
1 Introduction
One question, one article, one story.
This chapter imports AD users into the Keycloak environment for authentication.
2 Best practice
2.1 Deployment environment
2.1.1 Prepare the Keycloak environment and create a Realm
2.1.2 Prepare the AD server
Before configuring anything, we recommend confirming with the following command that the AD server is ready and reviewing the attributes it returns:
ldapsearch -x -h cmdschool.org -p 3268 -w "adminpwd" -D "CN=admin,CN=Users,DC=cmdschool,DC=org" -b DC=cmdschool,DC=org "(&(sAMAccountName=will)(objectCategory=person))"
A detailed example of the output:
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (&(sAMAccountName=will)(objectCategory=person))
# requesting: ALL
#

# Tan Will, Office, User, cmdschool.org
dn: CN=Tan Will,OU=User,DC=cmdschool,DC=org
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Tan Will
sn: Tan
c: CN
l: Dongguan
st: Guangdong
title: Engineer I
description:: 6K2a5oyv6LaF
postalCode: 52xxxx
physicalDeliveryOfficeName: DG
telephoneNumber: (86-769) 22xxxxxx Ext.xxxx
facsimileTelephoneNumber: (86-769) 22xxxxxx
givenName: Will
distinguishedName: CN=Tan Will,OU=User,DC=cmdschool,DC=org
instanceType: 4
whenCreated: 20230301034231.0Z
whenChanged: 20250826065941.0Z
displayName: Will Tan
otherTelephone: { (32)xxxx }
#...
co: China
department: IT
company: CMDSCHOOL
#...
streetAddress: xxxxxx
name: Tan Will
objectGUID:: axi074M35EiC/Ys5YLoAxw==
userAccountControl: 512
pwdLastSet: 133995381734345232
#...

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
2.2 Integrate AD into Keycloak
2.2.1 Select the Realm
Click 【Manage realms】 -> 【cmdschool】
2.2.2 Configure the AD server connection parameters
Click 【User federation】 -> 【Add new provider】 -> 【LDAP】
Under “General Options” on the “Settings” tab:
- Enter “ldap_cmdschool.org” in “UI display name *”
- Set “Vendor *” to “Active Directory”
Under “Connection and authentication settings” on the “Settings” tab:
- Enter “ldap://cmdschool.org:389” in “Connection URL *”
- Set “Enable StartTLS” to “Off”
- Set “Use Truststore SPI” to “Always”
- Set “Connection pooling” to “On”
- Enter “7000” in “Connection timeout”
Click 【Test connection】 and check that the connection succeeds
Under “Connection and authentication settings” on the “Settings” tab:
- Set “Bind type *” to “simple”
- Enter “cn=admin,cn=users,dc=cmdschool.org,dc=org” in “Bind DN *”
- Enter “adminpwd” in “Bind credentials *”
Click 【Test authentication】 and check that authentication succeeds
Under “LDAP searching and updating” on the “Settings” tab:
- Set “Edit mode” to “READ_ONLY”
- Enter “ou=users,dc=cmdschool.org,dc=org” in “Users DN *”
- Leave “Relative user creation DN” empty
- Enter “sAMAccountName” in “Username LDAP attribute *”
- Enter “userPrincipalName” in “RDN LDAP attribute *”
- Enter “objectGUID” in “UUID LDAP attribute *”
- Enter “person, organizationalPerson, user” in “User object classes *”
- Fill in “User LDAP filter” according to your actual needs; this example uses “(&(sAMAccountName=*)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(objectclass=computer))(!(mail=*@no-email.cmdschool.org)))”
- Set “Search scope” to “Subtree”
- Leave “Read timeout” empty
- Set “Pagination” to “On”
Under “Synchronization settings” on the “Settings” tab:
- Set “Import users” to “Off”
- Set “Sync Registrations” to “Off”
- Leave “Batch size” empty
- Set “Periodic full sync” to “Off”
- Set “Periodic changed users sync” to “Off”
- Set “Remove invalid users during searches” to “Off”
Under “Kerberos integration” on the “Settings” tab:
- Set “Allow Kerberos authentication” to “Off”
- Set “Use Kerberos for password authentication” to “Off”
Under “Cache settings” on the “Settings” tab:
- Set “Cache policy” to “NO_CACHE”
Under “Advanced settings” on the “Settings” tab:
- Set “Enable the LDAPv3 password modify extended operation” to “Off”
- Set “Validate password policy” to “Off”
- Set “Trust Email” to “Off”
- Set “Connection trace” to “Off”
Adjust these to your actual needs, then click 【Save】.
