Effortlessly Integrate OpenLDAP with Keycloak for User Management
Chapter 1: Introduction to OpenLDAP and Keycloak
OpenLDAP is a popular open-source LDAP server that facilitates a centralized directory for user identities and credentials. Keycloak serves as a robust identity and access management platform that integrates with various external user directories, including LDAP systems like OpenLDAP. This guide will detail the steps necessary to set up an OpenLDAP server alongside Keycloak for effective user federation, particularly beneficial for developers wishing to experiment locally.
Before we begin, ensure that Docker is installed on your machine. If you need assistance, you can refer to this installation guide.
For those coming from my GitHub repository on springboot-keycloak-openldap, you may skip ahead to the Configuration of Keycloak section.
Project Overview
The project architecture we will follow consists of three main components. On the left, we have OpenLDAP, which houses the directory of users and groups within our organization. On the right is the application named simple-service, which requires authentication and authorization to access its resources. Keycloak, positioned in the center, acts as a bridge between OpenLDAP and simple-service.
Let's take a look at the project diagram for clarity.
Chapter 2: Setting Up OpenLDAP and Keycloak
To kick things off, we need to establish a Docker network for our containers. Use the following command:
docker network create openldap-keycloak-net
Next, launch the OpenLDAP and Keycloak Docker containers using these commands:
docker run -d -p 8080:8080 --name keycloak \
  -e KEYCLOAK_ADMIN=admin \
  -e KEYCLOAK_ADMIN_PASSWORD=admin \
  --network openldap-keycloak-net \
  quay.io/keycloak/keycloak:22.0.1 \
  start-dev
docker run -d -p 389:389 --name openldap \
  -e LDAP_ORGANISATION="MyCompany Inc." \
  -e LDAP_DOMAIN=mycompany.com \
  --network openldap-keycloak-net \
  osixia/openldap:1.5.0
Importing Users into OpenLDAP
Now, let's populate our OpenLDAP server with predefined users and groups. We will use a downloadable LDIF file that defines the structure for mycompany.com, including two groups (developers and admin) and four users (Bill Gates, Steve Jobs, Mark Cuban, and Ivan Franchin). Their usernames are bgates, sjobs, mcuban, and ifranchin, and all four share the password "123".
Download the LDIF file and save it as ldap-mycompany-com.ldif. Open a terminal and execute the following command to import the file into OpenLDAP:
ldapadd -x -D "cn=admin,dc=mycompany,dc=com" \
  -w admin -H ldap://localhost \
  -f ldap-mycompany-com.ldif
Configuring Keycloak
Now, open your web browser and navigate to the Keycloak Admin Console at http://localhost:8080/admin.
Sign In
On the login page, enter "admin" for both the Username and Password fields, then click the Sign In button.
Create a New Realm
In the left menu, click the dropdown next to Master and select the Create Realm option. In the Realm name field, enter company-services, then click the Create button.
Add a New Client
Go to the Clients section in the left-hand menu and click on the Create client button. In the General Settings tab, input simple-service as the Client ID and leave the other fields as they are. Click Next to move to the Capability Configuration tab, enable Client authentication, and click Next again. In the Login Settings tab, retain the default values and click Save.
On this main page, you will find information and settings regarding the simple-service client, including its client secret under the Credentials tab.
Next, let's add a role for the simple-service client. In the Roles tab, click the Create Role button, enter USER as the Role Name, and click Save to finalize the process.
Integrating OpenLDAP
In the left menu, navigate to User Federation and click on the Add LDAP provider button.
Select "Other" for the Vendor field and input ldap://openldap in the Connection URL field. Click the Test connection button to ensure Keycloak can connect to OpenLDAP, which should yield a "Successfully connected to LDAP" notification.
For the Bind DN field, enter cn=admin,dc=mycompany,dc=com, and for the Bind Credential, input "admin." Click the Test authentication button to confirm successful authentication, followed by another notification stating "Successfully connected to LDAP."
Set the Edit Mode to READ_ONLY and enter ou=users,dc=mycompany,dc=com in the Users DN field. To restrict the imported users to those in the developers group, set (gidnumber=500) in the User LDAP Filter field; users whose entries do not match this filter will not be visible to Keycloak at all. Click Save to complete the OpenLDAP integration.
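As an added example (not code from the article or its repository), the following shows how the User LDAP Filter from this step interacts with the LDIF structure described under Importing Users into OpenLDAP: a minimal LDIF parser and the equality filter, run over a constructed directory. Which users carry gidNumber 500 is not stated on the page, so the membership in the sample is an assumption.

```python
import re

# Constructed sample in the shape the article describes, trimmed to the
# attributes the filter needs; group membership is assumed.
SAMPLE_LDIF = """\
dn: cn=developers,ou=groups,dc=mycompany,dc=com
cn: developers
gidNumber: 500

dn: uid=bgates,ou=users,dc=mycompany,dc=com
uid: bgates
gidNumber: 500

dn: uid=sjobs,ou=users,dc=mycompany,dc=com
uid: sjobs
gidNumber: 500

dn: uid=mcuban,ou=users,dc=mycompany,dc=com
uid: mcuban
gidNumber: 500

dn: uid=ifranchin,ou=users,dc=mycompany,dc=com
uid: ifranchin
gidNumber: 501
"""

def parse_ldif(text):
    """Blank-line separated entries -> list of {lowercased attr: [values]}."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def matches_filter(entry, ldap_filter):
    """Evaluate the simple equality form "(attr=value)" used on the page;
    attribute names are compared case-insensitively, as LDAP does."""
    attr, value = re.fullmatch(r"\((\w+)=([^)]*)\)", ldap_filter).groups()
    return value in entry.get(attr.lower(), [])

def federated_users(ldif, users_dn, ldap_filter):
    """uids Keycloak would import. The developers group entry also carries
    gidNumber 500, but it lives under ou=groups, so the Users DN keeps it out."""
    suffix = "," + users_dn.lower()
    return [e["uid"][0] for e in parse_ldif(ldif)
            if e["dn"][0].lower().endswith(suffix) and matches_filter(e, ldap_filter)]
```

Running federated_users with the Users DN and filter from this step yields only the three developers; changing the filter to (gidnumber=501) would expose the admin user instead, which is why the filter deserves the same review as any other access control.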
Assigning Roles to Users
Navigate to the Users section in the left menu. In the Search user field, enter * and press Enter. The three users should appear.
To assign the USER role to bgates, click on his username link. In the Role mapping tab, click the Assign role button. From the Filter by realm role dropdown, choose Filter by clients and type USER in the Search by role name field. The USER role for the simple-service client should display; select it and click Assign.
You can assign the USER role to the other users as needed.
Cleaning Up
To stop the OpenLDAP and Keycloak Docker containers, run the following command in the terminal:
docker rm -fv openldap keycloak
Then, execute the command below to remove the Docker network:
docker network rm openldap-keycloak-net
Conclusion
Integrating OpenLDAP with Keycloak provides a robust solution for centralized identity and access management, streamlining authentication and authorization within an organization. By following this guide, you can set up OpenLDAP with Keycloak for user federation and take advantage of the security features Keycloak provides on top of the directory.