I'm testing Keycloak LDAP User Federation with FreeIPA IdM Server.
I'm using the same environment used by @mposolda [1] with the @adelton's
FreeIPA Docker container image [2].
The integration (KC and FreeIPA) worked fine except for the sync of new
users created on the KC side (new registrations). When I enable 'Sync
Registrations' on the 'freeipa-ldap' User Federation and then try to add a
new user using the KC Web Console, I get the following error:
KC server.log in TRACE mode:
"
2016-06-11 22:33:37,568 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
realm by name cache hit: master
2016-06-11 22:33:37,568 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
by id cache hit: master
2016-06-11 22:33:37,569 DEBUG [org.keycloak.services] (default task-5)
token active - active: true, issued-at: 1,465,684,397, not-before: 0
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default task-5)
getuserById 6f358dd3-3c20-4a84-b0b5-b02c77747a5a
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default task-5)
returning new cache adapter
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
client by name cache hit: security-admin-console
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
client by id cache hit: security-admin-console
2016-06-11 22:33:37,569 DEBUG [org.keycloak.services] (default task-5)
authenticated admin access for: admin
2016-06-11 22:33:37,569 DEBUG [org.keycloak.services] (default task-5) No
origin returning
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
realm by name cache hit: freeipa
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
by id cache hit: freeipa
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
by id cache hit: master
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
by id cache hit: master
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
by id cache hit: master
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
client by id cache hit: freeipa-realm
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
getClientRoles cache hit: freeipa-realm
2016-06-11 22:33:37,570 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
getClientRoles cache hit: freeipa-realm
2016-06-11 22:33:37,570 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default task-5)
getUserByUsername: kc_user1
2016-06-11 22:33:37,570 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default task-5)
query null
2016-06-11 22:33:37,571 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default task-5)
model from delegate null
2016-06-11 22:33:37,571 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore] (default
task-5) Using filter for LDAP search: (&(uid=kc_user1)(objectclass=person))
. Searching in DN: cn=users,cn=accounts,dc=example,dc=test
2016-06-11 22:33:37,575 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore] (default
task-5) Using filter for LDAP search:
(&(mail=kc_user1(a)example.test)(objectclass=person))
. Searching in DN: cn=users,cn=accounts,dc=example,dc=test
2016-06-11 22:33:37,577 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
getRealmRoles cache hit: freeipa
2016-06-11 22:33:37,578 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
getClients cache hit: freeipa
2016-06-11 22:33:37,578 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
client by id cache hit: broker
2016-06-11 22:33:37,578 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
client by id cache hit: realm-management
2016-06-11 22:33:37,578 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
client by id cache hit: liferay-saml-idp
2016-06-11 22:33:37,578 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
client by id cache hit: security-admin-console
2016-06-11 22:33:37,578 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
client by id cache hit: kitchensink
2016-06-11 22:33:37,579 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
client by id cache hit: admin-cli
2016-06-11 22:33:37,579 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
client by id cache hit: account
2016-06-11 22:33:37,579 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
getClientRoles cache hit: account
2016-06-11 22:33:37,580 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
getClientRoles cache hit: account
2016-06-11 22:33:37,581 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default
task-5) Creating entry
[uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test] with attributes: [
2016-06-11 22:33:37,583 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default
task-5) objectclass = person
2016-06-11 22:33:37,583 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default
task-5) givenname =
2016-06-11 22:33:37,583 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default
task-5) sn =
2016-06-11 22:33:37,583 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default
task-5) cn =
2016-06-11 22:33:37,583 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default
task-5) ]
2016-06-11 22:33:37,607 ERROR [io.undertow.request] (default task-5)
UT005023: Exception handling request to /auth/admin/realms/freeipa/users:
org.jboss.resteasy.spi.UnhandledException:
org.keycloak.models.ModelException: Error creating subcontext
[uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test]
at
org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
at
org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
at
org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411)
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
at
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at
io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
at
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:88)
at
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at
io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
at
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
at
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at
io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at
io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
at
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
at
io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: org.keycloak.models.ModelException: Error creating subcontext
[uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test]
at
org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.createSubContext(LDAPOperationManager.java:442)
at
org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore.add(LDAPIdentityStore.java:92)
at
org.keycloak.federation.ldap.LDAPUtils.addUserToLDAP(LDAPUtils.java:71)
at
org.keycloak.federation.ldap.LDAPFederationProvider.register(LDAPFederationProvider.java:171)
at
org.keycloak.models.UserFederationManager.registerWithFederation(UserFederationManager.java:72)
at
org.keycloak.models.UserFederationManager.addUser(UserFederationManager.java:64)
at
org.keycloak.services.resources.admin.UsersResource.createUser(UsersResource.java:213)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at
org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
at
org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
at
org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
... 37 more
Caused by: javax.naming.directory.SchemaViolationException: [LDAP: error
code 65 - attribute "uid" not allowed
]; remaining name 'uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3166)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3081)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2888)
at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:812)
at
com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:341)
at
com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:268)
at
com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:256)
at
javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:197)
at
javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:197)
at
org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$7.execute(LDAPOperationManager.java:434)
at
org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$7.execute(LDAPOperationManager.java:431)
at
org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:536)
at
org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.createSubContext(LDAPOperationManager.java:431)
... 57 more"
FreeIPA Server ldap srv log:
""
tail -f /data/var/log/dirsrv/slapd-EXAMPLE-TEST/errors
[11/Jun/2016:22:33:37 +0000] - Entry
"uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test" -- attribute
"uid"
not allowed
""
----
It appears the FreeIPA LDAP server is refusing the attribute 'uid'.
Interestingly, the FreeIPA 'user_add' API operation states that the 'uid'
attribute is required:
I tried to add a new user manually using the FreeIPA CLI and it worked
fine. See the FreeIPA CLI output:
"
[root@ipa /]# ipa help user-add
Usage: ipa [global-options] user-add LOGIN [options]
Add a new user.
Options:
-h, --help show this help message and exit
--first=STR First name
--last=STR Last name
--cn=STR Full name
--displayname=STR Display name
--initials=STR Initials
--homedir=STR Home directory
--gecos=STR GECOS
--shell=STR Login shell
--principal=STR Kerberos principal
--principal-expiration=DATETIME
Kerberos principal expiration
--email=STR Email address
--password Prompt to set the user password
--random Generate a random user password
--uid=INT User ID Number (system will assign one if not
provided)
--gidnumber=INT Group ID Number
--street=STR Street address
--city=STR City
--state=STR State/Province
--postalcode=STR ZIP
--phone=STR Telephone Number
--mobile=STR Mobile Telephone Number
--pager=STR Pager Number
--fax=STR Fax Number
--orgunit=STR Org. Unit
--title=STR Job Title
--manager=STR Manager
--carlicense=STR Car License
--sshpubkey=STR SSH public key
--user-auth-type=['password', 'radius', 'otp']
Types of supported user authentication
--class=STR User category (semantics placed on this attribute
are
for local interpretation)
--radius=STR RADIUS proxy configuration
--radius-username=STR
RADIUS proxy username
--departmentnumber=STR
Department Number
--employeenumber=STR Employee Number
--employeetype=STR Employee Type
--preferredlanguage=STR
Preferred Language
--certificate=BYTES Base-64 encoded server certificate
--setattr=STR Set an attribute to a name/value pair. Format is
attr=value. For multi-valued attributes, the command
replaces the values already present.
--addattr=STR Add an attribute/value pair. Format is attr=value.
The
attribute must be part of the schema.
--noprivate Don't create user private group
--all Retrieve and print all attributes from the server.
Affects command output.
--raw Print entries as stored on the server. Only affects
output format.
[root@ipa /]# ipa user-add ipa_user3 --first 'IPA
3' --last 'User3' --email 'ipa_user3(a)example.test' --all --raw
----------------------
Added user "ipa_user3"
----------------------
dn:
uid=ipa_user3,cn=users,cn=accounts,dc=example,dc=test
uid: ipa_user3
givenname: IPA 3
sn: User3
cn: IPA 3 User3
initials: IU
homedirectory: /home/ipa_user3
gecos: IPA 3 User3
loginshell: /bin/sh
mail: ipa_user3(a)example.test
uidnumber: 753200006
gidnumber: 753200006
has_password: FALSE
has_keytab: FALSE
displayName: IPA 3 User3
ipaUniqueID: 65f3f702-3021-11e6-b62c-0242ac110001
krbPrincipalName: ipa_user3(a)EXAMPLE.TEST
memberof:
cn=ipausers,cn=groups,cn=accounts,dc=example,dc=test
mepManagedEntry:
cn=ipa_user3,cn=groups,cn=accounts,dc=example,dc=test
objectClass: ipaSshGroupOfPubKeys
objectClass: ipaobject
objectClass: mepOriginEntry
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
"
Can someone help me find what is wrong on KC side? Maybe the KC mappers
mechanism?
Thanks in advance.
[1]
https://github.com/mposolda/keycloak-freeipa-docker
[2]
https://hub.docker.com/r/adelton/freeipa-server/
--
___
Rafael T. C. Soares
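Added example (not code from the original post, from Keycloak or from FreeIPA): a minimal LDAP object-class schema check that reproduces the decision behind "LDAP: error code 65 - attribute "uid" not allowed". An add request may only carry attributes that one of its objectClass values (or a superior class) declares as MUST or MAY, and the RDN attribute counts as part of the entry. The schema table is a subset of the standard person/organizationalPerson/inetOrgPerson (RFC 4519, RFC 2798) and posixAccount (RFC 2307) definitions; the two sample entries are constructed from the TRACE output above (objectclass=person only) and from the object classes the ipa user-add output shows.

```python
# Added example: minimal objectClass schema check, not Keycloak or FreeIPA code.
# Schema subset from RFC 4519 / RFC 2798 / RFC 2307; attribute names lower-cased.
from typing import Dict, List, Set

# object class -> (superior class, MUST attributes, MAY attributes)
SCHEMA = {
    "top": (None, {"objectclass"}, set()),
    "person": ("top", {"sn", "cn"},
               {"userpassword", "telephonenumber", "seealso", "description"}),
    "organizationalperson": ("person", set(),
               {"title", "ou", "l", "st", "street", "postalcode",
                "postaladdress", "facsimiletelephonenumber"}),
    "inetorgperson": ("organizationalperson", set(),
               {"uid", "mail", "givenname", "displayname", "initials",
                "employeenumber", "employeetype", "departmentnumber",
                "preferredlanguage", "mobile", "pager", "carlicense",
                "manager", "usercertificate"}),
    "posixaccount": ("top",
               {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"},
               {"userpassword", "loginshell", "gecos", "description"}),
}


def allowed_attributes(object_classes: List[str]):
    """Union of MUST and MAY over the listed classes and their superior chains."""
    must: Set[str] = set()
    may: Set[str] = set()
    for oc in object_classes:
        name = oc.lower()
        while name in SCHEMA:           # unknown classes contribute nothing
            sup, m, o = SCHEMA[name]
            must |= m
            may |= o
            name = sup
    return must, may


def check_entry(dn: str, attrs: Dict[str, List[str]]) -> List[str]:
    """Return the schema violations a directory server would raise for an add.

    The RDN attribute (uid in uid=kc_user1,...) is part of the entry even when
    the client did not list it, so it is merged in before the check.
    """
    entry = {k.lower(): v for k, v in attrs.items()}
    rdn_attr, rdn_val = dn.split(",", 1)[0].split("=", 1)
    entry.setdefault(rdn_attr.lower(), [rdn_val])
    must, may = allowed_attributes(entry.get("objectclass", []))
    bad = [f'attribute "{a}" not allowed' for a in sorted(entry) if a not in must | may]
    bad += [f'missing required attribute "{a}"' for a in sorted(must - set(entry))]
    return bad


# Constructed from the Keycloak TRACE above: objectclass=person plus empty values.
DN = "uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test"
KC_ENTRY = {"objectClass": ["person"], "givenName": [""], "sn": [""], "cn": [""]}
# Same entry carrying the classes the ipa user-add output shows for these attributes.
FIXED_ENTRY = dict(KC_ENTRY, objectClass=["inetOrgPerson", "organizationalPerson", "person"])
```

Running check_entry(DN, KC_ENTRY) rejects both uid (the RDN attribute) and givenname, matching the dirsrv error, while FIXED_ENTRY passes; the classes Keycloak writes on registration come from the LDAP provider's 'User Object Classes' setting, so that is the place to compare against the objectClass list FreeIPA itself produces.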