Setup openLDAP and integrate it with Keycloak
This manual assumes that you already have a working Keycloak installation. Otherwise take a look at install_docker_and_with_keycloak first.
The manual was written for Debian Stretch, but should also work with other distributions.
openLDAP setup
Install openLDAP:
aptitude install slapd ldap-utils
We only want to accept connections from localhost and from Docker containers (172.17.0.1 is the host's address on the default docker0 bridge, which is how the Keycloak container reaches the host), so edit /etc/default/slapd and set:
SLAPD_SERVICES="ldap://127.0.0.1 ldap://172.17.0.1 ldapi:///"
Then restart the LDAP server:
systemctl restart slapd
create file /tmp/test.ldif (replace dc=example,dc=com throughout with the base DN you chose when the slapd package was configured):
dn: ou=People,dc=example,dc=com
ou: People
objectClass: organizationalUnit

dn: ou=Group,dc=example,dc=com
ou: Group
objectClass: organizationalUnit
execute:
ldapadd -x -D cn=admin,dc=example,dc=com -W -f /tmp/test.ldif
create file member.ldif, which loads the memberof overlay onto the mdb database. The overlay maintains a memberOf attribute on user entries from the member attribute of groups, but only for group changes made after it is enabled, so do this before creating any groups:
dn: cn=module,cn=config
cn: module
objectClass: olcModuleList
objectClass: top
olcModuleLoad: memberof
olcModulePath: /usr/lib/ldap

dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config
objectClass: olcConfig
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: memberof
execute (as root: SASL EXTERNAL over ldapi:/// authenticates by the local uid, and uid 0 is the cn=config administrator on Debian):
ldapadd -Y EXTERNAL -Q -H ldapi:/// -f member.ldif
create file refint.ldif. It adds the refint module to the module list that member.ldif created; on a default Debian installation that list is cn=module{1},cn=config, because cn=module{0} already holds the mdb backend. If your cn=config looks different, look up the olcModuleList entries under cn=config first and adjust the DN:
dn: cn=module{1},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: refint
execute
ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f refint.ldif
create file refintconf.ldif. The refint overlay removes references to a deleted or renamed entry from the listed attributes, so deleting a user also removes it from its groups. Note that without an olcRefintNothing placeholder DN it cannot remove the last member value of a groupOfNames, because the schema requires at least one:
dn: olcOverlay={1}refint,olcDatabase={1}mdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
objectClass: top
olcOverlay: {1}refint
olcRefintAttribute: memberof member manager owner
execute
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f refintconf.ldif
create file index.ldif, which adds an equality index on memberOf (searches on it would otherwise be unindexed):
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: memberOf eq
execute (this is a modification of an existing entry, so ldapmodify is the matching tool):
ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f index.ldif
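The following script is an added end-to-end check of the overlay setup above; it is not part of the original page. It confirms that memberof and refint are configured in cn=config, creates a throwaway user and group, checks that memberOf appears on the user, deletes the user and checks that refint removed it from the group. Assumptions: the suffix is dc=example,dc=com, the rootdn is cn=admin,dc=example,dc=com, its password is stored without a trailing newline in the file named by LDAP_PW_FILE, and the script runs as root so that SASL EXTERNAL over ldapi:/// works. The sample_search_output function is constructed data for checking the LDIF parsing helpers offline.

```shell
#!/bin/sh
# Added example (not from the original page): verify the memberof and refint
# overlays with the OpenLDAP client tools.  Assumed: suffix dc=example,dc=com,
# rootdn cn=admin,dc=example,dc=com, password in LDAP_PW_FILE created with
#   printf '%s' 'secret' > /root/ldap-admin.pw && chmod 600 /root/ldap-admin.pw
set -eu

BASE="dc=example,dc=com"
ADMIN_DN="cn=admin,$BASE"
USER_DN="uid=testuser,ou=People,$BASE"
GROUP_DN="cn=testgroup,ou=Group,$BASE"
LDAP_URI="${LDAP_URI:-ldapi:///}"
LDAP_PW_FILE="${LDAP_PW_FILE:-/root/ldap-admin.pw}"

# Throwaway user plus a groupOfNames listing both the user and the admin DN.
# Two members are deliberate: without olcRefintNothing, refint cannot strip
# the last 'member' value of a groupOfNames (the schema requires at least one).
test_ldif() {
  cat <<EOF
dn: $USER_DN
objectClass: inetOrgPerson
uid: testuser
cn: Test User
givenName: Test
sn: User

dn: $GROUP_DN
objectClass: groupOfNames
cn: testgroup
member: $USER_DN
member: $ADMIN_DN
EOF
}

# Join LDIF continuation lines: ldapsearch folds long values and marks the
# continuation with a leading space, so values must be unfolded before parsing.
ldif_unfold() {
  awk '/^ / { line = line substr($0, 2); next }
       { if (NR > 1) print line; line = $0 }
       END { print line }'
}

# Print every value of attribute $1 (name compared case-insensitively) from LDIF on stdin.
ldif_values() {
  want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  ldif_unfold | awk -F': ' -v want="$want" 'tolower($1) == want { print $2 }'
}

# Constructed sample of ldapsearch -LLL output for the test user, with the
# memberOf value folded across two lines, so the parser can be checked offline.
sample_search_output() {
  cat <<'EOF'
dn: uid=testuser,ou=People,dc=example,dc=com
memberOf: cn=testgroup,ou=Group,dc=exam
 ple,dc=com

EOF
}

# Run an OpenLDAP client tool with the admin bind options in front of its own arguments.
as_admin() {
  tool=$1; shift
  "$tool" -x -H "$LDAP_URI" -D "$ADMIN_DN" -y "$LDAP_PW_FILE" "$@"
}

# Overlay names configured on any database in cn=config (root only: SASL EXTERNAL
# over ldapi:/// maps uid 0 to the cn=config administrator on Debian).
overlays_loaded() {
  ldapsearch -Q -Y EXTERNAL -H ldapi:/// -LLL -b cn=config \
    '(objectClass=olcOverlayConfig)' olcOverlay | ldif_values olcOverlay
}

verify_live() {
  for ov in memberof refint; do
    overlays_loaded | grep -qx "{[0-9]*}$ov" \
      || { echo "overlay $ov is not configured" >&2; return 1; }
  done

  tmp=$(mktemp)
  test_ldif > "$tmp"
  as_admin ldapadd -f "$tmp"
  rm -f "$tmp"

  # memberOf is an operational attribute, so it must be requested by name.
  got=$(as_admin ldapsearch -LLL -b "$USER_DN" -s base memberOf | ldif_values memberOf)
  [ "$got" = "$GROUP_DN" ] \
    || { echo "memberof overlay did not set memberOf (got '$got')" >&2; return 1; }

  # Deleting the user must make refint drop the dangling member value from the group.
  as_admin ldapdelete "$USER_DN"
  case "$(as_admin ldapsearch -LLL -b "$GROUP_DN" -s base member | ldif_values member)" in
    *"$USER_DN"*) echo "refint did not remove $USER_DN from $GROUP_DN" >&2; return 1 ;;
  esac
  as_admin ldapdelete "$GROUP_DN"
  echo "memberof and refint overlays work"
}

# Only touch the directory when invoked as:  sh verify-overlays.sh run
if [ "${1:-}" = "run" ]; then
  verify_live
fi
```

Run it as root with `sh verify-overlays.sh run` after the steps above; without the `run` argument it only defines the functions, which is what lets the parsing helpers be tested against the constructed sample.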
Setup Keycloak LDAP federation
If you didn't create a new realm besides the master realm yet, do that now.
Set up the LDAP integration before you add any users to Keycloak. As of version 3.4.3, Keycloak does not write users that already exist in its database to the LDAP directory when the provider is added; such a user is only created in LDAP when it is changed afterwards.
In the new realm click on “User Federation” and then on “Add Provider…”/“Ldap”.
Set following settings:
add new user federation provider:ldap
import users: on
edit mode: writeable
sync registration: on
vendor: other
connection url: ldap://172.17.0.1 (the docker0 address slapd listens on; plain ldap:// without TLS is acceptable here only because the traffic never leaves the host)
users dn: ou=People,dc=example,dc=com
bind dn: cn=admin,dc=example,dc=com (the rootdn, so Keycloak gets unrestricted write access to the directory, which the writeable edit mode needs)
bind credential: Xxxx (the admin password chosen when slapd was configured)
then, under LDAP Mappers, create:
name: group
mapper type: group-ldap-mapper
ldap groups dn: ou=Group,dc=example,dc=com
edit the existing mapper “first name”:
ldap attribute: givenName
create mapping:
name: full name
mapper type: full-name-ldap-mapper
LDAP Full Name Attribute: cn
Under Roles, create a new role named realmadmin, save it, and then set:
composite roles: on
client roles: realm-management; associate all available roles.
Under Groups, create a new group named admin and add the role realmadmin to it.
(This is optional: you could have users who are only admins of the installed applications, plus some superadmin who can also manage the realm in Keycloak.)
Then create a new user admin and add it to the group admin.
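The same federation provider and group mapper can be created from the command line with Keycloak's kcadm.sh, which makes the setup repeatable. The script below is an added example, not part of the original page or of Keycloak. It assumes KCADM points at bin/kcadm.sh of your installation, REALM is the realm created above, LDAP_BIND_PW is the password of cn=admin,dc=example,dc=com, and that you have already logged in with kcadm.sh config credentials. The component config keys are the internal names of the admin-console fields used above and of the group mapper's settings; compare them with the output of kcadm.sh get components -r REALM for a provider created in the console if your Keycloak version differs. The kcadm options used (-f, -i, --fields, --format csv, --noquotes) are as documented for kcadm; check kcadm.sh get --help on your version.

```shell
#!/bin/sh
# Added example (not from the original page): create the LDAP user federation
# provider and its group mapper with kcadm.sh.  Assumed: KCADM, REALM and
# LDAP_BIND_PW as described in the lead-in, and a prior
#   kcadm.sh config credentials --server http://localhost:8080/auth --realm master --user admin
set -eu

REALM="${REALM:-example}"
KCADM="${KCADM:-/opt/jboss/keycloak/bin/kcadm.sh}"
LDAP_BIND_PW="${LDAP_BIND_PW:-changeme}"   # must not contain JSON-special characters

# Component representation of the user storage provider.  Keycloak stores
# component config as a map of string lists, hence the one-element arrays.
# $1 is the realm id, which a top-level component uses as its parentId.
provider_json() {
  cat <<EOF
{
  "name": "ldap",
  "providerId": "ldap",
  "providerType": "org.keycloak.storage.UserStorageProvider",
  "parentId": "$1",
  "config": {
    "enabled": ["true"],
    "priority": ["0"],
    "importEnabled": ["true"],
    "editMode": ["WRITABLE"],
    "syncRegistrations": ["true"],
    "vendor": ["other"],
    "usernameLDAPAttribute": ["uid"],
    "rdnLDAPAttribute": ["uid"],
    "uuidLDAPAttribute": ["entryUUID"],
    "userObjectClasses": ["inetOrgPerson, organizationalPerson"],
    "connectionUrl": ["ldap://172.17.0.1"],
    "usersDn": ["ou=People,dc=example,dc=com"],
    "authType": ["simple"],
    "bindDn": ["cn=admin,dc=example,dc=com"],
    "bindCredential": ["$LDAP_BIND_PW"],
    "searchScope": ["1"],
    "pagination": ["true"]
  }
}
EOF
}

# Group mapper attached to the provider whose component id is $1.  groupOfNames
# with a DN-valued 'member' attribute matches the groups the LDAP section creates.
group_mapper_json() {
  cat <<EOF
{
  "name": "group",
  "providerId": "group-ldap-mapper",
  "providerType": "org.keycloak.storage.ldap.mappers.LDAPStorageMapper",
  "parentId": "$1",
  "config": {
    "groups.dn": ["ou=Group,dc=example,dc=com"],
    "group.name.ldap.attribute": ["cn"],
    "group.object.classes": ["groupOfNames"],
    "membership.ldap.attribute": ["member"],
    "membership.attribute.type": ["DN"],
    "membership.user.ldap.attribute": ["uid"],
    "mode": ["LDAP_ONLY"],
    "user.roles.retrieve.strategy": ["LOAD_GROUPS_BY_MEMBER_ATTRIBUTE"]
  }
}
EOF
}

create_live() {
  realm_id=$("$KCADM" get "realms/$REALM" --fields id --format csv --noquotes)
  tmp=$(mktemp)   # mode 0600; it briefly holds the bind password
  provider_json "$realm_id" > "$tmp"
  provider_id=$("$KCADM" create components -r "$REALM" -f "$tmp" -i)
  group_mapper_json "$provider_id" > "$tmp"
  "$KCADM" create components -r "$REALM" -f "$tmp" -i
  rm -f "$tmp"
  # Import whatever already exists in LDAP.  The other direction, pushing users
  # that already exist in Keycloak to LDAP, is what 3.4.3 does not do.
  "$KCADM" create "user-storage/$provider_id/sync?action=triggerFullSync" -r "$REALM"
}

# Only talk to Keycloak when invoked as:  sh keycloak-ldap.sh run
if [ "${1:-}" = "run" ]; then
  create_live
fi
```

The JSON is written to a temporary file and passed with -f rather than as -s key=value arguments, because the mapper's dotted config keys would otherwise need extra quoting on the kcadm command line.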