mirror of
https://github.com/nitnelave/lldap.git
synced 2023-04-12 14:25:13 +00:00
README: Add keycloak config guide
This commit is contained in:
parent
d96b534921
commit
656edc3763
11
README.md
@ -105,12 +105,13 @@ filter like: `(memberOf=cn=admins,ou=groups,dc=example,dc=com)`.
The administrator group for LLDAP is `lldap_admin`: anyone in this group has
The administrator group for LLDAP is `lldap_admin`: anyone in this group has
admin rights in the Web UI.
admin rights in the Web UI.
### Authelia configuration
### Sample client configurations
If you are using `LLDAP` as a backend for `Authelia` you need to adjust the
Some specific clients have been tested to work and come with sample
`Authelia` configuration.
configuration files, or guides. See the `example_configs` folder for help with:
- Authelia
You can find an example `authelia_config.yml` inside the `example_configs` folder.
- KeyCloak
- Jisti Meet
## I can't log in!
## I can't log in!
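Review bot: the added list item `- Jisti Meet` looks like a typo for `Jitsi Meet`; since this line is the name readers will search the `example_configs` folder for, it is worth fixing in this commit. The rewritten sentence now promises "configuration files, or guides" for all three entries, but the only file this commit adds is `example_configs/keycloak.md`, so confirm that an Authelia and a Jitsi Meet entry already exist there; the removed sentence that named `authelia_config.yml` explicitly was the only pointer to the Authelia file name, and keeping that file name in the list item would avoid a dead reference.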
64
example_configs/keycloak.md
Normal file
@ -0,0 +1,64 @@
# KeyCloak configuration
Configuring [KeyCloak](https://www.keycloak.org) takes a bit of effort. Once
the KeyCloak instance is up and you logged in as admin (see [this
guide](https://www.keycloak.org/getting-started/getting-started-docker) to get
started with KeyCloak), you'll need to configure the LDAP mapping.
Keep in mind that LLDAP is _read-only_: that means that if you create some
users in KeyCloak, they won't be reflected to LLDAP. Instead, you should create
the user from LLDAP, and it will appear in KeyCloak. Same for groups. However,
you can set the permissions associated with users or groups in KeyCloak.
## Configure user authentication
In the admin console of KeyCloak, on the left, go to "User Federation". You can
then add an LDAP backend.
The key settings are:
- Edit Mode: `READ_ONLY`
- Vendor: `Other`
- Username LDAP attribute: `uid`
- UUID LDAP attribute: `uid`
- User Object Classes: `person`
- Connection URL: `ldap://<your-lldap-container>:3890`
- Users DN: `ou=people,dc=example,dc=com` (or whatever `dc` you have)
- Bind Type: `simple`
- Bind DN: `admin` (your LLDAP admin user)
- Bind Credential: your LLDAP admin password
Test the connection and authentication, it should work.
In the "Advanced Settings", you can "Query Supported Extensions", or just
enable the "LDAPv3 Password Modify Extended Operation".
Turn "Pagination" off.
Save the provider.
## Configure group mapping
Getting the LDAP groups to be imported into KeyCloak requires one more step:
Go back to "User Federation", and edit your LDAP integration. At the top, click
on the "Mappers" tab.
Find or create the `groups` mapper, with type `group-ldap-mapper`. The key
settings are:
- LDAP Groups DN: `ou=groups,dc=example,dc=com` (or whatever `dc` you have)
- Group Name LDAP Attribute: `cn`
- Group Object Classes: `groupOfUniqueNames`
- Mode: `READ_ONLY`
Save, then sync LDAP groups to KeyCloak, and (from the LDAP integration page)
sync the users to KeyCloak as well.
## Give the LDAP admin user admin rights to KeyCloak
Once the groups are synchronized, go to "Manage > Groups" on the left. Click on
`lldap_admin`, then "Edit".
Assign the role "admin" to the group. Now you can log in as the LLDAP admin to
the KeyCloak admin console.
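Review bot: the "Configure user authentication" settings have KeyCloak bind as the LLDAP admin (`Bind DN: admin`, `Bind Credential: your LLDAP admin password`) over plain `ldap://<your-lldap-container>:3890` with `Bind Type: simple`, so the admin password is stored in KeyCloak and sent in cleartext on every bind; the guide should say that this is only acceptable on an isolated container network and point to a less privileged bind account if LLDAP offers one, since every `READ_ONLY` setting in the file shows KeyCloak never needs write access. The same goes for the last section: assigning the `admin` role to the synced `lldap_admin` group makes every member of that LDAP group a KeyCloak administrator, which is consistent with the README's description of `lldap_admin` but deserves one explicit sentence so operators know the two admin sets are now coupled. Smaller points: "Test the connection and authentication, it should work." reads better as "Test the connection and the authentication; both should succeed.", and the "Password Modify Extended Operation" step is presented as optional ("or just enable") without saying when it matters next to `Edit Mode: READ_ONLY`.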