FreeIPA
When you use FreeIPA as an LDAP server holding user profiles, it can be connected to Keycloak. Keycloak then looks up user information on the FreeIPA/LDAP server when it needs it.
There are a few things to consider:
- Installation documentation can be found here
- Some useful info can be found here
- When running the playbook, the default user with sudo rights after a clean install is the 'centos' user.
- Since the changes surrounding the CentOS distribution, combined with the fact that FreeIPA focuses on CentOS, we migrated to Rocky Linux without any problem at all.
- It is easy to add a FreeIPA server in Keycloak. Select the correct realm (domain), then open User Federation → Add Provider → LDAP. From the Vendor drop-down list, select Red Hat Directory Server. Change the UUID LDAP attribute value to 'ipaUniqueID'. This attribute is only returned on a non-anonymous bind, so create a dedicated, read-only LDAP account for Keycloak and use its credentials for the connection.
- The default 'Red Hat Directory Server' sync setup has an error: not all default synced attributes are correct. The first name attribute of the user should be 'givenName'. In Keycloak, go to User Federation and select your LDAP provider. Open the "Mappers" tab at the top, edit the mapper for 'first name' and change the 'LDAP Attribute' field from 'cn' to 'givenName'. Sync the users again and the first name field is now correct.
- When you migrate existing applications to an SSO setup, you will run into the problem that 'ipaUniqueID' does not map to the user IDs those applications used before. NextCloud and XWiki in particular handle this differently by default. If this is a first roll-out rather than a migration from a previous setup, you should (probably) be fine.
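The same provider and mapper settings as an admin REST API payload, with a check for the two pitfalls above (UUID attribute and the 'first name' mapper). This is an added example, not code from this wiki or from the Keycloak project. It assumes the Keycloak admin REST API (POST /admin/realms/{realm}/components) and uses the host, base DN and bind account from the ldapsearch commands further down as placeholders; the Keycloak URL, realm name and token are assumptions too.

```python
"""Keycloak LDAP federation payloads for FreeIPA, plus a check for the pitfalls above.

Added example, not code from the wiki or the Keycloak project. Assumes the admin
REST API (POST /admin/realms/{realm}/components); host, base DN and bind account
are the page's placeholders.
"""
import json
import urllib.request

PROVIDER_TYPE = "org.keycloak.storage.UserStorageProvider"
MAPPER_TYPE = "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"


def freeipa_provider(name, url, base_dn, bind_dn, bind_password):
    """Component for the 'Red Hat Directory Server' vendor with the FreeIPA-specific settings."""
    return {
        "name": name,
        "providerId": "ldap",
        "providerType": PROVIDER_TYPE,
        "config": {
            "vendor": ["rhds"],
            "connectionUrl": [url],
            "usersDn": [f"cn=users,cn=accounts,{base_dn}"],
            # ipaUniqueID is only returned on a non-anonymous bind, so bind with a
            # dedicated read-only account instead of authType "none".
            "authType": ["simple"],
            "bindDn": [bind_dn],
            "bindCredential": [bind_password],
            "usernameLDAPAttribute": ["uid"],
            "rdnLDAPAttribute": ["uid"],
            "uuidLDAPAttribute": ["ipaUniqueID"],  # the vendor default is not ipaUniqueID
            "userObjectClasses": ["inetOrgPerson, organizationalPerson"],
            "editMode": ["READ_ONLY"],
            "searchScope": ["1"],
            "enabled": ["true"],
        },
    }


def first_name_mapper(provider_id, ldap_attribute="givenName"):
    """The 'first name' attribute mapper; the one Keycloak generates for this vendor uses 'cn'."""
    return {
        "name": "first name",
        "providerId": "user-attribute-ldap-mapper",
        "providerType": MAPPER_TYPE,
        "parentId": provider_id,
        "config": {
            "ldap.attribute": [ldap_attribute],
            "user.model.attribute": ["firstName"],
            "read.only": ["true"],
            "always.read.value.from.ldap": ["true"],
            "is.mandatory.in.ldap": ["true"],
        },
    }


def lint(provider, mappers):
    """Return the misconfigurations the page warns about; empty list means none found."""
    problems = []
    cfg = provider["config"]
    if cfg.get("uuidLDAPAttribute") != ["ipaUniqueID"]:
        problems.append("uuidLDAPAttribute must be ipaUniqueID")
    if cfg.get("authType") != ["simple"] or not cfg.get("bindDn", [""])[0]:
        problems.append("ipaUniqueID needs a non-anonymous bind (authType simple + bindDn)")
    for m in mappers:
        mc = m["config"]
        if mc.get("user.model.attribute") == ["firstName"] and mc.get("ldap.attribute") != ["givenName"]:
            problems.append("first name mapper uses %s, should be givenName" % mc["ldap.attribute"][0])
    return problems


def post_component(base_url, realm, token, payload):
    """Create a component through the admin REST API; returns the Location header of the new component."""
    req = urllib.request.Request(
        f"{base_url}/admin/realms/{realm}/components",
        data=json.dumps(payload).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return resp.headers.get("Location")


if __name__ == "__main__":
    provider = freeipa_provider(
        "freeipa", "ldap://ipa.company.lan", "dc=company,dc=lan",
        "uid=keycloak,cn=users,cn=accounts,dc=company,dc=lan", "change-me",
    )
    # Report on the mapper Keycloak generates by default (cn), then the corrected one.
    print(lint(provider, [first_name_mapper("<provider-id>", "cn")]))
    print(lint(provider, [first_name_mapper("<provider-id>")]))
    # To apply: post_component("https://sso.company.lan", "company", token, provider), then fix the
    # generated 'first name' mapper with a PUT to .../components/{mapper-id} using ldap_attribute="givenName".
```

Keep the bind password out of the script itself (read it from an environment variable or a secrets store) and give the bind account read access only; the lint function is meant to run against the component JSON you GET back from Keycloak after a change, so a later edit in the console does not silently reintroduce 'cn'.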
Trying a simple (anonymous) ldapsearch: `ldapsearch -x -H ldap://ipa.company.lan -b 'dc=company,dc=lan' 'uid=john'`
Trying a simple (non-anonymous) ldapsearch: `ldapsearch -x -H ldap://ipa.company.lan -b 'dc=company,dc=lan' 'uid=john' -D 'uid=keycloak,cn=users,cn=accounts,dc=company,dc=lan' -W`
Compare the two results: the anonymous search returns the entry without 'ipaUniqueID', the bound one includes it, which is exactly what Keycloak needs. '-W' prompts for the bind password; prefer it over '-w password', which leaves the password in your shell history and in process listings.
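A small script that runs the two searches above and reports which of the attributes Keycloak needs are missing from the result. This is an added example, not part of the wiki page. It assumes the page's host, base DN and bind DN as placeholders; the two LDIF samples in the script are constructed to show the expected difference and are not captured output.

```python
"""Compare anonymous and bound ldapsearch results for a FreeIPA user.

Added example, not from the wiki page. Host, base DN and bind DN are the page's
placeholders; the LDIF samples below are constructed, not real server output.
"""
import subprocess

# Attributes Keycloak relies on: username, first name mapper, UUID attribute.
WANTED = ("uid", "givenName", "ipaUniqueID")


def ldapsearch_argv(host, base_dn, uid, bind_dn=None):
    """argv for the page's ldapsearch. -LLL strips comment and version lines; -W prompts
    for the password (never pass -w password on the command line)."""
    argv = ["ldapsearch", "-x", "-LLL", "-H", f"ldap://{host}", "-b", base_dn]
    if bind_dn:
        argv += ["-D", bind_dn, "-W"]
    return argv + [f"(uid={uid})", *WANTED]


def parse_ldif(text):
    """Minimal LDIF parser: entries separated by blank lines, 'attr: value' lines,
    leading-space continuation lines folded, base64 ('::') values kept undecoded."""
    entries, cur, last = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
            cur, last = {}, None
        elif line.startswith("#"):
            continue
        elif line.startswith(" ") and last:
            cur[last][-1] += line[1:]
        else:
            key, _, value = line.partition(":")
            if value.startswith(":"):  # base64-encoded value
                value = value[1:]
            cur.setdefault(key, []).append(value.strip())
            last = key
    if cur:
        entries.append(cur)
    return entries


def missing_attrs(entries, wanted=WANTED):
    """Attributes that no returned entry carries (on an anonymous bind, expect ipaUniqueID here)."""
    return [a for a in wanted if not any(a in e for e in entries)]


def check(host, base_dn, uid, bind_dn=None):
    """Run ldapsearch and return (entries, missing attributes)."""
    out = subprocess.run(ldapsearch_argv(host, base_dn, uid, bind_dn),
                         capture_output=True, text=True, check=True).stdout
    entries = parse_ldif(out)
    return entries, missing_attrs(entries)


# Constructed samples of what the two searches are expected to return (not real output).
ANON_LDIF = """dn: uid=john,cn=users,cn=accounts,dc=company,dc=lan
uid: john
givenName: John

"""
BOUND_LDIF = """dn: uid=john,cn=users,cn=accounts,dc=company,dc=lan
uid: john
givenName: John
ipaUniqueID: 4b2f0c5a-1d2e-11ee-9a3b-525400abcdef
"""

if __name__ == "__main__":
    print("anonymous, missing:", missing_attrs(parse_ldif(ANON_LDIF)))
    print("bound, missing:", missing_attrs(parse_ldif(BOUND_LDIF)))
    # Against a real server:
    # check("ipa.company.lan", "dc=company,dc=lan", "john")
    # check("ipa.company.lan", "dc=company,dc=lan", "john",
    #       "uid=keycloak,cn=users,cn=accounts,dc=company,dc=lan")
```

If the bound search still reports 'ipaUniqueID' as missing, the bind account lacks read permission on that attribute and Keycloak will fail to import users even though the connection test succeeds.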
When you try to authenticate from an Ubuntu Samba setup using Kerberos, it won't work, because Ubuntu on one side and Red Hat/CentOS on the other use different encryption types for the password. You could patch the source code, but then maintainability goes out the window.