2.2.3 Configure the attribute mappers for the AD connection (required)
Click 【User federation】 -> 【Add new provider】 -> 【LDAP】
On the “Mappers” tab, click 【Add mapper】 to add custom fields
– Attribute “email”
-- Enter “email” in “Name *”
-- Set “Mapper type *” to “user-attribute-ldap-mapper”
-- Set “User Model Attribute” to “email”
-- Enter “email” in “LDAP Attribute”
-- Set “Read Only” to “On”
-- Set “Is Mandatory In LDAP” to “Off”
-- Leave “Attribute default value” empty
-- Set “Force a Default Value” to “Off”
-- Set “Is Binary Attribute” to “Off”
Click 【Save】
– Attribute “mail”
-- Enter “mail” in “Name *”
-- Set “Mapper type *” to “user-attribute-ldap-mapper”
-- Enter “mail” in “User Model Attribute”
-- Enter “mail” in “LDAP Attribute”
-- Set “Read Only” to “On”
-- Set “Is Mandatory In LDAP” to “Off”
-- Leave “Attribute default value” empty
-- Set “Force a Default Value” to “Off”
-- Set “Is Binary Attribute” to “Off”
Click 【Save】
– Attribute “objectGUID”
-- Enter “objectGUID” in “Name *”
-- Set “Mapper type *” to “user-attribute-ldap-mapper”
-- Enter “objectGUID” in “User Model Attribute”
-- Enter “objectGUID” in “LDAP Attribute”
-- Set “Read Only” to “On”
-- Set “Is Mandatory In LDAP” to “Off”
-- Leave “Attribute default value” empty
-- Set “Force a Default Value” to “Off”
-- Set “Is Binary Attribute” to “Off”
Click 【Save】
– Attribute “sAMAccountName”
-- Enter “sAMAccountName” in “Name *”
-- Set “Mapper type *” to “user-attribute-ldap-mapper”
-- Enter “sAMAccountName” in “User Model Attribute”
-- Enter “sAMAccountName” in “LDAP Attribute”
-- Set “Read Only” to “On”
-- Set “Is Mandatory In LDAP” to “Off”
-- Leave “Attribute default value” empty
-- Set “Force a Default Value” to “Off”
-- Set “Is Binary Attribute” to “Off”
Click 【Save】
– Attribute “username”
-- Enter “uid” in “Name *”
-- Set “Mapper type *” to “user-attribute-ldap-mapper”
-- Enter “username” in “User Model Attribute”
-- Enter “sAMAccountName” in “LDAP Attribute”
-- Set “Read Only” to “On”
-- Set “Is Mandatory In LDAP” to “Off”
-- Leave “Attribute default value” empty
-- Set “Force a Default Value” to “Off”
-- Set “Is Binary Attribute” to “Off”
Click 【Save】
– Attribute “userPrincipalName”
-- Enter “uid” in “Name *”
-- Set “Mapper type *” to “user-attribute-ldap-mapper”
-- Enter “userPrincipalName” in “User Model Attribute”
-- Enter “userPrincipalName” in “LDAP Attribute”
-- Set “Read Only” to “On”
-- Set “Is Mandatory In LDAP” to “Off”
-- Leave “Attribute default value” empty
-- Set “Force a Default Value” to “Off”
-- Set “Is Binary Attribute” to “Off”
Click 【Save】
– Attribute “whenCreated”
-- Enter “uuid” in “Name *”
-- Set “Mapper type *” to “user-attribute-ldap-mapper”
-- Enter “whenCreated” in “User Model Attribute”
-- Enter “whenCreated” in “LDAP Attribute”
-- Set “Read Only” to “On”
-- Set “Is Mandatory In LDAP” to “Off”
-- Leave “Attribute default value” empty
-- Set “Force a Default Value” to “Off”
-- Set “Is Binary Attribute” to “Off”
Click 【Save】
2.2.4 Configure the attribute mappers for the AD connection (optional but recommended)
Click 【User federation】 -> 【Add new provider】 -> 【LDAP】
On the “Mappers” tab, click 【Add mapper】 to add custom fields
– Attribute “first name”
-- Enter “first name” in “Name *”
-- Set “Mapper type *” to “user-attribute-ldap-mapper”
