README: Add keycloak config guide

2023-04-12 14:25:13 +00:00 · 2021-11-08 08:44:14 +01:00 · 2021-11-08 08:44:14 +01:00 · c14220b28d
commit c14220b28d
parent 08d0a1dc5b
2 changed files with 70 additions and 5 deletions
--- a/README.md
+++ b/README.md
@ -105,12 +105,13 @@ filter like: `(memberOf=cn=admins,ou=groups,dc=example,dc=com)`.
 The administrator group for LLDAP is `lldap_admin`: anyone in this group has
 admin rights in the Web UI.

-### Authelia configuration
+### Sample client configurations

-If you are using `LLDAP` as a backend for `Authelia` you need to adjust the 
-`Authelia` configuration.
-
-You can find an example `authelia_config.yml` inside the `example_configs` folder.
+Some specific clients have been tested to work and come with sample
+configuration files, or guides. See the `example_configs` folder for help with:
+  - Authelia
+  - KeyCloak
+  - Jisti Meet

 ## I can't log in!

--- a/example_configs/keycloak.md
+++ b/example_configs/keycloak.md
@ -0,0 +1,64 @@
+# KeyCloak configuration
+
+Configuring [KeyCloak](https://www.keycloak.org) takes a bit of effort. Once
+the KeyCloak instance is up and you logged in as admin (see [this
+guide](https://www.keycloak.org/getting-started/getting-started-docker) to get
+started with KeyCloak), you'll need to configure the LDAP mapping.
+
+Keep in mind that LLDAP is _read-only_: that means that if you create some
+users in KeyCloak, they won't be reflected to LLDAP. Instead, you should create
+the user from LLDAP, and it will appear in KeyCloak. Same for groups. However,
+you can set the permissions associated with users or groups in KeyCloak.
+
+## Configure user authentication
+
+In the admin console of KeyCloak, on the left, go to "User Federation". You can
+then add an LDAP backend.
+
+The key settings are:
+
+ - Edit Mode: `READ_ONLY`
+ - Vendor: `Other`
+ - Username LDAP attribute: `uid`
+ - UUID LDAP attribute: `uid`
+ - User Object Classes: `person`
+ - Connection URL: `ldap://<your-lldap-container>:3890`
+ - Users DN: `ou=people,dc=example,dc=com` (or whatever `dc` you have)
+ - Bind Type: `simple`
+ - Bind DN: `admin` (your LLDAP admin user)
+ - Bind Credential: your LLDAP admin password
+
+Test the connection and authentication, it should work.
+
+In the "Advanced Settings", you can "Query Supported Extensions", or just
+enable the "LDAPv3 Password Modify Extended Operation".
+
+Turn "Pagination" off.
+
+Save the provider.
+
+## Configure group mapping
+
+Getting the LDAP groups to be imported into KeyCloak requires one more step:
+
+Go back to "User Federation", and edit your LDAP integration. At the top, click
+on the "Mappers" tab.
+
+Find or create the `groups` mapper, with type `group-ldap-mapper`. The key
+settings are:
+
+  - LDAP Groups DN: `ou=groups,dc=example,dc=com` (or whatever `dc` you have)
+  - Group Name LDAP Attribute: `cn`
+  - Group Object Classes: `groupOfUniqueNames`
+  - Mode: `READ_ONLY`
+
+Save, then sync LDAP groups to KeyCloak, and (from the LDAP integration page)
+sync the users to KeyCloak as well.
+
+## Give the LDAP admin user admin rights to KeyCloak
+
+Once the groups are synchronized, go to "Manage > Groups" on the left. Click on
+`lldap_admin`, then "Edit".
+
+Assign the role "admin" to the group. Now you can log in as the LLDAP admin to
+the KeyCloak admin console.