Ldap integrauon with Redhat Ansible AAP or Ansible Community Tower Part 2

 Now Lets start with the Ansible IT part you need to have working AAP setup

Go to settings and the LDAP settings in that Enter the below values

Ldap server URI :  ldap://192.168.1.17:389

ldap bind dn:  cn=admin,dc=example,dc=org

ldap bind password : admin

ldap group type : PosixGroup Type

Ldap User Search : 

[

  "OU=users,dc=example,dc=org",

  "SCOPE_SUBTREE",

  "(uid=%(user)s)"

]

Ldap Group Search:

[

  "dc=example,dc=org",

  "SCOPE_SUBTREE",

  "(objectClass=group)"

]

Ldap User Attribute map:

{

  "email": "mail",

  "first_name": "givenName",

  "last_name": "sn"

}

Ldap Group Type Parameters:

{

  "name_attr": "cn"

}

Ldap User Flag By Group:

{

  "is_superuser": [

    "cn=superusers,ou=users,dc=example,dc=org"

  ],

  "is_system_auditor": [

    "cn=auditors,ou=groups,dc=example,dc=org"

  ]

}

save all the settings and try login using nrathi ,kjha and lrathi

if you login using nrathi it will be System Administrator

if you login using kjha it will be Nornal User

if you login using lrathi it will be system auditor

And thats how its done...! Enjoy

Ldap integrauon with Redhat Ansible AAP or Ansible Community Tower Part 1

 In order to achieve this in POC we need to have Below prerequisites we need at least two VM's 

1  Ansible Controler / Ansible Tower

OS: Redhat 9  

 IP : 192.168.1.11

2 Ldap Server

OS: redhat 9 

IP : 192.168.1.17

    On the ldap server there is podman installed by default if not install podman its a alternative to docker

launch a podman container with ldap with below command

 # podman run -p 389:389 -p 636:636 --name my-openldap-container osixia/openldap:1.5.0 --env LDAP_ADMIN_PASSWORD="admin"

if you are not an expert with ldap and required GUI then launch another podman container

#  podman run -p 443:443  --env PHPLDAPADMIN_LDAP_HOSTS=192.168.1.17         --detach osixia/phpldapadmin:0.9.0

Once you done with launching two containers you need to test that they are working/ in running state 

[root@localhost ~]# podman ps

CONTAINER ID  IMAGE                                COMMAND     CREATED       STATUS       PORTS                                       NAMES

d560d0d2d420  docker.io/osixia/phpldapadmin:0.9.0              10 hours ago  Up 10 hours  0.0.0.0:443->443/tcp                        suspicious_albattani

116f874f9da6  docker.io/osixia/openldap:1.5.0                  10 hours ago  Up 10 hours  0.0.0.0:389->389/tcp, 0.0.0.0:636->636/tcp  my-openldap-container

[root@localhost ~]# 

  open a brower and hit https://192.168.1.17/phpldapadmin

in the username cn=admin,dc=example,dc=org and in password admin  these are the default values for ldap server to login 

you need to create bunch of groups and users in the ldap to keep the things simple i have shared the export here

# LDIF Export for dc=example,dc=org
# Server: 192.168.1.17 (192.168.1.17)
# Search Scope: sub
# Search Filter: (objectClass=*)
# Total Entries: 9
#
# Generated by phpLDAPadmin (http://phpldapadmin.sourceforge.net) on March 7, 2024 11:09 pm
# Version: 1.2.5

version: 1

# Entry 1: dc=example,dc=org
dn: dc=example,dc=org
dc: example
o: Example Inc.
objectclass: top
objectclass: dcObject
objectclass: organization

# Entry 2: ou=groups,dc=example,dc=org
dn: ou=groups,dc=example,dc=org
objectclass: organizationalUnit
objectclass: top
ou: groups

# Entry 3: cn=Admin,ou=groups,dc=example,dc=org
dn: cn=Admin,ou=groups,dc=example,dc=org
cn: Admin
gidnumber: 500
objectclass: posixGroup
objectclass: top

# Entry 4: cn=auditors,ou=groups,dc=example,dc=org
dn: cn=auditors,ou=groups,dc=example,dc=org
cn: auditors
gidnumber: 502
objectclass: posixGroup
objectclass: top

