Keycloak LDAP and Kerberos Demo

This project demonstrates a complete Keycloak setup with LDAP and Kerberos integration for protecting a web application.

Architecture

The demo includes:

• Keycloak 23.0 - Identity and Access Management
• PostgreSQL - Keycloak's database
• OpenLDAP - LDAP directory server with test users
• Kerberos KDC - Kerberos authentication server
• Simple Web App - Node.js application protected by Keycloak

Quick Start

Prerequisites

• Docker and Docker Compose
• curl and jq (for setup script)

Starting the Demo

1. Start all services:

docker-compose up -d

2. Wait for all services to start (this may take 1-2 minutes)

3. Run the Keycloak configuration script:

./setup-keycloak.sh

Access Points

• Keycloak Admin Console: http://localhost:8080

  • Username: admin
  • Password: admin

• Demo Web Application: http://localhost:3000

Test Users

All test users are available in both LDAP and Kerberos:

Username	Password	Full Name	Email
jdoe	password123	John Doe	[email protected]
asmith	password123	Alice Smith	[email protected]
bjones	password123	Bob Jones	[email protected]

Testing the Integration

LDAP Authentication

1. Go to http://localhost:3000
2. Click "Access Protected Resource"
3. You'll be redirected to Keycloak login
4. Log in with one of the test users (e.g., jdoe / password123)
5. You should see the protected page with user information from LDAP

Verifying LDAP Integration

1. Access Keycloak Admin Console
2. Navigate to Realm Settings > User Federation
3. You should see the configured LDAP provider
4. Click Synchronize all users to sync LDAP users
5. Go to Users to see the imported LDAP users

Kerberos Integration

The Kerberos setup includes:

• Realm: EXAMPLE.COM
• KDC: kerberos.example.com
• Service Principal: HTTP/[email protected]

Kerberos principals created:

• [email protected]
• [email protected]
• [email protected]
• HTTP/[email protected] (for Keycloak)

Configuration Details

LDAP Configuration

• Connection URL: ldap://ldap:389
• Base DN: dc=example,dc=com
• Users DN: ou=users,dc=example,dc=com
• Bind DN: cn=admin,dc=example,dc=com
• Bind Password: admin

Kerberos Configuration

• Realm: EXAMPLE.COM
• KDC: kerberos.example.com
• Admin Principal: admin/[email protected]
• Keycloak Service: HTTP/[email protected]

Keycloak Realm

• Realm Name: demo
• Client ID: webapp
• Client Secret: webapp-secret

Troubleshooting

Services not starting

Check service logs:

docker-compose logs [service-name]

LDAP users not showing

1. Check LDAP service is running:

docker-compose ps ldap

2. Manually sync LDAP users in Keycloak Admin Console

3. Test LDAP connection:

docker exec keycloak-ldap ldapsearch -x -b "dc=example,dc=com" -D "cn=admin,dc=example,dc=com" -w admin

Kerberos not working

1. Check Kerberos service:

docker-compose logs kerberos

2. Verify keytab was created:

docker exec keycloak-kerberos ls -la /var/lib/krb5kdc/keycloak.keytab

Stopping the Demo

docker-compose down

To remove all data:

docker-compose down -v

Project Structure

.
├── docker-compose.yml          # Main orchestration file
├── setup-keycloak.sh          # Keycloak configuration script
├── ldap/
│   └── ldif/
│       └── users.ldif         # LDAP test users
├── kerberos/
│   ├── Dockerfile             # Kerberos KDC image
│   ├── krb5.conf             # Kerberos client config
│   ├── kdc.conf              # KDC configuration
│   └── setup-kerberos.sh     # Kerberos initialization
└── webapp/
    ├── Dockerfile             # Web app image
    ├── package.json          # Node.js dependencies
    └── server.js             # Express application