Stuff I'm Up To

Technical Ramblings

Keycloak Cluster — November 28, 2021


As resilient as our docker build is, I’d like to extend it to a clustered instance of Keycloak. This way, I can load balance a pair of docker containers and maintain an even higher uptime. The model I’ve chosen is the standalone HA method. This gives me two Keycloak instances and a single back-end database.

I wanted to build this across a data centre in two different virtual hosts, connected to the same network. I’m also going to replicate the postgres database between systems using repmgr.

The first thing is to prepare the environment and allow firewall connections between the virtuals on TCP port 5432 (for postgres) and TCP port 7600 (for Keycloak TCPPING). Then I need access to TCP port 8080 (for the Keycloak web interface) from the load balancer. I’ll be using TLS termination on the load balancer/reverse proxy to handle the certificates.

Project Gatekeeper, Part 4 — November 3, 2021


This section focusses on the optional configuration of a custom schema for LDAP. It is entirely optional, as you can use ready-made LDAP attributes to store the data instead.

Why would we do this?

LDAP already has a number of attributes you can use to store card and PIN details, but I’d rather have a set of specific, well-named attributes that are clearly designed for the purpose. For instance, I could store a Card UID in employeeNumber, but why not have an attribute CardUID instead?
