6:10 p.m.
I'm testing Keycloak LDAP User Federation with FreeIPA iDM Server.
I'm using the same environment used by @mposolda [1] with the @adelton's
FreeIPA Docker container image [2].
The integration (KC and FreeIPA) worked fine except for the sync for new
users created on KC side (new registrations). When I enable the 'Sync
Registrations' on the 'freeipa-ldap' User Federation and then try to add a
new user using the KC Web Console I get the following error:
KC server.log in TRACE mode:
"
2016-06-11 22:33:37,568 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
realm by name cache hit: master
2016-06-11 22:33:37,568 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
by id cache hit: master
2016-06-11 22:33:37,569 DEBUG [org.keycloak.services] (default task-5)
token active - active: true, issued-at: 1,465,684,397, not-before: 0
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default task-5)
getuserById 6f358dd3-3c20-4a84-b0b5-b02c77747a5a
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default task-5)
returning new cache adapter
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
client by name cache hit: security-admin-console
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
client by id cache hit: security-admin-console
2016-06-11 22:33:37,569 DEBUG [org.keycloak.services] (default task-5)
authenticated admin access for: admin
2016-06-11 22:33:37,569 DEBUG [org.keycloak.services] (default task-5) No
origin returning
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
realm by name cache hit: freeipa
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
by id cache hit: freeipa
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
by id cache hit: master
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
by id cache hit: master
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
by id cache hit: master
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
client by id cache hit: freeipa-realm
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
getClientRoles cache hit: freeipa-realm
2016-06-11 22:33:37,570 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
getClientRoles cache hit: freeipa-realm
2016-06-11 22:33:37,570 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default task-5)
getUserByUsername: kc_user1
2016-06-11 22:33:37,570 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default task-5)
query null
2016-06-11 22:33:37,571 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default task-5)
model from delegate null
2016-06-11 22:33:37,571 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore] (default
task-5) Using filter for LDAP search: (&(uid=kc_user1)(objectclass=person))
. Searching in DN: cn=users,cn=accounts,dc=example,dc=test
2016-06-11 22:33:37,575 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore] (default
task-5) Using filter for LDAP search:
(&(mail=kc_user1(a)example.test)(objectclass=person))
. Searching in DN: cn=users,cn=accounts,dc=example,dc=test
2016-06-11 22:33:37,577 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
getRealmRoles cache hit: freeipa
2016-06-11 22:33:37,578 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
getClients cache hit: freeipa
2016-06-11 22:33:37,578 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
client by id cache hit: broker
2016-06-11 22:33:37,578 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
client by id cache hit: realm-management
2016-06-11 22:33:37,578 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
client by id cache hit: liferay-saml-idp
2016-06-11 22:33:37,578 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
client by id cache hit: security-admin-console
2016-06-11 22:33:37,578 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
client by id cache hit: kitchensink
2016-06-11 22:33:37,579 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
client by id cache hit: admin-cli
2016-06-11 22:33:37,579 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
client by id cache hit: account
2016-06-11 22:33:37,579 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
getClientRoles cache hit: account
2016-06-11 22:33:37,580 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
getClientRoles cache hit: account
2016-06-11 22:33:37,581 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default
task-5) Creating entry
[uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test] with attributes: [
2016-06-11 22:33:37,583 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default
task-5) objectclass = person
2016-06-11 22:33:37,583 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default
task-5) givenname =
2016-06-11 22:33:37,583 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default
task-5) sn =
2016-06-11 22:33:37,583 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default
task-5) cn =
2016-06-11 22:33:37,583 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default
task-5) ]
2016-06-11 22:33:37,607 ERROR [io.undertow.request] (default task-5)
UT005023: Exception handling request to /auth/admin/realms/freeipa/users:
org.jboss.resteasy.spi.UnhandledException:
org.keycloak.models.ModelException: Error creating subcontext
[uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test]
at
org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
at
org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
at
org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
... 37 more
Caused by: javax.naming.directory.SchemaViolationException: [LDAP: error
code 65 - attribute "uid" not allowed
]; remaining name 'uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3166)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3081)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2888)
at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:812)
at
com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:341)
at
com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:268)
at
com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:256)
at
javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:197)
at
javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:197)
at
org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$7.execute(LDAPOperationManager.java:434)
at
org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$7.execute(LDAPOperationManager.java:431)
at
org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:536)
at
org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.createSubContext(LDAPOperationManager.java:431)
... 57 more"
FreeIPA Server ldap srv log:
""
tail -f /data/var/log/dirsrv/slapd-EXAMPLE-TEST/errors
[11/Jun/2016:22:33:37 +0000] - Entry
"uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test" -- attribute
"uid"
not allowed
""
----
It appears FreeIPA LDAP server is refusing the attribute 'UID'
Interesting is that the FreeIPA 'user_add' API operation states the 'uid'
attributes is required:
I tried to add a new user manually using the FreeIPA CLI and it worked
fine. See the FreeIPA CLI output:
"
[root@ipa /]# ipa help user-add
Usage: ipa [global-options] user-add LOGIN [options]
Add a new user.
