Authenticate Keycloak against OpenLDAP
Warning
This is not a complete recipe - it's an optional component of the Keycloak recipe, but has been split into its own page to reduce complexity.
Keycloak gets really sexy when you integrate it into your OpenLDAP stack (also, it's great not to have to play with ugly LDAP tree UIs). Note that OpenLDAP integration is not necessary if you want to use Keycloak with Traefik Forward Auth - all you need for that is local users, and an OIDC client.
Ingredients
Summary
Existing:
- Keycloak recipe deployed successfully
New:
- An OpenLDAP server (assuming you want to authenticate against it)
Preparation
You'll need to have completed the OpenLDAP recipe.
You start in the "Master" realm - but mouse over the realm name to get a dropdown box allowing you to add a new realm:
Create Realm
Enter a name for your new realm, and click "Create":
Setup User Federation
Once in the desired realm, click on User Federation, and click Add Provider. On the next page ("Required Settings"), set the following:
- Edit Mode : Writeable
- Vendor : Other
- Connection URL : ldap://openldap
- Users DN : ou=People,<your base DN>
- Authentication Type : simple
- Bind DN : cn=admin,<your base DN>
- Bind Credential : <your chosen admin password>
Save your changes, and then navigate back to "User Federation" > Your LDAP name > Mappers:
For each of the following mappers, click the name, and set the "Read Only" flag to "Off" (this enables 2-way sync between Keycloak and OpenLDAP):
- last name
- username
- first name
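As an added check, not part of the original recipe, the Python below audits a realm's component list (the JSON returned by GET /admin/realms/<realm>/components, or by `kcadm.sh get components -r <realm>`) against the settings above, and also flags a plain ldap:// connection without StartTLS, since a simple bind over it sends the bind credential in clear text. The config keys (editMode, authType, connectionUrl, startTls, read.only) are Keycloak's own; the sample export and its dc=example,dc=com base DN are constructed for the demo.

```python
"""Audit a realm's Keycloak components (GET /admin/realms/<realm>/components,
or `kcadm.sh get components -r <realm>`) against this recipe's LDAP settings."""
import json

EXPECTED_EDIT_MODE = "WRITABLE"      # "Edit Mode: Writeable" in the admin UI
EXPECTED_AUTH_TYPE = "simple"
TWO_WAY_MAPPERS = ("first name", "last name", "username")  # "Read Only" -> Off

def first(cfg, key):
    # Keycloak stores every component config value as a one-element list.
    vals = cfg.get(key) or []
    return vals[0] if vals else None

def audit_federation(components):
    """Return a list of findings; an empty list means the config matches the recipe."""
    findings = []
    providers = [c for c in components if c.get("providerId") == "ldap"]
    if not providers:
        return ["no LDAP user-federation provider in this realm"]
    for prov in providers:
        cfg, name = prov.get("config", {}), prov.get("name", "?")
        for key, want in (("editMode", EXPECTED_EDIT_MODE), ("authType", EXPECTED_AUTH_TYPE)):
            if first(cfg, key) != want:
                findings.append(f"{name}: {key}={first(cfg, key)}, expected {want}")
        url = first(cfg, "connectionUrl") or ""
        if url.startswith("ldap://") and first(cfg, "startTls") != "true":
            findings.append(f"{name}: simple bind over {url} sends the bind credential in clear text")
        # Mappers are child components whose parentId is the provider's id.
        mappers = {m.get("name"): m for m in components if m.get("parentId") == prov.get("id")}
        for mname in TWO_WAY_MAPPERS:
            if mname not in mappers:
                findings.append(f"{name}: mapper '{mname}' is missing")
            elif first(mappers[mname].get("config", {}), "read.only") != "false":
                findings.append(f"{name}: mapper '{mname}' is still read-only, so 2-way sync is off")
    return findings

# Constructed sample export (not from a real server): the recipe's settings, with
# "first name" left at its default read-only state so the audit has something to report.
SAMPLE = [
    {"id": "prov-1", "name": "openldap", "providerId": "ldap", "config": {
        "editMode": ["WRITABLE"], "authType": ["simple"], "connectionUrl": ["ldap://openldap"],
        "usersDn": ["ou=People,dc=example,dc=com"], "bindDn": ["cn=admin,dc=example,dc=com"]}},
    {"id": "m-1", "parentId": "prov-1", "name": "username", "config": {"read.only": ["false"]}},
    {"id": "m-2", "parentId": "prov-1", "name": "last name", "config": {"read.only": ["false"]}},
    {"id": "m-3", "parentId": "prov-1", "name": "first name", "config": {"read.only": ["true"]}},
]

if __name__ == "__main__":
    print(json.dumps(audit_federation(SAMPLE), indent=2))
```

Pipe a real export in place of SAMPLE and an empty result means the realm matches the recipe; the clear-text finding goes away once the connection uses ldaps:// or StartTLS.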
Summary
We've set up a new realm in Keycloak, and configured read-write federation to an OpenLDAP backend. We can now manage our LDAP users using either Keycloak[^1] or LDAP directly, and we can protect vulnerable services using Traefik Forward Auth.
Chef's notes 📓
[^1]: A much nicer experience IMO!
Tip your waiter (sponsor) 👏
Did you receive excellent service? Want to compliment the chef? (..and support development of current and future recipes!) Sponsor me on Github / Ko-Fi / Patreon, or see the contribute page for more (free or paid) ways to say thank you! 👏
Employ your chef (engage) 🤝
Is this too much of a geeky PITA? Do you just want results, stat? I do this for a living - I'm a full-time Kubernetes contractor, providing consulting and engineering expertise to businesses needing short-term, short-notice support in the cloud-native space, including AWS/Azure/GKE, Kubernetes, CI/CD and automation.
Learn more about working with me here.