ehehHEAD main

author: hc <haocheng.xie@respiree.com> 2026-02-20 11:46:25 +0800
committer: hc <haocheng.xie@respiree.com> 2026-02-20 11:46:25 +0800
commit: 712c7be06ba24bc427792bfa29d3d7c5c88b06dd (patch)
tree: b1e034c4f1a91fcdee073c5224ab850d31d601e5 /SETUP.md
1 files changed, 238 insertions, 0 deletions
diff --git a/SETUP.md b/SETUP.md
new file mode 100644
index 0000000..fafc7a5
--- /dev/null
+++ b/SETUP.md
@@ -0,0 +1,238 @@
+# OpenLDAP + Keycloak OIDC Lab Setup
+A Docker-based lab for testing SSO with OIDC on Apple Silicon (M1/M2/M3).
+## Quick Start
+```bash
+docker compose up -d
+```
+## Access Points
+| Service | URL | Credentials |
+|---------|-----|-------------|
+| **Keycloak** | http://localhost:8080 | admin / admin |
+| **LDAP Admin** | http://localhost:8081 | See below |
+| **OpenLDAP** | ldap://localhost:389 | See below |
+---
+## Step 1: Login to LDAP Admin
+1. Open http://localhost:8081
+2. Click **"login"** on the left sidebar
+3. Enter:
+| Field | Value |
+|-------|-------|
+| Login DN | `cn=admin,dc=lab,dc=local` |
+| Password | `admin123` |
+---
+## Step 2: Create Test Users in LDAP
+### Option A: Via Command Line
+**1. Create organizational unit for users:**
+```bash
+printf 'dn: ou=users,dc=lab,dc=local\nobjectClass: organizationalUnit\nou: users\n' | docker exec -i openldap ldapadd -x -H ldap://localhost -D "cn=admin,dc=lab,dc=local" -w admin123
+```
+**2. Create test user:**
+```bash
+printf 'dn: cn=testuser,ou=users,dc=lab,dc=local\nobjectClass: inetOrgPerson\ncn: testuser\nsn: User\ngivenName: Test\nuid: testuser\nuserPassword: Password123\nmail: testuser@lab.local\n' | docker exec -i openldap ldapadd -x -H ldap://localhost -D "cn=admin,dc=lab,dc=local" -w admin123
+```
+**3. Create another user:**
+```bash
+printf 'dn: cn=jdoe,ou=users,dc=lab,dc=local\nobjectClass: inetOrgPerson\ncn: jdoe\nsn: Doe\ngivenName: John\nuid: jdoe\nuserPassword: Password123\nmail: jdoe@lab.local\n' | docker exec -i openldap ldapadd -x -H ldap://localhost -D "cn=admin,dc=lab,dc=local" -w admin123
+```
+### Option B: Via LDAP Admin UI
+1. Login to http://localhost:8081
+2. Expand `dc=lab,dc=local` in the tree
+3. Click "Create new entry here"
+4. Select "Generic: Organisational Unit" → name it `users`
+5. Inside `ou=users`, create "Generic: User Account"
+---
+## Step 3: Configure Keycloak
+### 3.1 Create a Realm
+1. Open http://localhost:8080
+2. Login with `admin` / `admin`
+3. Click dropdown (top-left, says "master") → **Create realm**
+4. Name: `lab`
+5. Click **Create**
+### 3.2 Add LDAP User Federation
+1. Go to **User federation** (left menu, bottom)
+2. Click **Add Ldap providers**
+3. Fill in:
+| Setting | Value |
+|---------|-------|
+| UI display name | `OpenLDAP` |
+| Vendor | `Other` |
+| Connection URL | `ldap://openldap:389` |
+| Bind DN | `cn=admin,dc=lab,dc=local` |
+| Bind credentials | `admin123` |
+| Edit mode | `WRITABLE` |
+| Users DN | `ou=users,dc=lab,dc=local` |
+| Username LDAP attribute | `uid` |
+| RDN LDAP attribute | `cn` |
+| UUID LDAP attribute | `entryUUID` |
+| User object classes | `inetOrgPerson` |
+4. Click **Save**
+5. Click **Action**(top right) dropdown → **Sync all users**
+### 3.3 Verify Users Synced
+1. Go to **Users** (left menu)
+2. Click **View all users**
+3. You should see `testuser` and `jdoe`
+---
+## Step 4: Create an OIDC Client
+1. Go to **Clients** → **Create client**
+2. Fill in:
+   - Client type: `OpenID Connect`
+   - Client ID: `my-test-app`
+   - Click **Next**
+3. Client authentication: `On`
+4. Click **Next**
+5. Valid redirect URIs: `http://localhost:3000/*`
+   - Also add: `https://oidcdebugger.com/debug`
+6. Click **Save**
