<div dir="ltr"><div>I'm testing Keycloak LDAP User Federation with the FreeIPA IdM Server.<br>I'm using the same environment used by @mposolda [1] with @adelton's FreeIPA Docker container image [2].<br><br>The integration (KC and FreeIPA) worked fine except for the sync of new users created on the KC side (new registrations). When I enable 'Sync Registrations' on the 'freeipa-ldap' User Federation and then try to add a new user using the KC Web Console, I get the following error:<br> <br><img src="cid:ii_ipbrjld60_15541b00dbfbe91c" height="477" width="563"><br><br><br>KC server.log in TRACE mode:<br><br>"<br><font size="1"><span style="font-family:monospace,monospace">2016-06-11 22:33:37,568 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) realm by name cache hit: master<br>2016-06-11 22:33:37,568 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) by id cache hit: master<br>2016-06-11 22:33:37,569 DEBUG [org.keycloak.services] (default task-5) token active - active: true, issued-at: 1,465,684,397, not-before: 0<br>2016-06-11 22:33:37,569 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-5) getuserById 6f358dd3-3c20-4a84-b0b5-b02c77747a5a<br>2016-06-11 22:33:37,569 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-5) returning new cache adapter<br>2016-06-11 22:33:37,569 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) client by name cache hit: security-admin-console<br>2016-06-11 22:33:37,569 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) client by id cache hit: security-admin-console<br>2016-06-11 22:33:37,569 DEBUG [org.keycloak.services] (default task-5) authenticated admin access for: admin<br>2016-06-11 22:33:37,569 DEBUG [org.keycloak.services] (default task-5) No origin returning<br>2016-06-11 22:33:37,569 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) 
realm by name cache hit: freeipa<br>2016-06-11 22:33:37,569 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) by id cache hit: freeipa<br>2016-06-11 22:33:37,569 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) by id cache hit: master<br>2016-06-11 22:33:37,569 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) by id cache hit: master<br>2016-06-11 22:33:37,569 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) by id cache hit: master<br>2016-06-11 22:33:37,569 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) client by id cache hit: freeipa-realm<br>2016-06-11 22:33:37,569 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) getClientRoles cache hit: freeipa-realm<br>2016-06-11 22:33:37,570 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) getClientRoles cache hit: freeipa-realm<br>2016-06-11 22:33:37,570 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-5) getUserByUsername: kc_user1<br>2016-06-11 22:33:37,570 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-5) query null<br>2016-06-11 22:33:37,571 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-5) model from delegate null<br>2016-06-11 22:33:37,571 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore] (default task-5) Using filter for LDAP search: (&(uid=kc_user1)(objectclass=person)) . Searching in DN: cn=users,cn=accounts,dc=example,dc=test<br>2016-06-11 22:33:37,575 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore] (default task-5) Using filter for LDAP search: (&(mail=kc_user1@example.test)(objectclass=person)) . 
Searching in DN: cn=users,cn=accounts,dc=example,dc=test<br>2016-06-11 22:33:37,577 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) getRealmRoles cache hit: freeipa<br>2016-06-11 22:33:37,578 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) getClients cache hit: freeipa<br>2016-06-11 22:33:37,578 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) client by id cache hit: broker<br>2016-06-11 22:33:37,578 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) client by id cache hit: realm-management<br>2016-06-11 22:33:37,578 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) client by id cache hit: liferay-saml-idp<br>2016-06-11 22:33:37,578 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) client by id cache hit: security-admin-console<br>2016-06-11 22:33:37,578 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) client by id cache hit: kitchensink<br>2016-06-11 22:33:37,579 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) client by id cache hit: admin-cli<br>2016-06-11 22:33:37,579 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) client by id cache hit: account<br>2016-06-11 22:33:37,579 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) getClientRoles cache hit: account<br>2016-06-11 22:33:37,580 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) getClientRoles cache hit: account<br>2016-06-11 22:33:37,581 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default task-5) Creating entry [uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test] with attributes: [<br>2016-06-11 22:33:37,583 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default task-5) objectclass = person<br>2016-06-11 22:33:37,583 
TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default task-5) givenname = <br>2016-06-11 22:33:37,583 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default task-5) sn = <br>2016-06-11 22:33:37,583 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default task-5) cn = <br>2016-06-11 22:33:37,583 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default task-5) ]<br>2016-06-11 22:33:37,607 ERROR [io.undertow.request] (default task-5) UT005023: Exception handling request to /auth/admin/realms/freeipa/users: org.jboss.resteasy.spi.UnhandledException: org.keycloak.models.ModelException: Error creating subcontext [uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test]<br> at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)<br> at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)<br> at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)<br> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411)<br> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)<br> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)<br> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)<br> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)<br> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)<br> at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)<br> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)<br> at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:88)<br> at 
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)<br> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)<br> at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)<br> at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)<br> at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)<br> at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)<br> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)<br> at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)<br> at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)<br> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)<br> at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)<br> at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)<br> at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)<br> at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)<br> at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)<br> at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)<br> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)<br> at 
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)<br> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)<br> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)<br> at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)<br> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)<br> at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)<br> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)<br> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)<br> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)<br> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)<br> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)<br> at java.lang.Thread.run(Thread.java:745)<br>Caused by: org.keycloak.models.ModelException: Error creating subcontext [uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test]<br> at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.createSubContext(LDAPOperationManager.java:442)<br> at org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore.add(LDAPIdentityStore.java:92)<br> at org.keycloak.federation.ldap.LDAPUtils.addUserToLDAP(LDAPUtils.java:71)<br> at org.keycloak.federation.ldap.LDAPFederationProvider.register(LDAPFederationProvider.java:171)<br> at org.keycloak.models.UserFederationManager.registerWithFederation(UserFederationManager.java:72)<br> at org.keycloak.models.UserFederationManager.addUser(UserFederationManager.java:64)<br> at org.keycloak.services.resources.admin.UsersResource.createUser(UsersResource.java:213)<br> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)<br> at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)<br> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)<br> at java.lang.reflect.Method.invoke(Method.java:498)<br> at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)<br> at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)<br> at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)<br> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)<br> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)<br> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)<br> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)<br> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)<br> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)<br> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)<br> ... 
37 more<br>Caused by: javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - attribute "uid" not allowed<br>]; remaining name 'uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test'<br> at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3166)<br> at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3081)<br> at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2888)<br> at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:812)<br> at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:341)<br> at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:268)<br> at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:256)<br> at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:197)<br> at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:197)<br> at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$7.execute(LDAPOperationManager.java:434)<br> at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$7.execute(LDAPOperationManager.java:431)<br> at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:536)<br> at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.createSubContext(LDAPOperationManager.java:431)<br> ... 
57 more</span></font>"<br><br><br>FreeIPA server LDAP log:<br>""<br>tail -f /data/var/log/dirsrv/slapd-EXAMPLE-TEST/errors<br><br>[11/Jun/2016:22:33:37 +0000] - Entry "uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test" -- attribute "uid" not allowed<br>""<br><br>----<br><br>It appears the FreeIPA LDAP server is refusing the attribute 'uid'.<br><br></div>Interestingly, the FreeIPA 'user_add' API operation states that the 'uid' attribute is required:<br><br><img src="cid:ii_ipbrmy0v2_15541b26e12ff848" height="451" width="563"><br><br><div><br><br>I tried to add a new user manually using the FreeIPA CLI and it worked fine. See the FreeIPA CLI output:<br><br>"<br><font size="1"><span style="font-family:monospace,monospace">[root@ipa /]# ipa help user-add<br>Usage: ipa [global-options] user-add LOGIN [options]<br><br>Add a new user.<br>Options:<br> -h, --help show this help message and exit<br> --first=STR First name<br> --last=STR Last name<br> --cn=STR Full name<br> --displayname=STR Display name<br> --initials=STR Initials<br> --homedir=STR Home directory<br> --gecos=STR GECOS<br> --shell=STR Login shell<br> --principal=STR Kerberos principal<br> --principal-expiration=DATETIME<br> Kerberos principal expiration<br> --email=STR Email address<br> --password Prompt to set the user password<br> --random Generate a random user password<br> --uid=INT User ID Number (system will assign one if not<br> provided)<br> --gidnumber=INT Group ID Number<br> --street=STR Street address<br> --city=STR City<br> --state=STR State/Province<br> --postalcode=STR ZIP<br> --phone=STR Telephone Number<br> --mobile=STR Mobile Telephone Number<br> --pager=STR Pager Number<br> --fax=STR Fax Number<br> --orgunit=STR Org. 
Unit<br> --title=STR Job Title<br> --manager=STR Manager<br> --carlicense=STR Car License<br> --sshpubkey=STR SSH public key<br> --user-auth-type=['password', 'radius', 'otp']<br> Types of supported user authentication<br> --class=STR User category (semantics placed on this attribute are<br> for local interpretation)<br> --radius=STR RADIUS proxy configuration<br> --radius-username=STR<br> RADIUS proxy username<br> --departmentnumber=STR<br> Department Number<br> --employeenumber=STR Employee Number<br> --employeetype=STR Employee Type<br> --preferredlanguage=STR<br> Preferred Language<br> --certificate=BYTES Base-64 encoded server certificate<br> --setattr=STR Set an attribute to a name/value pair. Format is<br> attr=value. For multi-valued attributes, the command<br> replaces the values already present.<br> --addattr=STR Add an attribute/value pair. Format is attr=value. The<br> attribute must be part of the schema.<br> --noprivate Don't create user private group<br> --all Retrieve and print all attributes from the server.<br> Affects command output.<br> --raw Print entries as stored on the server. 
Only affects<br> output format.<br><br> [root@ipa /]# ipa user-add ipa_user3 --first 'IPA 3' --last 'User3' --email 'ipa_user3@example.test' --all --raw<br> ----------------------<br> Added user "ipa_user3"<br> ----------------------<br> dn: uid=ipa_user3,cn=users,cn=accounts,dc=example,dc=test<br> uid: ipa_user3<br> givenname: IPA 3<br> sn: User3<br> cn: IPA 3 User3<br> initials: IU<br> homedirectory: /home/ipa_user3<br> gecos: IPA 3 User3<br> loginshell: /bin/sh<br> mail: ipa_user3@example.test<br> uidnumber: 753200006<br> gidnumber: 753200006<br> has_password: FALSE<br> has_keytab: FALSE<br> displayName: IPA 3 User3<br> ipaUniqueID: 65f3f702-3021-11e6-b62c-0242ac110001<br> krbPrincipalName: ipa_user3@EXAMPLE.TEST<br> memberof: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=test<br> mepManagedEntry: cn=ipa_user3,cn=groups,cn=accounts,dc=example,dc=test<br> objectClass: ipaSshGroupOfPubKeys<br> objectClass: ipaobject<br> objectClass: mepOriginEntry<br> objectClass: person<br> objectClass: top<br> objectClass: ipasshuser<br> objectClass: inetorgperson<br> objectClass: organizationalperson<br> objectClass: krbticketpolicyaux<br> objectClass: krbprincipalaux<br> objectClass: inetuser<br> objectClass: posixaccount</span></font> <br>"<br><br>Can someone help me find what is wrong on the KC side? Maybe the KC mappers mechanism?<br><br><img src="cid:ii_ipbrk9631_15541b084a43cd3d" height="523" width="563"><br><br><br>Thanks in advance.<br><br>[1] <a href="https://github.com/mposolda/keycloak-freeipa-docker">https://github.com/mposolda/keycloak-freeipa-docker</a><br>[2] <a href="https://hub.docker.com/r/adelton/freeipa-server/">https://hub.docker.com/r/adelton/freeipa-server/</a><br clear="all"><br>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><pre cols="72">___
Rafael T. C. Soares</pre>
</div></div>
</div></div>
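Added example (not part of the post, and not Keycloak or FreeIPA code): the Keycloak trace above shows the add request carrying only objectclass = person, with empty givenname, sn and cn, while the entry that ipa user-add creates carries inetorgperson, posixaccount and several other classes. The script below parses that trace, reconstructs the add request (including the uid taken from the RDN, which the server treats as part of the entry), and checks it against a hand-written extract of the standard object classes: person and organizationalPerson from RFC 4519, inetOrgPerson from RFC 2798 and posixAccount from RFC 2307. uid is defined only by inetOrgPerson (MAY) and posixAccount (MUST), so a person-only entry named uid=... is an objectClassViolation, which is LDAP result code 65. The attribute lists in the table are subsets, FreeIPA-specific classes such as ipaobject are ignored, the trace lines are copied from the post, and the ipa_user3 entry is transcribed from the ipa user-add output.

```python
"""Check an LDAP add request against the object classes it declares.

Added example, not Keycloak or FreeIPA code. SCHEMA is a hand-written
(constructed) extract: person and organizationalPerson from RFC 4519,
inetOrgPerson from RFC 2798, posixAccount from RFC 2307. The MAY lists
for organizationalPerson and inetOrgPerson are subsets of the RFC lists.
"""
import re
from typing import Dict, List, Set, Tuple

# class -> (SUP class, MUST attributes, MAY attributes); all names lower-cased.
SCHEMA = {
    "top": (None, {"objectclass"}, set()),
    "person": ("top", {"sn", "cn"},
               {"userpassword", "telephonenumber", "seealso", "description"}),
    "organizationalperson": ("person", set(),
                             {"title", "ou", "l", "st", "street", "postalcode"}),
    "inetorgperson": ("organizationalperson", set(),
                      {"uid", "mail", "givenname", "initials", "displayname",
                       "employeenumber", "employeetype", "manager", "mobile"}),
    "posixaccount": ("top", {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"},
                     {"userpassword", "loginshell", "gecos", "description"}),
}


def allowed_attributes(object_classes) -> Tuple[Set[str], Set[str]]:
    """Return (must, may) for the given classes, following each SUP chain.
    Classes absent from SCHEMA (e.g. FreeIPA's ipaobject) are ignored."""
    must, may, seen = set(), set(), set()
    todo = [oc.lower() for oc in object_classes]
    while todo:
        oc = todo.pop()
        if oc in seen or oc not in SCHEMA:
            continue
        seen.add(oc)
        sup, m, o = SCHEMA[oc]
        must |= m
        may |= o
        if sup:
            todo.append(sup)
    return must, may


def check_entry(dn: str, attrs: Dict[str, List[str]]) -> Tuple[Set[str], Set[str]]:
    """Return (attributes not permitted by the classes, MUST attributes missing).
    The RDN attribute (uid in uid=...,cn=users,...) belongs to the entry whether
    or not it was listed explicitly, which is how the directory server sees it."""
    attrs = {k.lower(): v for k, v in attrs.items()}
    present = {k for k, v in attrs.items() if v}   # assumption: empty values are not sent
    present.add(dn.split(",", 1)[0].split("=", 1)[0].strip().lower())
    must, may = allowed_attributes(attrs.get("objectclass", []))
    return present - (must | may), must - present


# Keycloak trace format as seen in the post: a "Creating entry [...]" line,
# one "name = value" line per attribute, then a line ending in "]".
_START = re.compile(r"Creating entry \[(?P<dn>[^\]]+)\] with attributes: \[")
_ATTR = re.compile(r"\(default task-\d+\) (?P<name>\w+) =\s*(?P<value>.*)$")
_END = re.compile(r"\(default task-\d+\) \]\s*$")


def parse_keycloak_add_trace(lines) -> Tuple[str, Dict[str, List[str]]]:
    """Extract (dn, attributes) of the first LDAP add request in the trace lines."""
    dn, attrs = "", {}
    for line in lines:
        if not dn:
            m = _START.search(line)
            if m:
                dn = m.group("dn")
            continue
        if _END.search(line):
            break
        m = _ATTR.search(line)
        if m:
            values = attrs.setdefault(m.group("name").lower(), [])
            if m.group("value").strip():
                values.append(m.group("value").strip())
    return dn, attrs


def check_keycloak_trace(lines) -> Tuple[Set[str], Set[str]]:
    dn, attrs = parse_keycloak_add_trace(lines)
    return check_entry(dn, attrs)


# Trace lines copied from the post (the failing kc_user1 registration).
KEYCLOAK_TRACE = """\
2016-06-11 22:33:37,581 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default task-5) Creating entry [uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test] with attributes: [
2016-06-11 22:33:37,583 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default task-5) objectclass = person
2016-06-11 22:33:37,583 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default task-5) givenname =
2016-06-11 22:33:37,583 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default task-5) sn =
2016-06-11 22:33:37,583 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default task-5) cn =
2016-06-11 22:33:37,583 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default task-5) ]
""".splitlines()

# Transcribed from the "ipa user-add ipa_user3 --all --raw" output in the post.
IPA_DN = "uid=ipa_user3,cn=users,cn=accounts,dc=example,dc=test"
IPA_ENTRY = {
    "objectClass": ["top", "person", "organizationalperson", "inetorgperson",
                    "posixaccount", "ipaobject", "inetuser"],
    "uid": ["ipa_user3"], "givenname": ["IPA 3"], "sn": ["User3"],
    "cn": ["IPA 3 User3"], "initials": ["IU"], "displayName": ["IPA 3 User3"],
    "homedirectory": ["/home/ipa_user3"], "gecos": ["IPA 3 User3"],
    "loginshell": ["/bin/sh"], "mail": ["ipa_user3@example.test"],
    "uidnumber": ["753200006"], "gidnumber": ["753200006"],
}

if __name__ == "__main__":
    for label, (bad, missing) in (("keycloak kc_user1", check_keycloak_trace(KEYCLOAK_TRACE)),
                                  ("ipa user-add ipa_user3", check_entry(IPA_DN, IPA_ENTRY))):
        print(f"{label}: not allowed={sorted(bad)} missing MUST={sorted(missing)}")
```

Run as-is, the kc_user1 request reports uid as not permitted and sn/cn as missing, matching the dirsrv error, while the ipa_user3 entry passes. The same check with inetorgperson in place of person (and non-empty sn/cn) passes too, so the thing to compare against this table is the list of object classes the federation provider is configured to put on new entries.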