
KeyCloak Kerberos Demo

QuickStart

Kerberos Setup

Review the permissions of the files mounted into the containers: configuration files must be readable by the container user (at least 644), and the two service scripts below must be executable (755).

#Ensure files are executable
#-rwxr-xr-x openldap/service/z_kadmind/process.sh
#-rwxr-xr-x openldap/service/z_krb5kdc/process.sh
chmod 0755 openldap/service/z_kadmind/process.sh openldap/service/z_krb5kdc/process.sh
#ls -la openldap/service/z_kadmind/process.sh openldap/service/z_krb5kdc/process.sh

# Start services using Docker Compose
docker-compose up

# Verify a valid keytab file was generated: obtain a TGT with it (no password prompt should appear)
docker exec keycloak-openldap kinit HTTP/[email protected] -k -t /etc/keytabs/keycloak.keytab
# List and destroy the Kerberos ticket
docker exec keycloak-openldap klist
docker exec keycloak-openldap kdestroy

# Make the shared keytab readable by Keycloak. 644 is the demo shortcut: a keytab is a long-term key,
# so outside a demo chown it to the user Keycloak runs as and use 600 instead of making it world-readable
docker exec --user root keycloak chmod 644 /tmp/keytabs/keycloak.keytab

Accessing Keycloak

  • URL: http://keycloak.127.0.0.1.nip.io:8080

  • Username: admin

  • Password: password

  • OIDC Endpoint: http://keycloak.127.0.0.1.nip.io:8080/auth/realms/{realm}/.well-known/openid-configuration

  • Authorization Endpoint: http://keycloak.127.0.0.1.nip.io:8080/auth/realms/{realm}/protocol/openid-connect/auth

  • Account Management: http://keycloak.127.0.0.1.nip.io:8080/auth/realms/{realm}/account

The /auth context path belongs to the legacy WildFly-based Keycloak distribution. The Quarkus-based distribution (Keycloak 17 and later) serves the realms at the root unless started with --http-relative-path=/auth, in which case drop /auth from the URLs above.

Kerberos Login Test

Credentials: [email protected] / password, [email protected] / password

  1. js-console login

  2. OIDC Debugger login

    Open Send Request using an InPrivate / Incognito window, so that no existing Keycloak session cookie is reused and the SPNEGO challenge is actually exercised

    • Authorization Endpoint: http://keycloak.127.0.0.1.nip.io:8080/auth/realms/dev/protocol/openid-connect/auth

    • Redirect URL: https://oidcdebugger.com/debug

    • Client ID: oidc-debugger

Cleanup

# Cleanup
docker-compose rm -f
docker volume rm keycloak_vol-mariadb  keycloak_vol-openldap-ldap keycloak_vol-openldap-slapd

Creating new Users

Creating users is now a two-step process:

  1. Create the new user with ldapadd (if KeyCloak Kerberos is configured to be backed by an LDAP server).

  2. Create the new KDC entry using addprinc (for Kerberos authentication) and link it to the user's DN. With `-x dn=...`, kadmin stores the Kerberos attributes in the existing LDAP entry instead of creating a separate entry under cn=krbContainer; this is what ties the LDAP user that Keycloak sees to the Kerberos principal. E.g.:

    kadmin.local
    kadmin.local: addprinc -pw password -x dn=uid=charlie,ou=People,dc=example,dc=org charlie
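The two steps above as one script. This is an added example, not part of the keycloak-kerberos project: the base DN, the People OU, the admin bind credentials and the container name are taken from this README, while the objectClass layout of the LDIF entry (inetOrgPerson with a userPassword, so the user can also bind with simple auth as `ldapwhoami` does below) and the use of `echo ... | kinit` in the verification step (MIT kinit reads the password from stdin) are assumptions.

```shell
#!/bin/sh
# Added example (not the keycloak-kerberos project's own script): create an LDAP
# user and link a matching Kerberos principal to its DN in two steps.
set -u

BASE_DN="dc=example,dc=org"                 # from the README
PEOPLE_OU="ou=People,$BASE_DN"
LDAP_ADMIN="cn=admin,$BASE_DN"              # README admin bind, password "admin"
CONTAINER="${CONTAINER:-keycloak-openldap}" # container that hosts slapd + KDC

# DN of a user entry under ou=People.
user_dn() { printf 'uid=%s,%s\n' "$1" "$PEOPLE_OU"; }

# Emit an LDIF entry for a person: user_ldif <uid> <givenName> <sn> <password>.
# The objectClass choice is an assumption; the demo's own schema is not shown.
user_ldif() {
    uid="$1"; given="$2"; sn="$3"; password="$4"
    cat <<EOF
dn: $(user_dn "$uid")
objectClass: inetOrgPerson
uid: $uid
cn: $given $sn
givenName: $given
sn: $sn
mail: ${uid}@example.org
userPassword: $password
EOF
}

# Step 1: add the entry to OpenLDAP inside the container.
ldap_add_user() {
    user_ldif "$@" | docker exec -i "$CONTAINER" ldapadd -x -D "$LDAP_ADMIN" -w admin
}

# kadmin query that creates the principal and stores its keys in the existing
# LDAP entry (-x dn=...) rather than in a new entry under cn=krbContainer.
krb_addprinc_query() { printf 'addprinc -pw %s -x dn=%s %s\n' "$2" "$(user_dn "$1")" "$1"; }

# Step 2: run that query. -pw puts the password into `ps` output and shell
# history; beyond a demo, run kadmin.local interactively and let it prompt.
krb_add_principal() {
    docker exec "$CONTAINER" kadmin.local -q "$(krb_addprinc_query "$1" "$2")"
}

# create_user <uid> <givenName> <sn> <password>
create_user() { ldap_add_user "$@" && krb_add_principal "$1" "$4"; }

# Verify both halves: simple bind over LDAP, then a TGT for the principal.
verify_user() {
    uid="$1"; password="$2"
    docker exec "$CONTAINER" ldapwhoami -x -D "$(user_dn "$uid")" -w "$password"
    docker exec "$CONTAINER" sh -c "echo '$password' | kinit $uid && klist && kdestroy"
}

# Usage: ./create_user.sh create charlie Charlie Brown password
if [ "${1:-}" = "create" ]; then
    create_user "$2" "$3" "$4" "$5" && verify_user "$2" "$5"
fi
```

The verification step matters: `ldapwhoami` succeeding while `kinit` fails means the principal was not linked to the entry (or was created without `-x dn=`), which Keycloak will surface as a user it can find in LDAP but cannot log in via SPNEGO.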

Kerberos Setup Verification / Debugging

Run the following commands in the keycloak-openldap container:

docker exec -it keycloak-openldap bash

The password for the ldapsearch commands is passed with the -w flag. Use -W for an interactive password prompt instead (a -w value ends up in shell history and process listings).

# Verify LDAP credentials
ldapwhoami -x -D "cn=admin,dc=example,dc=org" -w admin
ldapwhoami -x -D "uid=alice,ou=People,dc=example,dc=org" -w password

# Verify krbContainer container exists (numEntries: 1)
ldapsearch -L -x -D cn=admin,dc=example,dc=org -b dc=example,dc=org -w admin cn=krbContainer

# Verify ACL for kdc-service and kadmin-service (numEntries: 12)
ldapsearch -L -x -D uid=kdc-service,dc=example,dc=org -b cn=krbContainer,dc=example,dc=org -w password
ldapsearch -L -x -D uid=kadmin-service,dc=example,dc=org -b cn=krbContainer,dc=example,dc=org -w password

# Verify Kerberos services are started
service krb5-kdc status
service krb5-admin-server status

# Validate that a Kerberos ticket can be obtained using the keytab file
kinit HTTP/[email protected] -k -t /etc/keytabs/keycloak.keytab
klist
kdestroy

# Login using SPNEGO
# Without a ticket the endpoint answers 401 with `WWW-Authenticate: Negotiate`; with a valid ticket a 302 is
# returned whose Location carries the authorization code: http://js-console.127.0.0.1.nip.io:8000/?session_state=...&code=...
# A curl built against GSS-API does not use the -u credentials for Negotiate (they only switch the auth code on):
# kinit as the user first, then use the existing ticket with `curl -I --negotiate -u : http://...`
curl -I --negotiate -u [email protected]:password "http://keycloak.127.0.0.1.nip.io:8080/auth/realms/dev/protocol/openid-connect/auth?client_id=js-console&redirect_uri=http%3A%2F%2Fjs-console.127.0.0.1.nip.io%3A8000%2F&response_type=code&scope=openid"
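The keytab checks from the QuickStart (kinit with `-k -t`, then the chmod on the shared copy) and from this debugging section, gathered into one script. This is an added example, not code from the keycloak-kerberos project: the keytab path is the README's, but the full SPN `HTTP/keycloak.127.0.0.1.nip.io@EXAMPLE.ORG` is an assumption (the README obfuscates it), and the `klist -k -t -e` output embedded below is constructed for offline testing of the parsers, not captured from the demo.

```shell
#!/bin/sh
# Added example (not part of the keycloak-kerberos project): sanity checks for a
# Kerberos keytab before Keycloak is pointed at it.
set -u

KEYTAB="${KEYTAB:-/etc/keytabs/keycloak.keytab}"                           # README path
EXPECTED_SPN="${EXPECTED_SPN:-HTTP/keycloak.127.0.0.1.nip.io@EXAMPLE.ORG}" # assumed SPN

# Print every principal listed in `klist -k` output read from stdin.
keytab_principals() {
    awk '/^ *[0-9]+ / { for (i = 1; i <= NF; i++) if ($i ~ /@/) print $i }'
}

# Print the encryption types (parentheses stripped) from `klist -k -e` output on stdin.
keytab_enctypes() {
    awk '/^ *[0-9]+ / { e = $NF; gsub(/[()]/, "", e); print e }'
}

# Exit 0 if at least one AES key is present. A keytab that only carries
# arcfour-hmac (RC4) is the weak side of the "Cannot find key of appropriate
# type to decrypt AP-REQ" error listed under Common Errors: the client and the
# keytab must share an enctype and a key version (kvno).
keytab_has_aes() { keytab_enctypes | grep -q '^aes'; }

# Octal mode of a file, GNU stat first, BSD stat as fallback.
keytab_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Exit 0 only if the keytab is unreadable by group and others. The README's
# chmod 644 is wider than needed: a keytab is a long-term key.
keytab_private() {
    case "$(keytab_mode "$1")" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Full check against a real keytab: SPN present, AES available, file private,
# and the key actually usable (kinit with it, then discard the ticket).
check_keytab() {
    kt="$1"; spn="$2"
    out=$(klist -k -t -e "$kt") || return 1
    printf '%s\n' "$out" | keytab_principals | grep -qx "$spn" \
        || { echo "SPN $spn missing from $kt" >&2; return 1; }
    printf '%s\n' "$out" | keytab_has_aes || echo "warning: no AES keys in $kt" >&2
    keytab_private "$kt" || echo "warning: $kt mode $(keytab_mode "$kt") is readable by others" >&2
    kinit -k -t "$kt" "$spn" && klist && kdestroy
}

# Constructed sample of `klist -k -t -e` output (not captured from the demo),
# used to exercise the parsers above without a KDC.
SAMPLE_KLIST='Keytab name: FILE:/etc/keytabs/keycloak.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/02/2024 10:00:00 HTTP/keycloak.127.0.0.1.nip.io@EXAMPLE.ORG (aes256-cts-hmac-sha1-96)
   2 01/02/2024 10:00:00 HTTP/keycloak.127.0.0.1.nip.io@EXAMPLE.ORG (arcfour-hmac)'

# Usage: ./check_keytab.sh check   (inside the keycloak-openldap container)
if [ "${1:-}" = "check" ]; then
    check_keytab "$KEYTAB" "$EXPECTED_SPN"
fi
```

Run it again after any `ktadd`: that command bumps the kvno, so the copy under /tmp/keytabs in the Keycloak container goes stale even though its bytes still look like a keytab.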

Active Directory Setup

To generate a keytab file for Active Directory, create a dedicated service account / user, e.g. keycloak, then register the SPN and export the keytab. ktpass sets the account's password to the one you enter and, by default, rewrites the account's UPN to the SPN, so use an account created only for this purpose. Before registering, `setspn -q` shows whether the SPN is already bound to another account (a duplicate SPN makes Kerberos fail for both). `-crypto ALL` also emits RC4 (and DES where still enabled); prefer `-crypto AES256-SHA1` and enable AES on the account (msDS-SupportedEncryptionTypes) unless a legacy client needs RC4.

REM Set service principal name
setspn -s HTTP/myapp.example.org keycloak

REM Generate keytab (-pass * prompts for the password instead of leaving it in the command history)
ktpass -princ HTTP/myapp.example.org ^
  -mapuser keycloak@dev.pc8.dsta -crypto ALL ^
  -ptype KRB5_NT_PRINCIPAL -pass * -out C:\keycloak.keytab

Windows Client Setup

Create a principal for Windows Client

# Remember the password for the principal (e.g. `password`)
# IMPORTANT: the hostname part of the principal has to be lowercase. %COMPUTERNAME% expands to uppercase
# on Windows, so substitute the lowercased name rather than relying on the expansion
docker exec -it keycloak-openldap kadmin.local -q "addprinc host/%COMPUTERNAME%.example.org"

# Run the following commands as Administrator

# Set domain (computername and workgroup of computer will change)
ksetup /setdomain EXAMPLE.ORG

# Update KDC for domain (where 172.30.160.1 is the IP of the OpenLDAP/KDC container host)
# To verify the Windows client can reach the KDC, test TCP port 88 on that IP, e.g. `Test-NetConnection 172.30.160.1 -Port 88`;
# an `openssl s_client -connect localhost:636` only proves LDAPS is up, not that the KDC is reachable
ksetup /AddKdc EXAMPLE.ORG 172.30.160.1
# ksetup /DelKdc EXAMPLE.ORG X.X.X.X

# Set the machine password to be the same as the principal created above (`password` in this example)
ksetup /setmachpassword password

# Optional: ksetup /AddRealmFlags EXAMPLE.ORG delegate

# Map domain user to local user
ksetup /mapuser [email protected] %USERNAME%

Verify Windows Client can authenticate using Kerberos:

# For logs see `/var/log/krb5kdc.log` in OpenLDAP container (logging is configured in krb5.conf file)
runas /user:[email protected] cmd

Common Errors:

  1. 1787: The security database on the server does not have a computer account for this workstation trust relationship.

    The host/ principal for the Windows client was not added, or was added with the wrong case: the hostname part of the principal name has to be lowercase.

  2. SPNEGO login failed: java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP-REQ - RC4 with HMAC)

    Keycloak found no usable key: either the keytab path in the Keycloak settings is wrong (check for a typo), or the keytab has no key matching the encryption type and key version (kvno) of the service ticket the client presented. Compare `klist -k -t -e` on the keytab with the enctype named in the error; after a `ktadd` the kvno changes, so every copy of the keytab must be refreshed.

  3. SPNEGO login failed: java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)

    The ticket was decrypted with the wrong key. Check the FQDN the client used for the Keycloak server (e.g. a CNAME alias): the service name in the TGS-REQ must match the principal in the keytab. To verify, use Wireshark to inspect the sname in the TGS-REQ req-body.

    Regenerate the keytab file (ktadd increments the kvno, which invalidates the previous keytab and any other copies of it):

    docker exec keycloak-openldap kadmin.local -q "ktadd -k /etc/keytabs/keycloak.keytab HTTP/[email protected]"
    docker exec --user root keycloak chmod 644 /tmp/keytabs/keycloak.keytab

SSL Setup

# Generate CA key and cert (-nodes leaves the CA key unencrypted: acceptable for a local demo only)
openssl req -x509 -nodes -newkey rsa:2048 -keyout rootCA.key \
  -days 3650 -out rootCA.crt \
  -subj "/C=SG/OU=www.org/O=MyOrg, Inc./CN=My Org Root CA"

# Generate CSR for keycloak (-addext needs OpenSSL 1.1.1 or later)
openssl req -newkey rsa:2048 -nodes -keyout keycloak.key \
  -new -out keycloak.csr \
  -subj "/C=SG/L=Singapore/O=MyOrg, Inc./CN=keycloak" \
  -addext "subjectAltName=DNS:localhost,DNS:keycloak.127.0.0.1.nip.io" \
  -addext "keyUsage=digitalSignature,keyEncipherment"

# Generate CA signed cert for keycloak. `openssl x509 -req` ignores the extensions in the CSR, so the SAN
# that ends up in the certificate is the one given via -extfile (here it also adds DNS:keycloak).
# <(...) is bash process substitution; in plain sh write the extensions to a file first.
openssl x509 -in keycloak.csr \
  -CA rootCA.crt -CAkey rootCA.key -CAcreateserial \
  -req -days 3650 -out keycloak.crt \
  -extfile <(printf "subjectAltName=DNS:localhost,DNS:keycloak,DNS:keycloak.127.0.0.1.nip.io")

# Generate CSR for openldap
openssl req -newkey rsa:2048 -nodes -keyout ldap.key \
  -new -out ldap.csr \
  -subj "/C=SG/L=Singapore/O=MyOrg, Inc./CN=openldap" \
  -addext "subjectAltName=DNS:localhost,DNS:openldap,DNS:openldap.127.0.0.1.nip.io" \
  -addext "keyUsage=digitalSignature,keyEncipherment"

# Generate CA signed cert for openldap (using previous CA serial file rootCA.srl)
openssl x509 -in ldap.csr \
  -CA rootCA.crt -CAkey rootCA.key -CAserial rootCA.srl \
  -req -days 3650 -out ldap.crt \
  -extfile <(printf "subjectAltName=DNS:localhost,DNS:openldap,DNS:openldap.127.0.0.1.nip.io")

# Verify certs
openssl verify -verbose -CAfile rootCA.crt keycloak.crt
openssl verify -verbose -CAfile rootCA.crt ldap.crt

SSL / TLS debugging

# Verify the chain against the demo CA and send SNI; for StartTLS on 389 add `-starttls ldap`
openssl s_client -connect localhost:636 -servername openldap.127.0.0.1.nip.io -CAfile rootCA.crt
openssl s_client -connect localhost:8443 -servername keycloak.127.0.0.1.nip.io -CAfile rootCA.crt
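The certificate issuance from the SSL Setup section and the s_client checks above, wrapped into portable functions. This is an added example, not code from the keycloak-kerberos project: the subject fields and hostnames are the README's, while the working directory (a mktemp directory), the shorter 825-day leaf validity, the added extendedKeyUsage/basicConstraints extensions, and the temp extension file in place of bash process substitution are choices made here. Writing the SAN list once, into that file, also removes the CSR-versus-extfile drift in the original commands.

```shell
#!/bin/sh
# Added example (not from the keycloak-kerberos project): issue the demo CA and
# server certificates, then prove each certificate chains and names its host.
set -u

# Self-signed CA into <dir>/rootCA.{key,crt}. -nodes: unencrypted key, demo only.
make_ca() {
    dir="$1"
    openssl req -x509 -nodes -newkey rsa:2048 -keyout "$dir/rootCA.key" \
        -days 3650 -out "$dir/rootCA.crt" \
        -subj "/C=SG/OU=www.org/O=MyOrg, Inc./CN=My Org Root CA" 2>/dev/null
}

# CA-signed server cert: make_cert <dir> <name> <comma-separated SANs>.
# `openssl x509 -req` ignores CSR extensions, so they are supplied via -extfile.
# -CAcreateserial creates rootCA.srl on first use and increments it afterwards.
make_cert() {
    dir="$1"; name="$2"; sans="$3"
    ext="$dir/$name.ext"
    cat > "$ext" <<EOF
subjectAltName=$sans
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
basicConstraints=CA:FALSE
EOF
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/$name.key" \
        -new -out "$dir/$name.csr" \
        -subj "/C=SG/L=Singapore/O=MyOrg, Inc./CN=$name" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/$name.csr" \
        -CA "$dir/rootCA.crt" -CAkey "$dir/rootCA.key" -CAcreateserial \
        -days 825 -out "$dir/$name.crt" -extfile "$ext" 2>/dev/null
}

# DNS SANs of a certificate, one per line (works on OpenSSL 1.1.1 and 3.x).
cert_dns_sans() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Exit 0 if <crt> chains to <ca> and carries <host> as a DNS SAN: the two
# properties a client will actually check, which `openssl verify` alone does not.
cert_valid_for() {
    ca="$1"; crt="$2"; host="$3"
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || return 1
    cert_dns_sans "$crt" | grep -qx "$host"
}

# Live check against a running endpoint: verify with our CA and send SNI.
# tls_check <host> <port> <ca>; add -starttls ldap for LDAP StartTLS on 389.
tls_check() {
    openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$3" </dev/null 2>&1 \
        | grep -E 'Verify return code|subject=|issuer='
}

# Usage: ./tls_demo.sh demo
if [ "${1:-}" = "demo" ]; then
    out=$(mktemp -d)
    make_ca "$out"
    make_cert "$out" keycloak "DNS:localhost,DNS:keycloak,DNS:keycloak.127.0.0.1.nip.io"
    make_cert "$out" openldap "DNS:localhost,DNS:openldap,DNS:openldap.127.0.0.1.nip.io"
    cert_valid_for "$out/rootCA.crt" "$out/keycloak.crt" keycloak.127.0.0.1.nip.io && echo "keycloak.crt OK"
    cert_valid_for "$out/rootCA.crt" "$out/openldap.crt" openldap.127.0.0.1.nip.io && echo "openldap.crt OK"
    echo "files in $out"
fi
```

`cert_valid_for` is the check to run before copying certificates into the containers: a certificate that verifies against rootCA.crt but lacks the nip.io name will still be rejected by the browser and by Keycloak's LDAP connection to OpenLDAP.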


keycloak-kerberos's Issues

Kerberos can't use

When I connect to the openldap container and call kadmin.local

Authenticating as principal root/[email protected] with password.
kadmin.local: Error reading password from stash: Cannot open LDAP password file '/etc/krb5kdc/ldap.stash': No such file or directory while initializing kadmin.local interface

nip.io and 127.0.0.1

For me 127.0.0.1.nip.io does not work:

$ dig  127.0.0.1.nip.io 

; <<>> DiG 9.16.15-Debian <<>> 127.0.0.1.nip.io
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58706
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;127.0.0.1.nip.io.              IN      A

;; Query time: 4 msec
;; SERVER: 192.168.178.1#53(192.168.178.1)
;; WHEN: Fri Aug 20 20:24:25 CEST 2021
;; MSG SIZE  rcvd: 34

Most likely this is my router that also acts as DNS server that tries to be clever and I have not found a way to configure that. However, 127.0.1.1.nip.io gets past my router:

$ dig  127.0.1.1.nip.io 

; <<>> DiG 9.16.15-Debian <<>> 127.0.1.1.nip.io
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34716
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;127.0.1.1.nip.io.              IN      A

;; ANSWER SECTION:
127.0.1.1.nip.io.       431238  IN      A       127.0.1.1

;; Query time: 0 msec
;; SERVER: 192.168.178.1#53(192.168.178.1)
;; WHEN: Fri Aug 20 20:26:48 CEST 2021
;; MSG SIZE  rcvd: 61

After changing this name I got the set-up running. I understand this is a local problem, but others might be affected as well. I can provide a PR if you are interested.
