For this manual, we assume that you already have a working Keycloak installation. Otherwise take a look at Install Keycloak as Docker Container with Apache Web Server as Reverse Proxy and a local PostgreSQL first.
The manual was written for Debian Stretch, but should also work with other distributions.
Install OpenLDAP:
aptitude install slapd ldap-utils
We only want to accept connections from localhost and from the Docker bridge (172.17.0.1 is the host's address on docker0 with Docker's default settings), so:
edit /etc/default/slapd
SLAPD_SERVICES="ldap://127.0.0.1 ldap://172.17.0.1 ldapi:///"
Restart the LDAP server:
systemctl restart slapd
If you changed the setting above so that slapd no longer listens on all interfaces, you also have to tell slapd not to start before Docker. Otherwise the docker0 bridge does not exist yet when slapd tries to bind to 172.17.0.1, the bind fails with "Cannot assign requested address", and slapd does not start:
systemctl edit slapd.service
In the editor that opens, enter:

```ini
[Unit]
After=docker.service
```

After= only orders the two units. If docker.service is not enabled to start at boot on your host, add Wants=docker.service as well, so that starting slapd also pulls in Docker.
Create the file /tmp/test.ldif with the two organizational units that will hold users and groups (replace dc=example,dc=com everywhere with the base DN you chose when installing slapd; dpkg-reconfigure slapd shows it):

```ldif
dn: ou=People,dc=example,dc=com
ou: People
objectClass: organizationalUnit

dn: ou=Group,dc=example,dc=com
ou: Group
objectClass: organizationalUnit
```
Execute:
ldapadd -x -D cn=admin,dc=example,dc=com -W -f /tmp/test.ldif
Create the file member.ldif, which loads the memberof module and enables the overlay on the mdb database. The overlay maintains a memberOf attribute on every user entry, so "which groups is this user in" becomes a single read of the user entry instead of a search over all groups:

```ldif
dn: cn=module,cn=config
cn: module
objectclass: olcModuleList
objectclass: top
olcmoduleload: memberof
olcmodulepath: /usr/lib/ldap

dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config
objectClass: olcConfig
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: memberof
```

On a Debian install the entry cn=module{0},cn=config already exists (it loads back_mdb), so this new module list is stored as cn=module{1},cn=config; the refint step below relies on that name. If your cn=config contains a different number of olcModuleList entries (check with an EXTERNAL-bound ldapsearch on cn=config for objectClass olcModuleList), adjust the DN in refint.ldif accordingly. Also note that memberOf is only maintained for group changes made after the overlay is active; groups that already exist are not backfilled.
Execute:
ldapadd -Y EXTERNAL -Q -H ldapi:/// -f member.ldif
Create the file refint.ldif, which loads the refint module into the same module list (the changetype is ldapmodify's default, but stating it makes the intent explicit):

```ldif
dn: cn=module{1},cn=config
changetype: modify
add: olcmoduleload
olcmoduleload: refint
```
Execute:
ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f refint.ldif
Create the file refintconf.ldif, which enables the refint overlay after memberof and tells it which attributes hold DNs that must be kept consistent. When an entry is renamed or deleted, refint updates or removes every reference to it in these attributes, so groups do not keep pointing at users that no longer exist:

```ldif
dn: olcOverlay={1}refint,olcDatabase={1}mdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
objectClass: top
olcOverlay: {1}refint
olcRefintAttribute: memberof member manager owner
```
Execute:
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f refintconf.ldif
Create the file index.ldif to add equality indexes for memberOf and mail. Without them every search on these attributes is a full scan of the database and slapd logs an "not indexed" warning for each one. One attribute per value keeps the olcDbIndex syntax unambiguous; slapd rebuilds the indexes itself after the change is applied through cn=config:

```ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: memberOf eq
olcDbIndex: mail eq
```
Execute:
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f index.ldif
Create the file database.ldif to raise the maximum size of the database (Debian's default is 1 GB). I once ran out of space after adding only a few hundred users… The value is an LMDB map size, not preallocated disk space; the data file stays sparse until it is actually filled:

```ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcDbMaxSize
olcDbMaxSize: 20073741824
```
Execute:
ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f database.ldif
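Before wiring Keycloak to the directory, it is worth confirming that both overlays actually do what the rest of this manual relies on. The following script was written for this page and is not part of the original tutorial or of OpenLDAP. It adds two throwaway users and a group, checks that the memberof overlay put memberOf on a user, deletes that user and checks that the refint overlay removed the stale member value from the group. It assumes the DNs used above, the made-up probe entries, and a file holding the cn=admin password whose path is given in LDAP_ADMIN_PW_FILE. Run it with the argument live on the LDAP host; without arguments it only defines the helper functions.

```shell
#!/bin/sh
# Verification script added for this tutorial (not part of the original page).
# Creates two throwaway users and a group, checks that the memberof overlay
# filled in memberOf, deletes one user and checks that the refint overlay
# removed the stale member value. DNs follow the tutorial; the probe entries
# and the LDAP_ADMIN_PW_FILE variable are assumptions of this script.
set -eu

BASE_DN="dc=example,dc=com"
ADMIN_DN="cn=admin,${BASE_DN}"
LDAP_URI="${LDAP_URI:-ldap://127.0.0.1}"
USER1_DN="uid=probe1,ou=People,${BASE_DN}"
USER2_DN="uid=probe2,ou=People,${BASE_DN}"
GROUP_DN="cn=probe-group,ou=Group,${BASE_DN}"

# Join LDIF continuation lines (a leading space continues the previous line)
# so that every attribute value sits on exactly one line.
unfold_ldif() {
    awk '/^ / { printf "%s", substr($0, 2); next }
         { if (NR > 1) print ""; printf "%s", $0 }
         END { print "" }'
}

# has_attr_value ATTR VALUE: read LDIF on stdin, succeed if "ATTR: VALUE" is
# present. Attribute types and DNs compare case-insensitively in LDAP.
has_attr_value() {
    unfold_ldif | grep -qixF "$1: $2"
}

# Run an LDAP client tool as cn=admin. The password comes from a file (-y),
# so it never shows up in the process list; the file must hold the bare
# password without a trailing newline, e.g. printf '%s' pw > file.
ldap_admin() {
    tool=$1; shift
    "$tool" -x -H "$LDAP_URI" -D "$ADMIN_DN" \
        -y "${LDAP_ADMIN_PW_FILE:?path to a file holding the cn=admin password}" "$@"
}

run_live_check() {
    # Two members on purpose: groupOfNames requires at least one member, and
    # we want refint to remove one value, not empty the attribute.
    ldap_admin ldapadd <<EOF
dn: ${USER1_DN}
objectClass: inetOrgPerson
uid: probe1
cn: Probe One
sn: One

dn: ${USER2_DN}
objectClass: inetOrgPerson
uid: probe2
cn: Probe Two
sn: Two

dn: ${GROUP_DN}
objectClass: groupOfNames
cn: probe-group
member: ${USER1_DN}
member: ${USER2_DN}
EOF
    # memberOf is an operational attribute, so it has to be requested explicitly.
    ldap_admin ldapsearch -LLL -b "$USER1_DN" -s base '(objectClass=*)' memberOf \
        | has_attr_value memberOf "$GROUP_DN" \
        || { echo "FAIL: memberOf missing on $USER1_DN (memberof overlay inactive?)"; return 1; }

    ldap_admin ldapdelete "$USER1_DN"
    # refint repairs referencing entries from a background task; give it a moment.
    sleep 1
    group=$(ldap_admin ldapsearch -LLL -b "$GROUP_DN" -s base '(objectClass=*)' member)
    if printf '%s\n' "$group" | has_attr_value member "$USER1_DN"; then
        echo "FAIL: stale member $USER1_DN still in $GROUP_DN (refint overlay inactive?)"
        return 1
    fi
    printf '%s\n' "$group" | has_attr_value member "$USER2_DN" \
        || { echo "FAIL: $USER2_DN unexpectedly removed from $GROUP_DN"; return 1; }

    # Clean up: group first, so that deleting probe2 never empties its member list.
    ldap_admin ldapdelete "$GROUP_DN" "$USER2_DN"
    echo "OK: memberof and refint overlays are working"
}

# Run the live check only when asked: ./verify-overlays.sh live
case "${1:-}" in live) run_live_check ;; esac
```

Create the password file with printf '%s' 'your-admin-password' > /root/ldap-admin.pw and chmod 600 it; ldap tools use the file contents verbatim, so a trailing newline from echo would become part of the password and the bind would fail.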
If you have not created a realm besides the master realm yet, do that now.
Set up the LDAP integration before you add any users to Keycloak. Keycloak, as of version 3.4.3, cannot push already existing users into the LDAP directory; such a user is only written to LDAP when it is modified afterwards.
In the new realm click on “User Federation” and then on “Add Provider…”/“Ldap”.
Set the following settings:
Setting | Value | Comment |
---|---|---|
import users | on | only needed if users are also changed by means other than Keycloak |
edit mode | writable | |
sync registration | on | |
vendor | other | |
connection url | ldap://172.17.0.1 | assuming Keycloak runs as a Docker container; the address is the host's docker0 bridge |
users dn | ou=People,dc=example,dc=com | |
bind dn | cn=admin,dc=example,dc=com | |
bind credential | the admin password you chose when installing OpenLDAP | |
Note that this is plain LDAP without TLS: the bind password and every user password Keycloak writes cross the docker0 bridge in the clear. That is tolerable only because slapd listens solely on the host's bridge address, and every container on that bridge can reach it; anything beyond a single host should use ldaps:// or STARTTLS. Keycloak also binds as the directory's rootdn here, so it can change anything in the tree.
Then save everything and click on “Mappers”.
Create a new mapper with following settings:
setting | value |
---|---|
name | groups |
mapper type | group-ldap-mapper |
ldap groups dn | ou=Group,dc=example,dc=com |
Then edit the existing “first name” mapper and change:
setting | value |
---|---|
ldap attribute | givenName |
Create another new mapper:
setting | value |
---|---|
name | full name |
mapper type | full-name-ldap-mapper |
LDAP Full Name Attribute | cn |
Newly created users and changes to existing users should now be synced to the LDAP directory.
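To check that the sync and the mappers above really produced a usable entry, create a user in Keycloak and run the following script against the directory. It was written for this page and is not part of the original tutorial, of Keycloak or of OpenLDAP. It searches ou=People for the uid, normalises the ldapsearch output (folded lines, and the base64 form ldapsearch uses for non-ASCII values such as a German umlaut in a name) and reports which of the attributes the mappers are responsible for are missing: uid and sn from the default mappers, givenName from the changed “first name” mapper and cn from the added “full name” mapper. The uid alice, the constructed sample data and the LDAP_ADMIN_PW_FILE variable are assumptions of this script.

```shell
#!/bin/sh
# Added check (not part of the original tutorial): verify that the entry
# Keycloak wrote to ou=People carries the attributes the mappers produce.
# The LDAP_ADMIN_PW_FILE variable and the example uid are assumptions.
set -eu

BASE_DN="dc=example,dc=com"
USERS_DN="ou=People,${BASE_DN}"
ADMIN_DN="cn=admin,${BASE_DN}"
LDAP_URI="${LDAP_URI:-ldap://127.0.0.1}"

# Attributes that must be present: uid/sn from Keycloak's default mappers,
# givenName from the "first name" mapper, cn from the "full name" mapper.
REQUIRED_ATTRS="uid cn sn givenName"

# Normalise ldapsearch LDIF output: join continuation lines and decode
# "attr:: <base64>" values, which ldapsearch emits for non-ASCII values.
# Output is one "attr: value" per line.
normalize_ldif() {
    awk '/^ / { printf "%s", substr($0, 2); next }
         { if (NR > 1) print ""; printf "%s", $0 }
         END { print "" }' |
    while IFS= read -r line; do
        attr=${line%%:*}
        rest=${line#*:}
        case $rest in
            :*) printf '%s: %s\n' "$attr" "$(printf '%s' "${rest#": "}" | base64 -d)" ;;
            *)  printf '%s\n' "$line" ;;
        esac
    done
}

# missing_attrs reads normalised LDIF on stdin and prints the names from
# REQUIRED_ATTRS that have no value (empty output means all are present).
missing_attrs() {
    entry=$(cat)
    missing=""
    for a in $REQUIRED_ATTRS; do
        printf '%s\n' "$entry" | grep -qi "^$a: ." || missing="$missing $a"
    done
    printf '%s\n' "${missing# }"
}

# check_user UID: look the user up as cn=admin and validate the entry. The
# uid comes from the administrator running this script; escape it per
# RFC 4515 before interpolating into the filter if it ever comes from
# untrusted input.
check_user() {
    out=$(ldapsearch -x -H "$LDAP_URI" -D "$ADMIN_DN" \
            -y "${LDAP_ADMIN_PW_FILE:?path to a file holding the cn=admin password}" \
            -LLL -b "$USERS_DN" "(uid=$1)" '*' memberOf | normalize_ldif)
    [ -n "$out" ] || { echo "FAIL: no entry for uid=$1 under $USERS_DN (sync not working?)"; return 1; }
    printf '%s\n' "$out"
    missing=$(printf '%s\n' "$out" | missing_attrs)
    [ -z "$missing" ] || { echo "FAIL: attributes not written by Keycloak: $missing"; return 1; }
    echo "OK: uid=$1 present with all mapped attributes"
}

# Usage: ./check-keycloak-user.sh alice
case "${1:-}" in '') ;; *) check_user "$1" ;; esac
```

If the entry exists but cn or givenName is reported missing, the user was most likely created before the mapper was changed; editing the user once in Keycloak rewrites the entry with the current mappers.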