mirror of https://github.com/funkypenguin/geek-cookbook/ synced 2025-12-13 01:36:23 +00:00
geek-cookbook/docs/recipes/keycloak/authenticate-against-openldap.md
David Young f22dd8eb50 Add authentik, tidy up recipe-footer
Signed-off-by: David Young <davidy@funkypenguin.co.nz>
2023-10-31 14:37:29 +13:00
---
title: Integrate LDAP server with Keycloak for user federation
description: Here's how we'll add an LDAP provider to our Keycloak server for user federation.
---

# Authenticate Keycloak against OpenLDAP

!!! warning
    This is not a complete recipe - it's an optional component of the Keycloak recipe, but has been split into its own page to reduce complexity.

Keycloak gets really sexy when you integrate it into your OpenLDAP stack (also, it's great not to have to play with ugly LDAP tree UIs). Note that OpenLDAP integration is not necessary if you want to use Keycloak with Traefik Forward Auth - all you need for that is [local users][keycloak], and an OIDC client.

## Ingredients

!!! summary "Existing:"
    * [X] [Keycloak](/recipes/keycloak/) recipe deployed successfully

    New:

    * [ ] An [OpenLDAP server](/recipes/openldap/) (*assuming you want to authenticate against it*)

## Preparation

You'll need to have completed the OpenLDAP recipe first.

You start in the "Master" realm. Mouse over the realm name to reveal a dropdown, which lets you add a new realm:

### Create Realm

*(Screenshot: Keycloak Add Realm)*

Enter a name for your new realm, and click "Create":

*(Screenshot: Keycloak Add Realm)*

### Setup User Federation

Once in the desired realm, click on User Federation, and click Add Provider. On the next page ("Required Settings"), set the following:

* Edit Mode: Writeable
* Vendor: Other
* Connection URL: `ldap://openldap`
* Users DN: `ou=People,<your base DN>`
* Authentication Type: simple
* Bind DN: `cn=admin,<your base DN>`
* Bind Credential: `<your chosen admin password>`

Save your changes, and then navigate back to "User Federation" > Your LDAP name > Mappers:

*(Screenshot: Keycloak User Federation Mappers)*

For each of the following mappers, click the name and set the "Read Only" flag to "Off" (this enables 2-way sync between Keycloak and OpenLDAP):

* last name
* username
* email
* first name

*(Screenshot: Keycloak LDAP Mapper settings)*
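The same federation provider and mapper changes can be driven through the Keycloak Admin REST API instead of the console. The snippet below is an added example, not part of the recipe: it builds the `ComponentRepresentation` payloads for `POST /admin/realms/{realm}/components` and for updating the four mappers, and runs a small pre-save audit that flags a cleartext `ldap://` bind and the use of the directory admin as bind account. The realm id, base DN, password and the `KC_URL` environment variable are assumptions; posting the payloads (with an admin bearer token) is left to the caller.

```python
"""Keycloak LDAP federation payloads + audit (added example, assumes realm id / base DN / password)."""
import os

KC_URL = os.environ.get("KC_URL", "http://keycloak:8080")  # assumption: Keycloak base URL
SYNCED_MAPPERS = ("last name", "username", "email", "first name")  # mappers the recipe edits


def ldap_component(realm_id, base_dn, bind_credential, connection_url="ldap://openldap"):
    """ComponentRepresentation for the LDAP provider; keys mirror the console's
    'Required Settings'. Keycloak expects every config value as a one-item list."""
    cfg = {
        "editMode": "WRITABLE",              # Edit Mode: Writeable
        "vendor": "other",                   # Vendor: Other
        "connectionUrl": connection_url,     # Connection URL
        "usersDn": f"ou=People,{base_dn}",   # Users DN
        "authType": "simple",                # Authentication Type
        "bindDn": f"cn=admin,{base_dn}",     # Bind DN
        "bindCredential": bind_credential,   # Bind Credential
        "enabled": "true",
    }
    return {
        "name": "openldap", "providerId": "ldap",
        "providerType": "org.keycloak.storage.UserStorageProvider",
        "parentId": realm_id,  # the realm's internal id, not its display name
        "config": {k: [v] for k, v in cfg.items()},
    }


def make_writable(mappers):
    """Given mappers fetched with GET .../components?parent=<ldap id>
    &type=org.keycloak.storage.ldap.mappers.LDAPStorageMapper, return copies of
    the four recipe mappers with Read Only = Off, ready for PUT .../components/{id}."""
    out = []
    for m in mappers:
        if m["name"] in SYNCED_MAPPERS:
            out.append({**m, "config": {**m.get("config", {}), "read.only": ["false"]}})
    return out


def audit(component):
    """Warnings a reviewer would raise before saving this provider."""
    cfg = {k: v[0] for k, v in component["config"].items()}
    warnings = []
    if cfg["connectionUrl"].startswith("ldap://") and cfg.get("startTls") != "true":
        warnings.append("bind credential is sent in cleartext: use ldaps:// or startTls "
                        "unless openldap is only reachable over an isolated overlay network")
    if cfg["bindDn"].startswith("cn=admin,"):
        warnings.append("binding as the directory admin: WRITABLE mode needs write access, "
                        "but a dedicated service account limits the blast radius")
    return warnings
```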

## Summary

We've set up a new realm in Keycloak and configured read-write federation to an OpenLDAP backend. We can now manage our LDAP users using either [Keycloak][keycloak][^1] or LDAP directly, and we can protect vulnerable services using Traefik Forward Auth.

!!! summary "Created:"
    * [X] Keycloak realm in read-write federation with [OpenLDAP](/recipes/openldap/) directory

{% include 'recipe-footer.md' %}

[^1]: A much nicer experience IMO!