User Tools
сервис_keycloak
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
сервис_keycloak [2025/12/04 11:07] val [Kubernetes] |
сервис_keycloak [2025/12/25 15:08] (current) val [Kubernetes] |
||
|---|---|---|---|
| Line 182: | Line 182: | ||
| # password: strongpassword | # password: strongpassword | ||
| - | ##extraVolumeMounts: | + | ###extraVolumeMounts: |
| - | ##- mountPath: /opt/bitnami/keycloak/themes | + | ###- mountPath: /opt/bitnami/keycloak/themes |
| - | ## name: themes | + | ### name: themes |
| - | ##extraVolumes: | + | ###extraVolumes: |
| - | ##- emptyDir: {} | + | ###- emptyDir: {} |
| - | ## name: themes | + | ### name: themes |
| #initContainers: | #initContainers: | ||
| Line 201: | Line 201: | ||
| # volumeMounts: | # volumeMounts: | ||
| # - mountPath: /opt/bitnami/keycloak/themes | # - mountPath: /opt/bitnami/keycloak/themes | ||
| - | ## name: themes | + | ### name: themes |
| # name: empty-dir | # name: empty-dir | ||
| # subPath: app-themes-dir | # subPath: app-themes-dir | ||
| Line 238: | Line 238: | ||
| Users | Users | ||
| Add User | Add User | ||
| - | user1/kcpassword1 | + | user1/kcpassword1 (Temporary: off) |
| - | В новых версиях надо ФИО и email, иначе Account is not fully set up | + | В новых версиях обязательно ФИО и email, иначе, Account is not fully set up |
| Realm settings | Realm settings | ||
| Line 266: | Line 266: | ||
| может понадобиться включить | может понадобиться включить | ||
| Direct access grants | Direct access grants | ||
| + | | ||
| + | для передачи списка групп в токене понадобится: | ||
| + | Client scopes -> | ||
| + | Create client scope -> Name: groups | ||
| + | Configure a new mapper: Groups Membership | ||
| + | Name: groups | ||
| + | Configure a new mapper: Audience !!! Для "подсовывания" токена в .kube/config | ||
| + | Name (и везде): any-client | ||
| + | |||
| + | Clients -> any-client | ||
| + | Client scopes | ||
| + | Add client scopes to any-client: groups | ||
| + | Add: Default | ||
| + | | ||
| + | Include in token scope ? | ||
| + | | ||
| + | Add to lightweight access token ? | ||
| + | |||
| + | Token Claim Name: groups | ||
| + | Full group path: No | ||
| </code> | </code> | ||
| - | ==== Проверка ==== | + | ==== Проверка получения токена ==== |
| * [[Материалы по Windows#Windows CA для Linux сервисов]] | * [[Материалы по Windows#Windows CA для Linux сервисов]] | ||
| Line 355: | Line 375: | ||
| === FreeIPA === | === FreeIPA === | ||
| + | |||
| + | * [[https://itdraft.ru/2023/03/01/nastrojka-oauth-avtorizacii-cherez-keycloak-freeipa-v-dokuwiki/|Настройка oAuth авторизации через Keycloak+FreeIPA в DokuWiki]] | ||
| + | |||
| <code> | <code> | ||
| Vendor: Other | Vendor: Other | ||
| Line 367: | Line 390: | ||
| Edit mode: READ_ONLY | Edit mode: READ_ONLY | ||
| - | Users DN: cn=users,cn=compat,dc=corpX,dc=un | + | #Users DN: cn=users,cn=compat,dc=corpX,dc=un |
| Users DN: cn=users,cn=accounts,dc=corpX,dc=un | Users DN: cn=users,cn=accounts,dc=corpX,dc=un | ||
| ... | ... | ||
| Line 374: | Line 397: | ||
| RDN LDAP attribute: uid | RDN LDAP attribute: uid | ||
| ... | ... | ||
| - | UUID LDAP attribute: ipaAnchorUUID | + | #UUID LDAP attribute: ipaAnchorUUID |
| - | UUID LDAP attribute: uid | + | #UUID LDAP attribute: uid |
| + | UUID LDAP attribute: ipaUniqueID | ||
| + | |||
| + | Mappers -> | ||
| + | |||
| + | Name: first name | ||
| + | LDAP Attribute: givenname | ||
| + | |||
| + | Name: groups | ||
| + | Mapper type: group-ldap-mapper | ||
| + | LDAP Groups DN: cn=groups,cn=accounts,dc=corpX,dc=un | ||
| + | Relative creation DN: cn | ||
| + | Group Name LDAP Attribute: cn | ||
| </code> | </code> | ||
сервис_keycloak.1764835644.txt.gz · Last modified: 2025/12/04 11:07 by val
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
