It's impossible with the SSSD integration as SSSD is currently read-only. You can however use FreeIPA as a backend with a LDAP user federation provider instead. On 27 November 2016 at 17:56, James James <jreg2k(a)gmail.com&gt; wrote: > Hello, > > > I want to be able to create user in the FreeIPA backend from keycloak > registration portal .. is it possible ? For me it' impossible but I just > want to be sure. > > http://lists.jboss.org/pipermail/keycloak-user/2016-June/006607.html > > https://keycloak.gitbooks.io/server-adminstration-guide/cont > ent/topics/user-federation/sssd.html > > Regards. > > James Regis > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >

The only way to create users in freeipa is to use their web API. The only provisioning system I know of that does this is our own project openunison. Here's the code for working g with the freeipa web services if you are interested : https://github.com/TremoloSecurity/OpenUnison/blob/master/unison/unison-s... On Sun, Dec 4, 2016, 8:48 AM James James <jreg2k(a)gmail.com&gt; wrote: > Thank for your answer. > > If i use freeipa as LDAP backend for keycloak, users who will register from > the keycloak UI will be created in Freeipa to ? > > In my previous tests, every user I have created from the keycloak UI wasn't > created in the FreeIPA. I was using FreeIPA as LDAP backend. Maybe my > settings were bad. > > I can send some logs to help me troubleshooting. > > Regards. > > 2016-12-02 7:11 GMT+01:00 Stian Thorgersen <sthorger(a)redhat.com&gt;: > >> It's impossible with the SSSD integration as SSSD is currently read-only. >> You can however use FreeIPA as a backend with a LDAP user federation >> provider instead. >> >> On 27 November 2016 at 17:56, James James <jreg2k(a)gmail.com&gt; wrote: >> >>> Hello, >>> >>> >>> I want to be able to create user in the FreeIPA backend from keycloak >>> registration portal .. is it possible ? For me it' impossible but I > just >>> want to be sure. >>> >>> http://lists.jboss.org/pipermail/keycloak-user/2016-June/006607.html >>> >>> https://keycloak.gitbooks.io/server-adminstration-guide/cont >>> ent/topics/user-federation/sssd.html >>> >>> Regards. >>> >>> James Regis >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user(a)lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >

> Their LDAP front-end doesn't support writes? FreeIPA doesn't have an "LDAP front-end", it relies on the 389 directory to store its objects. For the most part you can use the LDAP interface for reads but for writes different rules apply because a single "user" can be comprised of multiple objects across the DIT. As an example, if you create a user via LDAP you can probably authenticate via LDAP but you won't be able to via kerberose. Also, if you provision an sshkey via LDAP it won't work. The only way to reliably create users and add users to groups is through the FreeIPA web services, for supported attributes. Not all attributes can be provisioned via the webservices. Only if its visible in the webui. Otherwise you need to provision via LDAP. So as an example, carLicense can be provisioned via the web services but I think roomNumber or departmentNumber (I'd need to double check) are NOT supported unless you extend the webui (there's a way to do it if you google it).