Keycloak & Cloudron
-
@ianhyzy I finally managed to run Keycloak on Cloudron after a few days of trying. Most of the code is from this repository. The author seemed to have used a heavily modified configuration file, tailored to fit their needs. Also they had a two-step build system, where they pushed a customized Keycloak image to the hub, then the actual Cloudron app made use of the previously pushed image. That didn't seem necessary.
So, I wrote a simple build script that would:
- spawn a fresh installation of Keycloak
- export the default master realm configuration
- adds LDAP and SMTP configuration for Cloudron to the exported file
The app I put together is based on
cloudron/base:3.2
and makes use of the freshly exported and customized configuration file, which IMO is more compatible with Keycloak updates.I'll publish the code on Github this weekend. I'm planning to use this instance to install Outline because it now supports a custom OIDC auth provider.
Cheers!
-
@nj that will be awesome! Will go well together with the upcoming feature that exposes the Cloudron's LDAP server as well. As in, people can choose which LDAP server they want. Keycloak, I am sure can probably do a lot more than our LDAP server.
-
-
@girish, is there a way to import only active users when syncing users with LDAP?
After setting up Keycloak, only the "active" users could log in to Keycloak. But when I try to import active users to Keycloak, all users were imported, including those who were marked as not active in my Cloudron Users dashboard. -
@girish I always thought marking the users as inactive would mean they can't log in to the services that use Cloudron LDAP. On the other hand, for instance, Keycloak has an option to do a full sync of users from the LDAP server. In such cases, Keycloak does not have any way to know whether the users are still active. That's why I asked if there's any filter that I can apply to only fetch/sync active users.
-
@nj said in Keycloak & Cloudron:
@girish I always thought marking the users as inactive would mean they can't log in to the services that use Cloudron LDAP
Yes, that's the case. When you say "Cloudron LDAP" you mean the apps installed on Cloudron, right? Or have you made some custom patch to expose Cloudron LDAP to external apps ?
On the other hand, for instance, Keycloak has an option to do a full sync of users from the LDAP server.
I don't get this part... How can Keycloak sync from Cloudron ? (unless, of course, you have made some custom patch to expose Cloudron LDAP...).
(So, if the above is true, we can expose the active flag via LDAP. That should be straightforward, if that's what you are asking).
-
When you say "Cloudron LDAP" you mean the apps installed on Cloudron, right?
Yes. I recently built and run Keycloak as an app on my Cloudron instance.
we can expose the active flag via LDAP.
That's exactly what I want. If you could expose the
active
flag via LDAP, I could use a filter like(&(objectClass=user)(isActive=true))
to only fetch active users.I'm not a native English speaker, so excuse the confusion that I caused.
-
@nj I just made a fix in fact to not list inactive users in ldap at all. I think that was an oversight. After all, we don't want those users to appear in LDAP searches. Maybe you can try this patch - https://git.cloudron.io/cloudron/box/-/commit/8958b154e96832688896dafccf7350bad575b0a9
-
@girish That worked. By the way, is there a plan to package Keycloak? I managed to run Keycloak and Outline on Cloudron. Keycloak needed some patching to make it work on the read-only system without mounting everything to /app/data. Outline wiki app can be easily set up to authenticate using Keycloak. Both apps seem to be working as they should. Do you think we can publish those apps to the Cloudron App Store? That would be my first experience publishing an app.
Currently, I am packaging the Outline app to directly authenticate with the Cloudron user directory without the need to install Keycloak. If anyone is interested, I published a little more details in my blog. I'm doing another write-up describing the issues I solved while packaging Keylcloak.
-