The_miro
/
Dotfiles
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Dotfiles/setup/modules/FreeipaAnsible/image/keycloak-configure.sh

273 lines
12 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
# keycloak-configure.sh — wire Keycloak to FreeIPA via LDAP user federation
#
# Run this AFTER both FreeIPA and Keycloak are fully up.
# Reads settings from environment variables or a .env file in the same directory.
#
# Required env vars:
# IPA_SERVER FreeIPA server FQDN
# IPA_DOMAIN FreeIPA domain
# IPA_DM_PASSWORD Directory Manager password (used as LDAP bind credential
# unless IPA_BIND_DN / IPA_BIND_PASSWORD override it)
# KC_ADMIN_PASSWORD Keycloak admin password
#
# Optional env vars (defaults shown):
# KC_URL http://localhost:8080
# KC_ADMIN admin
# KC_REALM freeipa (realm to create)
# KC_REALM_DISPLAY <IPA_DOMAIN>
# IPA_REALM <IPA_DOMAIN uppercased>
# IPA_BIND_DN cn=Directory Manager
# IPA_BIND_PASSWORD <IPA_DM_PASSWORD>
# IPA_USE_LDAPS false
# IPA_LDAP_PORT 389 (or 636 if LDAPS)
# SYNC_FULL_PERIOD 604800 (1 week)
# SYNC_CHANGED_PERIOD 86400 (1 day)
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
[[ -f "$SCRIPT_DIR/.env" ]] && set -a && source "$SCRIPT_DIR/.env" && set +a
RED='\033[0;31m'; GREEN='\033[0;32m'; YELLOW='\033[1;33m'; CYAN='\033[0;36m'; NC='\033[0m'
log() { echo -e "${GREEN}[+]${NC} $*"; }
warn() { echo -e "${YELLOW}[!]${NC} $*"; }
error() { echo -e "${RED}[✗]${NC} $*" >&2; }
info() { echo -e "${CYAN}[i]${NC} $*"; }
: "${IPA_SERVER:?IPA_SERVER is required}"
: "${IPA_DOMAIN:?IPA_DOMAIN is required}"
: "${IPA_DM_PASSWORD:?IPA_DM_PASSWORD is required}"
: "${KC_ADMIN_PASSWORD:?KC_ADMIN_PASSWORD is required}"
KC_URL="${KC_URL:-http://localhost:8080}"
KC_ADMIN="${KC_ADMIN:-admin}"
KC_REALM="${KC_REALM:-freeipa}"
KC_REALM_DISPLAY="${KC_REALM_DISPLAY:-$IPA_DOMAIN}"
IPA_REALM="${IPA_REALM:-${IPA_DOMAIN^^}}"
IPA_BIND_DN="${IPA_BIND_DN:-cn=Directory Manager}"
IPA_BIND_PASSWORD="${IPA_BIND_PASSWORD:-$IPA_DM_PASSWORD}"
IPA_USE_LDAPS="${IPA_USE_LDAPS:-false}"
IPA_LDAP_SCHEME="ldap"
IPA_LDAP_PORT=389
[[ "$IPA_USE_LDAPS" == "true" ]] && IPA_LDAP_SCHEME="ldaps" && IPA_LDAP_PORT=636
IPA_LDAP_URL="${IPA_LDAP_URL:-${IPA_LDAP_SCHEME}://${IPA_SERVER}:${IPA_LDAP_PORT}}"
IPA_BASEDN="dc=${IPA_DOMAIN/./,dc=}"
SYNC_FULL_PERIOD="${SYNC_FULL_PERIOD:-604800}"
SYNC_CHANGED_PERIOD="${SYNC_CHANGED_PERIOD:-86400}"
# ─── Helpers ──────────────────────────────────────────────────────────────────
kc_token() {
curl -sf -X POST \
"$KC_URL/realms/master/protocol/openid-connect/token" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "client_id=admin-cli&grant_type=password" \
-d "username=$KC_ADMIN" \
--data-urlencode "password=$KC_ADMIN_PASSWORD" \
| jq -r '.access_token'
}
kc_get() { curl -sf -H "Authorization: Bearer $TOKEN" "$KC_URL$1"; }
kc_post() { curl -sf -X POST -H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" -d "$2" "$KC_URL$1"; }
kc_put() { curl -sf -X PUT -H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" -d "$2" "$KC_URL$1"; }
kc_status() { curl -sf -o /dev/null -w "%{http_code}" \
-H "Authorization: Bearer $TOKEN" "$KC_URL$1"; }
# ─── Wait for Keycloak ────────────────────────────────────────────────────────
info "Waiting for Keycloak at $KC_URL..."
for i in $(seq 1 60); do
curl -sf "$KC_URL/health/ready" &>/dev/null && break
[[ $i -eq 60 ]] && { error "Keycloak not ready after 120s."; exit 1; }
sleep 2
done
log "Keycloak is ready."
