freeipa,dc=example,dc=org"
>> > >> >>> . Maybe FreeIPA has it documented somewhere and/or it's easily
>> > >> possible to
>> > >> >>> add new HTTP server principal through FreeIPA admin console. You
>> will
>> > >> also
>> > >> >>> need keytab exported with the credentials of this principal.
>> > >> >>> Note this step is not needed if Keycloak and FreeIPA are on same
>> > >> machine
>> > >> >>> as FreeIPA server automatically has HTTP principal for it's own
>> > >> machine
>> > >> >>> (something like HTTP/freeipa.example.org at KEYCLOAK.ORG
>> > >> >>> <HTTP/freeipa.example.org at keycloak.org> for the example
>> > >> >>> above), to allow login to FreeIPA admin console with kerberos
>> OOTB.
>> > >> >>>
>> > >> >>>
>> > >> >>> We should really figure out how to do this on separate machines,
>> so I
>> > >> think
>> > >> >>> going that way would be best even though it's harder to do.
>> > >> >>>
>> > >> >>>
>> > >> >>>
>> > >> >>>
>> > >> >>> [1] https://github.com/mposolda/keycloak-freeipa-docker/
>> > >> >>> [2] https://github.com/adelton/docker-freeipa/tree/fedora-22-cli
>> ent
>> > >> >>>
>> > >> >>> Marek
>> > >> >>>
>> > >> >>>
>> > >> >>> On 13/09/16 08:07, Stian Thorgersen wrote:
>> > >> >>>
>> > >> >>> I'd like to have a simple way to demo LDAP and Kerberos support.
>> To
>> > >> that
>> > >> >>> end we should add a Vagrant setup with the following:
>> > >> >>>
>> > >> >>> * Keycloak server
>> > >> >>> * MySQL or Postgres
>> > >> >>> * FreeIPA
>> > >> >>> * Workstation with Kerberos authentication (needs X and Firefox
>> > >> installed)
>> > >> >>>
>> > >> >>> The Keycloak server should already be configured to use the
>> FreeIPA
>> > >> >>> server as a user federation provider (using LDAP and Kerberos).
>> The
>> > >> >>> workstation can be co-located with FreeIPA server if it makes
>> things
>> > >> much
>> > >> >>> simpler, but it should be possible to login to the workstation
>> with
>> > >> >>> Kerberos. Firefox should be pre-configured for Kerberos to work
>> both
>> > >> on
>> > >> >>> Keycloak login and FreeIPA admin console.
>> > >> >>>
>> > >> >>> I want a proper database and a web based client for the database
>> so
>> > >> it's
>> > >> >>> simple to inspect the database.
>> > >> >>>
>> > >> >>> Bruno has already volunteered to look into this, but first we
>> should
>> > >> make
>> > >> >>> sure this is the setup we'd like to be able to showcase.
>> > >> >>>
>> > >> >>>
>> > >> >>>
>> > >> >>>
>> > >> >>>
>> > >> >>> _______________________________________________
>> > >> >>> keycloak-dev mailing list
>> > >> >>> keycloak-dev at lists.jboss.org
>> > >> >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>> > >> >>>
>> > >> >>>
>> > >> >>>
>> > >> >>> --
>> > >> >>>
>> > >> >>> abstractj
>> > >> >>> PGP: 0x84DC9914
>> > >> >>> _______________________________________________
>> > >> >>> keycloak-dev mailing list
>> > >> >>> keycloak-dev at lists.jboss.org
>> > >> >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>> > >> >>>
>> > >> >>>
>> > >> >>>
>> > >> >>> _______________________________________________
>> > >> >>> keycloak-dev mailing list
>> > >> >>> keycloak-dev at lists.jboss.org
>> > >> >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>> > >> >>>
>> > >> > --
>> > >> >
>> > >> > abstractj
>> > >> > PGP: 0x84DC9914
>> > >> > _______________________________________________
>> > >> > keycloak-dev mailing list
>> > >> > keycloak-dev at lists.jboss.org
>> > >> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>> > >>
>> > >>
>> > >> _______________________________________________
>> > >> keycloak-dev mailing list
>> > >> keycloak-dev at lists.jboss.org
>> > >> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>> > >>
>> > >
>> > >
>>
>> --
>>
>> abstractj
>> PGP: 0x84DC9914
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20160914/3d38e77f/attachment-0001.html 


More information about the keycloak-dev mailing list