<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">The "Sync registration" doesn't work
with LDAP provider configured against FreeIPA. <br>
<br>
We are currently working on improving FreeIPA integration. It seems
the new users created in Keycloak will be registered to FreeIPA
with SSSD, not with LDAP. Using SSSD seems to be the preferred and
more proper way though.<br>
<br>
Marek<br>
<br>
On 12/06/16 01:10, Rafael Soares wrote:<br>
</div>
<blockquote
cite="mid:CAK6emKNiAtcYo6YCj8fZpy77W+74UqKL7pqKgx4m5mpkrgq3dQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>I'm testing Keycloak LDAP User Federation with FreeIPA iDM
Server.<br>
I'm using the same environment used by @mposolda [1] with the
@adelton's FreeIPA Docker container image [2].<br>
<br>
The integration (KC and FreeIPA) worked fine except for the
sync for new users created on KC side (new registrations).
When I enable the 'Sync Registrations' on the 'freeipa-ldap'
User Federation and then try to add a new user using the KC
Web Console I get the following error:<br>
<br>
[inline image attachment omitted]<br>
<br>
<br>
KC server.log in TRACE mode:<br>
<br>
"<br>
<font size="1"><span style="font-family:monospace,monospace">2016-06-11
22:33:37,568 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession]
(default task-5) realm by name cache hit: master<br>
2016-06-11 22:33:37,568 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession]
(default task-5) by id cache hit: master<br>
2016-06-11 22:33:37,569 DEBUG [org.keycloak.services]
(default task-5) token active - active: true, issued-at:
1,465,684,397, not-before: 0<br>
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession]
(default task-5) getuserById
6f358dd3-3c20-4a84-b0b5-b02c77747a5a<br>
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession]
(default task-5) returning new cache adapter<br>
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession]
(default task-5) client by name cache hit:
security-admin-console<br>
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession]
(default task-5) client by id cache hit:
security-admin-console<br>
2016-06-11 22:33:37,569 DEBUG [org.keycloak.services]
(default task-5) authenticated admin access for: admin<br>
2016-06-11 22:33:37,569 DEBUG [org.keycloak.services]
(default task-5) No origin returning<br>
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession]
(default task-5) realm by name cache hit: freeipa<br>
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession]
(default task-5) by id cache hit: freeipa<br>
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession]
(default task-5) by id cache hit: master<br>
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession]
(default task-5) by id cache hit: master<br>
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession]
(default task-5) by id cache hit: master<br>
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession]
(default task-5) client by id cache hit: freeipa-realm<br>
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession]
(default task-5) getClientRoles cache hit: freeipa-realm<br>
2016-06-11 22:33:37,570 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession]
(default task-5) getClientRoles cache hit: freeipa-realm<br>
2016-06-11 22:33:37,570 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession]
(default task-5) getUserByUsername: kc_user1<br>
2016-06-11 22:33:37,570 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession]
(default task-5) query null<br>
2016-06-11 22:33:37,571 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession]
(default task-5) model from delegate null<br>
2016-06-11 22:33:37,571 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore]
(default task-5) Using filter for LDAP search:
(&(uid=kc_user1)(objectclass=person)) . Searching in
DN: cn=users,cn=accounts,dc=example,dc=test<br>
2016-06-11 22:33:37,575 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore]
(default task-5) Using filter for LDAP search:
(&(<a class="moz-txt-link-abbreviated" href="mailto:mail=kc_user1@example.test">mail=kc_user1@example.test</a>)(objectclass=person)) .
Searching in DN: cn=users,cn=accounts,dc=example,dc=test<br>
2016-06-11 22:33:37,577 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession]
(default task-5) getRealmRoles cache hit: freeipa<br>
2016-06-11 22:33:37,578 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession]
(default task-5) getClients cache hit: freeipa<br>
2016-06-11 22:33:37,578 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession]
(default task-5) client by id cache hit: broker<br>
2016-06-11 22:33:37,578 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession]
(default task-5) client by id cache hit: realm-management<br>
2016-06-11 22:33:37,578 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession]
(default task-5) client by id cache hit: liferay-saml-idp<br>
2016-06-11 22:33:37,578 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession]
(default task-5) client by id cache hit:
security-admin-console<br>
2016-06-11 22:33:37,578 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession]
(default task-5) client by id cache hit: kitchensink<br>
2016-06-11 22:33:37,579 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession]
(default task-5) client by id cache hit: admin-cli<br>
2016-06-11 22:33:37,579 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession]
(default task-5) client by id cache hit: account<br>
2016-06-11 22:33:37,579 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession]
(default task-5) getClientRoles cache hit: account<br>
2016-06-11 22:33:37,580 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession]
(default task-5) getClientRoles cache hit: account<br>
2016-06-11 22:33:37,581 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager]
(default task-5) Creating entry
[uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test]
with attributes: [<br>
2016-06-11 22:33:37,583 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager]
(default task-5) objectclass = person<br>
2016-06-11 22:33:37,583 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager]
(default task-5) givenname = <br>
2016-06-11 22:33:37,583 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager]
(default task-5) sn = <br>
2016-06-11 22:33:37,583 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager]
(default task-5) cn = <br>
2016-06-11 22:33:37,583 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager]
(default task-5) ]<br>
2016-06-11 22:33:37,607 ERROR [io.undertow.request]
(default task-5) UT005023: Exception handling request to
/auth/admin/realms/freeipa/users:
org.jboss.resteasy.spi.UnhandledException:
org.keycloak.models.ModelException: Error creating
subcontext
[uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test]<br>
at
org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)<br>
at
org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)<br>
at
org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)<br>
<br>
... 37 more<br>
Caused by:
javax.naming.directory.SchemaViolationException: [LDAP:
error code 65 - attribute "uid" not allowed<br>
]; remaining name
'uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test'<br>
at
com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3166)<br>
at
com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3081)<br>
at
com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2888)<br>
at
com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:812)<br>
at
com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:341)<br>
at
com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:268)<br>
at
com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:256)<br>
at
javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:197)<br>
at
javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:197)<br>
at
org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$7.execute(LDAPOperationManager.java:434)<br>
at
org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$7.execute(LDAPOperationManager.java:431)<br>
at
org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:536)<br>
at
org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.createSubContext(LDAPOperationManager.java:431)<br>
... 57 more</span></font>"<br>
<br>
<br>
FreeIPA Server ldap srv log:<br>
""<br>
tail -f /data/var/log/dirsrv/slapd-EXAMPLE-TEST/errors<br>
<br>
[11/Jun/2016:22:33:37 +0000] - Entry
"uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test" --
attribute "uid" not allowed<br>
""<br>
<br>
----<br>
<br>
It appears the FreeIPA LDAP server is refusing the attribute 'uid'<br>
<br>
</div>
Interestingly, the FreeIPA 'user_add' API operation states that
the 'uid' attribute is required:<br>
<br>
[inline image attachment omitted]<br>
<br>
<br>
<br>
I tried to add a new user manually using the FreeIPA CLI and it
worked fine. See the FreeIPA CLI output:<br>
<br>
"<br>
<font size="1"><span style="font-family:monospace,monospace">[root@ipa
/]# ipa help user-add<br>
Usage: ipa [global-options] user-add LOGIN [options]<br>
<br>
Add a new user.<br>
Options:<br>
-h, --help show this help message and exit<br>
--first=STR First name<br>
--last=STR Last name<br>
--cn=STR Full name<br>
--displayname=STR Display name<br>
--initials=STR Initials<br>
--homedir=STR Home directory<br>
--gecos=STR GECOS<br>
--shell=STR Login shell<br>
--principal=STR Kerberos principal<br>
--principal-expiration=DATETIME<br>
Kerberos principal expiration<br>
--email=STR Email address<br>
--password Prompt to set the user password<br>
--random Generate a random user password<br>
--uid=INT User ID Number (system will assign
one if not<br>
provided)<br>
--gidnumber=INT Group ID Number<br>
--street=STR Street address<br>
--city=STR City<br>
--state=STR State/Province<br>
--postalcode=STR ZIP<br>
--phone=STR Telephone Number<br>
--mobile=STR Mobile Telephone Number<br>
--pager=STR Pager Number<br>
--fax=STR Fax Number<br>
--orgunit=STR Org. Unit<br>
--title=STR Job Title<br>
--manager=STR Manager<br>
--carlicense=STR Car License<br>
--sshpubkey=STR SSH public key<br>
--user-auth-type=['password', 'radius', 'otp']<br>
Types of supported user
authentication<br>
--class=STR User category (semantics placed on
this attribute are<br>
for local interpretation)<br>
--radius=STR RADIUS proxy configuration<br>
--radius-username=STR<br>
RADIUS proxy username<br>
--departmentnumber=STR<br>
Department Number<br>
--employeenumber=STR Employee Number<br>
--employeetype=STR Employee Type<br>
--preferredlanguage=STR<br>
Preferred Language<br>
--certificate=BYTES Base-64 encoded server certificate<br>
--setattr=STR Set an attribute to a name/value
pair. Format is<br>
attr=value. For multi-valued
attributes, the command<br>
replaces the values already present.<br>
--addattr=STR Add an attribute/value pair. Format
is attr=value. The<br>
attribute must be part of the
schema.<br>
--noprivate Don't create user private group<br>
--all Retrieve and print all attributes
from the server.<br>
Affects command output.<br>
--raw Print entries as stored on the
server. Only affects<br>
output format.<br>
<br>
[root@ipa /]# ipa user-add
ipa_user3 --first 'IPA 3' --last 'User3' --email
'<a class="moz-txt-link-abbreviated" href="mailto:ipa_user3@example.test">ipa_user3@example.test</a>' --all --raw<br>
----------------------<br>
Added user "ipa_user3"<br>
----------------------<br>
dn:
uid=ipa_user3,cn=users,cn=accounts,dc=example,dc=test<br>
uid: ipa_user3<br>
givenname: IPA 3<br>
sn: User3<br>
cn: IPA 3 User3<br>
initials: IU<br>
homedirectory: /home/ipa_user3<br>
gecos: IPA 3 User3<br>
loginshell: /bin/sh<br>
mail: <a class="moz-txt-link-abbreviated" href="mailto:ipa_user3@example.test">ipa_user3@example.test</a><br>
uidnumber: 753200006<br>
gidnumber: 753200006<br>
has_password: FALSE<br>
has_keytab: FALSE<br>
displayName: IPA 3 User3<br>
ipaUniqueID:
65f3f702-3021-11e6-b62c-0242ac110001<br>
krbPrincipalName:
<a class="moz-txt-link-abbreviated" href="mailto:ipa_user3@EXAMPLE.TEST">ipa_user3@EXAMPLE.TEST</a><br>
memberof:
cn=ipausers,cn=groups,cn=accounts,dc=example,dc=test<br>
mepManagedEntry:
cn=ipa_user3,cn=groups,cn=accounts,dc=example,dc=test<br>
objectClass: ipaSshGroupOfPubKeys<br>
objectClass: ipaobject<br>
objectClass: mepOriginEntry<br>
objectClass: person<br>
objectClass: top<br>
objectClass: ipasshuser<br>
objectClass: inetorgperson<br>
objectClass: organizationalperson<br>
objectClass: krbticketpolicyaux<br>
objectClass: krbprincipalaux<br>
objectClass: inetuser<br>
objectClass: posixaccount</span></font>
<br>
"<br>
<br>
Can someone help me find what is wrong on the KC side? Maybe the KC
mappers mechanism?<br>
<br>
Thanks in advance.<br>
<br>
[1] <a moz-do-not-send="true"
href="https://github.com/mposolda/keycloak-freeipa-docker"
target="_blank">https://github.com/mposolda/keycloak-freeipa-docker</a><br>
[2] <a moz-do-not-send="true"
href="https://hub.docker.com/r/adelton/freeipa-server/"
target="_blank">https://hub.docker.com/r/adelton/freeipa-server/</a><br
clear="all">
<br>
-- <br>
<div class="gmail_signature" data-smartmail="gmail_signature">
<div dir="ltr">
<pre cols="72">___
Rafael T. C. Soares </pre>
</div>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
keycloak-user mailing list
<a class="moz-txt-link-abbreviated" href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>
<a class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
</blockquote>
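<p>The TRACE log in the post above shows the whole story: Keycloak built the entry with a single <code>objectclass = person</code> and then named it <code>uid=kc_user1,...</code>. The standard <code>person</code> class (RFC 4519) only permits <code>cn</code>, <code>sn</code>, <code>userPassword</code>, <code>telephoneNumber</code>, <code>seeAlso</code> and <code>description</code>; <code>uid</code> is introduced by <code>inetOrgPerson</code> (RFC 2798) and <code>posixAccount</code> (RFC 2307). Since the RDN attribute must also be present in the entry, 389-ds rejects the add with LDAP result 65 (objectClassViolation), which is exactly the "attribute "uid" not allowed" message in both logs. The <code>ipa user-add</code> output in the same post lists the object classes FreeIPA itself writes. In Keycloak the object classes written for new users come from the "User Object Classes" field of the LDAP federation provider, so that is the setting to compare against that list. The script below is an added example, not code from the thread or from Keycloak or FreeIPA: it is a simplified model of the server's schema check, limited to the four RFC classes (FreeIPA's own auxiliary classes such as <code>ipaobject</code> or <code>krbprincipalaux</code> are omitted), and both sample entries are constructed, with the <code>uidNumber</code>/<code>gidNumber</code> values for <code>kc_user1</code> chosen arbitrarily.</p>

```python
"""Minimal LDAP objectClass / attribute check (added example, not project code).

Reproduces why the entry Keycloak tried to ADD is rejected with
'attribute "uid" not allowed', and shows the same user passing once the
object classes FreeIPA itself uses are present.

Schema excerpts: person/organizationalPerson from RFC 4519, inetOrgPerson
from RFC 2798, posixAccount from RFC 2307. FreeIPA's auxiliary classes
are not modelled, so passing here is necessary, not sufficient, for a
real FreeIPA server to accept the entry.
"""

SCHEMA = {
    # name: (superior class, MUST attributes, MAY attributes), all lower-case
    "top": (None, {"objectclass"}, set()),
    "person": ("top", {"cn", "sn"},
               {"userpassword", "telephonenumber", "seealso", "description"}),
    "organizationalperson": ("person", set(),
                             {"title", "ou", "l", "st", "street", "postalcode",
                              "postaladdress", "telephonenumber",
                              "facsimiletelephonenumber"}),
    "inetorgperson": ("organizationalperson", set(),
                      {"uid", "mail", "givenname", "displayname", "initials",
                       "employeenumber", "employeetype", "manager", "mobile",
                       "pager", "carlicense", "departmentnumber",
                       "preferredlanguage", "usercertificate"}),
    "posixaccount": ("top",
                     {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"},
                     {"userpassword", "loginshell", "gecos", "description"}),
}


def allowed_attributes(objectclasses):
    """Return (must, may) for the given classes plus all their superiors."""
    must, may = set(), set()
    stack = [oc.lower() for oc in objectclasses]
    seen = set()
    while stack:
        oc = stack.pop()
        if oc in seen:
            continue
        seen.add(oc)
        if oc not in SCHEMA:
            raise KeyError(f"unknown objectClass {oc!r}")
        superior, m, o = SCHEMA[oc]
        must |= m
        may |= o
        if superior:
            stack.append(superior)
    return must, may


def check_entry(attrs):
    """Validate {attribute: [values]} the way a directory server does at ADD
    time: every attribute must be allowed by some objectClass of the entry,
    and every MUST attribute needs a non-empty value.
    Returns the list of violations; an empty list means the entry is accepted."""
    normalized = {k.lower(): list(v) for k, v in attrs.items()}
    must, may = allowed_attributes(normalized.get("objectclass", []))
    violations = []
    for name in normalized:
        if name not in must and name not in may:
            violations.append(f'attribute "{name}" not allowed')
    for name in sorted(must - {"objectclass"}):
        if not [v for v in normalized.get(name, []) if v != ""]:
            violations.append(f'missing required attribute "{name}"')
    return violations


# Constructed: the attributes Keycloak logged for uid=kc_user1 (RDN attribute
# included, because the naming attribute must be part of the entry).
KEYCLOAK_ENTRY = {
    "objectClass": ["person"],
    "uid": ["kc_user1"],
    "givenName": [""],
    "sn": [""],
    "cn": [""],
}

# Constructed: same user with the RFC classes from FreeIPA's own user entry
# (ipa_user3 above); POSIX ids and names are arbitrary sample values.
FIXED_ENTRY = {
    "objectClass": ["top", "person", "organizationalPerson",
                    "inetOrgPerson", "posixAccount"],
    "uid": ["kc_user1"],
    "givenName": ["KC"],
    "sn": ["User1"],
    "cn": ["KC User1"],
    "mail": ["kc_user1@example.test"],
    "uidNumber": ["753200007"],
    "gidNumber": ["753200007"],
    "homeDirectory": ["/home/kc_user1"],
}

if __name__ == "__main__":
    for label, entry in (("keycloak", KEYCLOAK_ENTRY), ("fixed", FIXED_ENTRY)):
        print(label, check_entry(entry) or "OK")
```

<p>Running it reports <code>attribute "uid" not allowed</code> (and <code>givenname</code>, plus the empty <code>cn</code>/<code>sn</code>) for the first entry and accepts the second. The practical check on the Keycloak side is therefore whether the provider's "User Object Classes" contains at least <code>inetOrgPerson</code> (and <code>posixAccount</code> if the mappers supply the POSIX attributes), rather than <code>person</code> alone; what FreeIPA additionally demands beyond RFC schema is outside this model, which is why the thread's reply points at SSSD instead of raw LDAP writes.</p>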
<br>
</body>
</html>