On Thu, 11 Aug 2022, Florence Blanc-Renaud via FreeIPA-users wrote:
Hi,
On Thu, Aug 11, 2022 at 8:06 AM Yavor Marinov <[1]ymarinov(a)gmail.com>
wrote:
Hello again Florence,
You were right, once the user is created in Keycloak it appears in the
LDAP tree, but it's missing a lot of objectclasses. Which attributes
should I map into connection in order to have a proper creation of
users?
I've tried adding the posixaccount into user object classes but creating
a new user produces an error that homeDirectory attribute is missing.
The LDAP schema defines a set of mandatory attributes for the posixaccount
objectclass (the list following the MUST keyword):
# ldapsearch -x -b cn=schema -s base -LLL -o ldif-wrap=no objectclasses | grep -i posixaccount
objectclasses: ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' DESC 'Abstraction of an account with POSIX attributes' SUP top AUXILIARY MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory ) MAY ( userPassword $ loginShell $ gecos $ description ) )
This means that if you want to add the posixaccount objectclass, you also
need to add the attributes. Keycloak allows you to configure [2]LDAP
mappers, I believe it's the functionality you should try to explore.
Existing integrations between FreeIPA and Keycloak are all read-only. So
far, we haven't worked on or supported any write operations, so your
mileage can vary (a lot).
I would also outline two other approaches.
1. FreeIPA has support for so-called user and group life-cycle
management:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
and
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
This method allows you to create 'barebones' staged accounts through an
external LDAP tool and then activate them. During the activation step IPA
will add all necessary information (attributes and object classes) it
expects. The downside is that these accounts will not be immediately
usable in Keycloak until someone activates them.
2. Recently we have published a new project, ipa-tuura, which implements a
SCIMv2 bridge to FreeIPA. At its initial state it can be coupled with
yet another recently published project, a plugin for Keycloak to look
up data in ipa-tuura (implements a subset of SCIMv2 REST API lookups
and some ipa-tuura-specific API). This gives an alternative to
existing Keycloak integrations.
https://github.com/freeipa/ipa-tuura and
https://github.com/justin-stephenson/scim-keycloak-user-storage-spi
The second part is more or less an adventure right now as these projects
are quite young. You can watch our talk at Nest with Fedora conference
last week for details (Hopin requires a free registration):
https://app.hopin.com/events/nest-with-fedora-2022/replay/Um91bmR0YWJsZVJ...
(the presentation starts at 8:56 or so into the stream)
and
https://vda.li/talks/2022/2022-Nest-With-Fedora-FreeIPA-and-OAuth2.pdf
(slides, but you really need to watch the talk to see the demos).
flo
On Wed, Aug 10, 2022 at 3:12 PM Yavor Marinov <[3]ymarinov(a)gmail.com>
wrote:
Hey Flo,
First of all, thanks for your answer. Unfortunately trying ldapsearch
for the created user from Keycloak doesn't return any result at all.
Trying from the command line id user.user doesn't return a result
either. Do you have any suggestions on how I can achieve the desired
result? I suppose it should be something related to the connection,
but I really don't know what I could do in order to have a proper flow
for creating the user from within Keycloak.
Again thanks in advance ;)
On Wed, Aug 10, 2022 at 11:21 AM Florence Blanc-Renaud
<[4]flo(a)redhat.com> wrote:
Hi,
On Tue, Aug 9, 2022 at 6:51 PM Yavor Marinov via FreeIPA-users
<[5]freeipa-users(a)lists.fedorahosted.org> wrote:
Hello all,
I have an issue configuring both systems Keycloak and FreeIPA to
work with User Federation. Configuration on Keycloak side for the
ldap (FreeIPA server) is as follows:
* LDAPs configuration
* Keytab from FreeIPA generated with admin user
The below screenshot is from the Keycloak User Federation:
[6]image.png
[7]image.png
Importing users works flawlessly but the problem comes when I try
to create user in Keycloak and expect it to be created on FreeIPA
side - WRITABLE is on, and keycloak machine is enrolled into
FreeIPA as a client (both OSes are Alma). There is no error, and
Keycloak indicates that a new user is created.
However, in FreeIPA's web interface the user is missing and the
most frustrating thing is if I try to create the very same
username, FreeIPA returns that it can't add the user, because it
already exists. I guess the issue would be somewhere either in
Username/RDN LDAP attribute or UUID or even Custom User LDAP
filter, but I'm lost a bit.
IPA webui is showing IPA users, and it considers that an LDAP entry
is an IPA user if it has the posixaccount objectclass. I guess you
are able to find the users using ldapsearch but they don't contain
this objectclass and that explains why they are not displayed in IPA
Web UI.
flo
In case someone wants to help, here is what I've tried to play with:
* Setting UUID Ldap attribute to ipaUniqueID, but using it,
returns 0 user when trying to sync, and creating user from
Keycloak returns error
* Setting custom ldap filter to match a group from the LDAP - no
binding with admin user could be achieved, thus no user could
be synced
Any help on this will be much appreciated :")
Thank you in advance
_______________________________________________
FreeIPA-users mailing list --
[8]freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to
[9]freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
[10]https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
[11]https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
[12]https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedor...
Do not reply to spam, report it:
[13]https://pagure.io/fedora-infrastructure/new_issue
References
Visible links
1. mailto:ymarinov@gmail.com
2. https://www.keycloak.org/docs/latest/server_admin/#_ldap_mappers
3. mailto:ymarinov@gmail.com
4. mailto:flo@redhat.com
5. mailto:freeipa-users@lists.fedorahosted.org
8. mailto:freeipa-users@lists.fedorahosted.org
9. mailto:freeipa-users-leave@lists.fedorahosted.org
10. https://docs.fedoraproject.org/en-US/project/code-of-conduct/
11. https://fedoraproject.org/wiki/Mailing_list_guidelines
12. https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
13. https://pagure.io/fedora-infrastructure/new_issue
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
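Editor's note: the thread turns on two facts, that an LDAP objectclass carries a MUST list the directory enforces at add time (the posixAccount definition Florence quoted), and that IPA treats an entry as a user only when it carries posixAccount. The following is an added pre-flight check written for this page; it is not code from FreeIPA, Keycloak or ipa-tuura. It parses objectclass definitions in the cn=schema syntax shown above, walks the SUP chain, and reports which mandatory attributes an entry lacks, so an external writer's attribute mapping (for instance a set of Keycloak LDAP mappers) can be validated before WRITABLE federation is switched on. The posixAccount line is the one from the thread; the person/organizationalPerson/inetOrgPerson lines are standard RFC 4519/2798 definitions abbreviated to the parts needed here; the three sample entries are constructed to mirror the states Yavor described.

```python
"""Pre-flight check of an LDAP entry against objectclass MUST lists.

Added example for the FreeIPA-users thread above; not FreeIPA, Keycloak or
ipa-tuura code.  Schema lines: posixAccount as quoted in the thread, the
person chain abbreviated from RFC 4519/2798.  Entries are constructed.
"""
import re

SCHEMA_LINES = [
    # Verbatim from the ldapsearch output quoted in the thread.
    "( 1.3.6.1.1.1.2.0 NAME 'posixAccount' DESC 'Abstraction of an account "
    "with POSIX attributes' SUP top AUXILIARY MUST ( cn $ uid $ uidNumber $ "
    "gidNumber $ homeDirectory ) MAY ( userPassword $ loginShell $ gecos $ "
    "description ) )",
    # Standard definitions, MAY lists abbreviated (assumption: only MUST matters here).
    "( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) "
    "MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )",
    "( 2.5.6.7 NAME 'organizationalPerson' SUP person STRUCTURAL MAY ( title $ x121Address ) )",
    "( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' SUP organizationalPerson "
    "STRUCTURAL MAY ( audio $ businessCategory $ mail ) )",
]


def _attr_list(text, keyword):
    """Names after KEYWORD, given either as '( a $ b )' or as a bare name."""
    m = re.search(r"\b" + keyword + r"\s+(?:\(\s*([^)]*)\)|([\w-]+))", text)
    if not m:
        return []
    body = m.group(1) if m.group(1) is not None else m.group(2)
    return [a.strip() for a in body.split("$") if a.strip()]


def parse_objectclass(definition):
    """Parse one 'objectclasses:' value into oid, names, kind, SUP, MUST, MAY."""
    text = re.sub(r"DESC\s+'[^']*'", "", definition)  # DESC text may contain keywords
    oid = re.match(r"\(\s*([\d.]+)", text.strip()).group(1)
    m = re.search(r"\bNAME\s+(?:'([^']+)'|\(([^)]*)\))", text)
    names = [m.group(1)] if m.group(1) else re.findall(r"'([^']+)'", m.group(2))
    if re.search(r"\bAUXILIARY\b", text):
        kind = "AUXILIARY"
    elif re.search(r"\bABSTRACT\b", text):
        kind = "ABSTRACT"
    else:
        kind = "STRUCTURAL"
    return {"oid": oid, "names": names, "kind": kind,
            "sup": _attr_list(text, "SUP"),
            "must": _attr_list(text, "MUST"),
            "may": _attr_list(text, "MAY")}


def load_schema(definitions):
    """Map every (case-insensitive) objectclass name to its parsed definition."""
    schema = {}
    for d in definitions:
        oc = parse_objectclass(d)
        for n in oc["names"]:
            schema[n.lower()] = oc
    return schema


def required_attributes(schema, objectclasses):
    """Union of MUST attributes over the given classes and their SUP chains."""
    required, seen = {}, set()
    todo = [oc.lower() for oc in objectclasses]
    while todo:
        name = todo.pop()
        if name in seen or name == "top":
            continue
        seen.add(name)
        if name not in schema:
            raise KeyError(f"objectclass {name!r} is not defined in the schema")
        for attr in schema[name]["must"]:
            required.setdefault(attr.lower(), attr)
        todo.extend(s.lower() for s in schema[name]["sup"])
    return required


def missing_attributes(schema, entry):
    """MUST attributes the entry lacks; the server would reject such an add."""
    present = {k.lower() for k, v in entry.items() if v not in (None, "", [])}
    required = required_attributes(schema, entry.get("objectClass", []))
    return sorted(v for k, v in required.items() if k not in present)


def visible_in_ipa_webui(entry):
    """Per the thread, IPA's Web UI lists an entry as a user only with posixAccount."""
    return any(oc.lower() == "posixaccount" for oc in entry.get("objectClass", []))


# Constructed entries mirroring the states described in the thread.
KEYCLOAK_DEFAULT = {"objectClass": ["inetOrgPerson", "organizationalPerson"],
                    "uid": "jdoe", "cn": "John Doe", "sn": "Doe", "mail": "jdoe@example.test"}
KEYCLOAK_POSIX_NO_MAPPERS = dict(KEYCLOAK_DEFAULT,
                                 objectClass=KEYCLOAK_DEFAULT["objectClass"] + ["posixAccount"])
KEYCLOAK_POSIX_MAPPED = dict(KEYCLOAK_POSIX_NO_MAPPERS,
                             uidNumber="10001", gidNumber="10001", homeDirectory="/home/jdoe")

if __name__ == "__main__":
    schema = load_schema(SCHEMA_LINES)
    for label, entry in (("default mappers", KEYCLOAK_DEFAULT),
                         ("posixAccount, no mappers", KEYCLOAK_POSIX_NO_MAPPERS),
                         ("posixAccount + mappers", KEYCLOAK_POSIX_MAPPED)):
        print(f"{label:26s} missing={missing_attributes(schema, entry)} "
              f"ipa_user={visible_in_ipa_webui(entry)}")
```

Run against a live server, replace SCHEMA_LINES with the full output of the ldapsearch shown above (without the grep) and the entry dicts with what the federation tool is configured to write; the first state reproduces the symptom in the thread (entry accepted, invisible to IPA), the second the "homeDirectory attribute is missing" rejection, and the third is the mapping that satisfies the schema.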