# Entry 5: cn=superusers,ou=groups,dc=example,dc=org
dn: cn=superusers,ou=groups,dc=example,dc=org
cn: superusers
gidnumber: 501
memberuid: nrathi
objectclass: posixGroup
objectclass: top

# Entry 6: ou=users,dc=example,dc=org
dn: ou=users,dc=example,dc=org
objectclass: organizationalUnit
objectclass: top
ou: users

# Entry 7: cn=Kishor jha,ou=users,dc=example,dc=org
dn: cn=Kishor jha,ou=users,dc=example,dc=org
cn: Kishor jha
gidnumber: 500
givenname: Kishor
homedirectory: /home/users/kjha
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: jha
uid: kjha
uidnumber: 1001
userpassword: {MD5}ISMvKXpXpadDiUoOSoAfww==

# Entry 8: cn=Leena Rathi,ou=users,dc=example,dc=org
dn: cn=Leena Rathi,ou=users,dc=example,dc=org
cn: Leena Rathi
gidnumber: 502
givenname: Leena
homedirectory: /home/users/lrathi
loginshell: /bin/bash
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Rathi
uid: lrathi
uidnumber: 1002
userpassword: {MD5}ISMvKXpXpadDiUoOSoAfww==

# Entry 9: cn=Navneet Rathi,ou=users,dc=example,dc=org
dn: cn=Navneet Rathi,ou=users,dc=example,dc=org
cn: Navneet Rathi
gidnumber: 500
givenname: Navneet
homedirectory: /home/users/nrathi
loginshell: /bin/bash
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Rathi
uid: nrathi
uidnumber: 1000
userpassword: {MD5}ISMvKXpXpadDiUoOSoAfww==

I have created 5 groups

1. groups
2. users
3. superusers
4. Admin
5.  auditors

I have created 3 users 

1.  Navneet Rathi --> nrathi (system Administrator)  Memberof  superusers group 
2.  Kishor jha --> kjha          (Normal user)                Memberof  Admin group
3. Leena Rathi --> lrathi       (Syste, Auditors)           Memberof auditors group

Once done with this we need to look at the redhat Ansible aap /Ansible tower where we need to configure the RedHat aap /Ansible tower

ref : https://github.com/osixia/docker-openldap?tab=readme-ov-file#defaultstartupyaml

ref : https://github.com/osixia/docker-phpLDAPadmin

ref : https://docs.ansible.com/automation-controller/latest/html/administration/ldap_auth.html

Kubernetes Dashboard SSO OIDC with keycloak-Part1

 Hello Guys,

For a long time i was working on this how to chive a SSO for k8s dashboard and I have failed many time while setup the sso for my K8S cluster and after searching a lot on internet and putting together a complete documentation how we can achieve it without any buying any domain and with a self sign ssl certs. I was trying to achieve it only with the open source software available and on base metal cluster.

here is my setup looks like for POC.

  

1. Vm1 (Pfsense)        192.168.56.100
2. vm2  (console)        192.168.56.109
3. vm3   (keycloak)     192.168.56.162
4. vm4   (master-sso)  192.168.56.164 

for the sake of the simplicity i am not going to include the integration between keycloak and Active directory or OpenLdap i will cover it in another post.

so lets start.

In pfsense which is my router so that i can create a local network on my Laptop it have two interfaces 

1 NAT  2 hostonly adapter and i have stop the DHCP server run by the virtualbox

on Console VM I have installed a  GUI based centos so that i can use browser in that  network.

 yum groupinstall "GNOME Desktop" "Graphical Administration Tools"

Make it boot by default in init 5 mode

 ln -sf /lib/systemd/system/runlevel5.target /etc/systemd/system/default.target

apart form this i have also make the ssh password less auth on keycloak and master-sso server for this 

ssh-keygen -t rsa

ssh-copy-id  root@keycloak

ssh-copy-id  root@master-sso

Setup Keycloak server with Selfsign cert with CA

• Update & Upgrade your server

apt updateapt upgrade

• Install JDK 8, keycloak need Java to run

apt-get install openjdk-8-jdk

• Download keycloak, the program directory will run in /opt

wget https://downloads.jboss.org/keycloak/8.0.2/keycloak-8.0.2.tar.gztar -xzf keycloak-8.0.2.tar.gz -C /opt/mv /opt/keycloak-8.0.2 /opt/keycloak

