Hello all,

I have an amazing installation with nethserver.
I have installed the local ldap as the directory.
There’s not too much options that I can do with it like custom emails and so on.
So I have decided to install Keycloak as a user federation and Authenticator.

With regards to Keycloak I would like very much help on how to configure this
Keycloak can connect to ldap
I have installed it on a separate server just to avoid overloading it.
Therefore am trying to find the url of the ldap. I only see the 127.0.0.1.
Also when i try with the domain of the server I get a connection refused.
Any pointers ?

You may get the connection settings from the Domain accounts page in web UI or on command line with

account-provider-test

Thank you. When I check that I don’t get the Public url.

You may have to open the ldap port for public in the “Network services” page.

http://docs.nethserver.org/en/v7/base_system.html#network-services

For public url the public IP should work.

So 1st: THANK YOU
Such a simple task and so easily overlooked.
Now it works and it’s ldaps:// :636 therefore secure. = better.
2nd. Are you familiar with Keycloak?
I am having trouble to Create a clear and easy communication with the ldap and the Auth server.
They don’t talk to each other properly.
Keycloak offers mappers. Which are supposed to adjust to each ldaps. But somehow I can’t find any proper attibutes and their matches.

Have a great day

Not yet, I am going to test it…

You may use phpldapadmin or command line to get the used ldap fields.

https://wiki.nethserver.org/doku.php?id=phpldapadmin

https://wiki.nethserver.org/doku.php?id=howto:useful_commands#ldap

Alright. To test it. Here is the install link I used. Beware not to do the MySQL connection. Keeps failing for me.
http://www.pimwiddershoven.nl/entry/install-keycloak-on-centos-7-with-mysql-backend
I will look at what you send me tomorrow.
However if you figure out some of the issues I would be really happy to know
Thanks again for all of your support and time

Interesting read, but I have NO clue what ldap user federation does…

Anyone care to explain to the benefit of the unaware?

TIA

It seems to be just a connection to LDAP/AD:

https://www.keycloak.org/about.html

I installed it on a Nethserver with local LDAP and it worked, I synced an LDAP user and could login with Google authenticator.

yum install java-1.8.0-openjdk curl
groupadd -r keycloak
useradd -m -d /var/lib/keycloak -s /sbin/nologin -r -g keycloak keycloak
curl https://downloads.jboss.org/keycloak/4.6.0.Final/keycloak-4.6.0.Final.tar.gz -o keycloak.tar.gz
mkdir -p /opt/keycloak/4.6.0
ln -s /opt/keycloak/4.6.0 /opt/keycloak/current
tar -xzf keycloak.tar.gz -C /opt/keycloak/current --strip-components=1
chown keycloak: -R /opt/keycloak
cd /opt/keycloak/current
sudo -u keycloak chmod 700 standalone

cat > /etc/systemd/system/keycloak.service <<EOF
 
[Unit]
Description=Keycloak
After=network.target
 
[Service]
Type=idle
User=keycloak
Group=keycloak
ExecStart=/opt/keycloak/current/bin/standalone.sh -b 0.0.0.0
TimeoutStartSec=600
TimeoutStopSec=600
 
[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable keycloak --now

bin/add-user-keycloak.sh -r master -u admin -p secret123

systemctl restart keycloak

config set fw_keycloak service status enabled TCPPort 8080 access green
signal-event firewall-adjust

Now you can connect to http://nethserver:8080 and login with admin and password secret123.

Here are my ldap settings, just use account-provider-test dump to get your credentials. The default mappings worked.

grafik1535×928 63.3 KB

Thank you for taking the time to test this out,
I would like to know, if there is a way to put it as a proxy like instead of https://nethserver.com:8080 to have it as key.nethserver.com.
I have looked into the mattermost vhost config

I saved it in the /etc/httpd/conf, restarted the http server.
and I also used these:

$ sudo -u keycloak ./bin/jboss-cli.sh ‘embed-server,/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding,value=true)’
$ sudo -u keycloak ./bin/jboss-cli.sh ‘embed-server,/socket-binding-group=standard-sockets/socket-binding=proxy-https:add(port=443)’
$ sudo -u keycloak ./bin/jboss-cli.sh ‘embed-server,/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=redirect-socket,value=proxy-https)’

But it seems not to work,
I also opened the ports 8080 on my router and in NS config.
No luck.
I noticed that keycloak config for the ldap doesn’t work when it not on the same network,

Lastly, could you let me know how did you manage to get the google authenticator working?