-- Enter “first name” in “User Model Attribute”
-- Enter “givenName” in “LDAP Attribute”
-- Set “Read Only” to “On”
-- Set “Is Mandatory In LDAP” to “On”
-- Leave “Attribute default value” empty
-- Set “Force a Default Value” to “Off”
-- Set “Is Binary Attribute” to “Off”
Click 【Save】
– Attribute “last name”
-- Enter “last name” in “Name *”
-- Set “Mapper type *” to “user-attribute-ldap-mapper”
-- Enter “last name” in “User Model Attribute”
-- Enter “sn” in “LDAP Attribute”
-- Set “Read Only” to “On”
-- Set “Is Mandatory In LDAP” to “On”
-- Leave “Attribute default value” empty
-- Set “Force a Default Value” to “Off”
-- Set “Is Binary Attribute” to “Off”
Click 【Save】
2.2.5 Configure the attribute mappers for the AD connection (optional)
Click 【User federation】 -> 【Add new provider】 -> 【LDAP】
On the “Mappers” tab, click 【Add mapper】 to add custom fields
– Attribute “cn”
-- Enter “cn” in “Name *”
-- Set “Mapper type *” to “user-attribute-ldap-mapper”
-- Enter “cn” in “User Model Attribute”
-- Enter “cn” in “LDAP Attribute”
-- Set “Read Only” to “On”
-- Set “Is Mandatory In LDAP” to “Off”
-- Leave “Attribute default value” empty
-- Set “Force a Default Value” to “Off”
-- Set “Is Binary Attribute” to “Off”
Click 【Save】
– Attribute “whenChanged”
-- Enter “whenChanged” in “Name *”
-- Set “Mapper type *” to “user-attribute-ldap-mapper”
-- Enter “whenChanged” in “User Model Attribute”
-- Enter “whenChanged” in “LDAP Attribute”
-- Set “Read Only” to “On”
-- Set “Is Mandatory In LDAP” to “Off”
-- Leave “Attribute default value” empty
-- Set “Force a Default Value” to “Off”
-- Set “Is Binary Attribute” to “Off”
Click 【Save】
– Attribute “modify date”
-- Enter “modify date” in “Name *”
-- Set “Mapper type *” to “user-attribute-ldap-mapper”
-- Enter “modifyTimestamp” in “User Model Attribute”
-- Enter “whenChanged” in “LDAP Attribute”
-- Set “Read Only” to “On”
-- Set “Is Mandatory In LDAP” to “Off”
-- Leave “Attribute default value” empty
-- Set “Force a Default Value” to “Off”
-- Set “Is Binary Attribute” to “Off”
Click 【Save】
– Attribute “creation date”
-- Enter “modify date” in “Name *”
-- Set “Mapper type *” to “user-attribute-ldap-mapper”
-- Enter “createTimestamp” in “User Model Attribute”
-- Enter “whenCreated” in “LDAP Attribute”
-- Set “Read Only” to “On”
-- Set “Is Mandatory In LDAP” to “Off”
-- Leave “Attribute default value” empty
-- Set “Force a Default Value” to “Off”
-- Set “Is Binary Attribute” to “Off”
Click 【Save】
– Attribute “department”
-- Enter “department” in “Name *”
-- Set “Mapper type *” to “user-attribute-ldap-mapper”
-- Enter “department” in “User Model Attribute”
-- Enter “department” in “LDAP Attribute”
-- Set “Read Only” to “On”
-- Set “Is Mandatory In LDAP” to “Off”
-- Leave “Attribute default value” empty
-- Set “Force a Default Value” to “Off”
-- Set “Is Binary Attribute” to “Off”
Click 【Save】
– Attribute “description”
-- Enter “description” in “Name *”
-- Set “Mapper type *” to “user-attribute-ldap-mapper”
-- Enter “description” in “User Model Attribute”
-- Enter “description” in “LDAP Attribute”
-- Set “Read Only” to “On”
-- Set “Is Mandatory In LDAP” to “Off”
-- Leave “Attribute default value” empty
-- Set “Force a Default Value” to “Off”
-- Set “Is Binary Attribute” to “Off”
Click 【Save】
– Attribute “displayname”