• Create user & group for keycloak

groupadd keycloakuseradd -r -g keycloak -d /opt/keycloak -s /sbin/nologin keycloak

• How to run the keycloak? using systemd service file

mkdir -p /etc/keycloakcp /opt/keycloak/docs/contrib/scripts/systemd/wildfly.conf /etc/keycloak/keycloak.confcp /opt/keycloak/docs/contrib/scripts/systemd/launch.sh /opt/keycloak/bin/cp /opt/keycloak/docs/contrib/scripts/systemd/wildfly.service /etc/systemd/system/keycloak.service

• Edit launch.sh and specify home environment variable

vi /opt/keycloak/bin/launch.shWILDFLY_HOME='/opt/keycloak/'

• Edit keycloak service

vi /etc/systemd/system/keycloak.service[Unit]Description=The Keycloak ServerAfter=syslog.target network.targetBefore=httpd.service[Service]Environment=LAUNCH_JBOSS_IN_BACKGROUND=1EnvironmentFile=/etc/keycloak/keycloak.confUser=keycloakGroup=keycloakLimitNOFILE=102642PIDFile=/var/run/keycloak/keycloak.pidExecStart=/opt/keycloak/bin/launch.sh $WILDFLY_MODE $WILDFLY_CONFIG $WILDFLY_BINDStandardOutput=null[Install]WantedBy=multi-user.target

• Set permission in keycloak directory to user that we create before

chown keycloak:keycloak -R /opt/keycloakchmod o+x /opt/keycloak/bin

• Start keycloak service

systemctl daemon-reloadsystemctl enable keycloaksystemctl start keycloaksystemctl status keycloak

• Create admin user

/opt/keycloak/bin/add-user-keycloak.sh -r master -u <username> -p <password>systemctl restart keycloak

• Open keycloak web

http://IP_SERVER:8080/auth

Secure the Keycloak using SSL

Kubernetes currently not support provider with http, should be https. This tutorial will create self signed CA for keycloak.

• Create folder for certificate

mkdir -p /opt/kc-certificate

• Edit openssl configuration

vi /etc/ssl/openssl.cnf# RANDFILE = $ENV::HOME/.rnd

• Generate CA, I am using wildcard domain.

cd /opt/kc-certificateopenssl genrsa -out ca.key 2048openssl req -new -x509 -key ca.key -out ca.crt -subj "/C=US/ST=CA/O=Acme, Inc./CN=*.nrathi.io"keytool -import -file ca.crt -keystore ca.truststore -keypass PASSWORD -storepass PASSWORD
openssl genrsa -out keycloak.key 2048openssl req -new -key keycloak.key -out keycloak.csr -subj "/C=US/ST=CA/O=Acme, Inc./CN=*.nrathi.io"openssl x509 -req -days 3650 -in keycloak.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out keycloak.crtopenssl pkcs12 -export -in keycloak.crt -inkey keycloak.key -out keycloak.p12 -name myserverkeystore -CAfile ca.crtkeytool -importkeystore -deststorepass PASSWORD -destkeypass PASSWORD -destkeystore keycloak.keystore -srckeystore keycloak.p12 -srcstoretype PKCS12 -srcstorepass PASSWORD

if you ask for password, just add `PASSWORD`

• Copy generated certificate into keyclock directory

cp ca.truststore /opt/keycloak/standalone/configuration/cp keycloak.keystore /opt/keycloak/standalone/configuration/

• Change the permission again

chown keycloak:keycloak -R /opt/keycloak

• Enter to jboss CLI

cd /opt/keycloak/./bin/jboss-cli.shconnect

• Setup the SSL

/core-service=management/security-realm=ssl-realm:add()/core-service=management/security-realm=ssl-realm/server-identity=ssl:add(keystore-relative-to=jboss.server.config.dir,keystore-path=keycloak.keystore, keystore-password=PASSWORD)/core-service=management/security-realm=ssl-realm/authentication=truststore:add(keystore-relative-to=jboss.server.config.dir,keystore-path=ca.truststore, keystore-password=PASSWORD)/subsystem=undertow/server=default-server/https-listener=https:remove()/subsystem=undertow/server=default-server/https-listener=https:add(socket-binding=https, security-realm=ssl-realm,enable-http2=true, verify-client=REQUESTED)reloadexit

• Restart Keycloak

systemctl restart keycloak

• Open keycloak

https://IP_SERVER:8443/auth

you will see warning because self signed certificate, just accept that certificate.

