The "Sync registration" doesn't work with LDAP provider configured against FreeIPA.

We are currently working on improving FreeIPA integration. It seems the new users created in Keycloak will be registered to FreeIPA with SSSD, not with LDAP. Using SSSD seems to be the preferred and more proper way though.

Marek

On 12/06/16 01:10, Rafael Soares wrote:
I'm testing Keycloak LDAP User Federation with FreeIPA iDM Server.
I'm using the same environment used by @mposolda [1] with the @adelton's FreeIPA Docker container image [2].

The integration (KC and FreeIPA) worked fine except for the sync for new users created on KC side (new registrations). When I enable the 'Sync Registrations' on the 'freeipa-ldap' User Federation and then try to add a new user using the KC Web Console I get the following error:

KC server.log in TRACE mode:

"
2016-06-11 22:33:37,568 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) realm by name cache hit: master
2016-06-11 22:33:37,568 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) by id cache hit: master
2016-06-11 22:33:37,569 DEBUG [org.keycloak.services] (default task-5) token active - active: true, issued-at: 1,465,684,397, not-before: 0
2016-06-11 22:33:37,569 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-5) getuserById 6f358dd3-3c20-4a84-b0b5-b02c77747a5a
2016-06-11 22:33:37,569 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-5) returning new cache adapter
2016-06-11 22:33:37,569 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) client by name cache hit: security-admin-console
2016-06-11 22:33:37,569 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) client by id cache hit: security-admin-console
2016-06-11 22:33:37,569 DEBUG [org.keycloak.services] (default task-5) authenticated admin access for: admin
2016-06-11 22:33:37,569 DEBUG [org.keycloak.services] (default task-5) No origin returning
2016-06-11 22:33:37,569 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) realm by name cache hit: freeipa
2016-06-11 22:33:37,569 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) by id cache hit: freeipa
2016-06-11 22:33:37,569 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) by id cache hit: master
2016-06-11 22:33:37,569 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) by id cache hit: master
2016-06-11 22:33:37,569 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) by id cache hit: master
2016-06-11 22:33:37,569 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) client by id cache hit: freeipa-realm
2016-06-11 22:33:37,569 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) getClientRoles cache hit: freeipa-realm
2016-06-11 22:33:37,570 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) getClientRoles cache hit: freeipa-realm
2016-06-11 22:33:37,570 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-5) getUserByUsername: kc_user1
2016-06-11 22:33:37,570 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-5) query null
2016-06-11 22:33:37,571 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-5) model from delegate null
2016-06-11 22:33:37,571 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore] (default task-5) Using filter for LDAP search: (&(uid=kc_user1)(objectclass=person)) . Searching in DN: cn=users,cn=accounts,dc=example,dc=test
2016-06-11 22:33:37,575 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore] (default task-5) Using filter for LDAP search: (&(mail=kc_user1@example.test)(objectclass=person)) . Searching in DN: cn=users,cn=accounts,dc=example,dc=test
2016-06-11 22:33:37,577 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) getRealmRoles cache hit: freeipa
2016-06-11 22:33:37,578 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) getClients cache hit: freeipa
2016-06-11 22:33:37,578 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) client by id cache hit: broker
2016-06-11 22:33:37,578 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) client by id cache hit: realm-management
2016-06-11 22:33:37,578 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) client by id cache hit: liferay-saml-idp
2016-06-11 22:33:37,578 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) client by id cache hit: security-admin-console
2016-06-11 22:33:37,578 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) client by id cache hit: kitchensink
2016-06-11 22:33:37,579 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) client by id cache hit: admin-cli
2016-06-11 22:33:37,579 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) client by id cache hit: account
2016-06-11 22:33:37,579 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) getClientRoles cache hit: account
2016-06-11 22:33:37,580 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) getClientRoles cache hit: account
2016-06-11 22:33:37,581 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default task-5) Creating entry [uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test] with attributes: [
2016-06-11 22:33:37,583 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default task-5)   objectclass = person
2016-06-11 22:33:37,583 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default task-5)   givenname = 
2016-06-11 22:33:37,583 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default task-5)   sn = 
2016-06-11 22:33:37,583 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default task-5)   cn = 
2016-06-11 22:33:37,583 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default task-5) ]
2016-06-11 22:33:37,607 ERROR [io.undertow.request] (default task-5) UT005023: Exception handling request to /auth/admin/realms/freeipa/users: org.jboss.resteasy.spi.UnhandledException: org.keycloak.models.ModelException: Error creating subcontext [uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test]
    at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
    at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
    at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
   
    ... 37 more
Caused by: javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - attribute "uid" not allowed
]; remaining name 'uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test'
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3166)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3081)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2888)
    at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:812)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:341)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:268)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:256)
    at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:197)
    at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:197)
    at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$7.execute(LDAPOperationManager.java:434)
    at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$7.execute(LDAPOperationManager.java:431)
    at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:536)
    at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.createSubContext(LDAPOperationManager.java:431)
    ... 57 more
"


FreeIPA Server ldap srv log:
""
tail -f /data/var/log/dirsrv/slapd-EXAMPLE-TEST/errors

[11/Jun/2016:22:33:37 +0000] - Entry "uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test" -- attribute "uid" not allowed
""

----

It appears the FreeIPA LDAP server is refusing the attribute 'UID'.

Interestingly, the FreeIPA 'user_add' API operation states that the 'uid' attribute is required:

I tried to add a new user manually using the FreeIPA CLI and it worked fine. See the FreeIPA CLI output:

"
[root@ipa /]# ipa help user-add
Usage: ipa [global-options] user-add LOGIN [options]

Add a new user.
Options:
  -h, --help            show this help message and exit
  --first=STR           First name
  --last=STR            Last name
  --cn=STR              Full name
  --displayname=STR     Display name
  --initials=STR        Initials
  --homedir=STR         Home directory
  --gecos=STR           GECOS
  --shell=STR           Login shell
  --principal=STR       Kerberos principal
  --principal-expiration=DATETIME
                        Kerberos principal expiration
  --email=STR           Email address
  --password            Prompt to set the user password
  --random              Generate a random user password
  --uid=INT             User ID Number (system will assign one if not
                        provided)
  --gidnumber=INT       Group ID Number
  --street=STR          Street address
  --city=STR            City
  --state=STR           State/Province
  --postalcode=STR      ZIP
  --phone=STR           Telephone Number
  --mobile=STR          Mobile Telephone Number
  --pager=STR           Pager Number
  --fax=STR             Fax Number
  --orgunit=STR         Org. Unit
  --title=STR           Job Title
  --manager=STR         Manager
  --carlicense=STR      Car License
  --sshpubkey=STR       SSH public key
  --user-auth-type=['password', 'radius', 'otp']
                        Types of supported user authentication
  --class=STR           User category (semantics placed on this attribute are
                        for local interpretation)
  --radius=STR          RADIUS proxy configuration
  --radius-username=STR
                        RADIUS proxy username
  --departmentnumber=STR
                        Department Number
  --employeenumber=STR  Employee Number
  --employeetype=STR    Employee Type
  --preferredlanguage=STR
                        Preferred Language
  --certificate=BYTES   Base-64 encoded server certificate
  --setattr=STR         Set an attribute to a name/value pair. Format is
                        attr=value. For multi-valued attributes, the command
                        replaces the values already present.
  --addattr=STR         Add an attribute/value pair. Format is attr=value. The
                        attribute must be part of the schema.
  --noprivate           Don't create user private group
  --all                 Retrieve and print all attributes from the server.
                        Affects command output.
  --raw                 Print entries as stored on the server. Only affects
                        output format.

[root@ipa /]# ipa user-add ipa_user3  --first 'IPA 3' --last 'User3' --email 'ipa_user3@example.test' --all --raw
----------------------
Added user "ipa_user3"
----------------------
  dn: uid=ipa_user3,cn=users,cn=accounts,dc=example,dc=test
  uid: ipa_user3
  givenname: IPA 3
  sn: User3
  cn: IPA 3 User3
  initials: IU
  homedirectory: /home/ipa_user3
  gecos: IPA 3 User3
  loginshell: /bin/sh
  mail: ipa_user3@example.test
  uidnumber: 753200006
  gidnumber: 753200006
  has_password: FALSE
  has_keytab: FALSE
  displayName: IPA 3 User3
  ipaUniqueID: 65f3f702-3021-11e6-b62c-0242ac110001
  krbPrincipalName: ipa_user3@EXAMPLE.TEST
  memberof: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=test
  mepManagedEntry: cn=ipa_user3,cn=groups,cn=accounts,dc=example,dc=test
  objectClass: ipaSshGroupOfPubKeys
  objectClass: ipaobject
  objectClass: mepOriginEntry
  objectClass: person
  objectClass: top
  objectClass: ipasshuser
  objectClass: inetorgperson
  objectClass: organizationalperson
  objectClass: krbticketpolicyaux
  objectClass: krbprincipalaux
  objectClass: inetuser
  objectClass: posixaccount
"

Can someone help me find what is wrong on the KC side? Maybe the KC mappers mechanism?

Thanks in advance.

[1] https://github.com/mposolda/keycloak-freeipa-docker
[2] https://hub.docker.com/r/adelton/freeipa-server/

--
___
Rafael T. C. Soares 


_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
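Both adds from the thread above, re-checked offline against a subset of the standard LDAP schema; this is an added example, not code from the thread, Keycloak or FreeIPA. The object-class definitions are transcribed from RFC 4519, RFC 2798 and RFC 2307 with MAY lists abbreviated, and the IPA-specific classes in the ipa output are left out; it shows that objectclass=person alone permits neither uid (the RDN attribute) nor givenName, while the class set FreeIPA writes does.

```python
# Added example (not code from the thread, Keycloak or FreeIPA): re-check an
# LDAP add offline against a subset of the standard schema, reproducing the
# checks behind result 65 (objectClassViolation). Classes transcribed from
# RFC 4519, RFC 2798 and RFC 2307, MAY lists abbreviated, names case-insensitive.
SCHEMA = {  # name -> (superior, kind, MUST, MAY)
    "top": (None, "ABSTRACT", {"objectclass"}, set()),
    "person": ("top", "STRUCTURAL", {"sn", "cn"},
               {"userpassword", "telephonenumber", "seealso", "description"}),
    "organizationalperson": ("person", "STRUCTURAL", set(), {"title", "ou", "street", "st", "l"}),
    "inetorgperson": ("organizationalperson", "STRUCTURAL", set(),
                      {"givenname", "displayname", "initials", "mail", "uid", "mobile", "manager"}),
    "posixaccount": ("top", "AUXILIARY", {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"},
                     {"userpassword", "loginshell", "gecos", "description"}),
}

def _with_superiors(oc):
    """Object class plus every superior it inherits MUST/MAY from."""
    chain, name = [], oc.lower()
    while name is not None:
        if name not in SCHEMA:
            raise ValueError(f"unknown objectClass {oc!r}")
        chain.append(name)
        name = SCHEMA[name][0]
    return chain

def check_entry(dn, attrs):
    """Violations a schema-checking server raises when adding dn with attrs.
    The RDN attribute is part of the entry; empty values count as absent."""
    entry = {k.lower(): [v for v in vals if v] for k, vals in attrs.items()}
    rdn_attr, rdn_val = dn.split(",", 1)[0].split("=", 1)
    entry.setdefault(rdn_attr.lower(), [rdn_val])
    classes = {c for oc in entry.get("objectclass", []) for c in _with_superiors(oc)}
    errors = []
    if not any(SCHEMA[c][1] == "STRUCTURAL" for c in classes):
        errors.append("no STRUCTURAL objectClass")
    must = set().union(*(SCHEMA[c][2] for c in classes))
    may = set().union(*(SCHEMA[c][3] for c in classes))
    errors += [f'missing required attribute "{a}"' for a in sorted(must) if not entry.get(a)]
    errors += [f'attribute "{a}" not allowed' for a in sorted(entry) if a not in must | may]
    return errors

# The two adds from the thread (IPA-specific classes like ipaobject left out).
KC_ADD = ("uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test",
          {"objectclass": ["person"], "givenname": [""], "sn": [""], "cn": [""]})
IPA_ADD = ("uid=ipa_user3,cn=users,cn=accounts,dc=example,dc=test",
           {"objectClass": ["inetOrgPerson", "posixAccount"], "givenname": ["IPA 3"],
            "sn": ["User3"], "cn": ["IPA 3 User3"], "initials": ["IU"], "mail": ["ipa_user3@example.test"],
            "homedirectory": ["/home/ipa_user3"], "gecos": ["IPA 3 User3"], "loginshell": ["/bin/sh"],
            "uidnumber": ["753200006"], "gidnumber": ["753200006"], "displayName": ["IPA 3 User3"]})
```

Running check_entry on KC_ADD lists uid and givenname as not allowed under person (plus the empty sn/cn), while IPA_ADD passes cleanly.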