+7. Go to **Credentials** tab → Copy the **Client secret**
+---
+## Step 5: Test OIDC
+### OIDC Discovery Endpoint
+```
+http://localhost:8080/realms/lab/.well-known/openid-configuration
+```
+### Test with OIDC Debugger (easiest)
+1. Go to https://oidcdebugger.com
+2. Fill in:
+| Field | Value |
+|-------|-------|
+| Authorize URI | `http://localhost:8080/realms/lab/protocol/openid-connect/auth` |
+| Redirect URI | `https://oidcdebugger.com/debug` |
+| Client ID | `my-test-app` |
+| Scope | `openid profile email` |
+| Response type | `code` |
+3. Click **Send Request**
+4. Login with `testuser` / `Password123`
+5. You'll get an authorization code back
+### Test with curl
+```bash
+# Get token using password grant (for testing only)
+curl -X POST http://localhost:8080/realms/lab/protocol/openid-connect/token \
+  -H "Content-Type: application/x-www-form-urlencoded" \
+  -d "client_id=my-test-app" \
+  -d "client_secret=YOUR_CLIENT_SECRET" \
+  -d "grant_type=password" \
+  -d "username=testuser" \
+  -d "password=Password123" | jq
+```
+### Decode the Token
+Copy the `access_token` or `id_token` and paste at https://jwt.io to see the claims.
+---
+## Architecture
+```
+┌─────────────────────────────────────────────┐
+│           Your App / OIDC Debugger          │
+└──────────────────┬──────────────────────────┘
+                   │ OIDC (authorize, token)
+                   ▼
+┌─────────────────────────────────────────────┐
+│              Keycloak :8080                 │
+│         (Identity Provider)                 │
+└──────────────────┬──────────────────────────┘
+                   │ LDAP bind (auth check)
+                   ▼
+┌─────────────────────────────────────────────┐
+│             OpenLDAP :389                   │
+│           (User Directory)                  │
+└─────────────────────────────────────────────┘
+```
+---
+## Useful Commands
+```bash
+# View logs
+docker compose logs -f
+# List LDAP users
+docker exec openldap ldapsearch -x -H ldap://localhost -b "dc=lab,dc=local" -D "cn=admin,dc=lab,dc=local" -w "admin123"
+# Reset user password
+docker exec openldap ldappasswd -x -D "cn=admin,dc=lab,dc=local" -w "admin123" -s "NewPass123!" "cn=testuser,ou=users,dc=lab,dc=local"
+# Delete a user
+docker exec openldap ldapdelete -x -D "cn=admin,dc=lab,dc=local" -w "admin123" "cn=testuser,ou=users,dc=lab,dc=local"
+# Stop everything
+docker compose down
+# Stop and delete all data
+docker compose down -v
+```
+---
+## Troubleshooting
+**Keycloak can't connect to LDAP:**
+- Verify OpenLDAP is running: `docker compose ps`
+- Test connection: `docker exec keycloak curl -v ldap://openldap:389`
+**Users not syncing:**
+- Make sure `ou=users` exists in LDAP
+- Check Users DN is: `ou=users,dc=lab,dc=local`
+- Try "Sync all users" again in Keycloak
+**LDAP Admin won't login:**
+- Use full DN: `cn=admin,dc=lab,dc=local`
+- Password: `admin123`
+**Port 389 already in use:**
+- Change port in docker-compose.yml: `"3389:389"`
+- Update Keycloak connection URL accordingly
+---
+## Next Steps
+- [ ] Test SAML SSO (Keycloak supports both OIDC and SAML)
+- [ ] Add MFA/2FA in Keycloak
+- [ ] Try social login (Google, GitHub) alongside LDAP users
+- [ ] Build a sample app that uses OIDC login
+- [ ] Explore Keycloak themes and branding
author	hc <haocheng.xie@respiree.com>	2026-02-20 11:46:25 +0800
committer	hc <haocheng.xie@respiree.com>	2026-02-20 11:46:25 +0800
commit	712c7be06ba24bc427792bfa29d3d7c5c88b06dd (patch)
tree	b1e034c4f1a91fcdee073c5224ab850d31d601e5 /SETUP.md

diff --git a/SETUP.md b/SETUP.md new file mode 100644 index 0000000..fafc7a5 --- /dev/null +++ b/SETUP.md
@@ -0,0 +1,238 @@
	1	# OpenLDAP + Keycloak OIDC Lab Setup
	2
	3	A Docker-based lab for testing SSO with OIDC on Apple Silicon (M1/M2/M3).
	4
	5	## Quick Start
	6
	7	```bash
	8	docker compose up -d
	9	```
	10
	11
	12	## Access Points
	13
	14	\| Service \| URL \| Credentials \|
	15	\|---------\|-----\|-------------\|
	16	\| Keycloak \| http://localhost:8080 \| admin / admin \|
	17	\| LDAP Admin \| http://localhost:8081 \| See below \|
	18	\| OpenLDAP \| ldap://localhost:389 \| See below \|
	19
	20	---
	21
	22	## Step 1: Login to LDAP Admin
	23
	24	1. Open http://localhost:8081
	25	2. Click "login" on the left sidebar
	26	3. Enter:
	27
	28	\| Field \| Value \|
	29	\|-------\|-------\|
	30	\| Login DN \| `cn=admin,dc=lab,dc=local` \|
	31	\| Password \| `admin123` \|
	32
	33	---
	34
	35	## Step 2: Create Test Users in LDAP
	36
	37	### Option A: Via Command Line
	38
	39	1. Create organizational unit for users:
	40	```bash
	41	printf 'dn: ou=users,dc=lab,dc=local\nobjectClass: organizationalUnit\nou: users\n' \| docker exec -i openldap ldapadd -x -H ldap://localhost -D "cn=admin,dc=lab,dc=local" -w admin123
	42	```
	43
	44	2. Create test user:
	45	```bash
	46	printf 'dn: cn=testuser,ou=users,dc=lab,dc=local\nobjectClass: inetOrgPerson\ncn: testuser\nsn: User\ngivenName: Test\nuid: testuser\nuserPassword: Password123\nmail: testuser@lab.local\n' \| docker exec -i openldap ldapadd -x -H ldap://localhost -D "cn=admin,dc=lab,dc=local" -w admin123
	47	```
	48
	49	3. Create another user:
	50	```bash
	51	printf 'dn: cn=jdoe,ou=users,dc=lab,dc=local\nobjectClass: inetOrgPerson\ncn: jdoe\nsn: Doe\ngivenName: John\nuid: jdoe\nuserPassword: Password123\nmail: jdoe@lab.local\n' \| docker exec -i openldap ldapadd -x -H ldap://localhost -D "cn=admin,dc=lab,dc=local" -w admin123
	52	```
	53
	54	### Option B: Via LDAP Admin UI
	55
	56	1. Login to http://localhost:8081
	57	2. Expand `dc=lab,dc=local` in the tree
	58	3. Click "Create new entry here"
	59	4. Select "Generic: Organisational Unit" → name it `users`
	60	5. Inside `ou=users`, create "Generic: User Account"
	61
	62	---
	63
	64	## Step 3: Configure Keycloak
	65
	66	### 3.1 Create a Realm
	67
	68	1. Open http://localhost:8080
	69	2. Login with `admin` / `admin`
	70	3. Click dropdown (top-left, says "master") → Create realm
	71	4. Name: `lab`
	72	5. Click Create
	73
	74	### 3.2 Add LDAP User Federation
	75
	76	1. Go to User federation (left menu, bottom)
	77	2. Click Add Ldap providers
	78	3. Fill in:
	79
	80	\| Setting \| Value \|
	81	\|---------\|-------\|
	82	\| UI display name \| `OpenLDAP` \|
	83	\| Vendor \| `Other` \|
	84	\| Connection URL \| `ldap://openldap:389` \|
	85	\| Bind DN \| `cn=admin,dc=lab,dc=local` \|
	86	\| Bind credentials \| `admin123` \|
	87	\| Edit mode \| `WRITABLE` \|
	88	\| Users DN \| `ou=users,dc=lab,dc=local` \|
	89	\| Username LDAP attribute \| `uid` \|
	90	\| RDN LDAP attribute \| `cn` \|
	91	\| UUID LDAP attribute \| `entryUUID` \|
	92	\| User object classes \| `inetOrgPerson` \|
	93
	94	4. Click Save
	95	5. Click Action(top right) dropdown → Sync all users
	96
	97	### 3.3 Verify Users Synced
	98
	99	1. Go to Users (left menu)
	100	2. Click View all users
	101	3. You should see `testuser` and `jdoe`
	102
	103	---
	104
	105	## Step 4: Create an OIDC Client
	106
	107	1. Go to Clients → Create client
	108	2. Fill in:
	109	- Client type: `OpenID Connect`
	110	- Client ID: `my-test-app`
	111	- Click Next
	112	3. Client authentication: `On`
	113	4. Click Next
	114	5. Valid redirect URIs: `http://localhost:3000/*`
	115	- Also add: `https://oidcdebugger.com/debug`
	116	6. Click Save
	117	7. Go to Credentials tab → Copy the Client secret
	118
	119	---
	120
	121	## Step 5: Test OIDC
	122
	123	### OIDC Discovery Endpoint
	124
	125	```
	126	http://localhost:8080/realms/lab/.well-known/openid-configuration
	127	```
	128
	129	### Test with OIDC Debugger (easiest)
	130
	131	1. Go to https://oidcdebugger.com
	132	2. Fill in:
	133
	134	\| Field \| Value \|
	135	\|-------\|-------\|
	136	\| Authorize URI \| `http://localhost:8080/realms/lab/protocol/openid-connect/auth` \|
	137	\| Redirect URI \| `https://oidcdebugger.com/debug` \|
	138	\| Client ID \| `my-test-app` \|
	139	\| Scope \| `openid profile email` \|
	140	\| Response type \| `code` \|
	141
	142	3. Click Send Request
	143	4. Login with `testuser` / `Password123`
	144	5. You'll get an authorization code back
	145
	146	### Test with curl
	147
	148	```bash
	149	# Get token using password grant (for testing only)
	150	curl -X POST http://localhost:8080/realms/lab/protocol/openid-connect/token \
	151	-H "Content-Type: application/x-www-form-urlencoded" \
	152	-d "client_id=my-test-app" \
	153	-d "client_secret=YOUR_CLIENT_SECRET" \
	154	-d "grant_type=password" \
	155	-d "username=testuser" \
	156	-d "password=Password123" \| jq
	157	```
	158
	159	### Decode the Token
	160
	161	Copy the `access_token` or `id_token` and paste at https://jwt.io to see the claims.
	162
	163	---
	164
	165	## Architecture
	166
	167	```
	168	┌─────────────────────────────────────────────┐
	169	│ Your App / OIDC Debugger │
	170	└──────────────────┬──────────────────────────┘
	171	│ OIDC (authorize, token)
	172	▼
	173	┌─────────────────────────────────────────────┐
	174	│ Keycloak :8080 │
	175	│ (Identity Provider) │
	176	└──────────────────┬──────────────────────────┘
	177	│ LDAP bind (auth check)
	178	▼
	179	┌─────────────────────────────────────────────┐
	180	│ OpenLDAP :389 │
	181	│ (User Directory) │
	182	└─────────────────────────────────────────────┘
	183	```
	184
	185	---
	186
	187	## Useful Commands
	188
	189	```bash
	190	# View logs
	191	docker compose logs -f
	192
	193	# List LDAP users
	194	docker exec openldap ldapsearch -x -H ldap://localhost -b "dc=lab,dc=local" -D "cn=admin,dc=lab,dc=local" -w "admin123"
	195
	196	# Reset user password
	197	docker exec openldap ldappasswd -x -D "cn=admin,dc=lab,dc=local" -w "admin123" -s "NewPass123!" "cn=testuser,ou=users,dc=lab,dc=local"
	198
	199	# Delete a user
	200	docker exec openldap ldapdelete -x -D "cn=admin,dc=lab,dc=local" -w "admin123" "cn=testuser,ou=users,dc=lab,dc=local"
	201
	202	# Stop everything
	203	docker compose down
	204
	205	# Stop and delete all data
	206	docker compose down -v
	207	```
	208
	209	---
	210
	211	## Troubleshooting
	212
	213	Keycloak can't connect to LDAP:
	214	- Verify OpenLDAP is running: `docker compose ps`
	215	- Test connection: `docker exec keycloak curl -v ldap://openldap:389`
	216
	217	Users not syncing:
	218	- Make sure `ou=users` exists in LDAP
	219	- Check Users DN is: `ou=users,dc=lab,dc=local`
	220	- Try "Sync all users" again in Keycloak
	221
	222	LDAP Admin won't login:
	223	- Use full DN: `cn=admin,dc=lab,dc=local`
	224	- Password: `admin123`
	225
	226	Port 389 already in use:
	227	- Change port in docker-compose.yml: `"3389:389"`
	228	- Update Keycloak connection URL accordingly
	229
	230	---
	231
	232	## Next Steps
	233
	234	- [ ] Test SAML SSO (Keycloak supports both OIDC and SAML)
	235	- [ ] Add MFA/2FA in Keycloak
	236	- [ ] Try social login (Google, GitHub) alongside LDAP users
	237	- [ ] Build a sample app that uses OIDC login
	238	- [ ] Explore Keycloak themes and branding