----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: keycloak-user(a)lists.jboss.org
Sent: Thursday, December 1, 2016 3:35:31 PM
Subject: Re: [keycloak-user] Keycloak 2.4 SSSD Provider setup for FreeIPA
Can you run your example without SSSD? Isolate the problem to make sure
that it's not an SP configuration issue first. As far as SSSD setup
goes, you're gonna have to talk to Bruno about that. Hopefully he chimes in.
I tried adding a user to the existing setup from the admin console and I see an error and
then I see this in the server.log:
Caused by: org.keycloak.federation.sssd.api.SSSDException: Failed to retrieve user's
attributes. Check if SSSD service is active.
I can't delete the sssd provider though because of this bug:
https://issues.jboss.org/browse/KEYCLOAK-3902
I started over fresh without the SSSD Provider setup. It does appear that I'm not
able to even authenticate as a user created from the admin console.
I've bumped logging up to info on both Keycloak and httpd on the SP but, I still
don't see much there. Any suggestion on where to go from here?
Thanks,
Scott
On 12/1/16 4:21 PM, Scott Poore wrote:
> Hi,
>
> I am trying to setup Keycloak version 2.4.0 with FreeIPA integration using
> the SSSD Provider. I am following the Server Administration Guide but,
> I'm hitting some error. I'm not sure if it's a bug or a configuration
> issue on my part.
>
> This is the link I was following:
>
> https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.4/top...
>
> The difference in setup though is that I'm not using the docker image.
> Instead I'm using a separate FreeIPA Master server that I have setup as a
> separate VM. I have confirmed that SSSD-DBUS is working:
>
> [root@idp ~]# dbus-send --print-reply --system
> --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe
> org.freedesktop.sssd.infopipe.GetUserGroups string:testuser
> method return time=1480625438.634684 sender=:1.26 -> destination=:1.29
> serial=17 reply_serial=2
> array [
> string "ipausers"
> ]
>
> For the SP, I setup a basic Apache setup with mod_auth_mellon using
>
> keycloak-httpd-client-install \
> --client-originate-method registration \
> --keycloak-server-url https://idp.keycloak.test:8443 \
> --keycloak-admin-username admin \
> --keycloak-admin-password PASSWORD \
> --app-name testapp \
> --keycloak-realm test_realm \
> --mellon-root mroot \
> --mellon-protected-locations "/mroot/private" \
> --force
>
> When I try to login to the SP, it redirects as expected to the Keycloak
> server and waits for a while before returning:
>
> Internal Server Error
>
> From the httpd access log I can see:
>
> 192.168.122.1 - - [01/Dec/2016:14:07:04 -0600] "GET /mroot/private HTTP/1.1" 303 384 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.86 Safari/537.36"
> 192.168.122.1 - - [01/Dec/2016:14:07:04 -0600] "GET /mroot/mellon/login?ReturnTo=http%3A%2F%2Fsp1.keycloak.test%2Fmroot%2Fprivate&IdP=https%3A%2F%2Fidp.keycloak.test%3A8443%2Fauth%2Frealms%2Ftest_realm HTTP/1.1" 303 1320 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.86 Safari/537.36"
>
> From the admin console, I can see what appears to be an active session for
> the client.
>
> From the Keycloak server.log I can see:
>
> 2016-12-01 14:14:31,576 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012108: CheckedAction::check - atomic action 0:ffffc0a87abf:7c36d3eb:58406454:81e aborting with 1 threads active!
> 2016-12-01 14:14:31,578 WARN [org.hibernate.resource.transaction.backend.jta.internal.synchronization.SynchronizationCallbackCoordinatorTrackingImpl] (Transaction Reaper Worker 0) HHH000451: Transaction afterCompletion called by a background thread; delaying afterCompletion processing until the original thread can handle it. [status=4]
> 2016-12-01 14:14:31,579 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012121: TransactionReaper::doCancellations worker Thread[Transaction Reaper Worker 0,5,main] successfully canceled TX 0:ffffc0a87abf:7c36d3eb:58406454:81e
> 2016-12-01 14:15:50,617 WARN [com.arjuna.ats.arjuna] (default task-25) ARJUNA012077: Abort called on already aborted atomic action 0:ffffc0a87abf:7c36d3eb:58406454:81e
> 2016-12-01 14:15:50,620 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-25) RESTEASY002025: Unknown exception while executing POST /realms/test_realm/login-actions/authenticate: java.lang.RuntimeException: javax.transaction.RollbackException: ARJUNA016102: The transaction is not active! Uid is 0:ffffc0a87abf:7c36d3eb:58406454:81e
>
> Leaving out the traceback for brevity. I can send that if needed/wanted.
>
>
> When I logout the session and set SSSD debug_level to 9 and restart sssd,
> keycloak, and httpd (on the SP), I do see SSSD looking up the user. I can
> provide the SSSD logs if it helps.
>
>
> So, how do I go about troubleshooting this issue? Are there any steps
> missing from the SSSD Provider doc?
>
> Thanks,
> Scott
>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
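Added example, not from the thread or the Keycloak project: the quoted server.log shows the same transaction Uid in the Transaction Reaper's "successfully canceled TX" warning and, 79 seconds later, in the RollbackException on the login-actions POST. Pairing the two by Uid confirms that the login request was still running when the reaper cancelled its transaction (transaction timeout), so the thing to look at is whatever that request was blocked on, which fits a hanging user lookup. The log sample is constructed from the lines quoted above plus one extra error with an uncancelled Uid, and the function names are mine.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the server.log lines quoted in the thread; the
# last line is an extra constructed error whose Uid the reaper never cancelled.
SAMPLE_LOG = """\
2016-12-01 14:14:31,576 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012108: CheckedAction::check - atomic action 0:ffffc0a87abf:7c36d3eb:58406454:81e aborting with 1 threads active!
2016-12-01 14:14:31,579 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012121: TransactionReaper::doCancellations worker Thread[Transaction Reaper Worker 0,5,main] successfully canceled TX 0:ffffc0a87abf:7c36d3eb:58406454:81e
2016-12-01 14:15:50,617 WARN [com.arjuna.ats.arjuna] (default task-25) ARJUNA012077: Abort called on already aborted atomic action 0:ffffc0a87abf:7c36d3eb:58406454:81e
2016-12-01 14:15:50,620 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-25) RESTEASY002025: Unknown exception while executing POST /realms/test_realm/login-actions/authenticate: java.lang.RuntimeException: javax.transaction.RollbackException: ARJUNA016102: The transaction is not active! Uid is 0:ffffc0a87abf:7c36d3eb:58406454:81e
2016-12-01 14:16:02,001 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-26) RESTEASY002025: Unknown exception while executing POST /realms/test_realm/login-actions/authenticate: java.lang.RuntimeException: javax.transaction.RollbackException: ARJUNA016102: The transaction is not active! Uid is 0:ffffc0a87abf:7c36d3eb:58406454:999
"""

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),(\d{3})")
# Arjuna transaction Uid in the form seen in the messages above.
UID_RE = re.compile(r"\b0:[0-9a-f]+:[0-9a-f]+:[0-9a-f]+:[0-9a-f]+\b")
REQ_RE = re.compile(r"executing (\w+ \S+):")


def parse_ts(line):
    """Timestamp of a WildFly/Keycloak log line, to the millisecond."""
    m = TS_RE.match(line)
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts.replace(microsecond=int(m.group(2)) * 1000)


def correlate_reaper_aborts(log_text):
    """Pair each RollbackException on a request with the reaper cancel of the same Uid.
    A match means the request was still running when the Transaction Reaper
    cancelled it (transaction timeout), so the slow call inside that request,
    not the rollback itself, is what to investigate."""
    reaped = {}   # uid -> time the reaper cancelled it
    errors = []   # (uid, time, request) for RESTEASY002025 + ARJUNA016102 lines
    for line in log_text.splitlines():
        m = UID_RE.search(line)
        if not m:
            continue
        uid = m.group(0)
        if "ARJUNA012121" in line and "canceled TX" in line:
            reaped[uid] = parse_ts(line)
        elif "RESTEASY002025" in line and "ARJUNA016102" in line:
            errors.append((uid, parse_ts(line), REQ_RE.search(line).group(1)))
    findings = []
    for uid, ts, req in errors:
        f = {"uid": uid, "request": req}
        if uid in reaped:
            f["verdict"] = "cancelled by transaction reaper"
            f["seconds_after_reap"] = (ts - reaped[uid]).total_seconds()
        else:
            f["verdict"] = "rollback without reaper cancel"
        findings.append(f)
    return findings
```

Run it over a real server.log by passing the file contents to `correlate_reaper_aborts`; an error with no matching reaper cancel points at a different cause than a timeout.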