Options:
-h, --help show this help message and exit
--first=STR First name
--last=STR Last name
--cn=STR Full name
--displayname=STR Display name
--initials=STR Initials
--homedir=STR Home directory
--gecos=STR GECOS
--shell=STR Login shell
--principal=STR Kerberos principal
--principal-expiration=DATETIME
Kerberos principal expiration
--email=STR Email address
--password Prompt to set the user password
--random Generate a random user password
--uid=INT User ID Number (system will assign one if not
provided)
--gidnumber=INT Group ID Number
--street=STR Street address
--city=STR City
--state=STR State/Province
--postalcode=STR ZIP
--phone=STR Telephone Number
--mobile=STR Mobile Telephone Number
--pager=STR Pager Number
--fax=STR Fax Number
--orgunit=STR Org. Unit
--title=STR Job Title
--manager=STR Manager
--carlicense=STR Car License
--sshpubkey=STR SSH public key
--user-auth-type=['password', 'radius', 'otp']
Types of supported user authentication
--class=STR User category (semantics placed on this attribute
are
for local interpretation)
--radius=STR RADIUS proxy configuration
--radius-username=STR
RADIUS proxy username
--departmentnumber=STR
Department Number
--employeenumber=STR Employee Number
--employeetype=STR Employee Type
--preferredlanguage=STR
Preferred Language
--certificate=BYTES Base-64 encoded server certificate
--setattr=STR Set an attribute to a name/value pair. Format is
attr=value. For multi-valued attributes, the command
replaces the values already present.
--addattr=STR Add an attribute/value pair. Format is attr=value.
The
attribute must be part of the schema.
--noprivate Don't create user private group
--all Retrieve and print all attributes from the server.
Affects command output.
--raw Print entries as stored on the server. Only affects
output format.
[root@ipa /]# ipa user-add ipa_user3 --first 'IPA
3' --last 'User3' --email 'ipa_user3(a)example.test' --all --raw
----------------------
Added user "ipa_user3"
----------------------
dn:
uid=ipa_user3,cn=users,cn=accounts,dc=example,dc=test
uid: ipa_user3
givenname: IPA 3
sn: User3
cn: IPA 3 User3
initials: IU
homedirectory: /home/ipa_user3
gecos: IPA 3 User3
loginshell: /bin/sh
mail: ipa_user3(a)example.test
uidnumber: 753200006
gidnumber: 753200006
has_password: FALSE
has_keytab: FALSE
displayName: IPA 3 User3
ipaUniqueID: 65f3f702-3021-11e6-b62c-0242ac110001
krbPrincipalName: ipa_user3(a)EXAMPLE.TEST
memberof:
cn=ipausers,cn=groups,cn=accounts,dc=example,dc=test
mepManagedEntry:
cn=ipa_user3,cn=groups,cn=accounts,dc=example,dc=test
objectClass: ipaSshGroupOfPubKeys
objectClass: ipaobject
objectClass: mepOriginEntry
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
"
Can someone help me find what is wrong on KC side? Maybe the KC mappers
mechanism?
Thanks in advance.
[1] https://github.com/mposolda/keycloak-freeipa-docker
[2] https://hub.docker.com/r/adelton/freeipa-server/
--
___
Rafael T. C. Soares
2:54 a.m.
The "Sync registration" doesn't work with LDAP provider configured
against FreeIPA.
We are currently working on improve FreeIPA integration. It seems the
new users created in Keycloak will be registered to FreeIPA with SSSD,
not with LDAP. Using SSSD seems to be the preferred and more proper way
though.
Marek
On 12/06/16 01:10, Rafael Soares wrote:
I'm testing Keycloak LDAP User Federation with FreeIPA iDM
Server.
I'm using the same environment used by @mposolda [1] with the
@adelton's FreeIPA Docker container image [2].
The integration (KC and FreeIPA) worked fine except for the sync for
new users created on KC side (new registrations). When I enable the
'Sync Registrations' on the 'freeipa-ldap' User Federation and then
try to add a new user using the KC Web Console I get the following error:
KC server.log in TRACE mode:
"
2016-06-11 22:33:37,568 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default
task-5) realm by name cache hit: master
2016-06-11 22:33:37,568 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default
task-5) by id cache hit: master
2016-06-11 22:33:37,569 DEBUG [org.keycloak.services] (default task-5)
token active - active: true, issued-at: 1,465,684,397, not-before: 0
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default
task-5) getuserById 6f358dd3-3c20-4a84-b0b5-b02c77747a5a
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default
task-5) returning new cache adapter
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default
task-5) client by name cache hit: security-admin-console
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default
task-5) client by id cache hit: security-admin-console
2016-06-11 22:33:37,569 DEBUG [org.keycloak.services] (default task-5)
authenticated admin access for: admin
2016-06-11 22:33:37,569 DEBUG [org.keycloak.services] (default task-5)
No origin returning
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default
task-5) realm by name cache hit: freeipa
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default
task-5) by id cache hit: freeipa
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default
task-5) by id cache hit: master
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default
task-5) by id cache hit: master
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default
task-5) by id cache hit: master
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default
task-5) client by id cache hit: freeipa-realm
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default
task-5) getClientRoles cache hit: freeipa-realm
2016-06-11 22:33:37,570 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default
task-5) getClientRoles cache hit: freeipa-realm
2016-06-11 22:33:37,570 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default
task-5) getUserByUsername: kc_user1
2016-06-11 22:33:37,570 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default
task-5) query null
2016-06-11 22:33:37,571 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default
task-5) model from delegate null
2016-06-11 22:33:37,571 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore]
(default task-5) Using filter for LDAP search:
(&(uid=kc_user1)(objectclass=person)) . Searching in DN:
cn=users,cn=accounts,dc=example,dc=test
2016-06-11 22:33:37,575 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore]
(default task-5) Using filter for LDAP search:
(&(mail=kc_user1(a)example.test)(objectclass=person)) . Searching in DN:
cn=users,cn=accounts,dc=example,dc=test
2016-06-11 22:33:37,577 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default
task-5) getRealmRoles cache hit: freeipa
2016-06-11 22:33:37,578 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default
task-5) getClients cache hit: freeipa
2016-06-11 22:33:37,578 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default
task-5) client by id cache hit: broker
2016-06-11 22:33:37,578 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default
task-5) client by id cache hit: realm-management
2016-06-11 22:33:37,578 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default
task-5) client by id cache hit: liferay-saml-idp
2016-06-11 22:33:37,578 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default
task-5) client by id cache hit: security-admin-console
2016-06-11 22:33:37,578 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default
task-5) client by id cache hit: kitchensink
2016-06-11 22:33:37,579 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default
task-5) client by id cache hit: admin-cli
2016-06-11 22:33:37,579 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default
task-5) client by id cache hit: account
2016-06-11 22:33:37,579 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default
task-5) getClientRoles cache hit: account
2016-06-11 22:33:37,580 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default
task-5) getClientRoles cache hit: account
2016-06-11 22:33:37,581 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager]
(default task-5) Creating entry
[uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test] with attributes: [
2016-06-11 22:33:37,583 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager]
(default task-5) objectclass = person
2016-06-11 22:33:37,583 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager]
(default task-5) givenname =
2016-06-11 22:33:37,583 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager]
(default task-5) sn =
2016-06-11 22:33:37,583 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager]
(default task-5) cn =
2016-06-11 22:33:37,583 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager]
(default task-5) ]
2016-06-11 22:33:37,607 ERROR [io.undertow.request] (default task-5)
UT005023: Exception handling request to
/auth/admin/realms/freeipa/users:
org.jboss.resteasy.spi.UnhandledException:
org.keycloak.models.ModelException: Error creating subcontext
[uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test]
at
org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
at
org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
at
org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
... 37 more
Caused by: javax.naming.directory.SchemaViolationException: [LDAP:
error code 65 - attribute "uid" not allowed
]; remaining name 'uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3166)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3081)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2888)
at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:812)
at
com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:341)
at
com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:268)
at
com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:256)
at
javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:197)
at
javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:197)
at
org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$7.execute(LDAPOperationManager.java:434)
at
org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$7.execute(LDAPOperationManager.java:431)
at
org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:536)
at
org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.createSubContext(LDAPOperationManager.java:431)
... 57 more"
FreeIPA Server ldap srv log:
""
tail -f /data/var/log/dirsrv/slapd-EXAMPLE-TEST/errors
[11/Jun/2016:22:33:37 +0000] - Entry
"uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test" -- attribute
"uid" not allowed
""
----
It appears FreeIPA LDAP server is refusing the attribute 'UID'
Interesting is that the FreeIPA 'user_add' API operation states the
'uid' attributes is required:
I tried to add a new user manually using the FreeIPA CLI and it worked
fine. See the FreeIPA CLI output:
"
[root@ipa /]# ipa help user-add
Usage: ipa [global-options] user-add LOGIN [options]
Add a new user.
Options:
-h, --help show this help message and exit
--first=STR First name
--last=STR Last name
--cn=STR Full name
--displayname=STR Display name
--initials=STR Initials
--homedir=STR Home directory
--gecos=STR GECOS
--shell=STR Login shell
--principal=STR Kerberos principal
--principal-expiration=DATETIME
Kerberos principal expiration
--email=STR Email address
--password Prompt to set the user password
--random Generate a random user password
--uid=INT User ID Number (system will assign one if not
provided)
--gidnumber=INT Group ID Number
--street=STR Street address
--city=STR City
--state=STR State/Province
--postalcode=STR ZIP
--phone=STR Telephone Number
--mobile=STR Mobile Telephone Number
--pager=STR Pager Number
--fax=STR Fax Number
--orgunit=STR Org. Unit
--title=STR Job Title
--manager=STR Manager
--carlicense=STR Car License
--sshpubkey=STR SSH public key
--user-auth-type=['password', 'radius', 'otp']
Types of supported user authentication
--class=STR User category (semantics placed on this
attribute are
for local interpretation)
--radius=STR RADIUS proxy configuration
--radius-username=STR
RADIUS proxy username
--departmentnumber=STR
Department Number
--employeenumber=STR Employee Number
--employeetype=STR Employee Type
--preferredlanguage=STR
Preferred Language
--certificate=BYTES Base-64 encoded server certificate
--setattr=STR Set an attribute to a name/value pair. Format is
attr=value. For multi-valued attributes, the
command
replaces the values already present.
--addattr=STR Add an attribute/value pair. Format is
attr=value. The
attribute must be part of the schema.
--noprivate Don't create user private group
--all Retrieve and print all attributes from the server.
Affects command output.
--raw Print entries as stored on the server. Only
affects
output format.
[root@ipa /]# ipa user-add ipa_user3 --first
'IPA 3' --last 'User3' --email 'ipa_user3(a)example.test' --all
--raw
----------------------
Added user "ipa_user3"
----------------------
dn:
uid=ipa_user3,cn=users,cn=accounts,dc=example,dc=test
uid: ipa_user3
givenname: IPA 3
sn: User3
cn: IPA 3 User3
initials: IU
homedirectory: /home/ipa_user3
gecos: IPA 3 User3
loginshell: /bin/sh
mail: ipa_user3(a)example.test
uidnumber: 753200006
gidnumber: 753200006
has_password: FALSE
has_keytab: FALSE
displayName: IPA 3 User3
ipaUniqueID:
65f3f702-3021-11e6-b62c-0242ac110001
krbPrincipalName: ipa_user3(a)EXAMPLE.TEST
memberof:
cn=ipausers,cn=groups,cn=accounts,dc=example,dc=test
mepManagedEntry:
cn=ipa_user3,cn=groups,cn=accounts,dc=example,dc=test
objectClass: ipaSshGroupOfPubKeys
objectClass: ipaobject
objectClass: mepOriginEntry
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
"
Can someone help me find what is wrong on KC side? Maybe the KC
mappers mechanism?
Thanks in advance.
[1] https://github.com/mposolda/keycloak-freeipa-docker
[2] https://hub.docker.com/r/adelton/freeipa-server/
--
___
Rafael T. C. Soares
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
9:20 a.m.
On 13/06/16 15:47, Rafael T. C. Soares wrote:
___
Rafael T. C. Soares
On 06/13/2016 04:54 AM, Marek Posolda wrote:
> The "Sync registration" doesn't work with LDAP provider configured
> against FreeIPA.
>
Is this issue specific for FreeIPA? Is it supposed to work for other
LDAP Impl and MS AD?
Yes, it should work for other LDAP Impl.
The FreeIPA is a bit special, as the registration of user needs to be
done properly through SSSD or something, not through calling LDAP API
directly. SSSD updates LDAP and do some other required things to have
user account in correct state. That's what FreeIPA CLI is doing as well
AFAIK.
Marek
Thanks!
3137
days inactive
3139
days old
3 comments
3 participants
participants (3)
-
Marek Posolda -
Rafael Soares -
Rafael T. C. Soares