Keycloak + LDAP + SSH + PAM


Xavier Millieret

Apr 20, 2020, 4:42:16 AM
to Keycloak User
Hi all,

I am trying to delegate all authentication to Keycloak, and in particular SSH connections.

I have an OpenLDAP + phpLDAPadmin on a Docker container.
I have Keycloak on a Docker container too. I have a user federation with my LDAP; this one works: I have a connection with my LDAP and I can retrieve all users coming from my LDAP container.
I have Debian 10 on a Docker container too.

On my /etc/pam.d/sshd I added this:
auth required pam_exec.so expose_authtok log=/var/log/ssh/pam.log /opt/pam-exec-oauth2/pam-exec-oauth2

In my pam-exec-oauth2.yaml I set this:

{
    client-id: "ssh-demo",
    client-secret: "8872083d-a797-4d25-a516-5bbea961645d",
    redirect-url: "urn:ietf:wg:oauth:2.0:oob",
    scopes: ["openid"],
    extra-parameters: {
    },
    username-format: "%s",
}
When I try to make an SSH connection to my Debian 10, it works for users defined in Keycloak, but not for users coming from LDAP.
But I can retrieve a token for a user (defined in LDAP) with this:

curl -d "client_id=ssh-demo" -d "client_secret=**********" -d "username=adam" -d "password=****" -d "grant_type=password" "http://172.17.0.2:8180/auth/realms/demo/protocol/openid-connect/token"

{"access_token":"eyJhbGciOiJSUzI1NiIsIn.............","token_type":"bearer","not-before-policy":0,"session_state":"13d78c2c-7b58-411c-8836-f1b81b40f34d","scope":"profile email"}
 
If I set up my Debian 10 with libnss-ldapd directly, with all configuration to reach my OpenLDAP, it works.

So, what is wrong?


Thanks a lot for any comment to help me with this configuration.

Regards

MX

Xavier Millieret

Apr 21, 2020, 11:09:21 AM
to Keycloak User
Complementary information:

In my pam.log, I had:
Using config file: /opt/pam-exec-oauth2/pam-exec-oauth2.yaml
oauth2: cannot fetch token: 401 Unauthorized
Response: {"error":"invalid_grant","error_description":"Invalid user credentials"}

Keycloak or pam-exec-oauth2?

Regards
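As an added example (not the pam-exec-oauth2 helper's own code, and not from any post in this thread): a minimal Python stand-in for a pam_exec helper of the kind configured in the first post. It performs the same password grant the curl command above sends, reads the username from the PAM_USER environment variable and the password from stdin as `expose_authtok` delivers it, and maps the token endpoint's OAuth2 error code to the first thing to check. TOKEN_URL, the client values and the hint texts are assumptions for this example; the error codes are the standard ones from RFC 6749 section 5.2, and `invalid_grant` with `Invalid user credentials` is the one shown in the pam.log above.

```python
"""
Minimal pam_exec helper for the OAuth2 password grant (RFC 6749 section 4.3).
Added example only; NOT the pam-exec-oauth2 project's code. TOKEN_URL,
CLIENT_ID, CLIENT_SECRET and the ERROR_HINTS texts are assumptions.
"""
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

# Constructed placeholders: point these at your own realm and client.
TOKEN_URL = "http://keycloak.example/auth/realms/demo/protocol/openid-connect/token"
CLIENT_ID = "ssh-demo"
CLIENT_SECRET = "CLIENT_SECRET_PLACEHOLDER"

# RFC 6749 error codes -> what to check first. The codes are standard;
# the hint wording is ours (assumption), not Keycloak's.
ERROR_HINTS = {
    "invalid_grant": "the IdP rejected the username/password it was given",
    "invalid_client": "client_id/client_secret in the helper config do not match",
    "unauthorized_client": "this client may not use the password grant",
    "invalid_scope": "the requested scope is not permitted for this client",
}


def build_request(username, password, username_format="%s"):
    """Form-encode the password grant the same way the curl command does.
    username_format mirrors the helper's username-format setting."""
    fields = {
        "grant_type": "password",
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "username": username_format % username,
        "password": password,
        "scope": "openid",
    }
    return urllib.parse.urlencode(fields).encode()


def classify(status, body):
    """Map HTTP status + JSON body to (pam_ok, reason); never echoes secrets."""
    try:
        data = json.loads(body)
    except ValueError:
        return False, "non-JSON response (HTTP %d); wrong token URL?" % status
    if status == 200 and data.get("access_token"):
        return True, "token issued"
    code = data.get("error", "unknown")
    hint = ERROR_HINTS.get(code, "unrecognised error code")
    return False, "%s (HTTP %d): %s" % (code, status, hint)


def http_post(url, body):
    """Real transport: returns (status, response_text). Replaced in tests."""
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def authenticate(username, password, post=http_post):
    """Run one password grant and classify the outcome."""
    status, text = post(TOKEN_URL, build_request(username, password))
    return classify(status, text)


def main():
    # pam_exec exports PAM_USER; with expose_authtok the password arrives on
    # stdin (pam_exec writes it with a trailing NUL), so cut at the first NUL.
    user = os.environ.get("PAM_USER")
    if not user:
        sys.exit(1)
    password = sys.stdin.read().split("\0", 1)[0].rstrip("\n")
    ok, reason = authenticate(user, password)
    # Log the verdict only: never the password, never the token.
    sys.stderr.write("pam-oauth2: user=%s result=%s\n" % (user, reason))
    sys.exit(0 if ok else 1)


if __name__ == "__main__":
    main()
```

Two points this makes visible. First, `invalid_grant` is the token endpoint's own reply, so it tells you the identity provider received the credentials and rejected them; a transport or client-configuration fault shows up as a different code (or as a non-JSON body). Second, `expose_authtok` hands the clear-text password to whatever program the PAM line names, so that program should be root-owned, not writable by others, and must log outcomes rather than inputs.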

Narendra Kumar Reddy Challa

Oct 8, 2021, 4:54:04 AM
to Keycloak User
Hi Xavier, 

Were you able to solve this use case? We are looking for a similar solution to authenticate users against Keycloak/OIDC for SSH access.

Please provide any references.

Thanks,

Joel Meyer

Aug 6, 2024, 3:55:04 AM
to Keycloak User

Hi all,

We are facing a similar issue and would appreciate it if you could share how you resolved it using Keycloak OIDC. Could you please outline the steps or methods you used to address this problem?

Kind regards,
Joel Meyer