# ─── Authenticate ─────────────────────────────────────────────────────────────
TOKEN=$(kc_token)
[[ -z "$TOKEN" || "$TOKEN" == "null" ]] && { error "Failed to obtain Keycloak token."; exit 1; }
log "Admin token obtained."
# ─── Create realm ─────────────────────────────────────────────────────────────
REALM_STATUS=$(kc_status "/admin/realms/$KC_REALM")
if [[ "$REALM_STATUS" == "200" ]]; then
warn "Realm '$KC_REALM' already exists — updating."
kc_put "/admin/realms/$KC_REALM" \
"{\"realm\":\"$KC_REALM\",\"displayName\":\"$KC_REALM_DISPLAY\",\"enabled\":true,
\"ssoSessionMaxLifespan\":36000,\"accessTokenLifespan\":300}" >/dev/null
else
kc_post "/admin/realms" \
"{\"realm\":\"$KC_REALM\",\"displayName\":\"$KC_REALM_DISPLAY\",\"enabled\":true,
\"ssoSessionMaxLifespan\":36000,\"accessTokenLifespan\":300}" >/dev/null
log "Realm '$KC_REALM' created."
fi
TOKEN=$(kc_token)
# ─── LDAP user federation ─────────────────────────────────────────────────────
log "Configuring FreeIPA LDAP user federation..."
LDAP_COMPONENT=$(cat <<JSON
{
"name": "freeipa-ldap",
"providerId": "ldap",
"providerType": "org.keycloak.storage.UserStorageProvider",
"config": {
"enabled": ["true"],
"priority": ["1"],
"editMode": ["READ_ONLY"],
"syncRegistrations": ["false"],
"vendor": ["rhds"],
"usernameLDAPAttribute": ["uid"],
"rdnLDAPAttribute": ["uid"],
"uuidLDAPAttribute": ["ipaUniqueID"],
"userObjectClasses": ["inetOrgPerson, organizationalPerson"],
"connectionUrl": ["$IPA_LDAP_URL"],
"usersDn": ["cn=users,cn=accounts,$IPA_BASEDN"],
"authType": ["simple"],
"bindDn": ["$IPA_BIND_DN"],
"bindCredential": ["$IPA_BIND_PASSWORD"],
"searchScope": ["1"],
"validatePasswordPolicy": ["false"],
"trustEmail": ["false"],
"useTruststoreSpi": ["ldapsOnly"],
"connectionPooling": ["true"],
"pagination": ["true"],
"batchSizeForSync": ["1000"],
"fullSyncPeriod": ["$SYNC_FULL_PERIOD"],
"changedSyncPeriod": ["$SYNC_CHANGED_PERIOD"],
"importEnabled": ["true"],
"cachePolicy": ["DEFAULT"],
"kerberosRealm": ["$IPA_REALM"],
"serverPrincipal": ["HTTP/$IPA_SERVER@$IPA_REALM"],
"useKerberosForPasswordAuthentication": ["false"],
"allowKerberosAuthentication": ["false"],
"debug": ["false"]
}
}
JSON
)
EXISTING_ID=$(kc_get "/admin/realms/$KC_REALM/components?type=org.keycloak.storage.UserStorageProvider&name=freeipa-ldap" \
| jq -r '.[0].id // empty')
if [[ -n "$EXISTING_ID" ]]; then
warn "LDAP provider already exists (id=$EXISTING_ID) — updating."
kc_put "/admin/realms/$KC_REALM/components/$EXISTING_ID" "$LDAP_COMPONENT" >/dev/null
LDAP_ID="$EXISTING_ID"
else
LDAP_ID=$(kc_post "/admin/realms/$KC_REALM/components" "$LDAP_COMPONENT" \
| jq -r '.id // empty')
# Keycloak returns 201 with Location header, not a body with id — extract from header or re-query
if [[ -z "$LDAP_ID" ]]; then
LDAP_ID=$(kc_get "/admin/realms/$KC_REALM/components?type=org.keycloak.storage.UserStorageProvider&name=freeipa-ldap" \
| jq -r '.[0].id')
fi
log "LDAP provider created (id=$LDAP_ID)."
fi
# ─── Attribute mappers ────────────────────────────────────────────────────────
log "Adding LDAP attribute mappers..."
