[keycloak-user] Error enabling 'Sync Registrations' for LDAP (FreeIPA) User Federation
Marek Posolda
mposolda at redhat.com
Mon Jun 13 03:54:48 EDT 2016
The "Sync registration" doesn't work with LDAP provider configured
against FreeIPA.
We are currently working on improving FreeIPA integration. It seems the
new users created in Keycloak will be registered to FreeIPA with SSSD,
not with LDAP. Using SSSD seems to be the preferred and more proper way
though.
Marek
On 12/06/16 01:10, Rafael Soares wrote:
> I'm testing Keycloak LDAP User Federation with FreeIPA iDM Server.
> I'm using the same environment used by @mposolda [1] with the
> @adelton's FreeIPA Docker container image [2].
>
> The integration (KC and FreeIPA) worked fine except for the sync for
> new users created on KC side (new registrations). When I enable the
> 'Sync Registrations' on the 'freeipa-ldap' User Federation and then
> try to add a new user using the KC Web Console I get the following error:
>
> KC server.log in TRACE mode:
>
> "
> 2016-06-11 22:33:37,568 TRACE
> [org.keycloak.models.cache.infinispan.RealmCacheSession] (default
> task-5) realm by name cache hit: master
> 2016-06-11 22:33:37,568 TRACE
> [org.keycloak.models.cache.infinispan.RealmCacheSession] (default
> task-5) by id cache hit: master
> 2016-06-11 22:33:37,569 DEBUG [org.keycloak.services] (default task-5)
> token active - active: true, issued-at: 1,465,684,397, not-before: 0
> 2016-06-11 22:33:37,569 TRACE
> [org.keycloak.models.cache.infinispan.UserCacheSession] (default
> task-5) getuserById 6f358dd3-3c20-4a84-b0b5-b02c77747a5a
> 2016-06-11 22:33:37,569 TRACE
> [org.keycloak.models.cache.infinispan.UserCacheSession] (default
> task-5) returning new cache adapter
> 2016-06-11 22:33:37,569 TRACE
> [org.keycloak.models.cache.infinispan.RealmCacheSession] (default
> task-5) client by name cache hit: security-admin-console
> 2016-06-11 22:33:37,569 TRACE
> [org.keycloak.models.cache.infinispan.RealmCacheSession] (default
> task-5) client by id cache hit: security-admin-console
> 2016-06-11 22:33:37,569 DEBUG [org.keycloak.services] (default task-5)
> authenticated admin access for: admin
> 2016-06-11 22:33:37,569 DEBUG [org.keycloak.services] (default task-5)
> No origin returning
> 2016-06-11 22:33:37,569 TRACE
> [org.keycloak.models.cache.infinispan.RealmCacheSession] (default
> task-5) realm by name cache hit: freeipa
> 2016-06-11 22:33:37,569 TRACE
> [org.keycloak.models.cache.infinispan.RealmCacheSession] (default
> task-5) by id cache hit: freeipa
> 2016-06-11 22:33:37,569 TRACE
> [org.keycloak.models.cache.infinispan.RealmCacheSession] (default
> task-5) by id cache hit: master
> 2016-06-11 22:33:37,569 TRACE
> [org.keycloak.models.cache.infinispan.RealmCacheSession] (default
> task-5) by id cache hit: master
> 2016-06-11 22:33:37,569 TRACE
> [org.keycloak.models.cache.infinispan.RealmCacheSession] (default
> task-5) by id cache hit: master
> 2016-06-11 22:33:37,569 TRACE
> [org.keycloak.models.cache.infinispan.RealmCacheSession] (default
> task-5) client by id cache hit: freeipa-realm
> 2016-06-11 22:33:37,569 TRACE
> [org.keycloak.models.cache.infinispan.RealmCacheSession] (default
> task-5) getClientRoles cache hit: freeipa-realm
> 2016-06-11 22:33:37,570 TRACE
> [org.keycloak.models.cache.infinispan.RealmCacheSession] (default
> task-5) getClientRoles cache hit: freeipa-realm
> 2016-06-11 22:33:37,570 TRACE
> [org.keycloak.models.cache.infinispan.UserCacheSession] (default
> task-5) getUserByUsername: kc_user1
> 2016-06-11 22:33:37,570 TRACE
> [org.keycloak.models.cache.infinispan.UserCacheSession] (default
> task-5) query null
> 2016-06-11 22:33:37,571 TRACE
> [org.keycloak.models.cache.infinispan.UserCacheSession] (default
> task-5) model from delegate null
> 2016-06-11 22:33:37,571 TRACE
> [org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore]
> (default task-5) Using filter for LDAP search:
> (&(uid=kc_user1)(objectclass=person)) . Searching in DN:
> cn=users,cn=accounts,dc=example,dc=test
> 2016-06-11 22:33:37,575 TRACE
> [org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore]
> (default task-5) Using filter for LDAP search:
> (&(mail=kc_user1@example.test)(objectclass=person)) . Searching in DN:
> cn=users,cn=accounts,dc=example,dc=test
> 2016-06-11 22:33:37,577 TRACE
> [org.keycloak.models.cache.infinispan.RealmCacheSession] (default
> task-5) getRealmRoles cache hit: freeipa
> 2016-06-11 22:33:37,578 TRACE
> [org.keycloak.models.cache.infinispan.RealmCacheSession] (default
> task-5) getClients cache hit: freeipa
> 2016-06-11 22:33:37,578 TRACE
> [org.keycloak.models.cache.infinispan.RealmCacheSession] (default
> task-5) client by id cache hit: broker
> 2016-06-11 22:33:37,578 TRACE
> [org.keycloak.models.cache.infinispan.RealmCacheSession] (default
> task-5) client by id cache hit: realm-management
> 2016-06-11 22:33:37,578 TRACE
> [org.keycloak.models.cache.infinispan.RealmCacheSession] (default
> task-5) client by id cache hit: liferay-saml-idp
> 2016-06-11 22:33:37,578 TRACE
> [org.keycloak.models.cache.infinispan.RealmCacheSession] (default
> task-5) client by id cache hit: security-admin-console
> 2016-06-11 22:33:37,578 TRACE
> [org.keycloak.models.cache.infinispan.RealmCacheSession] (default
> task-5) client by id cache hit: kitchensink
> 2016-06-11 22:33:37,579 TRACE
> [org.keycloak.models.cache.infinispan.RealmCacheSession] (default
> task-5) client by id cache hit: admin-cli
> 2016-06-11 22:33:37,579 TRACE
> [org.keycloak.models.cache.infinispan.RealmCacheSession] (default
> task-5) client by id cache hit: account
> 2016-06-11 22:33:37,579 TRACE
> [org.keycloak.models.cache.infinispan.RealmCacheSession] (default
> task-5) getClientRoles cache hit: account
> 2016-06-11 22:33:37,580 TRACE
> [org.keycloak.models.cache.infinispan.RealmCacheSession] (default
> task-5) getClientRoles cache hit: account
> 2016-06-11 22:33:37,581 TRACE
> [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager]
> (default task-5) Creating entry
> [uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test] with attributes: [
> 2016-06-11 22:33:37,583 TRACE
> [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager]
> (default task-5) objectclass = person
> 2016-06-11 22:33:37,583 TRACE
> [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager]
> (default task-5) givenname =
> 2016-06-11 22:33:37,583 TRACE
> [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager]
> (default task-5) sn =
> 2016-06-11 22:33:37,583 TRACE
> [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager]
> (default task-5) cn =
> 2016-06-11 22:33:37,583 TRACE
> [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager]
> (default task-5) ]
> 2016-06-11 22:33:37,607 ERROR [io.undertow.request] (default task-5)
> UT005023: Exception handling request to
> /auth/admin/realms/freeipa/users:
> org.jboss.resteasy.spi.UnhandledException:
> org.keycloak.models.ModelException: Error creating subcontext
> [uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test]
> at
> org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
> at
> org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
> at
> org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
>
> ... 37 more
> Caused by: javax.naming.directory.SchemaViolationException: [LDAP:
> error code 65 - attribute "uid" not allowed
> ]; remaining name 'uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test'
> at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3166)
> at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3081)
> at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2888)
> at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:812)
> at
> com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:341)
> at
> com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:268)
> at
> com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:256)
> at
> javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:197)
> at
> javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:197)
> at
> org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$7.execute(LDAPOperationManager.java:434)
> at
> org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$7.execute(LDAPOperationManager.java:431)
> at
> org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:536)
> at
> org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.createSubContext(LDAPOperationManager.java:431)
> ... 57 more"
>
>
> FreeIPA Server ldap srv log:
> ""
> tail -f /data/var/log/dirsrv/slapd-EXAMPLE-TEST/errors
>
> [11/Jun/2016:22:33:37 +0000] - Entry
> "uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test" -- attribute
> "uid" not allowed
> ""
>
> ----
>
> It appears FreeIPA LDAP server is refusing the attribute 'UID'
>
> Interestingly, the FreeIPA 'user_add' API operation states the
> 'uid' attribute is required:
>
>
> I tried to add a new user manually using the FreeIPA CLI and it worked
> fine. See the FreeIPA CLI output:
>
> "
> [root@ipa /]# ipa help user-add
> Usage: ipa [global-options] user-add LOGIN [options]
>
> Add a new user.
> Options:
> -h, --help show this help message and exit
> --first=STR First name
> --last=STR Last name
> --cn=STR Full name
> --displayname=STR Display name
> --initials=STR Initials
> --homedir=STR Home directory
> --gecos=STR GECOS
> --shell=STR Login shell
> --principal=STR Kerberos principal
> --principal-expiration=DATETIME
> Kerberos principal expiration
> --email=STR Email address
> --password Prompt to set the user password
> --random Generate a random user password
> --uid=INT User ID Number (system will assign one if not
> provided)
> --gidnumber=INT Group ID Number
> --street=STR Street address
> --city=STR City
> --state=STR State/Province
> --postalcode=STR ZIP
> --phone=STR Telephone Number
> --mobile=STR Mobile Telephone Number
> --pager=STR Pager Number
> --fax=STR Fax Number
> --orgunit=STR Org. Unit
> --title=STR Job Title
> --manager=STR Manager
> --carlicense=STR Car License
> --sshpubkey=STR SSH public key
> --user-auth-type=['password', 'radius', 'otp']
> Types of supported user authentication
> --class=STR User category (semantics placed on this
> attribute are
> for local interpretation)
> --radius=STR RADIUS proxy configuration
> --radius-username=STR
> RADIUS proxy username
> --departmentnumber=STR
> Department Number
> --employeenumber=STR Employee Number
> --employeetype=STR Employee Type
> --preferredlanguage=STR
> Preferred Language
> --certificate=BYTES Base-64 encoded server certificate
> --setattr=STR Set an attribute to a name/value pair. Format is
> attr=value. For multi-valued attributes, the
> command
> replaces the values already present.
> --addattr=STR Add an attribute/value pair. Format is
> attr=value. The
> attribute must be part of the schema.
> --noprivate Don't create user private group
> --all Retrieve and print all attributes from the server.
> Affects command output.
> --raw Print entries as stored on the server. Only
> affects
> output format.
>
> [root@ipa /]# ipa user-add ipa_user3 --first 'IPA 3' --last 'User3' --email 'ipa_user3@example.test' --all --raw
> ----------------------
> Added user "ipa_user3"
> ----------------------
> dn: uid=ipa_user3,cn=users,cn=accounts,dc=example,dc=test
> uid: ipa_user3
> givenname: IPA 3
> sn: User3
> cn: IPA 3 User3
> initials: IU
> homedirectory: /home/ipa_user3
> gecos: IPA 3 User3
> loginshell: /bin/sh
> mail: ipa_user3@example.test
> uidnumber: 753200006
> gidnumber: 753200006
> has_password: FALSE
> has_keytab: FALSE
> displayName: IPA 3 User3
> ipaUniqueID: 65f3f702-3021-11e6-b62c-0242ac110001
> krbPrincipalName: ipa_user3@EXAMPLE.TEST
> memberof: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=test
> mepManagedEntry: cn=ipa_user3,cn=groups,cn=accounts,dc=example,dc=test
> objectClass: ipaSshGroupOfPubKeys
> objectClass: ipaobject
> objectClass: mepOriginEntry
> objectClass: person
> objectClass: top
> objectClass: ipasshuser
> objectClass: inetorgperson
> objectClass: organizationalperson
> objectClass: krbticketpolicyaux
> objectClass: krbprincipalaux
> objectClass: inetuser
> objectClass: posixaccount
> "
>
> Can someone help me find what is wrong on the KC side? Maybe the KC
> mappers mechanism?
>
> Thanks in advance.
>
> [1] https://github.com/mposolda/keycloak-freeipa-docker
> [2] https://hub.docker.com/r/adelton/freeipa-server/
>
> --
> ___
> Rafael T. C. Soares
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
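The directory server's objection in the quoted trace can be reproduced offline. This is an added example, not part of the original thread and not Keycloak or FreeIPA code. The LDAPOperationManager trace shows the ADD carrying objectclass = person only; the standard person class (RFC 4519) allows just sn, cn, userPassword, telephoneNumber, seeAlso and description, so the uid taken from the RDN (and the givenName Keycloak also sends) have no objectClass that permits them, which is what 389-ds reports as "attribute uid not allowed". The script models that MUST/MAY check for the standard classes visible on the ipa user-add output (top, person, organizationalPerson, inetOrgPerson, posixAccount), transcribed from the RFCs; FreeIPA's own classes and per-value syntax checks are deliberately left out, and the sample entries, the mail value and the numeric ids are constructed.

```python
"""Offline model of the objectClass schema check a directory server performs on
an LDAP ADD. Added example, not Keycloak or FreeIPA code. Class definitions are
transcribed from RFC 4512/4519 (top, person, organizationalPerson), RFC 2798
(inetOrgPerson) and RFC 2307 (posixAccount). FreeIPA's own auxiliary classes
(ipaobject, krbprincipalaux, ...) and per-value syntax checks are not modelled,
so a clean result here is necessary, not sufficient, for a real ADD to succeed.
"""


def _lc(names):
    """LDAP attribute and class names are case-insensitive; compare lowercased."""
    return frozenset(n.lower() for n in names)


# class name -> (superior classes, MUST attributes, MAY attributes)
SCHEMA = {
    "top": (_lc([]), _lc(["objectClass"]), _lc([])),
    "person": (_lc(["top"]), _lc(["sn", "cn"]),
               _lc(["userPassword", "telephoneNumber", "seeAlso", "description"])),
    "organizationalperson": (_lc(["person"]), _lc([]), _lc([
        "title", "x121Address", "registeredAddress", "destinationIndicator",
        "preferredDeliveryMethod", "telexNumber", "teletexTerminalIdentifier",
        "telephoneNumber", "internationalISDNNumber", "facsimileTelephoneNumber",
        "street", "postOfficeBox", "postalCode", "postalAddress",
        "physicalDeliveryOfficeName", "ou", "st", "l"])),
    "inetorgperson": (_lc(["organizationalPerson"]), _lc([]), _lc([
        "audio", "businessCategory", "carLicense", "departmentNumber",
        "displayName", "employeeNumber", "employeeType", "givenName", "homePhone",
        "homePostalAddress", "initials", "jpegPhoto", "labeledURI", "mail",
        "manager", "mobile", "o", "pager", "photo", "roomNumber", "secretary",
        "uid", "userCertificate", "x500UniqueIdentifier", "preferredLanguage",
        "userSMIMECertificate", "userPKCS12"])),
    "posixaccount": (_lc(["top"]),
                     _lc(["cn", "uid", "uidNumber", "gidNumber", "homeDirectory"]),
                     _lc(["userPassword", "loginShell", "gecos", "description"])),
}


def expand(object_classes):
    """Return the given classes plus all their superiors (lowercase names)."""
    seen, stack = set(), [oc.lower() for oc in object_classes]
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        if name not in SCHEMA:
            raise KeyError(f"objectClass {name!r} is not in the modelled schema")
        seen.add(name)
        stack.extend(SCHEMA[name][0])
    return seen


def check_entry(dn, attributes):
    """Schema-check an ADD of `attributes` (name -> value or list of values).

    The RDN attribute (uid in uid=kc_user1,...) is counted as present because
    the server requires it to appear in the entry. Returns the sorted lists
    (not_allowed, missing_must); two empty lists mean the check passes.
    """
    attrs = _lc(attributes) | _lc([dn.split(",", 1)[0].split("=", 1)[0].strip()])
    ocs = next((v for k, v in attributes.items() if k.lower() == "objectclass"), None)
    if ocs is None:
        raise ValueError("entry has no objectClass attribute")
    classes = expand([ocs] if isinstance(ocs, str) else ocs)
    must = frozenset().union(*(SCHEMA[c][1] for c in classes))
    may = frozenset().union(*(SCHEMA[c][2] for c in classes))
    return sorted(attrs - (must | may)), sorted(must - attrs)


DN = "uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test"

# Constructed from the LDAPOperationManager trace above, which shows only
# objectclass = person being sent, with empty givenname, sn and cn.
KEYCLOAK_TRACE_ENTRY = {"objectclass": "person", "givenname": "", "sn": "", "cn": ""}

# Constructed entry using the standard classes on the ipa user-add output above
# (FreeIPA-specific classes left out); the attribute values are made up.
IPA_STYLE_ENTRY = {
    "objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson",
                    "posixAccount"],
    "uid": "kc_user1", "givenName": "KC", "sn": "User1", "cn": "KC User1",
    "mail": "kc_user1@example.test",
}


def keycloak_trace_result():
    return check_entry(DN, KEYCLOAK_TRACE_ENTRY)


def ipa_style_result(with_posix_ids=False):
    entry = dict(IPA_STYLE_ENTRY)
    if with_posix_ids:  # posixAccount MUSTs that the inetOrgPerson set lacks
        entry.update(uidNumber="753200007", gidNumber="753200007",
                     homeDirectory="/home/kc_user1")
    return check_entry(DN, entry)


if __name__ == "__main__":
    print("person only:          ", keycloak_trace_result())
    print("inetOrgPerson + posix:", ipa_style_result())
    print("... plus posix ids:   ", ipa_style_result(True))
```

Run stand-alone, it reports that the person-only entry is refused for givenname and uid, that a class set including inetOrgPerson makes uid, givenName and mail admissible, and that posixAccount then demands uidNumber, gidNumber and homeDirectory at the schema level. Whether a particular FreeIPA deployment supplies those itself on a raw LDAP ADD is not something the thread establishes, so verify any candidate "User Object Classes" setting against the real server (a test ADD, then `ipa user-show --all --raw`) rather than against this model.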