Differences

This shows you the differences between two versions of the page.

--- linux_server_manuals:keycloak_openldap_integration [2018/01/31 18:41] – created ronney
+++ linux_server_manuals:keycloak_openldap_integration [2018/05/12 16:28] (current) – ronney
@@ Line 1: / Line 1: @@
 ====== Setup openLDAP and integrate it with Keycloak ======
-For that manual, we assume that you've already got a working Keycloak installation. Otherwise take a look at [[linux_server_manuals:install_docker_and_with_keycloak|]] first.
+For that manual, we assume that you've already got a working Keycloak installation. Otherwise take a look at [[linux_server_manuals:docker_keycloak_container_with_local_postgresql]] first.
 The manual was written for Debian Stretch, but should also work with other distributions.
@@ Line 23: / Line 23: @@
 </code>
+If you changed the above setting, that slapd should not listen on all hosts, then you also need to tell slapd it should not start up before docker. Otherwise the dockerinterface is not ready to bind to it:
+<code>
+systemctl edit slapd.service
+</code>
+In the editor that was opened enter:
+<code>
+[Unit]
+After=docker.service
+</code>
 create file /tmp/test.ldif:
@@ Line 98: / Line 109: @@
 changetype: modify
 add: olcDbIndex
-olcDbIndex: memberOf eq
+olcDbIndex: memberOf, mail eq
 </code>
@@ Line 105: / Line 116: @@
 ldapadd -Q -Y EXTERNAL -H ldapi:/// -f index.ldif
 </code>
+create file database.ldif to increase the maxsize of 1GB of the database.I once run out of space after only adding a few 100 users...
+<file>
+dn: olcDatabase={1}mdb,cn=config
+changetype: modify
+replace: OlcDbMaxSize
+OlcDbMaxSize: 20073741824
+</file>
+Execute:
+<code>
+ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f database.ldif
+</code>
 ===== Setup Keycloak LDAP federation =====
@@ Line 118: / Line 143: @@
 Set following settings:
-add new user federation provider:ldap
+^Setting ^ Value ^ Comment ^
-import users: on
+|**import users** | on | only necessary if you also change users over other means than keycloak |
-edit mode: writeable
+|**edit mode** | writeable |
-sync registration: on
+|**sync registration** | on |
-vendor: other
+|**vendor** | other |
-connection url: ldap://172.17.0.1
+|**connection url** | ldap://172.17.0.1 | assuming keycloak is installed as docker image |
-users dn: ou=People,dc=example,dc=com
+|**users dn** | ou=People,dc=example,dc=com |
-bind dn: cn=admin,dc=example,dc=com
+|**bind dn** | cn=admin,dc=example,dc=com  |
-bind credential: Xxxx
+|**bind credential** | <admin credentials which you've chosen on installind openLDAP> |
-then ldap mappers, create:
-name: group
-mapper type: group-ldap-mapper
-ldap groups dn: ou=Group,dc=example,dc=com
-edit mapping: first name:
-ldap attribute: givenName
-create mapping:
+Then Save everything and click on Mappers.
-name: full name
-mapper type:  	full-name-ldap-mapper
-LDAP Full Name Attribute: cn
-create new role with name realmadmin.
+Create a new mapper with following settings:
-then save, and then:
+^ setting ^ value ^
-composite roles: on
+|**name** | groups |
-client roles: realm-management. associate all available roles.
+|**mapper type** | group-ldap-mapper |
+|**ldap groups dn** | ou=Group,dc=example,dc=com |
-create new group with name admin.
+Then edit the mapping: "first name" and change:
-add role realmadmin.
+^ setting ^ value ^
+|**ldap attribute** | givenName |
-(you don't necessarily have to do that. you could have users which are only admins for the installed applications.
+Create a new mapping
-and some superadmin, which can also manage the realm in keycloak.)
+^ setting ^ value ^
+|**name** | full name |
+|**mapper type** | full-name-ldap-mapper |
+|**LDAP Full Name Attribute** | cn |
-then create new user admin, and add it to the group admin.
+Now newly created and changes to users should be synced to the ldap directory.