Skip to content

Add keycloak and LDAP for SSO#28

Open
e1mo wants to merge 1 commit into
mainfrom
keycloak
Open

Add keycloak and LDAP for SSO#28
e1mo wants to merge 1 commit into
mainfrom
keycloak

Conversation

@e1mo

@e1mo e1mo commented Aug 13, 2023

Copy link
Copy Markdown
Member

TODO:

  • Dial in LDAP Permissions (current state is still heavily influenced by debug)
  • Figure out why the registration captcha is not working: Incompatible plugin and theme version, replaced it with a hack using the user profile
  • Test data migration from old to new keycloak version: Works. Migrations apply cleanly
  • Test LDAP Data migration: See down below

Notes for migration:

Keycloak setup

This is some sort of quick-ish documentation since some required changes will need ot be done in the Web-UI.

To manage the realm, log in at https://sso.chaos.jetzt/auth/admin. Navigate to the chaos-jetzt realm.

Importing the old database & LDAP

  1. Stop postgres & keycloak on the old host. Preferably mask the keycloak systemd service. Create a dump on the old host sudo -u postgres pg_dump keycloak > keycloak.sql
  2. Get it over to the new host
  3. Ensure that keycloak is not running on the new host: systemctl stop keycloak
  4. Wipe the keycloak database and recreate it: echo "DROP DATABASE keycloak;" | sudo -u postgres psql and then systemctl start keycloakPostgreSQLInit.service
  5. Import the old dump: sudo -u postgres psql < keycloak.sql
  6. Create a dump of the ldap data on the old host: slapcat -l backup.ldiff
  7. Get it over to the new host
  8. Import it on the new host: slapadd -v -c -l backup.ldiff -F /etc/openldap/slapd.d
  9. Start keycloak, in the logs there should be something about migrations being performend.

Other migration notes

  • Switch to a default theme. Under Realm settings -> Themes select keycloak.v2 as login theme.
  • Switch back to the default registration flow: Go to Authentication, click on the three buttons next to the registration flow and klick on Bind flow. Select Registration flow.
  • Do the migrate away from custom captcha plugin and remove first and last name fields (see down below)

Migrate away from the custom captcha plugin

With the new user profiles feature, we can replace the previously developed custom plugin. It probably is not a beautiful solution, but it's reasonably easy to implement, tho it's manual clicking arround.

Navigate to Realm settings, select the User profile tab. Click "Create attribute". Use captcha as the name, click on the small translation icon right next to the display name and set the description ("Private Daten ?, öffentliche Daten nützen"). Ensure Enable when is at always, that Required field is on as well. Required for should be at only users. Required when at alwys.
For permissions, it should be view- and editable for both users and admins.

For the validation itself, click Add validator. Select a pattern validator. Set (?i:sch(?:ü|(?:ue?))tzen) (Case insensitive version of the word, written both with ü or ue or u). Set the error message to profile.attributes.captcha.incorrect (We'll add that string later on). Confirm.

Add two annotations. Input helper text (above) with a value of Welches Wort kommt hier anstelle des ? hin?. First Input helper text (under) with a value of Die Antwort findest du in der <a href="https://www.ccc.de/de/hackerethik">CCC Hacker*innenethik</a>. Save.

Navigate to Localization. Select the Realm overrides sub-tab. Select German as a locale. Click Add translation. Set the key to profile.attributes.captcha.incorrect and a Value of Das ist leider nicht korrekt. Schaue noch einmal in die Hacker*innenethik.

Remove First and Last name fields

We don't want these attributes about our users. We finally can just not ask for them with the User profile feature.
Navigate to User profile as described above. Click on the three dot's next to firstname and click delete. Repeat for the lastname attribute.

@Proliecan Proliecan marked this pull request as ready for review March 30, 2025 13:13
@Proliecan Proliecan requested a review from a team as a code owner March 30, 2025 13:13
@Proliecan Proliecan requested review from gametabe and ruru4143 March 30, 2025 13:13

@Proliecan Proliecan left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't know too much about this, but reading it, no obvious alarm bells rang.
Only question I have: Why are the services in the goldberg configuration.nix being commented out? Does it mean these services will be unavailable due to the memory constraints described in the commit message?

@e1mo e1mo force-pushed the keycloak branch 2 times, most recently from f3c2dc8 to 55a1254 Compare April 20, 2025 14:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants