On 2016-12-05, Marek Posolda wrote:
Yeah, that's my experience too. I did the Keycloak integration with
FreeIPA through LDAP FederationProvider a long time ago with the docker
image [1].
The update of simple attributes of existing users worked (e.g. if I
updated firstName of the user "john" in Keycloak, it was propagated
through the LDAP FederationProvider to the FreeIPA LDAP and was updated
correctly).
However registration of new users from Keycloak doesn't work. I assumed
the SSSD interface will be able to register new users from Keycloak as well?
I don't think so. SSSD interface is read-only and the addition of a
registration interface is unlikely to happen on SSSD.
Today to manage or change users, unfortunately all you can do
is to go through IPA interface. There's a mention to ipa help
permission, but I haven't tried yet.
Marek
[1] https://github.com/mposolda/keycloak-freeipa-docker
On 04/12/16 19:58, Marc Boorshtein wrote:
>> Their LDAP front-end doesn't support writes?
>
> FreeIPA doesn't have an "LDAP front-end", it relies on the 389 directory to
> store its objects. For the most part you can use the LDAP interface for
> reads but for writes different rules apply because a single "user" can be
> comprised of multiple objects across the DIT. As an example, if you create
> a user via LDAP you can probably authenticate via LDAP but you won't be
> able to via Kerberos. Also, if you provision an sshkey via LDAP it won't
> work.
>
> The only way to reliably create users and add users to groups is through
> the FreeIPA web services, for supported attributes. Not all attributes can
> be provisioned via the webservices. Only if it's visible in the webui.
> Otherwise you need to provision via LDAP. So as an example, carLicense can
> be provisioned via the web services but I think roomNumber or
> departmentNumber (I'd need to double check) are NOT supported unless you
> extend the webui (there's a way to do it if you google it).
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
abstractj
PGP: 0x84DC9914
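An added example, not from anyone in this thread, of provisioning the way Marc describes: creating a user and adding it to a group through FreeIPA's session-based JSON-RPC web service instead of writing directly to the 389 directory, so the server creates the Kerberos-side objects itself. The server URL, admin credentials and sample user below are constructed placeholders; the `/ipa/session/login_password` and `/ipa/session/json` endpoints and the `[args, options]` params layout are FreeIPA's documented API shape.

```python
import http.cookiejar
import json
import urllib.parse
import urllib.request


def jsonrpc_request(method, args, options, request_id=0):
    """Build a FreeIPA JSON-RPC body: positional args list plus options dict."""
    return {"method": method, "params": [list(args), dict(options)], "id": request_id}


def user_add_request(uid, givenname, sn, **extra):
    """user_add: uid is positional, the rest are options (only webui-visible attributes)."""
    return jsonrpc_request("user_add", [uid], {"givenname": givenname, "sn": sn, **extra})


def group_add_member_request(group, users):
    """group_add_member: group is positional, members go in the 'user' option."""
    return jsonrpc_request("group_add_member", [group], {"user": list(users)})


class IpaSession:
    """Minimal cookie-based session against the FreeIPA JSON-RPC endpoint."""

    def __init__(self, base_url):
        self.base_url = base_url.rstrip("/")
        self.opener = urllib.request.build_opener(
            urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar()))

    def _headers(self, content_type):
        # FreeIPA rejects requests without a Referer under the /ipa path.
        return {"Referer": self.base_url + "/ipa", "Content-Type": content_type,
                "Accept": "application/json"}

    def login(self, user, password):
        data = urllib.parse.urlencode({"user": user, "password": password}).encode()
        req = urllib.request.Request(self.base_url + "/ipa/session/login_password",
                                     data=data, headers=self._headers("application/x-www-form-urlencoded"))
        with self.opener.open(req) as resp:  # session cookie lands in the jar
            return resp.status == 200

    def call(self, payload):
        req = urllib.request.Request(self.base_url + "/ipa/session/json",
                                     data=json.dumps(payload).encode(),
                                     headers=self._headers("application/json"))
        with self.opener.open(req) as resp:
            body = json.load(resp)
        if body.get("error"):  # e.g. DuplicateEntry when the uid already exists
            raise RuntimeError(body["error"].get("message", body["error"]))
        return body["result"]


if __name__ == "__main__":
    ipa = IpaSession("https://ipa.example.test")  # placeholder server
    ipa.login("admin", "PLACEHOLDER_PASSWORD")     # placeholder credentials
    ipa.call(user_add_request("jdoe", "John", "Doe", mail="jdoe@example.test"))
    ipa.call(group_add_member_request("developers", ["jdoe"]))
```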