Differences

This shows you the differences between two versions of the page.

--- сервис_keycloak [2025/12/04 10:54]
val [Базовая конфигурация]
+++ сервис_keycloak [2025/12/25 15:08] (current)
val [Kubernetes]
@@ Line 149: / Line 149: @@
   adminUser: admin
   adminPassword: strongpassword
-proxy: edge
+#proxy: edge
 #proxyHeaders: "xforwarded"
 ingress:
@@ Line 182: / Line 182: @@
 #  password: strongpassword
-#extraVolumeMounts:
+###extraVolumeMounts:
-#- mountPath: /opt/bitnami/keycloak/themes
+###- mountPath: /opt/bitnami/keycloak/themes
-#  name: themes
+###  name: themes
-#extraVolumes:
+###extraVolumes:
-#- emptyDir: {}
+###- emptyDir: {}
-#  name: themes
+###  name: themes
 #initContainers:
@@ Line 201: / Line 201: @@
 #  volumeMounts:
 #  - mountPath: /opt/bitnami/keycloak/themes
-#    name: themes
+###    name: themes
+#    name: empty-dir
+#    subPath: app-themes-dir
 </code><code>
 ~/keycloak$ ###helm template my-keycloak -f values.yaml oci://registry-1.docker.io/bitnamicharts/keycloak -n my-keycloak-ns --version $KC_HC_VER | less
@@ Line 235: / Line 238: @@
   Users
     Add User
-      user1/kcpassword1
+      user1/kcpassword1 (Temporary: off)
-      В новых версиях надо ФИО и email, иначе Account is not fully set up
+      В новых версиях обязательно ФИО и email, иначе, Account is not fully set up
   Realm settings
@@ Line 263: / Line 266: @@
 может понадобиться включить
     Direct access grants
+для передачи списка групп в токене понадобится:
+Client scopes ->
+  Create client scope -> Name: groups
+    Configure a new mapper: Groups Membership
+      Name: groups
+    Configure a new mapper: Audience  !!! Для "подсовывания" токена в .kube/config
+	  Name (и везде): any-client
+Clients -> any-client
+  Client scopes
+  Add client scopes to any-client: groups
+  Add: Default
+Include in token scope ?
+Add to lightweight access token ?
+Token Claim Name: groups
+Full group path: No
 </code>
-==== Проверка ====
+==== Проверка получения токена ====
   * [[Материалы по Windows#Windows CA для Linux сервисов]]
@@ Line 352: / Line 375: @@
 === FreeIPA ===
+  * [[https://itdraft.ru/2023/03/01/nastrojka-oauth-avtorizacii-cherez-keycloak-freeipa-v-dokuwiki/|Настройка oAuth авторизации через Keycloak+FreeIPA в DokuWiki]]
 <code>
 Vendor: Other
@@ Line 364: / Line 390: @@
 Edit mode: READ_ONLY
-Users DN: cn=users,cn=compat,dc=corpX,dc=un
+#Users DN: cn=users,cn=compat,dc=corpX,dc=un
 Users DN: cn=users,cn=accounts,dc=corpX,dc=un
 ...
@@ Line 371: / Line 397: @@
 RDN LDAP attribute: uid
 ...
-UUID LDAP attribute: ipaAnchorUUID
+#UUID LDAP attribute: ipaAnchorUUID
-UUID LDAP attribute: uid
+#UUID LDAP attribute: uid
+UUID LDAP attribute: ipaUniqueID
+Mappers ->
+  Name: first name
+  LDAP Attribute: givenname
+  Name: groups
+  Mapper type: group-ldap-mapper
+  LDAP Groups DN: cn=groups,cn=accounts,dc=corpX,dc=un
+  Relative creation DN: cn
+  Group Name LDAP Attribute: cn
 </code>

Методические материалы Лохтурова Вячеслава

User Tools

Site Tools

Differences

Page Tools