[keycloak-user] SSSD plugin to write to freeIPA

Bruno Oliveira bruno at abstractj.org
Wed Apr 4 16:42:21 EDT 2018


Hi Matthew,

The SSSD federation provider on Keycloak is read-only; this is because
the SSSD D-Bus interface is read-only. In order to do the automatic
provisioning of users from Keycloak to IPA, I see two alternatives:

1. Provide a writeable SSSD interface
2. Provide RESTful endpoints on IPA server for it

I'd guess that option 2 would be the easiest path to pursue, but
honestly, I have no clue if there are endpoints for it. I would suggest
first checking if there's any way to provision users on the IPA server
through RESTful endpoints, and then taking a look at our documentation
about how to implement a custom provider[1]. We also have some examples
here[2].

Does it help?

[1] - http://www.keycloak.org/docs/latest/server_development/index.html#provider-interfaces
[2] - https://github.com/keycloak/keycloak/tree/master/examples/providers/user-storage-simple


On 2018-04-04, Matthew Beliveau wrote:
> Hello,
> 
> I need to write a plug-in to write to a freeIPA server when logging in through Keycloak. I was looking through the SSSD code on the Keycloak GitHub to try and find a place where I could place a plug-in. Although, I am not quite sure where to begin or how to implement it. It would be great if you could point me in the right direction and give me a couple of tips to help me begin this process. The goal of the whole effort is to do automatic provisioning of the users into IPA when Keycloak is used for federation.
> 
> My current environment:
> Keycloak-A connected to IPA-A with an Apache App connected to the Keycloak server and Keycloak-B connected to IPA-B. I have the Keycloak-A connected to Keycloak-B and I want to write a user from IPA-B to IPA-A when I try to log into my app with a user from IPA-B.
> 
> Where I have already looked:
> https://github.com/keycloak/keycloak/pull/3761/files
> https://github.com/keycloak/keycloak/blob/master/federation/sssd/src/main/java/org/keycloak/federation/sssd/ReadonlySSSDUserModelDelegate.java
> https://github.com/keycloak/keycloak/blob/master/federation/sssd/src/main/java/org/keycloak/federation/sssd/SSSDFederationProvider.java
> 
> Any help would be gratefully appreciated.
> Thank you,
> 
> Matthew Beliveau

-- 

abstractj
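
Added example (not part of the original message and not Keycloak or FreeIPA project code): FreeIPA servers expose a JSON-RPC API over HTTPS whose `user_add` command creates a user, which is one way to realise option 2 above. The Python below maps the claims of a brokered login to that call, rejects unsafe usernames before they reach IPA, and treats "already exists" as success because provisioning would run on every login. Assumptions: the claim names, the host name, the API version string, the username pattern, and an `ipa_session` cookie already obtained for a least-privileged IPA account.

```python
import json
import re
import urllib.request

# Conservative login pattern chosen for this example (not FreeIPA's own rule).
USERNAME_RE = re.compile(r"^[a-z0-9_][a-z0-9_.-]{0,31}$")
DUPLICATE_ENTRY = 4002  # errno of ipalib.errors.DuplicateEntry
# Constructed sample claims, as a custom provider might receive them.
SAMPLE_CLAIMS = {"preferred_username": "jdoe", "given_name": "Jane",
                 "family_name": "Doe", "email": "jdoe@ipa-b.example"}


def build_user_add(claims, api_version="2.230"):
    """Map claims from the brokered login to an IPA user_add JSON-RPC call."""
    uid = str(claims.get("preferred_username") or "").lower()
    if not USERNAME_RE.fullmatch(uid):
        raise ValueError("refusing to provision unsafe username: %r" % uid)
    first, last = claims.get("given_name"), claims.get("family_name")
    if not first or not last:
        raise ValueError("user_add needs both a first and a last name")
    opts = {"givenname": first, "sn": last, "version": api_version}
    if claims.get("email"):
        opts["mail"] = [claims["email"]]
    return {"method": "user_add", "params": [[uid], opts], "id": 0}


def interpret(reply):
    """Return 'created' or 'exists'; raise on any other server error."""
    err = reply.get("error")
    if err is None:
        return "created"
    if err.get("code") == DUPLICATE_ENTRY:
        return "exists"  # expected on every login after the first
    raise RuntimeError("IPA rejected user_add: %s" % err.get("message"))


def provision(ipa_host, session_cookie, claims):
    """POST the call over TLS using an authenticated ipa_session cookie."""
    req = urllib.request.Request(
        "https://%s/ipa/session/json" % ipa_host,
        data=json.dumps(build_user_add(claims)).encode(),
        headers={
            "Content-Type": "application/json",
            "Referer": "https://%s/ipa" % ipa_host,  # IPA checks this header
            "Cookie": session_cookie,
        },
    )
    with urllib.request.urlopen(req, timeout=10) as resp:  # default TLS verification
        return interpret(json.load(resp))
```

In a custom Keycloak provider the same request would be issued from Java; the account behind the session cookie only needs permission to add users.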

