I am a little confused on the best way to make this work. I have a fresh install of both the latest FreeIPA server and Keycloak server, and my laptop is enrolled with the FreeIPA client.

My browser is configured to log in to my IPA domain via Kerberos, which works perfectly with the browser; I can't seem to get LDAP to authenticate with Kerberos, but that's not on my priority list at the moment.

Both servers are running on Vultr VPSes with private LAN (VPC) enabled. The FreeIPA private IP is 10.56.112.4 and the Keycloak private IP is 10.56.112.7. I have created a service account using the Red Hat documentation and have successfully been able to set up LDAP user federation between the two systems over the private IPs.

Keycloak operates on 3 realms:

  master: (default super admin realm) at keycloak.domain1.tld
  intramural: (for internal systems only) at auth.domain1.tld
  society: (for customer facing services) at auth.domain2.tld

The nginx config is restricting which domain can access which realm, in case anyone was interested.

On company devices I want to be able to have Kerberos automatically log in to these realms. Before I install freeipa-client on the Keycloak server I wanted to know how keytabs would work with each realm being on a different domain. I am using a single Keycloak instance on a single server for now; would I need a keytab per domain, or can I just use the same keytab and some sort of hostname alias?

Each nginx server stanza is set to a separate virtual IP, if it helps. The server's hostname itself is kc1.man-gb.domain1.tld, which is routed through to the VPS provider's IPs, and the 3 nginx hostnames are from my own IP pools being announced with BGP to my provider.

Any guidance would be greatly appreciated.
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
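The question turns on what a keytab actually is. A Kerberos realm is not a DNS domain: hosts in several DNS domains can all have service principals in the one IPA realm, and an MIT-format keytab is simply a list of (principal, kvno, enctype, key) entries, so one file can carry HTTP/ principals for several hostnames. The acceptor side then looks up whichever service principal name the client's ticket was issued for; if that SPN has no entry in the keytab, the ticket cannot be decrypted. The example below is added here and is not the poster's code or anything from FreeIPA or Keycloak: it builds a keytab from constructed entries (the realm IPA.EXAMPLE and the key bytes are placeholders; the hostnames are the ones named in the post), parses it back following the MIT keytab file format, and performs the SPN lookup an acceptor does. A real keytab would come from ipa-getkeytab and can be listed with klist -kt; keep in mind that a file holding three SPNs is one credential to protect, not three.

```python
"""Build and parse an MIT-format keytab to show that one keytab file can
hold service principals for several hostnames in a single Kerberos realm.

Constructed example: the realm name and key bytes are placeholders, not
values from any real deployment."""
import struct

KEYTAB_VERSION = 0x0502          # MIT keytab file format v2
NT_PRINCIPAL = 1                 # KRB5_NT_PRINCIPAL name type
AES256_CTS_HMAC_SHA1_96 = 18     # enctype number (RFC 3962)
FIXED_TIMESTAMP = 1700000000     # constant so the output is deterministic


def _cos(data: bytes) -> bytes:
    """counted_octet_string: uint16 big-endian length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def _read_cos(blob: bytes, pos: int):
    """Read a counted_octet_string at pos; return (bytes, new_pos)."""
    (length,) = struct.unpack_from(">H", blob, pos)
    pos += 2
    return blob[pos:pos + length], pos + length


def encode_entry(principal: str, kvno: int, enctype: int, key: bytes,
                 timestamp: int = FIXED_TIMESTAMP) -> bytes:
    """Serialize one keytab_entry (size prefix + body) for 'service/host@REALM'."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components)) + _cos(realm.encode())
    for comp in components:
        body += _cos(comp.encode())
    body += struct.pack(">IIB", NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">H", enctype) + _cos(key)   # keyblock
    body += struct.pack(">I", kvno)                   # 32-bit vno extension
    return struct.pack(">i", len(body)) + body


def build_keytab(entries) -> bytes:
    """Concatenate the version header and every entry into one keytab blob."""
    out = struct.pack(">H", KEYTAB_VERSION)
    for e in entries:
        out += encode_entry(**e)
    return out


def parse_keytab(blob: bytes):
    """Return a list of dicts (principal, kvno, enctype, key, timestamp)."""
    (version,) = struct.unpack_from(">H", blob, 0)
    if version != KEYTAB_VERSION:
        raise ValueError(f"unsupported keytab version 0x{version:04x}")
    pos, entries = 2, []
    while pos < len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:                     # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        realm, pos = _read_cos(blob, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_cos(blob, pos)
            comps.append(comp.decode())
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", blob, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        key, pos = _read_cos(blob, pos)
        kvno = vno8
        if end - pos >= 4:               # 32-bit kvno present after the key
            (kvno,) = struct.unpack_from(">I", blob, pos)
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype, "key": key,
                        "timestamp": timestamp})
        pos = end
    return entries


def principals_in(blob: bytes):
    """Distinct principal names present in the keytab, sorted."""
    return sorted({e["principal"] for e in parse_keytab(blob)})


def find_key(blob: bytes, principal: str):
    """What an acceptor does: look up the SPN from the client's ticket.
    None means 'no key for this SPN', so a ticket for that hostname
    could not be decrypted with this keytab."""
    matches = [e for e in parse_keytab(blob) if e["principal"] == principal]
    return max(matches, key=lambda e: e["kvno"]) if matches else None


# Constructed: one IPA realm, three HTTP service principals across two DNS domains.
SAMPLE_ENTRIES = [
    {"principal": "HTTP/kc1.man-gb.domain1.tld@IPA.EXAMPLE", "kvno": 2,
     "enctype": AES256_CTS_HMAC_SHA1_96, "key": bytes(range(32))},
    {"principal": "HTTP/auth.domain1.tld@IPA.EXAMPLE", "kvno": 2,
     "enctype": AES256_CTS_HMAC_SHA1_96, "key": bytes(range(32, 64))},
    {"principal": "HTTP/auth.domain2.tld@IPA.EXAMPLE", "kvno": 2,
     "enctype": AES256_CTS_HMAC_SHA1_96, "key": bytes(range(64, 96))},
]

if __name__ == "__main__":
    kt = build_keytab(SAMPLE_ENTRIES)
    for e in parse_keytab(kt):   # klist -kt style listing
        print(f"{e['kvno']:4d} {e['principal']}  (enctype {e['enctype']})")
```

Running the module lists the three principals from the single blob; `find_key` returns None for an SPN that was never added, which is the failure mode to check first when one of several hostnames does not negotiate. Whether Keycloak is configured to accept every principal in a shared keytab or only one named principal is a Keycloak setting and is not assumed here.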
