Note this assumes one way SSL keycloak → LDAP. If your LDAP requires two way SSL please contact KADA before proceeding with this setup. Again these commands reference kubectl, if you are using openshift use oc instead
In order for Keycloak to communicate with LDAP it will need the public certificate for the LDAP server.
Pre Start Check List
Ensure that you satisfy this check list before commencing
You have access to modify secrets and stop and start pods on Kubernetes
You have the public certificate or have access to someone that can provide you with the public certificate of the LDAP server
You have the admin user or a privileged user that can inspect LDAP to pull back user information. This can be a read only user as Keycloak will not be configured to push back to LDAP.
You have the distinguished names that is required when searching for users, if you do not know what this is, ensure you have a contact to help you out with getting this. It should be in the form of “dc=example,dc=com”. You will also need to know the objectClass of the users as well.
Deployment
When keycloak starts up initially for the K platform it holds a default certificate as a place holder, we will be updating the default configurations and then restarting the keycloak pod.
Create a new secret using the public .crt file for the LDAP server and replace the existing secret keycloak-ldap-cert.yaml file, you should do this in the folder where this yaml file exists
kubectl create secret generic keycloak-ldap-cert --from-file=<location of your public .crt file> -o yaml --dry-run > keycloak-ldap-cert.yaml
Update the password for the keystore to something that is inline with your policies for keycloak-credentials.yaml
apiVersion: v1 kind: Secret metadata: name: keycloak-credentials type: Opaque stringData: POSTGRES_USER: <postgres_user> POSTGRES_PASSWORD: <postgres_pass> KEYCLOAK_USER: <keycloak_user> KEYCLOAK_PASSWORD: <postgres_pass> LDAPS_KEYSTORE_PASSWORD: changeit <---- this password here
Once that’s done you are ready to apply and replace the configurations for these two files
kubectl apply -f keycloak-credentials.yaml kubectl apply -f keycloak-ldap-cert.yaml
Now delete the keycloak pod so the truststore takes effect when it spins up again
kubectl delete pod <keycloak pod id>
Check that it comes up and is stable
kubectl get pods
Once it is stable access the keycloak console and setup the LDAP federation with Keycloak
https://<your domain>/keycloak/auth
Log into the console using the Keycloak admin credentials that you saw in the above credentials file
Head to user federation
Add a provider LDAP
Then populate the fields accordingly to the below table and then save and synchronise from LDAP. The synchronise option will only appear after you save. Ensure you test your configurations before you save. The screen shot here is only an example as depending on the provider it may differ slightly.
Configuration | Value |
---|---|
Console Display Name | Any name you wish or you can just leave it as ldap |
Edit Mode | UNSYNCED (This will never write back to LDAP and only read) |
Vendor | Choose your vendor accordinly and it will come up with different configurations. Populate the fields with a red asterisk accordingly. |