add_mapper() {
local name="$1" type="$2" ldap_attr="$3" user_attr="$4"
local payload
payload=$(cat <<JSON
{
"name": "$name",
"providerId": "$type",
"providerType": "org.keycloak.storage.ldap.mappers.LDAPStorageMapper",
"parentId": "$LDAP_ID",
"config": {
"ldap.attribute": ["$ldap_attr"],
"user.model.attribute": ["$user_attr"],
"read.only": ["true"],
"always.read.value.from.ldap": ["false"],
"is.mandatory.in.ldap": ["false"]
}
}
JSON
)
local exists
exists=$(kc_get "/admin/realms/$KC_REALM/components?parent=$LDAP_ID&name=$name" \
| jq -r '.[0].id // empty')
if [[ -z "$exists" ]]; then
kc_post "/admin/realms/$KC_REALM/components" "$payload" >/dev/null
log " mapper: $name"
else
warn " mapper '$name' already exists — skipping."
fi
}
add_mapper "email" "user-attribute-ldap-mapper" "mail" "email"
add_mapper "first-name" "user-attribute-ldap-mapper" "givenName" "firstName"
add_mapper "last-name" "user-attribute-ldap-mapper" "sn" "lastName"
add_mapper "uid-number" "user-attribute-ldap-mapper" "uidNumber" "uidNumber"
# Group mapper (maps IPA groups to Keycloak groups)
GROUP_MAPPER=$(cat <<JSON
{
"name": "freeipa-groups",
"providerId": "group-ldap-mapper",
"providerType": "org.keycloak.storage.ldap.mappers.LDAPStorageMapper",
"parentId": "$LDAP_ID",
"config": {
"groups.dn": ["cn=groups,cn=accounts,$IPA_BASEDN"],
"group.name.ldap.attribute": ["cn"],
"group.object.classes": ["groupOfNames"],
"preserve.group.inheritance": ["false"],
"membership.ldap.attribute": ["member"],
"membership.attribute.type": ["DN"],
"mode": ["READ_ONLY"],
"user.roles.retrieve.strategy": ["LOAD_GROUPS_BY_MEMBER_ATTRIBUTE"],
"mapped.group.attributes": [""],
"drop.non.existing.groups.during.sync": ["false"]
}
}
JSON
)
exists=$(kc_get "/admin/realms/$KC_REALM/components?parent=$LDAP_ID&name=freeipa-groups" \
| jq -r '.[0].id // empty')
if [[ -z "$exists" ]]; then
kc_post "/admin/realms/$KC_REALM/components" "$GROUP_MAPPER" >/dev/null
log " mapper: freeipa-groups"
fi
# ─── Trigger initial sync ──────────────────────────────────────────────────────
log "Triggering initial user sync..."
SYNC_RESULT=$(kc_post "/admin/realms/$KC_REALM/user-storage/$LDAP_ID/sync?action=triggerFullSync" "" 2>/dev/null || echo "{}")
ADDED=$(echo "$SYNC_RESULT" | jq -r '.added // 0')
UPDATED=$(echo "$SYNC_RESULT" | jq -r '.updated // 0')
log "Sync complete: $ADDED added, $UPDATED updated."
# ─── Enable email login ────────────────────────────────────────────────────────
kc_put "/admin/realms/$KC_REALM" \
'{"loginWithEmailAllowed":true,"duplicateEmailsAllowed":false}' >/dev/null
log "Email login enabled on realm '$KC_REALM'."
# ─── Summary ─────────────────────────────────────────────────────────────────
cat <<EOF
${GREEN}Keycloak ↔ FreeIPA configuration complete.${NC}
Keycloak URL: $KC_URL
Realm: $KC_REALM (display: $KC_REALM_DISPLAY)
LDAP provider: $IPA_LDAP_URL
Users DN: cn=users,cn=accounts,$IPA_BASEDN
Groups DN: cn=groups,cn=accounts,$IPA_BASEDN
Sync schedule: full=${SYNC_FULL_PERIOD}s / changed=${SYNC_CHANGED_PERIOD}s
Admin console: $KC_URL/admin/$KC_REALM/console
User login: $KC_URL/realms/$KC_REALM/account
Next steps:
• Verify users are visible: Admin console → Users
• Set up client applications (OIDC/SAML) in this realm
• For production: switch Keycloak to 'start' mode with a TLS cert
• For Kerberos/SPNEGO: supply an HTTP service keytab and set
allowKerberosAuthentication=true in the LDAP provider config
EOF
Reference in New Issue View Git Blame Copy Permalink