'm testing Keycloak LDAP User Federation with FreeIPA iDM Server.
I'm using the same environment used by @mposolda [1] with the @adelton's FreeIPA Docker container image [2].

The integration (KC and FreeIPA) worked fine except for the sync for new users created on KC side (new registrations). When I enable the 'Sync Registrations' on the 'freeipa-ldap' User Federation and then try to add a new user using the KC Web Console I get the following error:
 



KC server.log in TRACE mode:

"
2016-06-11 22:33:37,568 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) realm by name cache hit: master
2016-06-11 22:33:37,568 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) by id cache hit: master
2016-06-11 22:33:37,569 DEBUG [org.keycloak.services] (default task-5) token active - active: true, issued-at: 1,465,684,397, not-before: 0
2016-06-11 22:33:37,569 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-5) getuserById 6f358dd3-3c20-4a84-b0b5-b02c77747a5a
2016-06-11 22:33:37,569 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-5) returning new cache adapter
2016-06-11 22:33:37,569 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) client by name cache hit: security-admin-console
2016-06-11 22:33:37,569 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) client by id cache hit: security-admin-console
2016-06-11 22:33:37,569 DEBUG [org.keycloak.services] (default task-5) authenticated admin access for: admin
2016-06-11 22:33:37,569 DEBUG [org.keycloak.services] (default task-5) No origin returning
2016-06-11 22:33:37,569 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) realm by name cache hit: freeipa
2016-06-11 22:33:37,569 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) by id cache hit: freeipa
2016-06-11 22:33:37,569 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) by id cache hit: master
2016-06-11 22:33:37,569 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) by id cache hit: master
2016-06-11 22:33:37,569 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) by id cache hit: master
2016-06-11 22:33:37,569 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) client by id cache hit: freeipa-realm
2016-06-11 22:33:37,569 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) getClientRoles cache hit: freeipa-realm
2016-06-11 22:33:37,570 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) getClientRoles cache hit: freeipa-realm
2016-06-11 22:33:37,570 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-5) getUserByUsername: kc_user1
2016-06-11 22:33:37,570 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-5) query null
2016-06-11 22:33:37,571 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-5) model from delegate null
2016-06-11 22:33:37,571 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore] (default task-5) Using filter for LDAP search: (&(uid=kc_user1)(objectclass=person)) . Searching in DN: cn=users,cn=accounts,dc=example,dc=test
2016-06-11 22:33:37,575 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore] (default task-5) Using filter for LDAP search: (&(mail=kc_user1@example.test)(objectclass=person)) . Searching in DN: cn=users,cn=accounts,dc=example,dc=test
2016-06-11 22:33:37,577 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) getRealmRoles cache hit: freeipa
2016-06-11 22:33:37,578 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) getClients cache hit: freeipa
2016-06-11 22:33:37,578 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) client by id cache hit: broker
2016-06-11 22:33:37,578 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) client by id cache hit: realm-management
2016-06-11 22:33:37,578 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) client by id cache hit: liferay-saml-idp
2016-06-11 22:33:37,578 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) client by id cache hit: security-admin-console
2016-06-11 22:33:37,578 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) client by id cache hit: kitchensink
2016-06-11 22:33:37,579 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) client by id cache hit: admin-cli
2016-06-11 22:33:37,579 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) client by id cache hit: account
2016-06-11 22:33:37,579 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) getClientRoles cache hit: account
2016-06-11 22:33:37,580 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) getClientRoles cache hit: account
2016-06-11 22:33:37,581 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default task-5) Creating entry [uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test] with attributes: [
2016-06-11 22:33:37,583 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default task-5)   objectclass = person
2016-06-11 22:33:37,583 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default task-5)   givenname = 
2016-06-11 22:33:37,583 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default task-5)   sn = 
2016-06-11 22:33:37,583 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default task-5)   cn = 
2016-06-11 22:33:37,583 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default task-5) ]
2016-06-11 22:33:37,607 ERROR [io.undertow.request] (default task-5) UT005023: Exception handling request to /auth/admin/realms/freeipa/users: org.jboss.resteasy.spi.UnhandledException: org.keycloak.models.ModelException: Error creating subcontext [uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test]
    at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
    at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
    at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:88)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: org.keycloak.models.ModelException: Error creating subcontext [uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test]
    at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.createSubContext(LDAPOperationManager.java:442)
    at org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore.add(LDAPIdentityStore.java:92)
    at org.keycloak.federation.ldap.LDAPUtils.addUserToLDAP(LDAPUtils.java:71)
    at org.keycloak.federation.ldap.LDAPFederationProvider.register(LDAPFederationProvider.java:171)
    at org.keycloak.models.UserFederationManager.registerWithFederation(UserFederationManager.java:72)
    at org.keycloak.models.UserFederationManager.addUser(UserFederationManager.java:64)
    at org.keycloak.services.resources.admin.UsersResource.createUser(UsersResource.java:213)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
    ... 37 more
Caused by: javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - attribute "uid" not allowed
]; remaining name 'uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test'
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3166)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3081)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2888)
    at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:812)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:341)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:268)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:256)
    at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:197)
    at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:197)
    at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$7.execute(LDAPOperationManager.java:434)
    at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$7.execute(LDAPOperationManager.java:431)
    at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:536)
    at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.createSubContext(LDAPOperationManager.java:431)
    ... 57 more"