Good, Integration with kubernetes will be in the Part 2.

Free SSO with AWS SAML on Prem

Hello Guys,

I started working with a start up and they have about 7 to 8 AWS account and user management in all the AWS account is becoming a problem as well as the users who are leaving the company or in the company also using there programmatic access here and there,
     If we delete or inactive the users then some application is going to stop working so my manager want to came up with plan we have gone through many options and we also have budget issue as its a start up company.so we came up with a plan of using keycloak as our SSO SAML provider backed with postgress and i also want to demonstrate the capability of kubernetes so i deployed it in the kubernetes cluster
   I have use help to install keycloak on the kubernetes cluster which a got from codecentric repo.
https://codecentric.github.io/helm-charts i am also using kubeapps to deploy it in my kubernetes environement.

once install i have started configuring the keycloak

1) First step you need to do is — get saml-metadata.xml from Amazon AWS.

2) After you saved saml-metadata.xml file, go to your Keycloak server, go to “Clients” section and create new client:

your_realm_name — is the name of the keycloak realm, for which you configure SAML client

The only fields you need to fill are:

“Base URL” and “IDP Initiated SSO URL Name”

Set your “Base URL” to:  /auth/realms/<your_realm_name>/protocol/saml/clients/amazon-aws

and “IDP Initiated SSO URL Name” to  amazon-aws

5) Press “Save”

After you saved client settings, go to “Installation” tab, select “Mode Auth Mellon files” and press “Download”  zip file will get downloaded you need to extract the same  and file name idp-metadata.xml

Amazon AWS Service Provider setup

1) After you downloaded idp-metadata.xml file, go to your Amazon AWS account

2) Go to “IAM” section, select “Identity providers” and press “Create Provider” button.

3) Choose “SAML” as the provider type, set provider name and upload idp-metadata.xml file downloaded  and extracted from Keycloak server.

4) Press “Next Step” and then “Create”.

5) After you created your SAML Identity Provider, you need to create IAM role for this provider.

6) Go to “IAM” section, select “Roles”.

7) Press “Create New Role”, set role name.

For “Select Role Type” choose

“SAML 2.0 fedration”

and select your Saml provider which we have created earlier

PART 2: Keycloak Identity Provider setup

1) After IAM SAML role in AWS has been created, go to role summary and copy Role ARN, it should look like this:

arn:aws:iam::aws_acct_id:role/aws_iam_saml_role,arn:aws:iam:aws_acct_id:saml-provider/aws_iam_saml_idp

Go back to your Keycloak server, go to your realm in which you created AWS SAML client, go to “Roles” tab and press “Add Role”:

aws_acct_id — your AWS account ID, aws_iam_saml_role — AWS IAM SAML role, aws_iam_saml_idp — AWS IAM SAML Identity Provider

2) After that, go to “Mappers” section and create mappers for “Session Role”, “Session Duration” and “Session Name”

“Session Role” mapper:

“Session Name” mapper:

“Session Duration” mapper:

These mappers are required as per Amazon AWS SAML documentation.

3) After “Mappers”, go to Keycloak realm “Manage” section, select “Users” or “Groups” and choose, which group or user will be assigned to AWS SAML role, and assign it:

aws_acct_id — your AWS account ID, aws_iam_saml_role — AWS IAM SAML role, aws_iam_saml_idp — AWS IAM SAML Identity Provider

5) And, finally, go back to your defined AWS client, and press “Base URL” link:

your_realm_name — is the name of the keycloak realm, for which you configure SAML client

6) After you press “Base URL” link, it should redirect you to Keycloak login page, where you’ll need to enter user name and password for the user, who is member of a group, which has been assigned to AWS IAM SAML role, defined in Keycloak.

And after you enter your credentials, hopefully, you’ll be redirected to Amazon AWS console.

You can integrate the Keycloak with  Azure AD well.

Click on identity provider select microsoft  and fill the retails as requested Application ID and Application secret and you will be able to authenticate in keycloak using azure AD.

For the CLI/Programatic  access i will get bacl to you in my next blog