Nethserver with Keycloak as ldap user federation


(Karim Paul) #1

Hello all,

I have an amazing installation with nethserver.
I have installed the local ldap as the directory.
There aren't too many options that I can do with it, like custom emails and so on.
So I have decided to install Keycloak as a user federation and authenticator.

With regards to Keycloak, I would very much like help on how to configure this.
Keycloak can connect to ldap.
I have installed it on a separate server just to avoid overloading it.
Therefore I am trying to find the url of the ldap. I only see 127.0.0.1.
Also when I try with the domain of the server I get a connection refused.
Any pointers?


(Markus Neuberger) #2

You may get the connection settings from the Domain accounts page in web UI or on command line with

account-provider-test


(Karim Paul) #3

Thank you. When I check that I don’t get the Public url.


(Markus Neuberger) #4

You may have to open the ldap port for public in the “Network services” page.

http://docs.nethserver.org/en/v7/base_system.html#network-services

For public url the public IP should work.


(Karim Paul) #5

So 1st: THANK YOU
Such a simple task and so easily overlooked.
Now it works and it's ldaps:// :636, therefore secure = better.
2nd: Are you familiar with Keycloak?
I am having trouble creating a clear and easy communication between the ldap and the auth server.
They don't talk to each other properly.
Keycloak offers mappers, which are supposed to adjust to each ldap. But somehow I can't find any proper attributes and their matches.

Have a great day


(Markus Neuberger) #6

Not yet, I am going to test it…

You may use phpldapadmin or the command line to get the ldap fields in use.

https://wiki.nethserver.org/doku.php?id=phpldapadmin

https://wiki.nethserver.org/doku.php?id=howto:useful_commands#ldap


(Karim Paul) #7

Alright. To test it, here is the install link I used. Beware not to do the MySQL connection; it keeps failing for me.
http://www.pimwiddershoven.nl/entry/install-keycloak-on-centos-7-with-mysql-backend
I will look at what you sent me tomorrow.
However if you figure out some of the issues I would be really happy to know
Thanks again for all of your support and time


(HF) #8

Interesting read, but I have NO clue what ldap user federation does…

Anyone care to explain to the benefit of the unaware? :slight_smile:

TIA


(Markus Neuberger) #9

It seems to be just a connection to LDAP/AD:

https://www.keycloak.org/about.html

I installed it on a Nethserver with local LDAP and it worked, I synced an LDAP user and could login with Google authenticator.

Install steps:
# Java runtime plus curl for the download
yum install java-1.8.0-openjdk curl
# unprivileged system account with no login shell
groupadd -r keycloak
useradd -m -d /var/lib/keycloak -s /sbin/nologin -r -g keycloak keycloak
curl https://downloads.jboss.org/keycloak/4.6.0.Final/keycloak-4.6.0.Final.tar.gz -o keycloak.tar.gz
# versioned install directory with a "current" symlink for easy upgrades
mkdir -p /opt/keycloak/4.6.0
ln -s /opt/keycloak/4.6.0 /opt/keycloak/current
tar -xzf keycloak.tar.gz -C /opt/keycloak/current --strip-components=1
chown keycloak: -R /opt/keycloak
cd /opt/keycloak/current
# standalone/ holds the configuration and the admin bootstrap file: keep it private to the service user
sudo -u keycloak chmod 700 standalone

cat > /etc/systemd/system/keycloak.service <<EOF
 
[Unit]
Description=Keycloak
After=network.target
 
[Service]
Type=idle
User=keycloak
Group=keycloak
ExecStart=/opt/keycloak/current/bin/standalone.sh -b 0.0.0.0
TimeoutStartSec=600
TimeoutStopSec=600
 
[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable keycloak --now

bin/add-user-keycloak.sh -r master -u admin -p secret123

systemctl restart keycloak

# open TCP 8080 in the NethServer firewall for the green (LAN) zone only
config set fw_keycloak service status enabled TCPPort 8080 access green
signal-event firewall-adjust

Now you can connect to http://nethserver:8080 and login with admin and password secret123.

Here are my ldap settings, just use account-provider-test dump to get your credentials. The default mappings worked.


(Karim Paul) #10

Thank you for taking the time to test this out,
I would like to know if there is a way to put it behind a proxy, so that instead of https://nethserver.com:8080 I have it as key.nethserver.com.
I have looked into the mattermost vhost config

VhostConfig

<VirtualHost *:80>
    IncludeOptional conf.d/default-virtualhost.inc
</VirtualHost>

<VirtualHost *:80>
    ServerName key.nethserver.com
    RedirectMatch 301 ^(?!/.well-known/acme-challenge/). https://key.nethserver.com
</VirtualHost>

<VirtualHost *:443>
    ServerName key.nethserver.com

    SSLEngine on
    ProxyPreserveHost On

    # setup the proxy
    <Proxy *>
        Order allow,deny
        Allow from all
    </Proxy>

    # Set web sockets
    RewriteEngine On
    RewriteCond %{REQUEST_URI} /api/v[0-9]+/(users/)?websocket [NC,OR]
    RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC,OR]
    RewriteCond %{HTTP:CONNECTION} ^Upgrade$ [NC]
    RewriteRule .* ws://127.0.0.1:8080%{REQUEST_URI} [P,QSA,L]
    RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f

    # Force SSL redirect
    RewriteCond %{HTTPS} !=on
    RewriteRule (.*) https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]

    <LocationMatch "^/api/v(?<APIVERSION>[0-9]+)/(?<APIUSERS>users/)?websocket">
        Require all granted
        ProxyPass ws://127.0.0.1:8080/api/v%{env:MATCH_APIVERSION}/%{env:MATCH_APIUSERS}websocket
        ProxyPassReverse ws://127.0.0.1:8080/api/v%{env:MATCH_APIVERSION}/%{env:MATCH_APIUSERS}websocket
        ProxyPassReverseCookieDomain 127.0.0.1 key.nethserver.com
    </LocationMatch>

    <Location />
        Require all granted
        ProxyPass http://127.0.0.1:8080/
        ProxyPassReverse http://127.0.0.1:8080/
        ProxyPassReverseCookieDomain 127.0.0.1 key.nethserver.com
    </Location>
</VirtualHost>

I saved it in /etc/httpd/conf and restarted the http server,
and I also used these:

$ sudo -u keycloak ./bin/jboss-cli.sh 'embed-server,/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding,value=true)'
$ sudo -u keycloak ./bin/jboss-cli.sh 'embed-server,/socket-binding-group=standard-sockets/socket-binding=proxy-https:add(port=443)'
$ sudo -u keycloak ./bin/jboss-cli.sh 'embed-server,/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=redirect-socket,value=proxy-https)'

But it seems not to work.
I also opened port 8080 on my router and in the NS config.
No luck.
I noticed that the keycloak config for the ldap doesn't work when it is not on the same network.

Lastly, could you let me know how did you manage to get the google authenticator working?

With my best regards


(Markus Neuberger) #11

I’ll have a look at the vhost config later today and report…

I used the Authenticator on my mobile phone, scanned the code presented by keycloak, entered the token once to verify and from now on I have to login to keycloak with a token.


(Karim Paul) #12

Thanks,
Ok, to get keycloak to use a vhost I did this and it works:

  • create a conf file in /etc/httpd/conf.d
conf file

<VirtualHost *:80>
    ServerName key.nethserver.com
    Redirect "/" "https://key.nethserver.com/"
</VirtualHost>

<VirtualHost *:443>
    ServerName key.nethserver.com
    SSLEngine on
    SSLCertificateFile      /etc/pki/tls/certs/nethserver.crt
    SSLCertificateKeyFile   /etc/pki/tls/certs/key.nethserver.key
    SSLCertificateChainFile /etc/pki/tls/certs/nethserver.ca-bundle.crt

    ErrorLog /var/log/keycloak/keycloak-error.log
    CustomLog /var/log/keycloak/keycloak-access.log combined

    ProxyPreserveHost On
    ProxyRequests Off
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port "443"
    SSLProxyEngine On
    SSLProxyCheckPeerCN on
    SSLProxyCheckPeerExpire on

    ProxyPass / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
    #ProxyHTMLURLMap / http://127.0.0.1:8080/
</VirtualHost>
  • Then I restarted httpd service
    Now I can access keycloak with https://key.nethserver.com
    However, when I try a sync with the users, keycloak gets the users, but when I try to add a user or modify an imported user, I get an error.
    Here is a snap of my error.log from keycloak.
Error

Caused by: javax.naming.NoPermissionException: [LDAP: error code 50 - Insufficient Access Rights]; remaining name 'uid=kc,ou=People,dc=directory,dc=nh'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3162)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2891)
at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1475)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:277)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:192)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:181)
at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:167)
at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:167)
at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager$7.execute(LDAPOperationManager.java:553)
at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager$7.execute(LDAPOperationManager.java:549)
at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:745)
at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.modifyAttributes(LDAPOperationManager.java:549)
… 81 more

I use the following settings:

Therefore I believe I need a superuser for the ldap, however I have no idea which one to use.
I tried with libuser, uid=admin etc. and I cannot get it to work.
Then I can't add new users from keycloak either. I would like to be able to manage users from that interface and not from phpldapadmin or the NS user interface (too limiting).

EDIT:----

Just being curious and reading the documentation, I found the user password for libuser. With it, it works perfectly well.
However I believe that this is not the right thing to use as a user for ldap admin.

Thank you very much
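
The proxy set-ups in post #10 and post #12 both rely on forwarded headers: the jboss-cli commands turn on proxy-address-forwarding, so Keycloak takes the client address and scheme from X-Forwarded-For and X-Forwarded-Proto, and the vhost sets X-Forwarded-Proto "https" before handing the request to 127.0.0.1:8080. That only holds if port 8080 is reachable from nowhere but the proxy: post #9 starts Keycloak with -b 0.0.0.0 and post #10 opens 8080 on the router, and anyone who can connect to 8080 directly can then send whatever forwarded headers they like. The Python below is an added illustration of the rule a backend has to apply in that situation, not Keycloak's, Undertow's or httpd's code; it assumes httpd is the only trusted proxy and runs on the same host (127.0.0.1), and every address in it is a constructed sample value.

```python
"""Trusted-proxy handling of X-Forwarded-* headers.

Added example (not Keycloak, Undertow or Apache code) modelling what a backend
behind the httpd reverse proxy should do with X-Forwarded-Proto and
X-Forwarded-For: honour them only when the TCP peer is the proxy itself.
Assumption: httpd and the backend share a host, so 127.0.0.1 is the only
trusted proxy. All addresses below are constructed sample values.
"""
import ipaddress
from typing import Dict, Iterable, List

# Assumption: only the local httpd is allowed to set forwarding headers.
TRUSTED_PROXIES: List[ipaddress.IPv4Network] = [ipaddress.ip_network("127.0.0.1/32")]


def _is_trusted(addr: str, trusted: Iterable) -> bool:
    """True if addr is a valid IP inside one of the trusted proxy networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # garbage in the header is never trusted
        return False
    return any(ip in net for net in trusted)


def _header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return ""


def request_scheme(remote_addr: str, headers: Dict[str, str], trusted=TRUSTED_PROXIES) -> str:
    """Scheme the client really used.

    X-Forwarded-Proto is believed only when the connection comes from a trusted
    proxy; a client that reaches port 8080 directly can claim "https" but the
    backend must still treat the request as plain http.
    """
    if _is_trusted(remote_addr, trusted):
        proto = _header(headers, "X-Forwarded-Proto").lower()
        if proto in ("http", "https"):
            return proto
    return "http"


def client_ip(remote_addr: str, headers: Dict[str, str], trusted=TRUSTED_PROXIES) -> str:
    """Real client address, walking X-Forwarded-For from the right.

    mod_proxy appends the peer it saw to the end of any X-Forwarded-For the
    client sent, so the rightmost entry not belonging to a trusted proxy is the
    client; everything to its left was asserted by that client and is ignored.
    """
    if not _is_trusted(remote_addr, trusted):
        return remote_addr  # direct connection: ignore the header entirely
    hops = [h.strip() for h in _header(headers, "X-Forwarded-For").split(",") if h.strip()]
    for hop in reversed(hops):
        if not _is_trusted(hop, trusted):
            return hop
    return hops[0] if hops else remote_addr  # every hop was a trusted proxy


def classify(remote_addr: str, headers: Dict[str, str]) -> Dict[str, str]:
    """Both decisions for one request, as the backend would record them."""
    return {"scheme": request_scheme(remote_addr, headers),
            "client": client_ip(remote_addr, headers)}


if __name__ == "__main__":
    # Constructed requests: through httpd, direct to 8080 with forged headers,
    # and through httpd with a client-supplied X-Forwarded-For prefix.
    via_proxy = classify("127.0.0.1", {"X-Forwarded-Proto": "https", "X-Forwarded-For": "203.0.113.7"})
    direct = classify("198.51.100.9", {"X-Forwarded-Proto": "https", "X-Forwarded-For": "10.0.0.5"})
    forged = classify("127.0.0.1", {"X-Forwarded-Proto": "https", "X-Forwarded-For": "10.0.0.5, 203.0.113.7"})
    print(via_proxy, direct, forged)
```

The direct case is the one to check after deploying: a request to http://server:8080/ from the red side must be refused, not answered, or the header logic above has nothing to stand on. Binding Keycloak with -b 127.0.0.1 instead of -b 0.0.0.0 when httpd runs on the same machine, or keeping the fw_keycloak rule on green only as in post #9 rather than opening 8080 on the router, gives that. RequestHeader set (not append) in the vhost discards any X-Forwarded-Proto the client sent, but mod_proxy appends the client's address to X-Forwarded-For rather than replacing it, which is why the chain is read from the right.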


(Markus Neuberger) #13

Just to confirm, it’s working with libuser. I think it’s ok to use it.


(Karim Paul) #14

Ok then I will, thank you.

However I seem to notice that the libuser account is not linked with the accounts and users interface of NS. Is that not the same tree?

I am also trying to replicate the mappers to fit perfectly the phpldapadmin attributes and objects.

I have tried many combinations without success.
Lastly, how would I setup the openid solution with next cloud and teamchat mattermost and freeradius?
I have tried but failed. as I am not finding accurate documentation.
Again thank you, once I have fully implemented it, I will write a full stepbystep tutorial.


(Markus Neuberger) #15

libuser and ldapservice are in the root, NS admin and users are in the OU People.


I am going to test it and report…


(Karim Paul) #16

You are a rockstar thank you,
I get it however if I want them to have their OU people and groups can I do that with the libuser tree?
Also If I am to use freeradius will it be based from OU people and groups or that should be a different subtree?


(Markus Neuberger) #17

With libuser you can access all users and groups.
I don’t use freeradius but I’ll try with nextcloud…


(Karim Paul) #18

Sorry, I wasn't really clear.
I meant for free-radius to have them authenticated via the ldap and user mapping of Keycloak from the freeradius app of nethserver.

Let me explain to you my plan, like this you see the picture.

1 NS install that provides:

  1. Internet via radius control (users choose their passwords via Keycloak and manage their credentials)

  2. Nextcloud, HumHub and mattermost all linked to ldap, and users can manage their account password etc. via Keycloak

  3. Have Keycloak provide one authentication for all 4 services via openid or google authenticator

  4. Create printer quotas and printing access based on the user group and profile.

  5. Get automatic quotas in GB for nextcloud based on which group the user is a member of.

This is what I am trying so hard to put in place and manage; not that simple due to lack of clear documentation.

I am planning to write a step-by-step guide to replicate my installation. This for a small co-working business based in Geneva Switzerland, and I am trying to do all of it open source.

Thanks to people like you and in the community, each day I am closer to my goal.

FYI, clearos wooed me with its easier and similar potential, but too restrictive and not enough options of customization.


(Markus Neuberger) #19

Here is a tutorial for nextcloud and keycloak:

Seems like mattermost supports SAML too:

https://docs.mattermost.com/deployment/sso-saml.html

I am going to test it when I find time…