FreeIPA Server ldap srv log:
""
tail -f /data/var/log/dirsrv/slapd-EXAMPLE-TEST/errors

[11/Jun/2016:22:33:37 +0000] - Entry "uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test" -- attribute "uid" not allowed
""

----

It appears FreeIPA LDAP server is refusing the attribute 'UID'

Interesting is that the FreeIPA 'user_add' API operation states the 'uid' attributes is required:





I tried to add a new user manually using the FreeIPA CLI and it worked fine. See the FreeIPA CLI output:

"
[root@ipa /]# ipa help user-add
Usage: ipa [global-options] user-add LOGIN [options]

Add a new user.
Options:
  -h, --help            show this help message and exit
  --first=STR           First name
  --last=STR            Last name
  --cn=STR              Full name
  --displayname=STR     Display name
  --initials=STR        Initials
  --homedir=STR         Home directory
  --gecos=STR           GECOS
  --shell=STR           Login shell
  --principal=STR       Kerberos principal
  --principal-expiration=DATETIME
                        Kerberos principal expiration
  --email=STR           Email address
  --password            Prompt to set the user password
  --random              Generate a random user password
  --uid=INT             User ID Number (system will assign one if not
                        provided)
  --gidnumber=INT       Group ID Number
  --street=STR          Street address
  --city=STR            City
  --state=STR           State/Province
  --postalcode=STR      ZIP
  --phone=STR           Telephone Number
  --mobile=STR          Mobile Telephone Number
  --pager=STR           Pager Number
  --fax=STR             Fax Number
  --orgunit=STR         Org. Unit
  --title=STR           Job Title
  --manager=STR         Manager
  --carlicense=STR      Car License
  --sshpubkey=STR       SSH public key
  --user-auth-type=['password', 'radius', 'otp']
                        Types of supported user authentication
  --class=STR           User category (semantics placed on this attribute are
                        for local interpretation)
  --radius=STR          RADIUS proxy configuration
  --radius-username=STR
                        RADIUS proxy username
  --departmentnumber=STR
                        Department Number
  --employeenumber=STR  Employee Number
  --employeetype=STR    Employee Type
  --preferredlanguage=STR
                        Preferred Language
  --certificate=BYTES   Base-64 encoded server certificate
  --setattr=STR         Set an attribute to a name/value pair. Format is
                        attr=value. For multi-valued attributes, the command
                        replaces the values already present.
  --addattr=STR         Add an attribute/value pair. Format is attr=value. The
                        attribute must be part of the schema.
  --noprivate           Don't create user private group
  --all                 Retrieve and print all attributes from the server.
                        Affects command output.
  --raw                 Print entries as stored on the server. Only affects
                        output format.

                        [root@ipa /]# ipa user-add ipa_user3  --first 'IPA 3' --last 'User3' --email 'ipa_user3@example.test' --all --raw
                        ----------------------
                        Added user "ipa_user3"
                        ----------------------
                          dn: uid=ipa_user3,cn=users,cn=accounts,dc=example,dc=test
                          uid: ipa_user3
                          givenname: IPA 3
                          sn: User3
                          cn: IPA 3 User3
                          initials: IU
                          homedirectory: /home/ipa_user3
                          gecos: IPA 3 User3
                          loginshell: /bin/sh
                          mail: ipa_user3@example.test
                          uidnumber: 753200006
                          gidnumber: 753200006
                          has_password: FALSE
                          has_keytab: FALSE
                          displayName: IPA 3 User3
                          ipaUniqueID: 65f3f702-3021-11e6-b62c-0242ac110001
                          krbPrincipalName: ipa_user3@EXAMPLE.TEST
                          memberof: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=test
                          mepManagedEntry: cn=ipa_user3,cn=groups,cn=accounts,dc=example,dc=test
                          objectClass: ipaSshGroupOfPubKeys
                          objectClass: ipaobject
                          objectClass: mepOriginEntry
                          objectClass: person
                          objectClass: top
                          objectClass: ipasshuser
                          objectClass: inetorgperson
                          objectClass: organizationalperson
                          objectClass: krbticketpolicyaux
                          objectClass: krbprincipalaux
                          objectClass: inetuser
                          objectClass: posixaccount                       
"

Can someone help me find what is wrong on KC side? Maybe the KC mappers mechanism?




Thanks in advance.

[1] https://github.com/mposolda/keycloak-freeipa-docker
[2] https://hub.docker.com/r/adelton/freeipa-server/

-- 
___
Rafael T. C. Soares