[keycloak-user] Error enabling 'Sync Registrations' for LDAP (FreeIPA) User Federation

Marek Posolda mposolda at redhat.com
Mon Jun 13 03:54:48 EDT 2016


The "Sync registration" doesn't work with LDAP provider configured 
against FreeIPA.

We are currently working on improving FreeIPA integration. It seems the 
new users created in Keycloak will be registered to FreeIPA with SSSD, 
not with LDAP. Using SSSD seems to be the preferred and more proper way 
though.

Marek

On 12/06/16 01:10, Rafael Soares wrote:
> I'm testing Keycloak LDAP User Federation with FreeIPA iDM Server.
> I'm using the same environment used by @mposolda [1] with the 
> @adelton's FreeIPA Docker container image [2].
>
> The integration (KC and FreeIPA) worked fine except for the sync for 
> new users created on KC side (new registrations). When I enable the 
> 'Sync Registrations' on the 'freeipa-ldap' User Federation and then 
> try to add a new user using the KC Web Console I get the following error:
>
>
> KC server.log in TRACE mode:
>
> "
> 2016-06-11 22:33:37,568 TRACE 
> [org.keycloak.models.cache.infinispan.RealmCacheSession] (default 
> task-5) realm by name cache hit: master
> 2016-06-11 22:33:37,568 TRACE 
> [org.keycloak.models.cache.infinispan.RealmCacheSession] (default 
> task-5) by id cache hit: master
> 2016-06-11 22:33:37,569 DEBUG [org.keycloak.services] (default task-5) 
> token active - active: true, issued-at: 1,465,684,397, not-before: 0
> 2016-06-11 22:33:37,569 TRACE 
> [org.keycloak.models.cache.infinispan.UserCacheSession] (default 
> task-5) getuserById 6f358dd3-3c20-4a84-b0b5-b02c77747a5a
> 2016-06-11 22:33:37,569 TRACE 
> [org.keycloak.models.cache.infinispan.UserCacheSession] (default 
> task-5) returning new cache adapter
> 2016-06-11 22:33:37,569 TRACE 
> [org.keycloak.models.cache.infinispan.RealmCacheSession] (default 
> task-5) client by name cache hit: security-admin-console
> 2016-06-11 22:33:37,569 TRACE 
> [org.keycloak.models.cache.infinispan.RealmCacheSession] (default 
> task-5) client by id cache hit: security-admin-console
> 2016-06-11 22:33:37,569 DEBUG [org.keycloak.services] (default task-5) 
> authenticated admin access for: admin
> 2016-06-11 22:33:37,569 DEBUG [org.keycloak.services] (default task-5) 
> No origin returning
> 2016-06-11 22:33:37,569 TRACE 
> [org.keycloak.models.cache.infinispan.RealmCacheSession] (default 
> task-5) realm by name cache hit: freeipa
> 2016-06-11 22:33:37,569 TRACE 
> [org.keycloak.models.cache.infinispan.RealmCacheSession] (default 
> task-5) by id cache hit: freeipa
> 2016-06-11 22:33:37,569 TRACE 
> [org.keycloak.models.cache.infinispan.RealmCacheSession] (default 
> task-5) by id cache hit: master
> 2016-06-11 22:33:37,569 TRACE 
> [org.keycloak.models.cache.infinispan.RealmCacheSession] (default 
> task-5) by id cache hit: master
> 2016-06-11 22:33:37,569 TRACE 
> [org.keycloak.models.cache.infinispan.RealmCacheSession] (default 
> task-5) by id cache hit: master
> 2016-06-11 22:33:37,569 TRACE 
> [org.keycloak.models.cache.infinispan.RealmCacheSession] (default 
> task-5) client by id cache hit: freeipa-realm
> 2016-06-11 22:33:37,569 TRACE 
> [org.keycloak.models.cache.infinispan.RealmCacheSession] (default 
> task-5) getClientRoles cache hit: freeipa-realm
> 2016-06-11 22:33:37,570 TRACE 
> [org.keycloak.models.cache.infinispan.RealmCacheSession] (default 
> task-5) getClientRoles cache hit: freeipa-realm
> 2016-06-11 22:33:37,570 TRACE 
> [org.keycloak.models.cache.infinispan.UserCacheSession] (default 
> task-5) getUserByUsername: kc_user1
> 2016-06-11 22:33:37,570 TRACE 
> [org.keycloak.models.cache.infinispan.UserCacheSession] (default 
> task-5) query null
> 2016-06-11 22:33:37,571 TRACE 
> [org.keycloak.models.cache.infinispan.UserCacheSession] (default 
> task-5) model from delegate null
> 2016-06-11 22:33:37,571 TRACE 
> [org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore] 
> (default task-5) Using filter for LDAP search: 
> (&(uid=kc_user1)(objectclass=person)) . Searching in DN: 
> cn=users,cn=accounts,dc=example,dc=test
> 2016-06-11 22:33:37,575 TRACE 
> [org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore] 
> (default task-5) Using filter for LDAP search: 
> (&(mail=kc_user1 at example.test)(objectclass=person)) . Searching in DN: 
> cn=users,cn=accounts,dc=example,dc=test
> 2016-06-11 22:33:37,577 TRACE 
> [org.keycloak.models.cache.infinispan.RealmCacheSession] (default 
> task-5) getRealmRoles cache hit: freeipa
> 2016-06-11 22:33:37,578 TRACE 
> [org.keycloak.models.cache.infinispan.RealmCacheSession] (default 
> task-5) getClients cache hit: freeipa
> 2016-06-11 22:33:37,578 TRACE 
> [org.keycloak.models.cache.infinispan.RealmCacheSession] (default 
> task-5) client by id cache hit: broker
> 2016-06-11 22:33:37,578 TRACE 
> [org.keycloak.models.cache.infinispan.RealmCacheSession] (default 
> task-5) client by id cache hit: realm-management
> 2016-06-11 22:33:37,578 TRACE 
> [org.keycloak.models.cache.infinispan.RealmCacheSession] (default 
> task-5) client by id cache hit: liferay-saml-idp
> 2016-06-11 22:33:37,578 TRACE 
> [org.keycloak.models.cache.infinispan.RealmCacheSession] (default 
> task-5) client by id cache hit: security-admin-console
> 2016-06-11 22:33:37,578 TRACE 
> [org.keycloak.models.cache.infinispan.RealmCacheSession] (default 
> task-5) client by id cache hit: kitchensink
> 2016-06-11 22:33:37,579 TRACE 
> [org.keycloak.models.cache.infinispan.RealmCacheSession] (default 
> task-5) client by id cache hit: admin-cli
> 2016-06-11 22:33:37,579 TRACE 
> [org.keycloak.models.cache.infinispan.RealmCacheSession] (default 
> task-5) client by id cache hit: account
> 2016-06-11 22:33:37,579 TRACE 
> [org.keycloak.models.cache.infinispan.RealmCacheSession] (default 
> task-5) getClientRoles cache hit: account
> 2016-06-11 22:33:37,580 TRACE 
> [org.keycloak.models.cache.infinispan.RealmCacheSession] (default 
> task-5) getClientRoles cache hit: account
> 2016-06-11 22:33:37,581 TRACE 
> [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] 
> (default task-5) Creating entry 
> [uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test] with attributes: [
> 2016-06-11 22:33:37,583 TRACE 
> [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] 
> (default task-5)   objectclass = person
> 2016-06-11 22:33:37,583 TRACE 
> [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] 
> (default task-5)   givenname =
> 2016-06-11 22:33:37,583 TRACE 
> [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] 
> (default task-5)   sn =
> 2016-06-11 22:33:37,583 TRACE 
> [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] 
> (default task-5)   cn =
> 2016-06-11 22:33:37,583 TRACE 
> [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] 
> (default task-5) ]
> 2016-06-11 22:33:37,607 ERROR [io.undertow.request] (default task-5) 
> UT005023: Exception handling request to 
> /auth/admin/realms/freeipa/users: 
> org.jboss.resteasy.spi.UnhandledException: 
> org.keycloak.models.ModelException: Error creating subcontext 
> [uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test]
>     at 
> org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
>     at 
> org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
>     at 
> org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
>
>     ... 37 more
> Caused by: javax.naming.directory.SchemaViolationException: [LDAP: 
> error code 65 - attribute "uid" not allowed
> ]; remaining name 'uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test'
>     at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3166)
>     at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3081)
>     at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2888)
>     at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:812)
>     at 
> com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:341)
>     at 
> com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:268)
>     at 
> com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:256)
>     at 
> javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:197)
>     at 
> javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:197)
>     at 
> org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$7.execute(LDAPOperationManager.java:434)
>     at 
> org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$7.execute(LDAPOperationManager.java:431)
>     at 
> org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:536)
>     at 
> org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.createSubContext(LDAPOperationManager.java:431)
>     ... 57 more"
>
>
> FreeIPA Server ldap srv log:
> ""
> tail -f /data/var/log/dirsrv/slapd-EXAMPLE-TEST/errors
>
> [11/Jun/2016:22:33:37 +0000] - Entry "uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test" -- attribute "uid" not allowed
> ""
>
> ----
>
> It appears the FreeIPA LDAP server is refusing the attribute 'uid'.
>
> Interestingly, the FreeIPA 'user_add' API operation states that the 
> 'uid' attribute is required:
>
>
>
> I tried to add a new user manually using the FreeIPA CLI and it worked 
> fine. See the FreeIPA CLI output:
>
> "
> [root at ipa /]# ipa help user-add
> Usage: ipa [global-options] user-add LOGIN [options]
>
> Add a new user.
> Options:
>   -h, --help            show this help message and exit
>   --first=STR           First name
>   --last=STR            Last name
>   --cn=STR              Full name
>   --displayname=STR     Display name
>   --initials=STR        Initials
>   --homedir=STR         Home directory
>   --gecos=STR           GECOS
>   --shell=STR           Login shell
>   --principal=STR       Kerberos principal
>   --principal-expiration=DATETIME
>                         Kerberos principal expiration
>   --email=STR           Email address
>   --password            Prompt to set the user password
>   --random              Generate a random user password
>   --uid=INT             User ID Number (system will assign one if not
>                         provided)
>   --gidnumber=INT       Group ID Number
>   --street=STR          Street address
>   --city=STR            City
>   --state=STR           State/Province
>   --postalcode=STR      ZIP
>   --phone=STR           Telephone Number
>   --mobile=STR          Mobile Telephone Number
>   --pager=STR           Pager Number
>   --fax=STR             Fax Number
>   --orgunit=STR         Org. Unit
>   --title=STR           Job Title
>   --manager=STR         Manager
>   --carlicense=STR      Car License
>   --sshpubkey=STR       SSH public key
>   --user-auth-type=['password', 'radius', 'otp']
>                         Types of supported user authentication
>   --class=STR           User category (semantics placed on this attribute are
>                         for local interpretation)
>   --radius=STR          RADIUS proxy configuration
>   --radius-username=STR
>                         RADIUS proxy username
>   --departmentnumber=STR
>                         Department Number
>   --employeenumber=STR  Employee Number
>   --employeetype=STR    Employee Type
>   --preferredlanguage=STR
>                         Preferred Language
>   --certificate=BYTES   Base-64 encoded server certificate
>   --setattr=STR         Set an attribute to a name/value pair. Format is
>                         attr=value. For multi-valued attributes, the command
>                         replaces the values already present.
>   --addattr=STR         Add an attribute/value pair. Format is attr=value. The
>                         attribute must be part of the schema.
>   --noprivate           Don't create user private group
>   --all                 Retrieve and print all attributes from the server.
>                         Affects command output.
>   --raw                 Print entries as stored on the server. Only affects
>                         output format.
>
> [root at ipa /]# ipa user-add ipa_user3 --first 'IPA 3' --last 'User3' --email 'ipa_user3 at example.test' --all --raw
> ----------------------
> Added user "ipa_user3"
> ----------------------
>   dn: uid=ipa_user3,cn=users,cn=accounts,dc=example,dc=test
>   uid: ipa_user3
>   givenname: IPA 3
>   sn: User3
>   cn: IPA 3 User3
>   initials: IU
>   homedirectory: /home/ipa_user3
>   gecos: IPA 3 User3
>   loginshell: /bin/sh
>   mail: ipa_user3 at example.test
>   uidnumber: 753200006
>   gidnumber: 753200006
>   has_password: FALSE
>   has_keytab: FALSE
>   displayName: IPA 3 User3
>   ipaUniqueID: 65f3f702-3021-11e6-b62c-0242ac110001
>   krbPrincipalName: ipa_user3 at EXAMPLE.TEST
>   memberof: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=test
>   mepManagedEntry: cn=ipa_user3,cn=groups,cn=accounts,dc=example,dc=test
>   objectClass: ipaSshGroupOfPubKeys
>   objectClass: ipaobject
>   objectClass: mepOriginEntry
>   objectClass: person
>   objectClass: top
>   objectClass: ipasshuser
>   objectClass: inetorgperson
>   objectClass: organizationalperson
>   objectClass: krbticketpolicyaux
>   objectClass: krbprincipalaux
>   objectClass: inetuser
>   objectClass: posixaccount
> "
>
> Can someone help me find what is wrong on KC side? Maybe the KC 
> mappers mechanism?
>
> Thanks in advance.
>
> [1] https://github.com/mposolda/keycloak-freeipa-docker
> [2] https://hub.docker.com/r/adelton/freeipa-server/
>
> -- 
> ___
> Rafael T. C. Soares
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
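Added illustration (editor's example, not code from this thread, Keycloak or FreeIPA): a pre-flight schema check that reproduces the LDAP error 65 above. The TRACE log shows the add request carrying only objectclass=person, while the RDN uid=kc_user1 makes uid part of the entry; the standard person class does not permit uid (it is a MAY of inetOrgPerson and a MUST of posixAccount, both of which appear on the ipa user-add result). The hard-coded MUST/MAY lists are an assumption taken from the standard schema; the server's own subschema subentry is authoritative.

```python
# Added example (not Keycloak or FreeIPA code): pre-flight check of an LDAP
# add request against objectClass MUST/MAY lists.  Lists are the standard ones
# (RFC 4519 person/organizationalPerson/inetOrgPerson, RFC 2307 posixAccount);
# a real check should read the server's subschema subentry instead.

# objectClass -> (superior, MUST, MAY); all names lower-cased
SCHEMA = {
    "top": (None, {"objectclass"}, set()),
    "person": ("top", {"sn", "cn"},
               {"userpassword", "telephonenumber", "seealso", "description"}),
    "organizationalperson": ("person", set(),
                             {"title", "ou", "l", "st", "street", "postalcode"}),
    "inetorgperson": ("organizationalperson", set(),
                      {"uid", "mail", "givenname", "displayname", "mobile"}),
    "posixaccount": ("top", {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"},
                     {"userpassword", "loginshell", "gecos", "description"}),
}


def allowed_and_required(object_classes):
    """Collect MUST and MAY over each objectClass and its superior chain."""
    must, may = set(), set()
    for oc in object_classes:
        cur = oc.lower()
        while cur is not None:
            sup, m, o = SCHEMA[cur]  # KeyError: objectClass unknown to this schema
            must |= m
            may |= o
            cur = sup
    return must, may


def check_add(dn, attrs):
    """Return the schema violations a server would raise for this add request.

    attrs maps attribute name -> list of values.  The RDN attribute belongs to
    the entry even when the client omits it from the attribute list; that is
    how "uid" enters the Keycloak request, which sent only objectclass/sn/cn/givenname.
    """
    entry = {k.lower(): list(v) for k, v in attrs.items()}
    rdn_attr, rdn_val = dn.split(",", 1)[0].split("=", 1)
    entry.setdefault(rdn_attr.lower(), []).append(rdn_val)
    must, may = allowed_and_required(entry.get("objectclass", []))
    violations = []
    for name, values in sorted(entry.items()):
        if name not in must and name not in may:
            violations.append(f'attribute "{name}" not allowed')
        if any(v == "" for v in values):  # DirectoryString needs >= 1 character
            violations.append(f'attribute "{name}" has an empty value')
    for name in sorted(must - set(entry)):
        violations.append(f'missing required attribute "{name}"')
    return violations
```

Feeding it the request from the TRACE log flags uid (and givenname) as not allowed and the empty sn/cn/givenname values; the attribute set of the successful ipa user-add entry passes once inetorgperson and posixaccount are among its object classes.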
