
Setup: Importing LDAP Certificate Into Keycloak

Applicable to on premise deployments

Note: this assumes one-way SSL (Keycloak → LDAP). If your LDAP requires two-way SSL, please contact KADA before proceeding with this setup. Again, these commands reference kubectl; if you are using OpenShift, use oc instead.

Purpose of this article:

In order for Keycloak to communicate with LDAP over SSL, it needs the public certificate of the LDAP server in its truststore.

Pre-Start Check List

Ensure that you satisfy this check list before commencing:

  1. You have access to modify secrets and to stop and start pods on Kubernetes.

  2. You have the public certificate of the LDAP server, or access to someone who can provide it.

  3. You have the admin user or a privileged user that can inspect LDAP to pull back user information. This can be a read-only user, as Keycloak will not be configured to write back to LDAP.

  4. You have the distinguished name (DN) that is required when searching for users. If you do not know what this is, ensure you have a contact who can help you obtain it. It should be in the form “dc=example,dc=com”. You will also need to know the objectClass of the users.

Deployment

When Keycloak starts up initially on the K platform it holds a default certificate as a placeholder. We will update the default configuration and then restart the Keycloak pod.

  1. Create a new secret from the public .crt file for the LDAP server and replace the existing keycloak-ldap-cert.yaml file. Run this in the folder where that yaml file exists (the bare --dry-run flag is deprecated in newer kubectl releases, so --dry-run=client is used here):

    kubectl create secret generic keycloak-ldap-cert --from-file=<location of your public .crt file> -o yaml --dry-run=client > keycloak-ldap-cert.yaml

  2. Update the password for the keystore in keycloak-credentials.yaml to something that is in line with your policies:

    apiVersion: v1
    kind: Secret
    metadata:
      name: keycloak-credentials
    type: Opaque
    stringData:
      POSTGRES_USER: <postgres_user>
      POSTGRES_PASSWORD: <postgres_pass>
      KEYCLOAK_USER: <keycloak_user>
      KEYCLOAK_PASSWORD: <keycloak_pass>
      LDAPS_KEYSTORE_PASSWORD: changeit   # <---- this password here

  3. Once that’s done, you are ready to apply the configurations from these two files:

    kubectl apply -f keycloak-credentials.yaml
    kubectl apply -f keycloak-ldap-cert.yaml

  4. Now delete the Keycloak pod so the updated truststore takes effect when it spins up again.

  5. Check that the pod comes up and is stable.

  6. Once it is stable, access the Keycloak console and set up the LDAP federation with Keycloak.

  7. Log into the console using the Keycloak admin credentials from the credentials file above.

  8. Head to User Federation.

  9. Add a provider of type LDAP.

  10. Populate the fields according to the table below, then save and synchronise from LDAP. The synchronise option will only appear after you save. Ensure you test your configuration before you save. The screenshot here is only an example; depending on the provider it may differ slightly.

Configuration | Value

Console Display Name | Any name you wish, or you can just leave it as ldap

Edit Mode | UNSYNCED (this will never write back to LDAP, only read)

Vendor | Choose your vendor accordingly and it will come up with different configurations. Populate the fields with a red asterisk accordingly.
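As an added example (not KADA's code nor the page's own command), the following Python script produces the same keycloak-ldap-cert Secret manifest that the kubectl --dry-run command in step 1 writes, after first checking that the file really is a PEM public certificate and carries no private key material. SAMPLE_LDAP_CRT is a constructed placeholder with PEM framing around dummy bytes, not a real certificate.

```python
import base64
import re
import ssl

# Matches one PEM block and captures its label (CERTIFICATE, RSA PRIVATE KEY, ...).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)

# Constructed sample: PEM framing around a placeholder body, NOT a real LDAP certificate.
SAMPLE_LDAP_CRT = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"placeholder DER bytes for ldap.example.com").decode()
    + "\n-----END CERTIFICATE-----\n"
)


def check_public_cert(pem_text: str) -> list:
    """Return the DER bytes of every CERTIFICATE block in pem_text.

    Rejects files carrying private key material (only the public .crt belongs
    in the Keycloak truststore) and files with no certificate at all. A chain
    file (server plus intermediate certificates) yields several entries.
    """
    blocks = list(PEM_BLOCK.finditer(pem_text))
    if any("PRIVATE KEY" in m.group(1) for m in blocks):
        raise ValueError("private key material found; only the public .crt belongs here")
    certs = [m.group(0) for m in blocks if m.group(1) == "CERTIFICATE"]
    if not certs:
        raise ValueError("no CERTIFICATE block found; is this a PEM .crt file?")
    # PEM_cert_to_DER_cert validates the BEGIN/END framing and the base64 body.
    return [ssl.PEM_cert_to_DER_cert(c) for c in certs]


def build_secret_manifest(pem_text: str, file_name: str,
                          secret_name: str = "keycloak-ldap-cert") -> str:
    """Render the Secret that `kubectl create secret generic --from-file=<crt>
    --dry-run=client -o yaml` writes; as with --from-file, the data key is the
    file name. The certificate is checked before it is encoded."""
    check_public_cert(pem_text)
    encoded = base64.b64encode(pem_text.encode("ascii")).decode("ascii")
    return (
        "apiVersion: v1\n"
        "kind: Secret\n"
        "metadata:\n"
        f"  name: {secret_name}\n"
        "type: Opaque\n"
        "data:\n"
        f"  {file_name}: {encoded}\n"
    )
```

Point build_secret_manifest at the contents of your real .crt file and write the result to keycloak-ldap-cert.yaml before running the kubectl apply in step 3.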