-- Enter “displayname” in “Name *”
-- Set “Mapper type *” to “user-attribute-ldap-mapper”
-- Enter “displayname” in “User Model Attribute”
-- Enter “displayname” in “LDAP Attribute”
-- Set “Read Only” to “On”
-- Set “Is Mandatory In LDAP” to “Off”
-- Leave “Attribute default value” empty
-- Set “Force a Default Value” to “Off”
-- Set “Is Binary Attribute” to “Off”
Click 【Save】
– Attribute “givenName”
-- Enter “givenName” in “Name *”
-- Set “Mapper type *” to “user-attribute-ldap-mapper”
-- Enter “givenName” in “User Model Attribute”
-- Enter “givenName” in “LDAP Attribute”
-- Set “Read Only” to “On”
-- Set “Is Mandatory In LDAP” to “Off”
-- Leave “Attribute default value” empty
-- Set “Force a Default Value” to “Off”
-- Set “Is Binary Attribute” to “Off”
Click 【Save】
– Attribute “MSAD account controls”
-- Enter “MSAD account controls” in “Name *”
-- Set “Mapper type *” to “msad-user-account-control-mapper”
-- Set “Password Policy Hints Enabled” to “Off”
Click 【Save】
– Attribute “msDS-UserPasswordExpiryTimeComputed”
-- Enter “msDS-UserPasswordExpiryTimeComputed” in “Name *”
-- Set “Mapper type *” to “user-attribute-ldap-mapper”
-- Enter “msDS-UserPasswordExpiryTimeComputed” in “User Model Attribute”
-- Enter “msDS-UserPasswordExpiryTimeComputed” in “LDAP Attribute”
-- Set “Read Only” to “On”
-- Set “Is Mandatory In LDAP” to “Off”
-- Leave “Attribute default value” empty
-- Set “Force a Default Value” to “Off”
-- Set “Is Binary Attribute” to “Off”
Click 【Save】
– Attribute “otherTelephone”
-- Enter “otherTelephone” in “Name *”
-- Set “Mapper type *” to “user-attribute-ldap-mapper”
-- Enter “otherTelephone” in “User Model Attribute”
-- Enter “otherTelephone” in “LDAP Attribute”
-- Set “Read Only” to “On”
-- Set “Is Mandatory In LDAP” to “Off”
-- Leave “Attribute default value” empty
-- Set “Force a Default Value” to “Off”
-- Set “Is Binary Attribute” to “Off”
Click 【Save】
– Attribute “pwdLastSet”
-- Enter “pwdLastSet” in “Name *”
-- Set “Mapper type *” to “user-attribute-ldap-mapper”
-- Enter “pwdLastSet” in “User Model Attribute”
-- Enter “pwdLastSet” in “LDAP Attribute”
-- Set “Read Only” to “On”
-- Set “Is Mandatory In LDAP” to “Off”
-- Leave “Attribute default value” empty
-- Set “Force a Default Value” to “Off”
-- Set “Is Binary Attribute” to “Off”
Click 【Save】
– Attribute “title”
-- Enter “title” in “Name *”
-- Set “Mapper type *” to “user-attribute-ldap-mapper”
-- Enter “title” in “User Model Attribute”
-- Enter “title” in “LDAP Attribute”
-- Set “Read Only” to “On”
-- Set “Is Mandatory In LDAP” to “Off”
-- Leave “Attribute default value” empty
-- Set “Force a Default Value” to “Off”
-- Set “Is Binary Attribute” to “Off”
Click 【Save】
2.2.6 Verify the configuration
Open https://websso.cmdschool.org/realms/cmdschool/account and sign in with:
User: will
Password: willPassword
Click 【Sign in】; if the login succeeds, the integration works.
Note: the “cmdschool” in the URL above must match the Realm name
References
====================
https://www.keycloak.org/docs/latest/server_admin/index.html#_ldap
https://www.keycloak.org/docs/latest/server_admin/index.html#creating-first-admin_server_administration_guide
https://docs.redhat.com/zh-cn/documentation/red_hat_build_of_keycloak/26.2/html-single/getting_started_guide/index#getting-started-zip-create-a-realm