Configuring the Keycloak server for SSO (Single Sign-On) in a lab environment (2)

Sunho Song
4 min read · Oct 14, 2021

Continuing from the previous article (Configuring the Keycloak server for SSO (Single Sign-On) in a lab environment), this time we will connect Keycloak users and groups to LDAP.

The architecture for continuous machine learning in a lab environment

To reach Keycloak, you must first configure HAProxy. The HAProxy configuration is relatively simple, so I will not explain it separately in this article. (When I have time later, I will describe the redundant HAProxy configuration separately.)

The first page of keycloak

If you open the Keycloak address served by HAProxy, a page like the image above appears. Select “Administration Console” here and log in with the account set up for administration.

Realm Creation

The first thing we need to do is create a realm. Hover over “Master” at the top left and choose to add a realm. Here the realm name is set to homelab, and the realm is created.

User Federation using LDAP

Now it is time to integrate LDAP. Select User Federation on the left, then choose LDAP from the “Add provider” list on the right.

When the LDAP page is displayed, enter the connection information of the 389DS server set up earlier (Configuration the 389 directory server for authentication and authorization for lab environment). Set Vendor to Red Hat Directory Server (389DS is the open-source version of Red Hat Directory Server). Most of the required fields are then filled in automatically. However, be sure to check once more that each attribute value matches the actual LDAP configuration. If the attributes differ, users may not be found even though user synchronization is reported as successful.

The whole configuration was set as in the image above. Only User Object Classes differed from the attribute set in LDAP, so I checked the LDAP configuration and entered its value directly. When the settings are complete, click Test connection and Test authentication to confirm that the connection is established correctly.

The different attributes of the user object to the default attribute

Once the user settings are complete, proceed to the group object synchronization settings. Group synchronization is configured in the Mappers tab: enter a Mapper name and set the Mapper Type to group-ldap-mapper.

For LDAP Groups DN, enter the location of the group to be synchronized in the actual LDAP directory. The group object in the actual LDAP is laid out as follows, and the value is set to match it.

When the user and group settings are complete, select Synchronize all users and Sync LDAP Groups To Keycloak on their respective pages to synchronize the LDAP information with Keycloak. If every setting is correct, the LDAP users and groups appear under Users and Groups.

User manage page
Group manage page

As above, if the LDAP information shows up normally in Keycloak, all settings can be considered correct. However, the user information above shows that the email is not mapped. This happens because the attribute matching between the LDAP email attribute and the Keycloak email attribute is not set up correctly.

If an attribute value is not displayed as intended, open that attribute in the Mappers tab, check the mapping between the LDAP attribute and the Keycloak attribute, and run the synchronization again.

User mapping page in keycloak
User attributes in LDAP
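The attribute checks described above (User Object Classes, the username and UUID attributes, and the email mapper) can be done before pressing “Synchronize all users”. The script below is an added example, not part of the original article or of Keycloak: it parses one constructed 389DS user entry in LDIF form and compares it with a constructed Keycloak provider configuration, using Keycloak’s config key names (usernameLDAPAttribute, uuidLDAPAttribute, userObjectClasses and the mapper’s ldap.attribute) as an assumption.

```python
"""Check a Keycloak LDAP provider config against a real 389DS user entry
so that attribute mismatches are found before synchronization."""

# One user entry as 389DS would return it (constructed sample data).
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=homelab,dc=local
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: alice
sn: Example
mail: alice@homelab.local
nsuniqueid: 3c0f1e2a-1234-5678-9abc-def012345678
"""

# Keycloak settings; key names follow Keycloak's LDAP provider config (assumed).
PROVIDER_CONFIG = {
    "usernameLDAPAttribute": "uid",
    "uuidLDAPAttribute": "nsuniqueid",
    "userObjectClasses": "person, organizationalPerson, user",  # "user" is not a 389DS class
}
ATTRIBUTE_MAPPERS = {          # Keycloak user attribute -> LDAP attribute
    "email": "email",          # wrong: 389DS stores the address in "mail"
    "last name": "sn",
}

def parse_ldif_entry(ldif):
    """Parse one LDIF entry into {attribute: [values]} with lower-cased names."""
    entry = {}
    for line in ldif.splitlines():
        if not line or line.startswith("dn:"):
            continue
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry

def find_mismatches(entry, provider, mappers):
    """Return the settings that name object classes or attributes the entry lacks."""
    problems = []
    classes = {c.lower() for c in entry.get("objectclass", [])}
    for oc in provider["userObjectClasses"].split(","):
        if oc.strip().lower() not in classes:
            problems.append(f"userObjectClasses: {oc.strip()!r} not on entry")
    for key in ("usernameLDAPAttribute", "uuidLDAPAttribute"):
        if provider[key].lower() not in entry:
            problems.append(f"{key}: {provider[key]!r} not on entry")
    for model_attr, ldap_attr in mappers.items():
        if ldap_attr.lower() not in entry:
            problems.append(f"mapper {model_attr}: LDAP attribute {ldap_attr!r} not on entry")
    return problems

if __name__ == "__main__":
    for p in find_mismatches(parse_ldif_entry(SAMPLE_LDIF), PROVIDER_CONFIG, ATTRIBUTE_MAPPERS):
        print(p)
```

With the sample data it reports the stray “user” object class and the email mapper pointing at a non-existent attribute; an entry exported with ldapsearch from the real 389DS server can be dropped in place of the sample.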

Conclusion

Keycloak provides an SSO function that gives multiple applications the same authentication, and it supports OIDC and federation services, so extending authentication is very convenient. The more convenient it is, the more important its management becomes. For this reason, we have covered the Keycloak configuration for user authentication in two articles.

I hope it is helpful to those looking for related content. And if this content has saved you a lot of time, please donate a cup of coffee. (Please help me keep writing while drinking an iced americano at a local cafe.)

https://buymeacoffee.com/7ov2xm5

And I am looking for a job. If you are interested, please leave me a comment.
