libre.sh/keycloak-scim
2
0
Fork 0
Code Issues 14 Pull requests Releases Packages Activity Actions 6

fixed RHSSO-932

Browse source
This commit is contained in:
Jen Malloy 2017-03-31 15:11:05 -04:00
parent 45e3761d8a
commit 0d830ad2f6
1 changed files with 6 additions and 35 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

41
server_admin/topics/user-federation/sssd.adoc
View file

@ -2,9 +2,9 @@
=== SSSD and FreeIPA Identity Management Integration === SSSD and FreeIPA Identity Management Integration
{{book.project.name}} also comes with a built-in https://fedorahosted.org/sssd/wiki[SSSD] (System Security Services Daemon) plugin. SSSD is part of the latest Fedora or Red Hat Enterprise Linux and provides access to multiple identity and authentication providers. It provides benefits such as failover and offline support. To see configuration options and for more information see https://fedorahosted.org/sssd/wiki/Documentation[the Fedora documentation]. {{book.project.name}} also comes with a built-in https://fedorahosted.org/sssd/wiki[SSSD] (System Security Services Daemon) plugin. SSSD is part of the latest Fedora or Red Hat Enterprise Linux and provides access to multiple identity and authentication providers. It provides benefits such as failover and offline support. To see configuration options and for more information see https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/SSSD.html[the Red Hat Enterprise Linux Identity Management documentation].
SSSD also integrates with the http://www.freeipa.org/page/Main_Page[FreeIPA identity management (IdM)] server, providing authentication and access control. For {book_project_name}, we benefit from this integration authenticating against http://tldp.org/HOWTO/User-Authentication-HOWTO/x115.html[PAM] services and retrieving user data from SSSD. SSSD also integrates with the http://www.freeipa.org/page/Main_Page[FreeIPA identity management (IdM)] server, providing authentication and access control. For {book_project_name}, we benefit from this integration authenticating against http://tldp.org/HOWTO/User-Authentication-HOWTO/x115.html[PAM] services and retrieving user data from SSSD. For more information about using Red Hat Identity Management in Linux environments, see https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html[the Red Hat Enterprise Linux Identity Management documentation].
image:../../{{book.images}}/keycloak-sssd-freeipa-integration-overview.png[] image:../../{{book.images}}/keycloak-sssd-freeipa-integration-overview.png[]
@ -64,42 +64,13 @@ You must run the provisioning script available from the Keycloak distribution:
{% if book.product %} {% if book.product %}
You must copy and run this provisioning script: You must run this provisioning script:
[source,bash] [source]
----
$ .../bin/federation-sssd-setup.sh
---- ----
#!/bin/sh
# Setup for SSSD
SSSD_FILE="/etc/sssd/sssd.conf"
if [ -f "$SSSD_FILE" ];
then
sed -i '/ldap_tls_cacert/a ldap_user_extra_attrs = mail:mail, sn:sn, givenname:givenname, telephoneNumber:telephoneNumber' $SSSD_FILE
sed -i 's/nss, sudo, pam/nss, sudo, pam, ifp/' $SSSD_FILE
sed -i '/\[ifp\]/a allowed_uids = root\nuser_attributes = +mail, +telephoneNumber, +givenname, +sn' $SSSD_FILE
systemctl restart sssd
else
echo "Please make sure you have $SSSD_FILE into your system! Aborting."
exit 1
fi
# Setup for PAM
PAM_FILE="/etc/pam.d/keycloak"
if [ ! -f "$PAM_FILE" ];
then
cat <<EOF > $PAM_FILE
auth required pam_sss.so
account required pam_sss.so
EOF
else
echo "$PAM_FILE already exists. Skipping it..."
exit 0
fi
----
{% endif %} {% endif %}
This script makes the necessary changes to `/etc/sssd/sssd.conf`: This script makes the necessary changes to `/etc/sssd/sssd.conf`: