Integrating Red Hat Single Sign-On version 7.4 with Red Hat Directory Server (LDAP)

Integrating Red Hat Single Sign-On version 7.4 with Red Hat Directory Server (LDAP)

This article describes the integration of Red Hat Single Sign-On (SSO) with Red Hat Directory Server 11 (LDAP). It also illustrates how it is possible to perform user synchronization and group synchronization between Red Hat Directory Server and Red Hat’s single sign-on tools.

Install Red Hat Directory Server 11

To install Red Hat Directory Server 11, you first need an active Red Hat Directory Server subscription (which you can get using the subscription-manager). Once you have this, do the following.

Install the Red Hat Directory Server 11 package

Install the Red Hat Directory Server 11 package with:

# yum module install redhat-ds:11

For more details, see chapter: 1.1. Installing the Directory Server packages.

Create a Red Hat Directory Server instance

Create a new LDAP instance on port 2389, with the database suffix dc=example,dc=com:

dscreate interactive
Install Directory Server (interactive mode)

Enter system's hostname [host1.remote.csb]:

Enter the instance name [jdoe]: ds2389

Enter port number []: 2389

Create self-signed certificate database [yes]:

Enter secure port number []: 2636

Enter Directory Manager DN [cn=Directory Manager]:

Enter the Directory Manager password: 
Confirm the Directory Manager Password:

Enter the database suffix (or enter "none" to skip) [dc=jdoe,dc=remote,dc=csb]: dc=example,dc=com

Create sample entries in the suffix [no]: yes
Do you want to start the instance after the installation? [yes]:

Are you ready to install? [no]: yes
Starting installation...
Completed installation for ds2389

Populate the ds2389 instance

Populate the new instance ds2389 with  the-existing example Example.ldif using the command ldif2db. To do so:

  1. Stop the ds2389 instance:
# dsctl ds2389 stop
Instance "ds2389" has been stopped
  1. Import the ldif example:
# dsctl ds2389 ldif2db userroot /usr/share/dirsrv/data/Example.ldif
ldif2db successful
  1. Restart the instance:
# dsctl ds2389 start
Instance "ds2389" has been started
  1. Set the instance to start automatically when the machine boots:
# systemctl enable dirsrv@ds2389

Note: For more information, see the Red Hat Directory Server documentation: 1.5. STARTING AND STOPPING A DIRECTORY SERVER INSTANCE.

Connect to the LDAP instance

Connect to the LDAP instance with an LDAP browser, such as JXplorer.

The information to connect are:

Connection URL: ldap://localhost:2389
Username: cn=Directory Manager
password: <ds28389-password>
JXplorer showing an example LDAP entry.

Figure 1: Explore the example ldif in JXplorer.

Install and deploy a Red Hat SSO instance

Now it’s time to install and deploy your Red Hat Single Sign-On instance.

Install Red Hat SSO

To install Red Hat SSO:

  1. Download the rh-sso zip distribution.
  2. Unzip rh-sso with:
unzip rh-sso-<release-number>.zip

For further details about installation, see Getting Guide Started Guide, section  2.1. Installing the Server.

Red Hat SSO instance deployment

To boot the Red Hat Single Sign-On server, go to the bin directory of the server distribution and run the standalone boot script:

cd bin
./standalone.sh
  • Open http://localhost:8080/auth in your web browser. The welcome page will indicate that the server is running.
  • Enter a username and password to create an initial admin user.
  • Create an LDAP Realm as shown in Figure 2.
RH-SSO admin console with ldap realm

Figure 2: RH-SSO admin console with ldap realm

Integrate Red Hat’s single sign-on tools and Red Hat Directory Server

Now that you have Red Hat’s single sign-on tools installed, you have a dedicated realm for your LDAP test. Do the following to set up the integration.

Federate LDAP users

In order to connect to the running Red Hat Directory Server ds2389 instance, select the User Federation tab, and select ldap provider. In addition, you have to provide the following information:

  • Vendor: Red Hat Directory Server
  • Username LDAP attribute: uid
  • RDN LDAP attribute: cn
  • UUID LDAP attribute: nsuniqueid
  • User Object Classes: InetOrgPerson, organizatioalPerson
  • Connection URL: ldap://localhost:2389
  • Users DN: ou=people,dc=example,dc=com
  • Bind Type: simple
  • Bind DN: cn=Directory Manager
  • Search Scope: Subtree

For the other fields, pick the default purpose value, as shown in Figure 3.

Configure your LDAP provider for user federation.

Figure 3: Configure your LDAP provider for user federation.

Synchronize single sign-on and LDAP users

Once all of the settings are entered, you can synchronize users either manually or automatically using the Sync Settings, as shown in Figure 4.

Under Sync Settings is Cache Settings, which has buttons. Either Synchronize button lets you sync LDAP & SSO users.

Figure 4: Synchronize your SSO and LDAP users.

To synchronize users:

  • Manually: Select either Synchronize all users or Synchronized changed users. The command Synchronize all users can be quite lengthy if you have a large number of LDAP users.
  • Automatically: Select either Periodic Full Sync or Periodic Changed Users Sync, based on the delta. The most efficient and less time-consuming option is to use a Periodic Changed Users Sync.

Once the sync finishes, your LDAP users become visible at the SSO level as shown in Figure 5. When synchronization is active, newly created LDAP users will also be synchronized and created at this level (upon the next synchronization).

Ldaptest > Manage > Users with the LDAP users now populated

Figure 5: Verify that your LDAP users now show up.

Synchronize Red Hat Single Sign On and Red Hat Directory Server via groups

It is also possible to perform group synchronization between Red Hat Directory Server and Red Hat’s single sign-on tools. In order to achieve this, you have to create a mapper of type group-ldap-mapper.

Configure a group LDAP mapper

In the Group-ldap-mapper section, provide the following fields:

  • Mapper Type: group-ldap-mapper
  • LDAP Groups DN: ou=groups,dc=example,dc=com
  • Group Name LDAP Attribute: cn
  • Group Object Classes: groupOfUniqueNames
  • Membership LDAP Attribute: uniqueMember
  • Membership User LDAP Attribute: uid
  • Member-Of LDAP Attribute: memberOf

For all the other fields, pick the default value as shown in Figure 6.

Ldaptest > User Federation > Group-ldap-mapper filled in with the specified values.

Figure 6: Synchronize your SSO and LDAP groups.

3.2 Synchronize your groups

It is only possible to perform group synchronization manually. You can perform group synchronization from Red Hat’s single sign-on tools to LDAP with the Sync Ldap Group to Keycloak button, and also from LDAP to Red Hat’s single sign-on tools with the Sync Keycloak Groups to LDAP button.

After group synchronization, all of the groups have been imported into SSO with their corresponding members, as shown in Figure 7.

Ldaptest > Manage > Groups with the LDAP groups now added and populated

Figure 7: Verify that your LDAP groups now show up.

Share