On Mon, 14 Apr 2025, Entrepreneur AJ via FreeIPA-users wrote:
I am a little confused on the best way to make this work.
I have a fresh install of both the latest FreeIPA server and Keycloak
server; my laptop is enrolled with the FreeIPA client.
My browser is configured to log in to my IPA domain via Kerberos, which
works perfectly with the browser. I can't seem to get LDAP to authenticate
with Kerberos, but that's not on my priority list at the moment.
Both servers are running on Vultr VPSs with private LAN (VPC) enabled.
The FreeIPA private IP is 10.56.112.4 and the Keycloak private IP is
10.56.112.7. I have created a service account using the Red Hat
documentation and have successfully been able to set up LDAP user federation
between the two systems over the private IPs.
Keycloak operates on 3 realms:
master: (default super admin realm) at keycloak.domain1.tld
intramural: (for internal systems only) at auth.domain1.tld
society: (for customer-facing services) at auth.domain2.tld
Just a note: Keycloak realms != Kerberos realms. In FreeIPA you have
only one Kerberos realm. When you configure an application such as
Keycloak to accept Kerberos authentication, you would still be
configuring it to work against that single Kerberos realm that FreeIPA
provides. This assumes you have a single FreeIPA deployment.
Nginx config is restricting which domain can access which realm in case
anyone was interested.
On company devices I want Kerberos to be able to automatically log in
to these realms.
Before I install freeipa-client on the Keycloak server I wanted to know
how keytabs would work with each realm being on a different domain. I
am using a single Keycloak instance on a single server for now; would I
need a keytab per domain, or can I just use the same keytab and some
sort of hostname alias?
Keycloak doesn't care about Kerberos itself. Its 'realms' have nothing
to do with Kerberos. They are just definitions of the resources which
cannot be shared across multiple Keycloak realms. Whether they are
backed by the same FreeIPA deployment is not visible to Keycloak.
Each nginx server stanza is set to a separate virtual IP, if it helps.
The server's hostname itself is kc1.man-gb.domain1.tld, which is routed
through to the VPS provider's IPs, and then the 3 nginx hostnames are
from my own IP pools being announced with BGP to my provider.
Ask yourself: what would the client's browser do? In order to authenticate
with Kerberos against a particular HTTPS resource, a browser needs to:
- see that this HTTPS resource advertises the Negotiate mechanism
- request a service ticket to HTTP/<HTTPS-resource-hostname> from the
Kerberos infrastructure in use
- if a service ticket was obtained, use the HTTP Auth Negotiate mechanism to
exchange the details with the HTTPS resource.
So if the endpoint is nginx server named kc1.man-gb.domain1.tld, then
there should be HTTP/kc1.man-gb.domain1.tld in the Kerberos realm
reachable by the client (either the same Kerberos realm or a trusted
one). And in Keycloak one would need to configure handling Kerberos
authentication by this Kerberos service principal.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
--
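The browser-side reasoning above, as an added example that is not part of the thread or of FreeIPA/Keycloak: for the three Keycloak endpoint hostnames named in the thread, derive the HTTP/<hostname> service principal each one needs in the single FreeIPA Kerberos realm and compare against a keytab listing to see which principals are still missing. The realm name DOMAIN1.TLD, the `klist -k` listing and the 401 header are constructed assumptions.

```python
"""Which HTTP service principals do a set of HTTPS endpoints need, and which
of them does a keytab already hold?  Constructed example; realm, keytab
listing and header values are assumptions, only the hostnames come from
the thread."""
import re
from urllib.parse import urlsplit

KERBEROS_REALM = "DOMAIN1.TLD"  # assumption: the one Kerberos realm FreeIPA serves

# The three Keycloak realm endpoints from the thread (one nginx host each).
KEYCLOAK_URLS = [
    "https://keycloak.domain1.tld/",  # master realm
    "https://auth.domain1.tld/",      # intramural realm
    "https://auth.domain2.tld/",      # society realm
]

# Constructed `klist -k` output for an assumed keytab on the nginx host.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/nginx/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HTTP/kc1.man-gb.domain1.tld@DOMAIN1.TLD
   2 HTTP/auth.domain1.tld@DOMAIN1.TLD
"""

def required_spn(url: str, realm: str = KERBEROS_REALM) -> str:
    """Principal the browser asks a ticket for: HTTP/<hostname>@REALM.
    Only the host part of the URL matters; scheme, port and path do not,
    and the DNS domain of the host does not change the Kerberos realm."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no hostname in {url!r}")
    return f"HTTP/{host.lower()}@{realm}"

def keytab_principals(klist_output: str) -> set[str]:
    """Parse `klist -k` style output into the set of principals it lists."""
    return set(re.findall(r"^\s*\d+\s+(\S+@\S+)\s*$", klist_output, re.M))

def advertises_negotiate(www_authenticate: str) -> bool:
    """True if a 401's WWW-Authenticate header offers the Negotiate scheme."""
    return re.search(r"(?:^|,)\s*Negotiate\b", www_authenticate, re.I) is not None

def missing_spns(urls, klist_output: str) -> list[str]:
    """Principals the endpoints need that the keytab does not yet contain."""
    have = keytab_principals(klist_output)
    return sorted({required_spn(u) for u in urls} - have)

if __name__ == "__main__":
    for spn in missing_spns(KEYCLOAK_URLS, KLIST_OUTPUT):
        print("missing from keytab:", spn)
```

All of the listed principals live in the same realm, so one keytab can hold every one of them; in FreeIPA each missing entry would be created with `ipa service-add` (after `ipa host-add` for a hostname IPA does not already know) and fetched into that keytab with `ipa-getkeytab`.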
_______________________________________________
FreeIPA-users mailing list -- [email protected]