I have been putting off centralized authentication in my homelab for a long time because there appeared to be no simple implementation. When I had the free time, I tried to implement it. I started with Keycloak. Keycloak is simple to install and has a very nice web GUI.

Install Keycloak on Ubuntu 18.04

Install Java

sudo apt-get install default-jdk -y

Download Keycloak to your home directory

wget https://downloads.jboss.org/keycloak/8.0.1/keycloak-8.0.1.tar.gz

Unzip the file we downloaded

sudo tar -xvzf keycloak-8.0.1.tar.gz

Make a Keycloak service file

sudo nano /etc/systemd/system/keycloak.service

Put this in your /etc/systemd/system/keycloak.service file

Note: Replace "banks" with your username and YOUR_SERVER_IP with the IP you want Keycloak to bind to. Running the unit as your own user keeps the files Keycloak writes under /home/banks owned by you rather than root.

[Unit]
Description=Keycloak Service by Banks
After=network.target

[Service]
User=banks
ExecStart=/home/banks/keycloak-8.0.1/bin/standalone.sh -b YOUR_SERVER_IP

[Install]
WantedBy=multi-user.target


Enable Keycloak service so it will start on boot of your server

sudo systemctl enable keycloak

Reload systemctl

sudo systemctl daemon-reload

Start Keycloak

sudo service keycloak start

Make the admin account with a Keycloak script, because the web GUI won't let you create the initial admin user when you access the server remotely (from another host). Replace "banks" with your desired username:

cd ~/keycloak-8.0.1/bin/
./add-user-keycloak.sh -u banks 

Restart your Keycloak server with the admin account setup

sudo service keycloak restart

You can now access the Keycloak web GUI in your browser at your server's IP on port 8080 (Keycloak's default HTTP port).

I recommend that you create a new realm and leave the default realm named "master" alone. In my case, I named my new realm "Nussman" and use "Nussman" for the rest of this post.

Reverse Proxying your Keycloak realm

To make Keycloak publicly accessible over HTTPS, I reverse proxy it with NGINX and expose it through the "account" client. Below is the Nginx config I used to reverse proxy Keycloak.

    server {
        server_name auth.nussman.us;
        listen 80;

        location / {
            # Placeholder: the address Keycloak binds to (-b) and its default HTTP port
            proxy_pass http://KEYCLOAK_SERVER_IP:8080;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Host $host;
            # Tell Keycloak it is reached over HTTPS on 443 so the URLs it generates use the public scheme
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header X-Forwarded-Port 443;
        }
    }

Don't forget to restart Nginx after you add this!

You must change some of the default values stored in Clients -> account, as shown below, for Keycloak to work behind a reverse proxy on a domain.

Navigate to this page in your newly created realm and click Edit.

Now edit your "account" client to match what I have below, with your domain in place of auth.nussman.us.

Notice the "*" in the "Valid Redirect URLs" input; this is needed for the reverse proxy to work.
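A quick way to confirm the proxy headers are doing their job, as an added check that is not part of the original post: fetch the realm's OpenID Connect discovery document through the public hostname and verify that every advertised endpoint is an https URL on that hostname. If Keycloak is not honouring X-Forwarded-Proto and X-Forwarded-Host (in Keycloak 8 the http-listener in standalone/configuration/standalone.xml also needs proxy-address-forwarding="true"), the document comes back with http URLs pointing at the bind address instead, and browser logins through the proxy break. The hostname, realm name and the two sample documents are assumptions and constructed data; 192.0.2.10 is a placeholder address. One related caveat: a bare "*" in Valid Redirect URLs lets the account client redirect anywhere, so once the proxy works, narrowing it to the public origin (https://auth.nussman.us/*) closes that off.

```python
import json
from urllib.parse import urlparse
from urllib.request import urlopen

# Keycloak 8 serves a realm's OIDC discovery document at this path (/auth is Keycloak's default context).
DISCOVERY_PATH = "/auth/realms/{realm}/.well-known/openid-configuration"

# Endpoints the check inspects; every one must be an https URL on the public hostname.
ENDPOINT_KEYS = (
    "issuer", "authorization_endpoint", "token_endpoint",
    "userinfo_endpoint", "jwks_uri", "end_session_endpoint",
)


def check_discovery(doc: dict, public_host: str) -> list:
    """Return a list of problems; an empty list means the realm advertises its public HTTPS identity."""
    problems = []
    for key in ENDPOINT_KEYS:
        url = doc.get(key)
        if not url:
            problems.append(f"{key}: missing")
            continue
        parts = urlparse(url)
        if parts.scheme != "https":
            problems.append(f"{key}: not https ({url})")
        if parts.hostname != public_host:
            problems.append(f"{key}: host {parts.hostname!r} is not {public_host!r}")
    return problems


def fetch_discovery(public_host: str, realm: str) -> dict:
    """Fetch the discovery document the way a browser or OIDC client would: through the public proxy."""
    url = f"https://{public_host}" + DISCOVERY_PATH.format(realm=realm)
    with urlopen(url, timeout=10) as resp:
        return json.load(resp)


# Constructed sample documents (not captured from a real server). GOOD_DOC is what a correctly
# proxied realm returns; BAD_DOC is what you see when Keycloak ignores the X-Forwarded-* headers
# and falls back to the address it bound to (192.0.2.10:8080 is a placeholder).
_BASE = "https://auth.nussman.us/auth/realms/Nussman"
GOOD_DOC = {
    "issuer": _BASE,
    "authorization_endpoint": _BASE + "/protocol/openid-connect/auth",
    "token_endpoint": _BASE + "/protocol/openid-connect/token",
    "userinfo_endpoint": _BASE + "/protocol/openid-connect/userinfo",
    "jwks_uri": _BASE + "/protocol/openid-connect/certs",
    "end_session_endpoint": _BASE + "/protocol/openid-connect/logout",
}
BAD_DOC = {k: v.replace("https://auth.nussman.us", "http://192.0.2.10:8080") for k, v in GOOD_DOC.items()}


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "auth.nussman.us"   # assumed public hostname
    realm = sys.argv[2] if len(sys.argv) > 2 else "Nussman"           # assumed realm name
    problems = check_discovery(fetch_discovery(host, realm), host)
    for line in problems or [f"ok: every endpoint is https on {host}"]:
        print(line)
```

Run it as `python3 check_discovery.py auth.nussman.us Nussman` from a machine outside the proxy; any line it prints names the endpoint and header that is not being forwarded correctly.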

Back your Keycloak instance with a glauth LDAP server

I realized Keycloak alone wasn't enough because it only handles simple SSO and not LDAP, which things like Graylog and OpenVPN require for authentication. FreeIPA is garbage because you can't easily use it in a homelab setting when your reverse proxy is already occupying ports 80 and 443. Its documentation is very demanding about DNS and insists you set it up with a FQDN. It also gets mad when you try to reverse proxy it, so I deemed it not worth my time and effort. I stumbled upon glauth, deemed it good enough for my homelab purposes, and found it extremely easy to deploy in an Ubuntu VM.

Installing and Setting Up glauth

The developer of glauth is an absolute G. It is super simple, and he puts pre-compiled builds up on the GitHub Releases tab.

Download glauth to your home directory

wget https://github.com/glauth/glauth/releases/download/v1.1.1/glauth64

Download my sample config file

wget https://nussman.us/files/sample-simple.cfg

Important: Change the config file to match your credentials. To make a SHA-256 password hash, use the command below and replace "mysecret" with your desired password. You will also want to change the IP address to match the IP of your server.

echo -n "mysecret" | openssl dgst -sha256
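The same digest computed in Python, as an added example that is not from the original post or from glauth: glauth_passsha256() produces exactly what the openssl command above prints (unsalted SHA-256, lowercase hex), verify_password() checks a candidate against a stored value in constant time, and render_user() emits a [[users]] entry in the layout of glauth's sample config (the key names name, unixid, primarygroup and passsha256 are taken from that sample; the user values are made up). Because the hash is unsalted and fast, the config file is as sensitive as the passwords themselves: keep it owned by the service user with mode 0600.

```python
import hashlib
import hmac


def glauth_passsha256(password: str) -> str:
    """Same digest as `echo -n "mysecret" | openssl dgst -sha256`: unsalted SHA-256 of the UTF-8 bytes, lowercase hex."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def verify_password(candidate: str, stored_hex: str) -> bool:
    """Compare a candidate password against a stored passsha256 value without leaking timing."""
    return hmac.compare_digest(glauth_passsha256(candidate), stored_hex.strip().lower())


def render_user(name: str, unixid: int, primarygroup: int, password: str) -> str:
    """Render one [[users]] entry in the TOML layout of glauth's sample config (key names assumed from that sample)."""
    return (
        "[[users]]\n"
        f'  name = "{name}"\n'
        f"  unixid = {unixid}\n"
        f"  primarygroup = {primarygroup}\n"
        f'  passsha256 = "{glauth_passsha256(password)}"\n'
    )


if __name__ == "__main__":
    # Made-up sample user; paste the output into sample-simple.cfg in place of the shipped entry.
    print(render_user("banks", 5001, 5501, "mysecret"), end="")
```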

Make a glauth service file

sudo nano /etc/systemd/system/glauth.service

Put this into that file

Note: make sure you replace "banks" with your username

[Unit]
Description=glauth LDAP Server
After=network.target

[Service]
ExecStart=/home/banks/glauth64 -c /home/banks/sample-simple.cfg

[Install]
WantedBy=multi-user.target


Enable glauth service so it will start on boot of your server

sudo systemctl enable glauth

Reload systemctl

sudo systemctl daemon-reload

Start glauth

sudo service glauth start

Linking glauth and Keycloak

You can now use glauth credentials to authenticate everything in Keycloak. Navigate to "User Federation" and create an LDAP entry similar to the one below.

If everything works, the "test connection" and "test authorization" buttons should both succeed. You can now "Synchronize all users" and turn on "periodic full sync" to keep syncing users from LDAP to Keycloak.

Note: The "Synchronize changed users" option does not work with glauth as far as I know, so use "Synchronize all users" to sync your LDAP users into your Keycloak server. That also means turning on "Periodic Changed Users Sync" is pointless.