With my best regards

I’ll have a look at the vhost config later today and report…

I used the Authenticator on my mobile phone, scanned the code presented by keycloak, entered the token once to verify and from now on I have to login to keycloak with a token.

Thanks,
Ok to get keycloak to use a ghost I did this and it works:

• create a conf file in /etchttpd/conf.d

        SSLEngine on
        SSLCertificateFile      /etc/pki/tls/certs/nethserver.crt
        SSLCertificatekeyFile   /etc/pki/tls/certs/key.nethserver.key
        SSLCertificateChainFile /etc/pki/tls/certs/nethserver.ca-bundle.crt

        ErrorLog /var/log/keycloak/keycloak-error.log
        CustomLog /var/log/keycloak/keycloak-access.log combined

ProxyPreserveHost On
ProxyRequests Off
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port "443"
SSLProxyEngine On
SSLProxyCheckPeerCN on
SSLProxyCheckPeerExpire on
             
ProxyPass / http://127.0.0.1:8080/
ProxyPassReverse / http://127.0.0.1:8080/
#ProxyHTMLURLMap / http://127.0.0.1:8080/
</VirtualHost>

• Then I restarted httpd service
  Now I can access keycloak with https://key.nethserver.com
  However, when I try a sync with the users, keycloak gets the users, however when I try to add a user or modify an imported user, I get an error,
  Here is a snap of my error.log from keycloak.

I use the following settings:

Screenshot 2018-12-03 at 12.56.04.png2108×1874 284 KB

Therefore I believe I need a superuser for the ldap, however I have no idea which one to use.
I tried with libuser, uid=admin etc and I cannot get it to work.
The I can’t nor add new users from keycloak, I would like to be able to manage users from that interface and not phpldapadmin and user from NS interface (too limitative)

EDIT:----

Just being curious and reading the documentation I found the user password for libuser. With it it works. Perfectly well.
However I believe that this is not the right thing to user as a user for ldap admin.

Thank you very much

Just to confirm, it’s working with libuser. I think it’s ok to use it.

Ok then I will, thank you.

However I seem to notice that the libuser account is not linked with the accounts and user interface of NS. is that not the same tree?

I am also trying to replicate the mappers to fit perfectly the phpldapadmin attributes and objects.

I have tried many combinations without success.
Lastly, how would I setup the openid solution with next cloud and teamchat mattermost and freeradius?
I have tried but failed. as I am not finding accurate documentation.
Again thank you, once I have fully implemented it, I will write a full stepbystep tutorial.

libuser and ldapservice are in root, NS admin and users are in OU people.

I am going to test it and report…

You are a rockstar thank you,
I get it however if I want them to have their OU people and groups can I do that with the libuser tree?
Also If I am to use freeradius will it be based from OU people and groups or that should be a different subtree?

With libuser you can access all users and groups.
I don’t use freeradius but I’ll try with nextcloud…

Sorry I wasn’t really clear,
I meant for free-radius to have then authenticated via the ldap and user mapping of Keycloak from the freeradius app of nethserver.

Let me explain to you my plan, like this you see the picture.

1 NS install that provides:

1. Internet via radius control (user choose their passwords via Keycloak and manage their credentials)

2. Nextcloud, hum hub and mattermost all linked to ldap and can manage their account password etc via Keycloak

3. Have Keycloak provide 1 authentification for all 4 services via openid or google authenticator

4. Create printer quotas and printing access based on the user group and profile.
   5 Get automatic quotas in GB for next cloud based on which group the user is a member of.

This is what I am trying so hard to put on and manage, not that simple du to lack of clear documentation.

I am planning to write a step-by-step guide to replicate my installation. This for a small co-working business based in Geneva Switzerland, and I am trying to do all of it open source.

Thanks to people like you and in the community, each day I am closer to my goal.

FYI, clearos wooed me with its easier and similar potential, but too restrictive and not enough options of customization.

Here is a tutorial for nextcloud and keycloak:

Seems like mattermost supports SAML too:

https://docs.mattermost.com/deployment/sso-saml.html

I am going to test it when I find time…

Hello @mrmarkuz,

Did you have a chance to test the system? what would be your setup to get the whole user federation with groups and attributes?

Have a great day