
Getting started with Keycloak/Apricot #54

Open
tamama-plb opened this issue Nov 5, 2024 · 6 comments

Comments

@tamama-plb

tamama-plb commented Nov 5, 2024

Greetings,

I use apricot release 0.0.7.

I use docker compose. Here is my env:

```
DEBUG=true

PORT=2389
BACKEND="Keycloak"

KEYCLOAK_BASE_URL="https://auth.tamama.io"
KEYCLOAK_REALM="robo-tamama"

CLIENT_ID="app--apricot"
CLIENT_SECRET="0123456789abcdef"

DOMAIN="dc=tamama,dc=io"
```

Ultimate goal - something like this:

```
uid=tamama,ou=users,dc=tamama,dc=io
gid=role-admin,ou=groups,dc=tamama,dc=io
```

However, when I do a smoke test:

```
[tamama@tamama-1 robo-tamama-kernel-security-keycloak]$ ldapsearch -H ldap://172.21.1.1:2389 -D uid=tamama -b dc=tamama,dc=io
ldap_bind: Protocol error (2)
        additional info: LDAP bind request failed. Expecting value: line 1 column 1 (char 0)
[tamama@tamama-1 robo-tamama-kernel-security-keycloak]$ 
```

Any quick advice or getting-started guide on this?

Thank you in advance.


  • I confirm that the Keycloak backend is working OK with:

```
POST https://auth.tamama.io/realms/robo-tamama/protocol/openid-connect/token
{
      "grant_type": "client_credentials",
      "client_id": "app--apricot",
      "client_secret": "xxxxxxxxx"
}
```

which returns me the right access token.

I can share with you the `client_secret` over DM of course... 
@jemrobinson
Member

Can you post the output from the apricot server? I don't think the output from ldapsearch will be enough to debug this.

@tamama-plb
Author

Sure thing.

Cmd:

```
[tamama@tamama-1 robo-tamama-kernel-security-keycloak]$ ldapsearch -H ldap://172.21.1.1:2389 -D uid=tamama -b dc=tamama,dc=io
ldap_bind: Protocol error (2)
        additional info: LDAP bind request failed. Expecting value: line 1 column 1 (char 0)
[tamama@tamama-1 robo-tamama-kernel-security-keycloak]$ 
```

Debug log from Apricot:

```
robo-tamama-kernel-security-keycloak-node-1-_robo_tamama_kernel_security_keycloak_apricot-1  | 2024-11-05 20:56:38+0000 [-] Log opened.
robo-tamama-kernel-security-keycloak-node-1-_robo_tamama_kernel_security_keycloak_apricot-1  | 2024-11-05 20:56:38+0000 [-] Using a local user-id cache.
robo-tamama-kernel-security-keycloak-node-1-_robo_tamama_kernel_security_keycloak_apricot-1  | 2024-11-05 20:56:38+0000 [-] Creating an OAuthClient for OAuthBackend.KEYCLOAK.
robo-tamama-kernel-security-keycloak-node-1-_robo_tamama_kernel_security_keycloak_apricot-1  | 2024-11-05 20:56:38+0000 [-] Initialising application credential client.
robo-tamama-kernel-security-keycloak-node-1-_robo_tamama_kernel_security_keycloak_apricot-1  | 2024-11-05 20:56:38+0000 [-] Initialising delegated credential client.
robo-tamama-kernel-security-keycloak-node-1-_robo_tamama_kernel_security_keycloak_apricot-1  | 2024-11-05 20:56:38+0000 [-] Creating an LDAPServerFactory.
robo-tamama-kernel-security-keycloak-node-1-_robo_tamama_kernel_security_keycloak_apricot-1  | 2024-11-05 20:56:38+0000 [-] Attaching a listening endpoint (plain).
robo-tamama-kernel-security-keycloak-node-1-_robo_tamama_kernel_security_keycloak_apricot-1  | 2024-11-05 20:56:38+0000 [-] OAuthLDAPServerFactory starting on 2389
robo-tamama-kernel-security-keycloak-node-1-_robo_tamama_kernel_security_keycloak_apricot-1  | 2024-11-05 20:56:38+0000 [-] Starting factory OAuthLDAPServerFactory using adaptor OAuthLDAPTree with backend KeycloakClient
robo-tamama-kernel-security-keycloak-node-1-_robo_tamama_kernel_security_keycloak_apricot-1  | 2024-11-05 20:56:38+0000 [-] Starting the Twisted reactor.

robo-tamama-kernel-security-keycloak-node-1-_robo_tamama_kernel_security_keycloak_apricot-1  | 2024-11-05 20:57:43+0000 [ReadOnlyLDAPServer,0,172.21.1.1] S<-C LDAPMessage(id=1, value=LDAPBindRequest(version=3, dn=b'uid=tamama', auth='', sasl=False), controls=None)
robo-tamama-kernel-security-keycloak-node-1-_robo_tamama_kernel_security_keycloak_apricot-1  | 2024-11-05 20:57:43+0000 [ReadOnlyLDAPServer,0,172.21.1.1] Handling an LDAP bind request.
robo-tamama-kernel-security-keycloak-node-1-_robo_tamama_kernel_security_keycloak_apricot-1  | 2024-11-05 20:57:43+0000 [ReadOnlyLDAPServer,0,172.21.1.1] Starting an LDAP lookup for 'uid=tamama'.
robo-tamama-kernel-security-keycloak-node-1-_robo_tamama_kernel_security_keycloak_apricot-1  | 2024-11-05 20:57:43+0000 [ReadOnlyLDAPServer,0,172.21.1.1] Retrieving OAuth data.
robo-tamama-kernel-security-keycloak-node-1-_robo_tamama_kernel_security_keycloak_apricot-1  | 2024-11-05 20:57:43+0000 [ReadOnlyLDAPServer,0,172.21.1.1] Requesting a new authentication token from the OAuth backend.
robo-tamama-kernel-security-keycloak-node-1-_robo_tamama_kernel_security_keycloak_apricot-1  | 2024-11-05 20:57:44+0000 [ReadOnlyLDAPServer,0,172.21.1.1] S->C LDAPMessage(id=1, value=LDAPBindResponse(resultCode=2, errorMessage='LDAP bind request failed. Expecting value: line 1 column 1 (char 0)'), controls=None)
robo-tamama-kernel-security-keycloak-node-1-_robo_tamama_kernel_security_keycloak_apricot-1  | 2024-11-05 20:57:44+0000 [ReadOnlyLDAPServer,0,172.21.1.1] S<-C LDAPMessage(id=2, value=LDAPUnbindRequest(), controls=None)
robo-tamama-kernel-security-keycloak-node-1-_robo_tamama_kernel_security_keycloak_apricot-1  | 2024-11-05 20:57:44+0000 [ReadOnlyLDAPServer,0,172.21.1.1] Handling an LDAP unbind request.
```
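Two details in the thread point at where to look: the bind request in the debug log carries an empty password (`auth=''`, since `ldapsearch` was run without `-w`/`-W`), and the text "Expecting value: line 1 column 1 (char 0)" is exactly what Python's `json.loads` raises when handed an empty or non-JSON body, so the failure is in reading the reply from the token endpoint, not in the LDAP layer. The script below is an added diagnostic written for this issue, not Apricot's own code: it performs the same `client_credentials` call the reporter tested (sent form-encoded, as the OAuth 2.0 token endpoint requires) and classifies the reply so an empty body, an HTML login/redirect page, or a rejected client secret each get a distinct message. The environment variable names are the ones from the reporter's `.env`; the sample replies are constructed, not captured from the reporter's server.

```python
"""Diagnose a Keycloak token-endpoint reply that Apricot cannot parse.

Added example for this issue; not part of the Apricot project.
"""
import json
import os
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass


@dataclass
class TokenResponse:
    """Minimal view of one HTTP reply from the token endpoint."""
    status: int
    content_type: str
    body: bytes


def diagnose_token_response(resp: TokenResponse) -> tuple:
    """Classify a token-endpoint reply.

    Returns (True, access_token) on success, otherwise (False, reason).
    An empty body or an HTML page fails json.loads with the very message
    quoted in the issue, 'Expecting value: line 1 column 1 (char 0)'.
    """
    text = resp.body.decode("utf-8", errors="replace")
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        snippet = text[:60].replace("\n", " ")
        return False, (
            f"non-JSON body from token endpoint (HTTP {resp.status}, "
            f"Content-Type {resp.content_type or 'missing'}): {exc}; "
            f"body starts {snippet!r}"
        )
    if resp.status != 200:
        # Keycloak reports client errors as JSON with error/error_description.
        return False, f"HTTP {resp.status}: {data.get('error')} - {data.get('error_description')}"
    token = data.get("access_token")
    if not token:
        return False, "HTTP 200 but no access_token field in the JSON reply"
    return True, token


def fetch_token(base_url: str, realm: str, client_id: str, client_secret: str,
                timeout: float = 10) -> TokenResponse:
    """POST the client_credentials grant exactly as the reporter tested it."""
    url = f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    req = urllib.request.Request(url, data=form, method="POST",
                                 headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            return TokenResponse(r.status, r.headers.get("Content-Type", ""), r.read())
    except urllib.error.HTTPError as e:
        # 4xx replies still carry a JSON body worth inspecting.
        return TokenResponse(e.code, e.headers.get("Content-Type", ""), e.read())


# Constructed sample replies (assumed shapes, not captured from the reporter's server).
SAMPLE_EMPTY = TokenResponse(200, "", b"")
SAMPLE_HTML = TokenResponse(302, "text/html", b"<html><body>Moved</body></html>")
SAMPLE_BAD_SECRET = TokenResponse(
    401, "application/json",
    b'{"error":"unauthorized_client","error_description":"Invalid client or Invalid client credentials"}',
)
SAMPLE_OK = TokenResponse(200, "application/json",
                          b'{"access_token":"eyJ.example.token","expires_in":300}')


if __name__ == "__main__":
    # Reads the same variable names as the reporter's .env file.
    live = fetch_token(
        os.environ["KEYCLOAK_BASE_URL"], os.environ["KEYCLOAK_REALM"],
        os.environ["CLIENT_ID"], os.environ["CLIENT_SECRET"],
    )
    ok, detail = diagnose_token_response(live)
    print("OK, token obtained" if ok else f"FAILED: {detail}")
```

Run it from the same host and network namespace as the Apricot container, with the `.env` exported, so that a proxy, a TLS interception appliance, or a container-side DNS difference between the two environments shows up as the HTML or empty body it actually is rather than as an LDAP protocol error.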

@tamama-plb
Author

@jemrobinson Please do not hesitate to ask me for further details to help in your debugging. Thank you!

@jemrobinson
Member

@tamama-plb : Thanks - I'm a bit busy at the moment but I'll come back to this. I'll probably have to make a separate Docker container release for this (with a bit more debug info) and I'll let you know when that's done.

@jemrobinson
Member

@tamama-plb : Did you find a fix for this? Sorry, I haven't had time to look into it yet.

@jemrobinson jemrobinson reopened this Nov 25, 2024
@tamama-plb
Author

@jemrobinson No worries, I found an alternative solution for the time being (i.e. Keycloak -> Authentik -> LDAP). No rush, I would be happy to help test your new patch whenever you are ready.
:)
