====== Setup openLDAP and integrate it with Keycloak ======
For this manual we assume that you already have a working Keycloak installation. Otherwise take a look at [[linux_server_manuals:docker_keycloak_container_with_local_postgresql]] first.
The manual was written for Debian Stretch, but should also work with other distributions.
===== openLDAP setup =====
Install openLDAP:
aptitude install slapd ldap-utils
The examples below assume the directory suffix dc=example,dc=com and the admin DN cn=admin,dc=example,dc=com. On Debian both are derived from the domain name and admin password you are asked for during installation; re-run dpkg-reconfigure slapd if you need to change them.
We only want to accept connections from localhost and from the docker bridge (172.17.0.1 is the host's address on docker0 in a default docker setup), so
edit /etc/default/slapd
SLAPD_SERVICES="ldap://127.0.0.1 ldap://172.17.0.1 ldapi:///"
Note that ldap:// is unencrypted: binds and queries, including the bind password, cross the docker bridge in the clear. That is acceptable only because the traffic never leaves the host; if Keycloak runs on another machine, use ldaps:// or StartTLS instead.
Restart the LDAP server:
systemctl restart slapd
If you changed the setting above so that slapd no longer listens on all addresses, you also need to tell slapd not to start before docker. Otherwise the docker interface is not up yet and slapd fails to bind to 172.17.0.1:
systemctl edit slapd.service
In the editor that opens, enter:
[Unit]
After=docker.service
After= only orders the two units; if docker might not be enabled at boot on this host, add Wants=docker.service to the same section so that starting slapd also pulls docker in.
Create file /tmp/test.ldif with the two organizational units Keycloak will use. Entries in one LDIF file must be separated by an empty line:
dn: ou=People,dc=example,dc=com
ou: People
objectClass: organizationalUnit

dn: ou=Group,dc=example,dc=com
ou: Group
objectClass: organizationalUnit
Execute (-W prompts for the admin password chosen at installation):
ldapadd -x -D cn=admin,dc=example,dc=com -W -f /tmp/test.ldif
Create file member.ldif, which loads the memberof module and enables the overlay on the mdb database. slapd numbers the new module entry automatically: on a stock Debian install the mdb backend is already loaded by cn=module{0}, so this entry becomes cn=module{1}, which the next step refers to (if unsure, search cn=config via ldapi:/// and check).
dn: cn=module,cn=config
cn: module
objectclass: olcModuleList
objectclass: top
olcmoduleload: memberof
olcmodulepath: /usr/lib/ldap

dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config
objectClass: olcConfig
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: memberof
Execute:
ldapadd -Y EXTERNAL -Q -H ldapi:/// -f member.ldif
Create file refint.ldif, which loads the refint module into the module entry created above:
dn: cn=module{1},cn=config
changetype: modify
add: olcmoduleload
olcmoduleload: refint
Execute:
ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f refint.ldif
Create file refintconf.ldif, which enables the overlay. Referential integrity means that when an entry is deleted or renamed, slapd also removes or updates every reference to it in the listed attributes (for example a group's member values):
dn: olcOverlay={1}refint,olcDatabase={1}mdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
objectClass: top
olcOverlay: {1}refint
olcRefintAttribute: memberof member manager owner
Execute:
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f refintconf.ldif
Create file index.ldif. Each olcDbIndex value is one attribute list followed by the index types; giving one attribute per line avoids parsing surprises:
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: memberOf eq
olcDbIndex: mail eq
Execute:
ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f index.ldif
Create file database.ldif to raise the maximum size of the database (Debian's default is 1 GB). I once ran out of space after adding only a few hundred users... olcDbMaxSize is the size of the LMDB memory map, not preallocated disk space, so a generous value costs nothing until it is actually used:
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcDbMaxSize
olcDbMaxSize: 20073741824
Execute:
ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f database.ldif
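The steps above configure the overlays but never confirm that they work. The following verification script is an added example and not part of the original manual; it assumes the suffix dc=example,dc=com, the admin DN cn=admin,dc=example,dc=com, the admin password stored in a file named by $LDAP_PW_FILE (so it does not show up in the process list), and throw-away test entries alice, bob and a group admins, none of which come from the page. It checks that the listener on the docker bridge answers, that memberOf is filled in by the overlay (it is an operational attribute, so ldapsearch only returns it when asked for by name), and that refint removes a deleted user from the group.

```shell
#!/bin/sh
# Added verification script (not part of the original manual): checks that the
# slapd setup above does what it should before Keycloak is pointed at it.
#   1. the listener on the docker bridge (ldap://172.17.0.1) answers,
#   2. the memberOf overlay fills memberOf on a user when a group lists it,
#   3. the refint overlay removes the dangling "member" when the user is deleted.
# Assumptions not taken from the manual: suffix dc=example,dc=com, admin DN
# cn=admin,dc=example,dc=com, the admin password in the file named by
# $LDAP_PW_FILE (create with: printf '%s' 'secret' > pw; chmod 600 pw), and
# throw-away test entries alice, bob and the group "admins".
set -eu

BASE_DN="dc=example,dc=com"
ADMIN_DN="cn=admin,${BASE_DN}"
LDAP_URI="${LDAP_URI:-ldap://127.0.0.1}"

# LDIF for one inetOrgPerson under ou=People. When several entries go into one
# file they must be separated by an empty line (see test.ldif above).
user_ldif() {            # $1 uid, $2 cn, $3 sn
    printf 'dn: uid=%s,ou=People,%s\nobjectClass: inetOrgPerson\nuid: %s\ncn: %s\nsn: %s\n' \
        "$1" "$BASE_DN" "$1" "$2" "$3"
}

# LDIF for a groupOfNames with one "member" line per DN given after the cn.
# groupOfNames/member is what slapo-memberof watches by default.
group_ldif() {           # $1 cn, $2.. member DNs
    cn="$1"; shift
    printf 'dn: cn=%s,ou=Group,%s\nobjectClass: groupOfNames\ncn: %s\n' \
        "$cn" "$BASE_DN" "$cn"
    for m in "$@"; do printf 'member: %s\n' "$m"; done
}

# Succeeds if the LDIF text in $1 has a line "<attr>: <value>" (attr $2, value $3).
# Attribute names and DNs are case-insensitive in LDAP, hence grep -i.
ldif_has() {
    printf '%s\n' "$1" | grep -qixF "$2: $3"
}

# --- live checks below need the running slapd and the admin password file ---

# 1. Anonymous base search against the docker-bridge address ("1.1" = no attributes).
check_listener() {
    ldapsearch -x -H ldap://172.17.0.1 -b "$BASE_DN" -s base -LLL 1.1
}

# 2 + 3. Add alice, bob and a group containing both, then check the overlays.
check_overlays() {
    alice="uid=alice,ou=People,${BASE_DN}"
    bob="uid=bob,ou=People,${BASE_DN}"
    grp="cn=admins,ou=Group,${BASE_DN}"
    auth="-x -H $LDAP_URI -D $ADMIN_DN -y ${LDAP_PW_FILE:?set LDAP_PW_FILE}"

    # Users first: memberOf is only set on member entries that already exist.
    { user_ldif alice "Alice Example" Example; echo
      user_ldif bob   "Bob Example"   Example; echo
      group_ldif admins "$alice" "$bob"; } | ldapadd $auth

    # memberOf is an operational attribute, so it has to be requested by name.
    out=$(ldapsearch $auth -LLL -b "ou=People,${BASE_DN}" '(uid=alice)' memberOf)
    ldif_has "$out" memberOf "$grp" || { echo "memberOf overlay not working" >&2; return 1; }

    # Deleting alice must make refint drop her from the group; bob stays, so
    # the group keeps its mandatory "member" attribute.
    ldapdelete $auth "$alice"
    out=$(ldapsearch $auth -LLL -b "ou=Group,${BASE_DN}" '(cn=admins)' member)
    if ldif_has "$out" member "$alice"; then echo "refint overlay not working" >&2; return 1; fi

    ldapdelete $auth "$grp" "$bob"     # clean up the test entries
    echo "memberOf and refint overlays OK"
}

# Run the live checks only when asked, so the helper functions can be sourced.
if [ "${1:-}" = "--live" ]; then
    check_listener && check_overlays
fi
```

Run it on the host as `LDAP_PW_FILE=pw sh verify-slapd.sh --live`. If the memberOf check fails although the group was added, the usual cause is that the overlay was enabled after the entries were created; slapo-memberof only maintains memberOf for changes made after it was loaded.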
===== Setup Keycloak LDAP federation =====
If you have not created a realm besides the master realm yet, do that now.
Set up the LDAP federation before you add any users to Keycloak. Keycloak as of version 3.4.3 cannot push already existing users into the LDAP directory; a user that existed before the federation is only written there when that user is modified afterwards.
In the new realm click on "User Federation" and then on "Add Provider..."/"Ldap".
Set following settings:
^ Setting ^ Value ^ Comment ^
|**import users** | on | only necessary if users are also changed by other means than Keycloak |
|**edit mode** | writable | Keycloak writes changes back to LDAP |
|**sync registration** | on | users registered in Keycloak are created in LDAP |
|**vendor** | other | |
|**connection url** | ldap://172.17.0.1 | the docker bridge address slapd was told to listen on above, assuming Keycloak runs as a docker container |
|**users dn** | ou=People,dc=example,dc=com | |
|**bind dn** | cn=admin,dc=example,dc=com | the directory admin; this gives Keycloak write access to the whole directory, so a dedicated bind account whose ACLs are limited to ou=People and ou=Group is the safer choice |
|**bind credential** | | the admin password chosen when slapd was installed; it is sent in the clear over ldap://, which is why the listener is restricted to localhost and the docker bridge |
Then Save everything and click on Mappers.
Create a new mapper with following settings:
^ setting ^ value ^
|**name** | groups |
|**mapper type** | group-ldap-mapper |
|**ldap groups dn** | ou=Group,dc=example,dc=com |
Then edit the mapper "first name" and change:
^ setting ^ value ^
|**ldap attribute** | givenName |
Create a new mapper:
^ setting ^ value ^
|**name** | full name |
|**mapper type** | full-name-ldap-mapper |
|**LDAP Full Name Attribute** | cn |
Newly created users and changes to existing users should now be written to the LDAP directory. Check it by creating a test user in the realm and searching ou=People,dc=example,dc=com with ldapsearch for its uid; if the entry is missing, look at the Keycloak server log for the LDAP error first.