public/geek-cookbook
1
0
Fork 0
mirror of https://github.com/funkypenguin/geek-cookbook/ synced 2025-12-19 20:51:43 +00:00
Code Issues Releases Wiki Activity
Files
478e5f2fd8bc24624cc396ad0de9abd8c2a96bcd
geek-cookbook/manuscript/recipes/keycloak/authenticate-against-openldap.md
AutoPenguin 2e8e16157b Update for leanpub preview
2020-06-03 01:42:01 +00:00

3.2 KiB
Raw Blame History

Authenticate KeyCloak against OpenLDAP

!!! warning This is not a complete recipe - it's an optional component of the Keycloak reciperecipes/keycloak/), but has been split into its own page to reduce complexity.

KeyCloak gets really sexy when you integrate it into your OpenLDAPrecipes/openldap/) stack (also, it's great not to have to play with ugly LDAP tree UIs). Note that OpenLDAP integration is not necessary if you want to use KeyCloak with Traefik Forward Authha-docker-swarm/traefik-forward-auth/) - all you need for that is local usersrecipes/keycloak/create-user/), and an OIDC client.

Ingredients

!!! Summary Existing:

* [X] [KeyCloak](https://geek-cookbook.funkypenguin.co.nz/)recipes/keycloak/) recipe deployed successfully

New:

* [ ] An [OpenLDAP server](https://geek-cookbook.funkypenguin.co.nz/)recipes/openldap/) (*assuming you want to authenticate against it*)

Preparation

You'll need to have completed the OpenLDAPrecipes/openldap/) recipe

You start in the "Master" realm - but mouseover the realm name, to a dropdown box allowing you add an new realm:

Create Realm

KeyCloak Add Realm Screenshotimages/sso-stack-keycloak-1.png)

Enter a name for your new realm, and click "Create":

KeyCloak Add Realm Screenshotimages/sso-stack-keycloak-2.png)

Setup User Federation

Once in the desired realm, click on User Federation, and click Add Provider. On the next page ("Required Settings"), set the following:

  • Edit Mode : Writeable
  • Vendor : Other
  • Connection URL : ldap://openldap
  • Users DN : ou=People,<your base DN>
  • Authentication Type : simple
  • Bind DN : cn=admin,<your base DN>
  • Bind Credential : <your chosen admin password>

Save your changes, and then navigate back to "User Federation" > Your LDAP name > Mappers:

KeyCloak Add Realm Screenshotimages/sso-stack-keycloak-3.png)

For each of the following mappers, click the name, and set the "Read Only" flag to "Off" (this enables 2-way sync between KeyCloak and OpenLDAP)

  • last name
  • username
  • email
  • first name

KeyCloak Add Realm Screenshotimages/sso-stack-keycloak-4.png)

Summary

We've setup a new realm in KeyCloak, and configured read-write federation to an OpenLDAPrecipes/openldap/) backend. We can now manage our LDAP users using either KeyCloak or LDAP directly, and we can protect vulnerable services using Traefik Forward Authha-docker-swarm/traefik-forward-auth/).

!!! Summary Created:

* [X] KeyCloak realm in read-write federation with [OpenLDAP](https://geek-cookbook.funkypenguin.co.nz/)recipes/openldap/) directory

Chef's Notes

Reference in New Issue View Git Blame Copy Permalink