linux_server_manuals:keycloak_openldap_integration
linux_server_manuals:keycloak_openldap_integration [2018/01/31 18:41] – created ronney | linux_server_manuals:keycloak_openldap_integration [2018/05/12 16:28] (current) – ronney | ||
Line 1: | Line 1: | ||
====== Setup openLDAP and integrate it with Keycloak ====== | ====== Setup openLDAP and integrate it with Keycloak ====== | ||
- | For that manual, we assume that you've already got a working Keycloak installation. Otherwise take a look at [[linux_server_manuals: | + | For that manual, we assume that you've already got a working Keycloak installation. Otherwise take a look at [[linux_server_manuals: |
The manual was written for Debian Stretch, but should also work with other distributions. | The manual was written for Debian Stretch, but should also work with other distributions. | ||
Line 23: | Line 23: | ||
</ | </ | ||
+ | If you changed the above setting, that slapd should not listen on all hosts, then you also need to tell slapd it should not start up before docker. Otherwise the dockerinterface is not ready to bind to it: | ||
+ | |||
+ | < | ||
+ | systemctl edit slapd.service | ||
+ | </ | ||
+ | |||
+ | In the editor that was opened enter: | ||
+ | < | ||
+ | [Unit] | ||
+ | After=docker.service | ||
+ | </ | ||
create file / | create file / | ||
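Review bot: `After=docker.service` on its own only orders slapd behind docker when both units are part of the same start-up transaction; it does not pull docker in, so on a boot or restart where docker.service is not otherwise wanted, slapd still comes up first and the bind to the docker bridge address fails exactly as the paragraph describes. Put `Wants=docker.service` next to `After=docker.service` in the `systemctl edit slapd.service` drop-in (or `Requires=docker.service` if slapd must not run at all without docker). An alternative that removes the ordering problem entirely is `net.ipv4.ip_nonlocal_bind=1` via sysctl, which lets slapd bind an address that is not configured yet. `systemctl edit` reloads the unit for you, but after restarting slapd verify the effective listeners with `ss -ltnp | grep slapd` so the daemon really is off 0.0.0.0.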
Line 98: | Line 109: | ||
changetype: modify | changetype: modify | ||
add: olcDbIndex | add: olcDbIndex | ||
- | olcDbIndex: memberOf eq | + | olcDbIndex: memberOf, mail eq |
</ | </ | ||
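Review bot: `olcDbIndex: memberOf, mail eq` has a space after the comma; slapd splits the value on whitespace, so it is read as three tokens and the modify is rejected. The attribute list must be comma-separated with no spaces: `olcDbIndex: memberOf,mail eq`. The operation is still `add: olcDbIndex`, so anyone who applied the previous revision already has `olcDbIndex: memberOf eq` on `olcDatabase={1}mdb` and slapd refuses a second index definition for memberOf; either switch to `replace: olcDbIndex` and list every index the database should carry, or add only a new `olcDbIndex: mail eq` value. Also worth a sentence in the text: memberOf is only populated (and therefore only worth indexing) when the memberof overlay is enabled on this database.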
Line 105: | Line 116: | ||
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f index.ldif | ldapadd -Q -Y EXTERNAL -H ldapi:/// -f index.ldif | ||
</ | </ | ||
+ | |||
+ | create file database.ldif to increase the maxsize of 1GB of the database.I once run out of space after only adding a few 100 users... | ||
+ | < | ||
+ | dn: olcDatabase={1}mdb, | ||
+ | changetype: modify | ||
+ | replace: OlcDbMaxSize | ||
+ | OlcDbMaxSize: | ||
+ | </ | ||
+ | |||
+ | Execute: | ||
+ | < | ||
+ | ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f database.ldif | ||
+ | </ | ||
+ | |||
===== Setup Keycloak LDAP federation ===== | ===== Setup Keycloak LDAP federation ===== | ||
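Review bot: "increase the maxsize of 1GB" reads as if 1 GB were the current limit; unless `olcDbMaxSize` is set, back-mdb's default map size is 10 MB, which is what runs out after a few hundred users, so reword to "raise the maximum database size (default 10 MB)" and state the unit: `olcDbMaxSize` is in bytes, so 1 GiB is `1073741824`. The value on the `OlcDbMaxSize:` line is cut off in this view and should be checked. Attribute names are case-insensitive, so `OlcDbMaxSize` is accepted, but write it `olcDbMaxSize` like the other attributes on the page. LMDB grows data.mdb on demand, so a generous value does not consume disk up front; a value that is too small, on the other hand, fails writes with MDB_MAP_FULL with no warning beforehand.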
Line 118: | Line 143: | ||
Set following settings: | Set following settings: | ||
- | add new user federation provider: | + | ^Setting ^ Value ^ Comment ^ |
- | import users: on | + | |**import users** | on | only necessary if you also change users over other means than keycloak | |
- | edit mode: writeable | + | |**edit mode** | writeable |
- | sync registration: on | + | |**sync registration** | on | |
- | vendor: other | + | |**vendor** | other | |
- | connection url: ldap:// | + | |**connection url** | ldap:// |
- | users dn: ou=People, | + | |**users dn** | ou=People, |
- | bind dn: cn=admin, | + | |**bind dn** | cn=admin, |
- | bind credential: Xxxx | + | |**bind credential** | <admin credentials which you've chosen on installind openLDAP> |
- | + | ||
- | + | ||
- | then ldap mappers, create: | + | |
- | name: group | + | |
- | mapper type: group-ldap-mapper | + | |
- | ldap groups dn: ou=Group, | + | |
- | + | ||
- | edit mapping: first name: | + | |
- | ldap attribute: givenName | + | |
- | create mapping: | + | Then Save everything and click on Mappers. |
- | name: full name | + | |
- | mapper type: full-name-ldap-mapper | + | |
- | LDAP Full Name Attribute: cn | + | |
- | create | + | Create a new mapper |
- | then save, and then: | + | ^ setting ^ value ^ |
- | composite roles: on | + | |**name** | groups | |
- | client roles: realm-management. associate all available roles. | + | |**mapper type** | group-ldap-mapper | |
+ | |**ldap groups dn** | ou=Group, | ||
- | create new group with name admin. | + | Then edit the mapping: " |
- | add role realmadmin. | + | ^ setting ^ value ^ |
+ | |**ldap attribute** | givenName | | ||
- | (you don't necessarily have to do that. you could have users which are only admins for the installed applications. | + | Create a new mapping |
- | and some superadmin, which can also manage the realm in keycloak.) | + | ^ setting ^ value ^ |
+ | |**name** | full name | | ||
+ | |**mapper type** | full-name-ldap-mapper | | ||
+ | |**LDAP Full Name Attribute** | cn | | ||
- | then create new user admin, | + | Now newly created |
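Review bot: `bind dn: cn=admin,...` combined with `edit mode: writeable` makes Keycloak bind as the directory's rootdn, which bypasses every slapd ACL and can rewrite anything in the tree; create a dedicated service entry (for example a cn=keycloak object outside ou=People) and grant it write access only to ou=People and ou=Group through an olcAccess rule, then use that DN and its own password as the bind credential. The `connection url` is plain `ldap://`; that is acceptable only while slapd listens on the docker bridge as set up earlier in the page, and should become `ldaps://` or StartTLS as soon as Keycloak and slapd are on different hosts. The comment on `import users` is inverted: with import on, Keycloak copies users into its own database and does not notice users changed directly in LDAP until a periodic sync runs, so if users are managed by other means either turn import off or also configure the periodic full/changed-users sync in the same provider. Minor: "installind" in the bind credential cell.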
linux_server_manuals/keycloak_openldap_integration.1517424081.txt.gz · Last modified: 2018/01/31 18:41 by ronney