undefined | Better HN

0 pointsznpy4y ago0 comments

Uhm, keycloak does all the things you name and more.

I have it in production at work. Three instances, clustered (infinispan), running in docker containers orchestrated by kubernetes.

Each instance (pod) is upper-limited to 2gb ram (or 3, can't recall the details now).

It works very well and very reliably, serving about 750 users (as in, real people).

If you have 2GB to spare and a physical core, you can run keycloak with no problems at all.

After all, it all depends on the amount of traffic. Little traffic = little cpu load.

Don't dismiss keycloak because it's written in Java... Quite the contrary, you can tune the JVM to work with little memory (-Xms -Xmx iirc).

Ten years ago it was very common to see tips and tricks to make grails web apps work on as little as 64mb of ram on chap VPSes.

0 comments

traverseda4y ago

Can you provide an example docker compose to deploy keycloak+ldap in docker (not kubernetes)?

red0point4y ago

I googled that for you, first result:

https://github.com/ivangfr/springboot-keycloak-openldap/blob...

traverseda4y ago

Okaaay, now I have a keycloak server and an ldap server running. I guess my next step is to shell in to the ldap host, wget https://github.com/ivangfr/springboot-keycloak-openldap/blob..., edit it to my needs, look up how to generate openldap password hashes, go back in to keycloak, and try to configure that to talk to my ldap server.

So now I need to look up the default values for

Vendor, Username LDAP attribute, RDN LDAP attribute, UUID LDAP attribute, User Object Classes, Connection URL, Users DN, Custom User LDAP Filter, Search Scope, Bind Type, Bind DN, Bind Credential

If I knew what vendor openldap was considered setting the Vendor would fill a bunch of of those in. Well let's try following through this this random blog post and hope it works: https://geek-cookbook.funkypenguin.co.nz/recipes/keycloak/au...

Compare that to the experience of deploying say, wordpress. And hey look, it already comes with an authentication backed!

Sure, you can build something that does more or less the same thing but you have to do a fair bit of work to get to that point. Realistically if you haven't done it before, and if you don't have any ldap experience, you're looking at a solid couple of hours to get that set up.

And it's still apparently going to use 100s of MB of ram.

Where as wordpress goes up in a few minutes, handles user account but uses less ram, I don't really need to do any extra work, and I'm confident it's going to work.

I'm not looking to build a skill, I'm looking to just have an auth server I can use and that I can link my own apps against easily.

As an aside I had seen that one before and it is workable, it's just a lot of work to get from there to an actual working deployment I can use on my home server.

1 more reply

j / k navigate · click thread line to collapse

0 pointsznpy4y ago0 comments

Uhm, keycloak does all the things you name and more.

I have it in production at work. Three instances, clustered (infinispan), running in docker containers orchestrated by kubernetes.

Each instance (pod) is upper-limited to 2gb ram (or 3, can't recall the details now).

It works very well and very reliably, serving about 750 users (as in, real people).

If you have 2GB to spare and a physical core, you can run keycloak with no problems at all.

After all, it all depends on the amount of traffic. Little traffic = little cpu load.

Don't dismiss keycloak because it's written in Java... Quite the contrary, you can tune the JVM to work with little memory (-Xms -Xmx iirc).

Ten years ago it was very common to see tips and tricks to make grails web apps work on as little as 64mb of ram on chap VPSes.

0 comments

traverseda4y ago

Can you provide an example docker compose to deploy keycloak+ldap in docker (not kubernetes)?

red0point4y ago

I googled that for you, first result:

https://github.com/ivangfr/springboot-keycloak-openldap/blob...

traverseda4y ago

So now I need to look up the default values for

Vendor, Username LDAP attribute, RDN LDAP attribute, UUID LDAP attribute, User Object Classes, Connection URL, Users DN, Custom User LDAP Filter, Search Scope, Bind Type, Bind DN, Bind Credential

Compare that to the experience of deploying say, wordpress. And hey look, it already comes with an authentication backed!

And it's still apparently going to use 100s of MB of ram.

Where as wordpress goes up in a few minutes, handles user account but uses less ram, I don't really need to do any extra work, and I'm confident it's going to work.

I'm not looking to build a skill, I'm looking to just have an auth server I can use and that I can link my own apps against easily.

As an aside I had seen that one before and it is workable, it's just a lot of work to get from there to an actual working deployment I can use on my home server.

1 more reply

j / k navigate · click thread line to collapse