<html>
  <head>
    <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">The "Sync registration" doesn't work
      with an LDAP provider configured against FreeIPA. <br>
      <br>
      We are currently working on improving FreeIPA integration. It seems
      the new users created in Keycloak will be registered to FreeIPA
      with SSSD, not with LDAP. Using SSSD seems to be the preferred and
      more proper way though.<br>
      <br>
      Marek<br>
      <br>
      On 12/06/16 01:10, Rafael Soares wrote:<br>
    </div>
    <blockquote
cite="mid:CAK6emKNiAtcYo6YCj8fZpy77W+74UqKL7pqKgx4m5mpkrgq3dQ@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div>I'm testing Keycloak LDAP User Federation with the FreeIPA IdM
          Server.<br>
          I'm using the same environment used by @mposolda [1] with
          @adelton's FreeIPA Docker container image [2].<br>
          <br>
          The integration (KC and FreeIPA) worked fine except for the
          sync of new users created on the KC side (new registrations).
          When I enable 'Sync Registrations' on the 'freeipa-ldap'
          User Federation and then try to add a new user using the KC
          Web Console I get the following error:<br>
           <br>
          <img tabindex="0" class=""
            src="cid:part1.01070802.09070208@redhat.com" height="477"
            width="563"><br>
          <br>
          KC server.log in TRACE mode:<br>
          <br>
          "<br>
          <font size="1"><span style="font-family:monospace,monospace">2016-06-11
              22:33:37,568 TRACE
              [org.keycloak.models.cache.infinispan.RealmCacheSession]
              (default task-5) realm by name cache hit: master<br>
              2016-06-11 22:33:37,568 TRACE
              [org.keycloak.models.cache.infinispan.RealmCacheSession]
              (default task-5) by id cache hit: master<br>
              2016-06-11 22:33:37,569 DEBUG [org.keycloak.services]
              (default task-5) token active - active: true, issued-at:
              1,465,684,397, not-before: 0<br>
              2016-06-11 22:33:37,569 TRACE
              [org.keycloak.models.cache.infinispan.UserCacheSession]
              (default task-5) getuserById
              6f358dd3-3c20-4a84-b0b5-b02c77747a5a<br>
              2016-06-11 22:33:37,569 TRACE
              [org.keycloak.models.cache.infinispan.UserCacheSession]
              (default task-5) returning new cache adapter<br>
              2016-06-11 22:33:37,569 TRACE
              [org.keycloak.models.cache.infinispan.RealmCacheSession]
              (default task-5) client by name cache hit:
              security-admin-console<br>
              2016-06-11 22:33:37,569 TRACE
              [org.keycloak.models.cache.infinispan.RealmCacheSession]
              (default task-5) client by id cache hit:
              security-admin-console<br>
              2016-06-11 22:33:37,569 DEBUG [org.keycloak.services]
              (default task-5) authenticated admin access for: admin<br>
              2016-06-11 22:33:37,569 DEBUG [org.keycloak.services]
              (default task-5) No origin returning<br>
              2016-06-11 22:33:37,569 TRACE
              [org.keycloak.models.cache.infinispan.RealmCacheSession]
              (default task-5) realm by name cache hit: freeipa<br>
              2016-06-11 22:33:37,569 TRACE
              [org.keycloak.models.cache.infinispan.RealmCacheSession]
              (default task-5) by id cache hit: freeipa<br>
              2016-06-11 22:33:37,569 TRACE
              [org.keycloak.models.cache.infinispan.RealmCacheSession]
              (default task-5) by id cache hit: master<br>
              2016-06-11 22:33:37,569 TRACE
              [org.keycloak.models.cache.infinispan.RealmCacheSession]
              (default task-5) by id cache hit: master<br>
              2016-06-11 22:33:37,569 TRACE
              [org.keycloak.models.cache.infinispan.RealmCacheSession]
              (default task-5) by id cache hit: master<br>
              2016-06-11 22:33:37,569 TRACE
              [org.keycloak.models.cache.infinispan.RealmCacheSession]
              (default task-5) client by id cache hit: freeipa-realm<br>
              2016-06-11 22:33:37,569 TRACE
              [org.keycloak.models.cache.infinispan.RealmCacheSession]
              (default task-5) getClientRoles cache hit: freeipa-realm<br>
              2016-06-11 22:33:37,570 TRACE
              [org.keycloak.models.cache.infinispan.RealmCacheSession]
              (default task-5) getClientRoles cache hit: freeipa-realm<br>
              2016-06-11 22:33:37,570 TRACE
              [org.keycloak.models.cache.infinispan.UserCacheSession]
              (default task-5) getUserByUsername: kc_user1<br>
              2016-06-11 22:33:37,570 TRACE
              [org.keycloak.models.cache.infinispan.UserCacheSession]
              (default task-5) query null<br>
              2016-06-11 22:33:37,571 TRACE
              [org.keycloak.models.cache.infinispan.UserCacheSession]
              (default task-5) model from delegate null<br>
              2016-06-11 22:33:37,571 TRACE
              [org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore]
              (default task-5) Using filter for LDAP search:
              (&amp;(uid=kc_user1)(objectclass=person)) . Searching in
              DN: cn=users,cn=accounts,dc=example,dc=test<br>
              2016-06-11 22:33:37,575 TRACE
              [org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore]
              (default task-5) Using filter for LDAP search:
              (&amp;(mail=kc_user1@example.test)(objectclass=person)) .
              Searching in DN: cn=users,cn=accounts,dc=example,dc=test<br>
              2016-06-11 22:33:37,577 TRACE
              [org.keycloak.models.cache.infinispan.RealmCacheSession]
              (default task-5) getRealmRoles cache hit: freeipa<br>
              2016-06-11 22:33:37,578 TRACE
              [org.keycloak.models.cache.infinispan.RealmCacheSession]
              (default task-5) getClients cache hit: freeipa<br>
              2016-06-11 22:33:37,578 TRACE
              [org.keycloak.models.cache.infinispan.RealmCacheSession]
              (default task-5) client by id cache hit: broker<br>
              2016-06-11 22:33:37,578 TRACE
              [org.keycloak.models.cache.infinispan.RealmCacheSession]
              (default task-5) client by id cache hit: realm-management<br>
              2016-06-11 22:33:37,578 TRACE
              [org.keycloak.models.cache.infinispan.RealmCacheSession]
              (default task-5) client by id cache hit: liferay-saml-idp<br>
              2016-06-11 22:33:37,578 TRACE
              [org.keycloak.models.cache.infinispan.RealmCacheSession]
              (default task-5) client by id cache hit:
              security-admin-console<br>
              2016-06-11 22:33:37,578 TRACE
              [org.keycloak.models.cache.infinispan.RealmCacheSession]
              (default task-5) client by id cache hit: kitchensink<br>
              2016-06-11 22:33:37,579 TRACE
              [org.keycloak.models.cache.infinispan.RealmCacheSession]
              (default task-5) client by id cache hit: admin-cli<br>
              2016-06-11 22:33:37,579 TRACE
              [org.keycloak.models.cache.infinispan.RealmCacheSession]
              (default task-5) client by id cache hit: account<br>
              2016-06-11 22:33:37,579 TRACE
              [org.keycloak.models.cache.infinispan.RealmCacheSession]
              (default task-5) getClientRoles cache hit: account<br>
              2016-06-11 22:33:37,580 TRACE
              [org.keycloak.models.cache.infinispan.RealmCacheSession]
              (default task-5) getClientRoles cache hit: account<br>
              2016-06-11 22:33:37,581 TRACE
              [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager]
              (default task-5) Creating entry
              [uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test]
              with attributes: [<br>
              2016-06-11 22:33:37,583 TRACE
              [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager]
              (default task-5)   objectclass = person<br>
              2016-06-11 22:33:37,583 TRACE
              [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager]
              (default task-5)   givenname =  <br>
              2016-06-11 22:33:37,583 TRACE
              [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager]
              (default task-5)   sn =  <br>
              2016-06-11 22:33:37,583 TRACE
              [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager]
              (default task-5)   cn =  <br>
              2016-06-11 22:33:37,583 TRACE
              [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager]
              (default task-5) ]<br>
              2016-06-11 22:33:37,607 ERROR [io.undertow.request]
              (default task-5) UT005023: Exception handling request to
              /auth/admin/realms/freeipa/users:
              org.jboss.resteasy.spi.UnhandledException:
              org.keycloak.models.ModelException: Error creating
              subcontext
              [uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test]<br>
                  at
org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)<br>
                  at
org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)<br>
                  at
org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)<br>
                  <br>
                  ... 37 more<br>
              Caused by:
              javax.naming.directory.SchemaViolationException: [LDAP:
              error code 65 - attribute "uid" not allowed<br>
              ]; remaining name
              'uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test'<br>
                  at
              com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3166)<br>
                  at
              com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3081)<br>
                  at
              com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2888)<br>
                  at
              com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:812)<br>
                  at
com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:341)<br>
                  at
com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:268)<br>
                  at
com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:256)<br>
                  at
javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:197)<br>
                  at
javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:197)<br>
                  at
org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$7.execute(LDAPOperationManager.java:434)<br>
                  at
org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$7.execute(LDAPOperationManager.java:431)<br>
                  at
org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:536)<br>
                  at
org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.createSubContext(LDAPOperationManager.java:431)<br>
                  ... 57 more</span></font>"<br>
          <br>
          <br>
          FreeIPA Server ldap srv log:<br>
          ""<br>
          tail -f /data/var/log/dirsrv/slapd-EXAMPLE-TEST/errors<br>
          <br>
          [11/Jun/2016:22:33:37 +0000] - Entry
          "uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test" --
          attribute "uid" not allowed<br>
          ""<br>
          <br>
          ----<br>
          <br>
          It appears the FreeIPA LDAP server is refusing the attribute 'UID'<br>
          <br>
        </div>
        Interestingly, the FreeIPA 'user_add' API operation states that
        the 'uid' attribute is required:<br>
        <br>
        <img tabindex="0" class=""
          src="cid:part2.09080907.08080009@redhat.com" height="451"
          width="563"><br>
        <br>
        <br>
        I tried to add a new user manually using the FreeIPA CLI and it
        worked fine. See the FreeIPA CLI output:<br>
        <br>
        "<br>
        <font size="1"><span style="font-family:monospace,monospace">[root@ipa
            /]# ipa help user-add<br>
            Usage: ipa [global-options] user-add LOGIN [options]<br>
            <br>
            Add a new user.<br>
            Options:<br>
              -h, --help            show this help message and exit<br>
              --first=STR           First name<br>
              --last=STR            Last name<br>
              --cn=STR              Full name<br>
              --displayname=STR     Display name<br>
              --initials=STR        Initials<br>
              --homedir=STR         Home directory<br>
              --gecos=STR           GECOS<br>
              --shell=STR           Login shell<br>
              --principal=STR       Kerberos principal<br>
              --principal-expiration=DATETIME<br>
                                    Kerberos principal expiration<br>
              --email=STR           Email address<br>
              --password            Prompt to set the user password<br>
              --random              Generate a random user password<br>
              --uid=INT             User ID Number (system will assign
            one if not<br>
                                    provided)<br>
              --gidnumber=INT       Group ID Number<br>
              --street=STR          Street address<br>
              --city=STR            City<br>
              --state=STR           State/Province<br>
              --postalcode=STR      ZIP<br>
              --phone=STR           Telephone Number<br>
              --mobile=STR          Mobile Telephone Number<br>
              --pager=STR           Pager Number<br>
              --fax=STR             Fax Number<br>
              --orgunit=STR         Org. Unit<br>
              --title=STR           Job Title<br>
              --manager=STR         Manager<br>
              --carlicense=STR      Car License<br>
              --sshpubkey=STR       SSH public key<br>
              --user-auth-type=['password', 'radius', 'otp']<br>
                                    Types of supported user
            authentication<br>
              --class=STR           User category (semantics placed on
            this attribute are<br>
                                    for local interpretation)<br>
              --radius=STR          RADIUS proxy configuration<br>
              --radius-username=STR<br>
                                    RADIUS proxy username<br>
              --departmentnumber=STR<br>
                                    Department Number<br>
              --employeenumber=STR  Employee Number<br>
              --employeetype=STR    Employee Type<br>
              --preferredlanguage=STR<br>
                                    Preferred Language<br>
              --certificate=BYTES   Base-64 encoded server certificate<br>
              --setattr=STR         Set an attribute to a name/value
            pair. Format is<br>
                                    attr=value. For multi-valued
            attributes, the command<br>
                                    replaces the values already present.<br>
              --addattr=STR         Add an attribute/value pair. Format
            is attr=value. The<br>
                                    attribute must be part of the
            schema.<br>
              --noprivate           Don't create user private group<br>
              --all                 Retrieve and print all attributes
            from the server.<br>
                                    Affects command output.<br>
              --raw                 Print entries as stored on the
            server. Only affects<br>
                                    output format.<br>
            <br>
                                    [root@ipa /]# ipa user-add
            ipa_user3  --first 'IPA 3' --last 'User3' --email
            'ipa_user3@example.test' --all --raw<br>
                                    ----------------------<br>
                                    Added user "ipa_user3"<br>
                                    ----------------------<br>
                                      dn:
            uid=ipa_user3,cn=users,cn=accounts,dc=example,dc=test<br>
                                      uid: ipa_user3<br>
                                      givenname: IPA 3<br>
                                      sn: User3<br>
                                      cn: IPA 3 User3<br>
                                      initials: IU<br>
                                      homedirectory: /home/ipa_user3<br>
                                      gecos: IPA 3 User3<br>
                                      loginshell: /bin/sh<br>
                                      mail: ipa_user3@example.test<br>
                                      uidnumber: 753200006<br>
                                      gidnumber: 753200006<br>
                                      has_password: FALSE<br>
                                      has_keytab: FALSE<br>
                                      displayName: IPA 3 User3<br>
                                      ipaUniqueID:
            65f3f702-3021-11e6-b62c-0242ac110001<br>
                                      krbPrincipalName:
            ipa_user3@EXAMPLE.TEST<br>
                                      memberof:
            cn=ipausers,cn=groups,cn=accounts,dc=example,dc=test<br>
                                      mepManagedEntry:
            cn=ipa_user3,cn=groups,cn=accounts,dc=example,dc=test<br>
                                      objectClass: ipaSshGroupOfPubKeys<br>
                                      objectClass: ipaobject<br>
                                      objectClass: mepOriginEntry<br>
                                      objectClass: person<br>
                                      objectClass: top<br>
                                      objectClass: ipasshuser<br>
                                      objectClass: inetorgperson<br>
                                      objectClass: organizationalperson<br>
                                      objectClass: krbticketpolicyaux<br>
                                      objectClass: krbprincipalaux<br>
                                      objectClass: inetuser<br>
                                      objectClass: posixaccount</span></font>
                               <br>
        "<br>
        <br>
        Can someone help me find what is wrong on KC side? Maybe the KC
        mappers mechanism?<br>
        <br>
        Thanks in advance.<br>
        <br>
        [1] <a moz-do-not-send="true"
          href="https://github.com/mposolda/keycloak-freeipa-docker"
          target="_blank">https://github.com/mposolda/keycloak-freeipa-docker</a><br>
        [2] <a moz-do-not-send="true"
          href="https://hub.docker.com/r/adelton/freeipa-server/"
          target="_blank">https://hub.docker.com/r/adelton/freeipa-server/</a><br
          clear="all">
        <br>
        -- <br>
        <div class="gmail_signature" data-smartmail="gmail_signature">
          <div dir="ltr">
            <pre cols="72">___
Rafael T. C. Soares </pre>
          </div>
        </div>
      </div>
      <br>
      <br>
      <pre wrap="">_______________________________________________
keycloak-user mailing list
<a class="moz-txt-link-abbreviated" href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>
<a class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
    </blockquote>
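    <p>An added example (not Keycloak's or FreeIPA's code) that reproduces the diagnosis in the thread offline: it parses the "Creating entry ... with attributes" TRACE lines quoted above and checks the resulting entry against an abridged, hand-written subset of the standard schema, showing that the <code>uid</code> in the RDN is not allowed when <code>objectclass=person</code> is the only class, while the same entry with <code>inetOrgPerson</code> passes and <code>posixAccount</code> would in turn demand <code>uidNumber</code>, <code>gidNumber</code> and <code>homeDirectory</code>. The schema table, the log-parsing approach and the corrected entry are assumptions for illustration, not the server's real <code>cn=schema</code>.</p>

```python
"""Pre-flight schema check of the LDAP add that Keycloak logs at TRACE level.
Added example for this thread, not Keycloak or FreeIPA code. SCHEMA is a hand-written,
abridged subset of RFC 4519/2798/2307; a real tool would read cn=schema from the server."""
import re

# class -> (superior, MUST, MAY); lowercase names, MAY lists cut down to what this thread touches
SCHEMA = {
    "top": (None, {"objectclass"}, set()),
    "person": ("top", {"sn", "cn"}, {"userpassword", "telephonenumber", "description"}),
    "organizationalperson": ("person", set(), {"title", "ou", "l", "street", "postalcode"}),
    "inetorgperson": ("organizationalperson", set(), {"uid", "mail", "givenname", "displayname", "initials"}),
    "posixaccount": ("top", {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"}, {"loginshell", "gecos"}),
}
ENTRY_HDR = re.compile(r"^Creating entry \[(.+)\] with attributes: \[$")

# The add operation exactly as quoted from server.log in the thread (LDAPOperationManager, TRACE)
KEYCLOAK_TRACE = """\
2016-06-11 22:33:37,581 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default task-5) Creating entry [uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test] with attributes: [
2016-06-11 22:33:37,583 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default task-5)   objectclass = person
2016-06-11 22:33:37,583 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default task-5)   givenname =
2016-06-11 22:33:37,583 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default task-5)   sn =
2016-06-11 22:33:37,583 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default task-5)   cn =
2016-06-11 22:33:37,583 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default task-5) ]
"""

def parse_add_from_log(log_text):
    """Return (dn, {attr: [values]}) for the first 'Creating entry [...]' block in the log."""
    dn, attrs, in_block = None, {}, False
    for line in log_text.splitlines():
        msg = line.split(") ", 1)[-1].strip()  # text after the "(default task-N)" thread name
        if not in_block:
            hdr = ENTRY_HDR.match(msg)
            if hdr:
                dn, in_block = hdr.group(1), True
        elif msg == "]":
            break
        else:  # "name = value"; an empty value is logged as "name =  "
            name, _, value = msg.partition(" =")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return dn, attrs

def allowed_attributes(object_classes):
    """Union of MUST and MAY over the given classes and their superior chains."""
    must, may = set(), set()
    for name in (oc.lower() for oc in object_classes):
        while name:
            sup, m, o = SCHEMA[name]
            must, may, name = must | m, may | o, sup
    return must, may

def check_entry(dn, attrs):
    """Problems a schema-checking server (389-ds behind FreeIPA) would report for this add."""
    must, may = allowed_attributes(attrs.get("objectclass", []))
    entry = {k.lower(): list(v) for k, v in attrs.items()}
    # The RDN attribute is part of the entry, so the object classes must allow it too:
    # that is what fails for uid=kc_user1 with only objectclass=person (LDAP error 65).
    rdn_attr, _, rdn_value = dn.split(",", 1)[0].partition("=")  # escaped commas not handled
    entry.setdefault(rdn_attr.strip().lower(), []).append(rdn_value)
    problems = []
    for name, values in entry.items():
        if name not in must | may:
            problems.append(f'attribute "{name}" not allowed')
        if "" in values:  # a zero-length DirectoryString is invalid syntax (RFC 4517)
            problems.append(f'attribute "{name}" has an empty value')
    problems += [f'required attribute "{name}" missing' for name in sorted(must - entry.keys())]
    return problems
```

    <p>Running <code>check_entry(*parse_add_from_log(KEYCLOAK_TRACE))</code> reports the same <code>uid</code> rejection the directory server logged, plus the empty <code>sn</code>/<code>cn</code> values the server never got as far as checking.</p>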
    <br>
  </body>
</html>