Hey guys,
thanks a lot for your suggestions, that cleared a lot for me and I think
the staging users option will be quite viable in our setup. Really appreciate
your help and effort on this ;)
@Alex for sure will check both the video and the presentation, thanks a lot
for providing them
On Thu, Aug 11, 2022 at 10:29 AM Alexander Bokovoy <abokovoy(a)redhat.com> wrote:
On Thu, 11 Aug 2022, Florence Blanc-Renaud via FreeIPA-users wrote:
> Hi,
> On Thu, Aug 11, 2022 at 8:06 AM Yavor Marinov <[1]ymarinov(a)gmail.com> wrote:
>
> Hello again Florence,
> You were right, once the user is created in Keycloak it appears in the
> LDAP tree, but it's missing a lot of objectclasses. Which attributes
> should I map into the connection in order to have a proper creation of
> users?
> I've tried adding the posixaccount into user object classes but creating
> a new user produces an error that the homeDirectory attribute is missing.
>
> The LDAP schema defines a set of mandatory attributes for the posixaccount
> objectclass (the list following the MUST keyword):
> # ldapsearch -x -b cn=schema -s base -LLL -o ldif-wrap=no objectclasses | grep -i posixaccount
> objectclasses: ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' DESC 'Abstraction of an account with POSIX attributes' SUP top AUXILIARY MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory ) MAY ( userPassword $ loginShell $ gecos $ description ) )
> This means that if you want to add the posixaccount objectclass, you also
> need to add the attributes. Keycloak allows you to configure [2]LDAP
> mappers, I believe it's the functionality you should try to explore.
Existing integrations between FreeIPA and Keycloak are all read-only. So
far, we haven't worked on or supported any write operations, so your
mileage can vary (a lot).
I would also outline two other approaches.
1. FreeIPA has support for so-called user and group life-cycle management:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
and
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
This method allows you to create 'barebones' staged accounts through an
external LDAP tool and then activate them. During the activation step IPA
will add all necessary information (attributes and object classes) it
expects. The downside is that these accounts will not be immediately
usable in Keycloak until someone activates them.
2. Recently we have published a new project, ipa-tuura, which implements a
SCIMv2 bridge to FreeIPA. At its initial state it can be coupled with
yet another recently published project, a plugin for Keycloak to look
up data in ipa-tuura (implements a subset of SCIMv2 REST API lookups
and some ipa-tuura-specific API). This gives an alternative to
existing Keycloak integrations.
https://github.com/freeipa/ipa-tuura and
https://github.com/justin-stephenson/scim-keycloak-user-storage-spi
The second part is more or less an adventure right now as these projects
are quite young. You can watch our talk at Nest with Fedora conference
last week for details (Hopin requires a free registration):
https://app.hopin.com/events/nest-with-fedora-2022/replay/Um91bmR0YWJsZVJ...
(the presentation starts at 8:56 or so into the stream)
and
https://vda.li/talks/2022/2022-Nest-With-Fedora-FreeIPA-and-OAuth2.pdf
(slides, but you really need to watch the talk to see the demos).
> flo
>
> On Wed, Aug 10, 2022 at 3:12 PM Yavor Marinov <[3]ymarinov(a)gmail.com> wrote:
>
> Hey Flo,
> First of all, thanks for your answer. Unfortunately trying ldapsearch
> for the created user from Keycloak doesn't return any result at all.
> Trying from the command line id user.user doesn't return a result
> either. Do you have any suggestions on how I can achieve the desired
> result? I suppose it should be something related to the connection,
> but I really don't know what I could do in order to have a proper flow
> for creating the user from within Keycloak.
> Again thanks in advance ;)
> On Wed, Aug 10, 2022 at 11:21 AM Florence Blanc-Renaud <[4]flo(a)redhat.com> wrote:
>
> Hi,
> On Tue, Aug 9, 2022 at 6:51 PM Yavor Marinov via FreeIPA-users <[5]freeipa-users(a)lists.fedorahosted.org> wrote:
>
> Hello all,
> I have an issue configuring both systems Keycloak and FreeIPA to
> work with User Federation. Configuration on the Keycloak side for the
> ldap (FreeIPA server) is as follows:
>
> * LDAPs configuration
> * Keytab from FreeIPA generated with admin user
>
> The below screenshots are from the Keycloak User Federation:
> [image.png, image.png: screenshots not included]
> Importing users works flawlessly but the problem comes when I try
> to create a user in Keycloak and expect it to be created on the FreeIPA
> side - WRITABLE is on, and the keycloak machine is enrolled into
> FreeIPA as a client (both OSes are Alma). There is no error, and
> Keycloak indicates that a new user is created.
> However, in FreeIPA's web interface the user is missing and the
> most frustrating thing is if I try to create the very same
> username, FreeIPA returns that it can't add the user, because it
> already exists. I guess the issue would be somewhere either in
> Username/RDN LDAP attribute or UUID or even Custom User LDAP
> filter, but I'm lost a bit.
>
> IPA webui is showing IPA users, and it considers that an LDAP entry
> is an IPA user if it has the posixaccount objectclass. I guess you
> are able to find the users using ldapsearch but they don't contain
> this objectclass and that explains why they are not displayed in the IPA
> Web UI.
> flo
>
> In case someone wants to help, here is what I've tried to play with:
>
> * Setting UUID LDAP attribute to ipaUniqueID, but using it
> returns 0 users when trying to sync, and creating a user from
> Keycloak returns an error
> * Setting a custom LDAP filter to match a group from the LDAP - no
> binding with admin user could be achieved, thus no user could
> be synced
>
> Any help on this will be much appreciated :")
> Thank you in advance
>References
>
> Visible links
> 1. mailto:ymarinov@gmail.com
> 2. https://www.keycloak.org/docs/latest/server_admin/#_ldap_mappers
> 3. mailto:ymarinov@gmail.com
> 4. mailto:flo@redhat.com
> 5. mailto:freeipa-users@lists.fedorahosted.org
> 8. mailto:freeipa-users@lists.fedorahosted.org
> 9. mailto:freeipa-users-leave@lists.fedorahosted.org
> 10. https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> 11. https://fedoraproject.org/wiki/Mailing_list_guidelines
> 12. https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> 13. https://pagure.io/fedora-infrastructure/new_issue
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
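An added example, not from the thread or from either project, that checks an LDAP entry against the posixAccount MUST list Florence quoted above before the entry is handed to IPA. The schema string is the one printed by the ldapsearch command in the thread; both entries and their attribute values are constructed.

```python
import re

# posixAccount definition as printed by the ldapsearch command in the thread.
POSIXACCOUNT_SCHEMA = (
    "( 1.3.6.1.1.1.2.0 NAME 'posixAccount' DESC 'Abstraction of an account "
    "with POSIX attributes' SUP top AUXILIARY MUST ( cn $ uid $ uidNumber $ "
    "gidNumber $ homeDirectory ) MAY ( userPassword $ loginShell $ gecos $ "
    "description ) )"
)

# Constructed entry resembling what a default Keycloak LDAP mapper set writes:
# uid/cn/sn are mapped, but none of the POSIX attributes are.
KEYCLOAK_USER = {
    "objectClass": ["top", "person", "inetOrgPerson", "posixAccount"],
    "uid": ["user.user"], "cn": ["User User"], "sn": ["User"],
}

# Constructed entry carrying everything posixAccount requires (values made up).
IPA_USER = dict(KEYCLOAK_USER, uidNumber=["1500000001"],
                gidNumber=["1500000001"], homeDirectory=["/home/user.user"])


def parse_objectclass(definition):
    """Return (name, must, may) from an RFC 4512 objectclass description."""
    name = re.search(r"NAME\s+'([^']+)'", definition).group(1)

    def attr_list(keyword):
        # Either the list form "MUST ( a $ b )" or the single form "MUST a".
        m = re.search(keyword + r"\s+\(([^)]*)\)", definition)
        if m:
            return [a.strip() for a in m.group(1).split("$") if a.strip()]
        m = re.search(keyword + r"\s+([A-Za-z][\w-]*)", definition)
        return [m.group(1)] if m else []

    return name, attr_list("MUST"), attr_list("MAY")


def missing_must_attributes(entry, definition=POSIXACCOUNT_SCHEMA):
    """MUST attributes of the objectclass that the entry lacks or leaves empty.
    Attribute types compare case-insensitively, as LDAP does."""
    _, must, _ = parse_objectclass(definition)
    present = {k.lower() for k, v in entry.items() if v}
    return [a for a in must if a.lower() not in present]


if __name__ == "__main__":
    for label, entry in (("keycloak", KEYCLOAK_USER), ("ipa", IPA_USER)):
        print(label, "missing:", missing_must_attributes(entry))
```

Every attribute this reports for the Keycloak entry needs an LDAP mapper in the User Federation provider before the add with posixAccount will be accepted.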