2.6 KiB
Authenticate KeyCloak against OpenLDAP
!!! warning This is not a complete recipe - it's an optional component of the Keycloak recipe, but has been split into its own page to reduce complexity.
KeyCloak gets really sexy when you integrate it into your OpenLDAP stack (also, it's great not to have to play with ugly LDAP tree UIs). Note that OpenLDAP integration is not necessary if you want to use KeyCloak with Traefik Forward Auth - all you need for that is local users, and an OIDC client.
Ingredients
!!! Summary Existing:
* [X] [KeyCloak](/recipes/keycloak/) recipe deployed successfully
New:
* [ ] An [OpenLDAP server](/recipes/openldap/) (*assuming you want to authenticate against it*)
Preparation
You'll need to have completed the OpenLDAP recipe
You start in the "Master" realm - but mouseover the realm name, to a dropdown box allowing you add an new realm:
Create Realm
Enter a name for your new realm, and click "Create":
Setup User Federation
Once in the desired realm, click on User Federation, and click Add Provider. On the next page ("Required Settings"), set the following:
- Edit Mode : Writeable
- Vendor : Other
- Connection URL : ldap://openldap
- Users DN : ou=People,<your base DN>
- Authentication Type : simple
- Bind DN : cn=admin,<your base DN>
- Bind Credential : <your chosen admin password>
Save your changes, and then navigate back to "User Federation" > Your LDAP name > Mappers:
For each of the following mappers, click the name, and set the "Read Only" flag to "Off" (this enables 2-way sync between KeyCloak and OpenLDAP)
- last name
- username
- first name
Summary
We've setup a new realm in KeyCloak, and configured read-write federation to an OpenLDAP backend. We can now manage our LDAP users using either KeyCloak or LDAP directly, and we can protect vulnerable services using Traefik Forward Auth.
!!! Summary Created:
* [X] KeyCloak realm in read-write federation with [OpenLDAP](/recipes/openldap/) directory
--8<-- "recipe-footer.md"