[keycloak-user] Keycloak 2.4 SSSD Provider setup for FreeIPA

Scott Poore spoore at redhat.com
Thu Dec 1 16:21:23 EST 2016


Hi,

I am trying to set up Keycloak version 2.4.0 with FreeIPA integration using the SSSD Provider.  I am following the Server Administration Guide, but I'm hitting an error.  I'm not sure if it's a bug or a configuration issue on my part.

This is the link I was following:

https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.4/topics/user-federation/sssd.html

The difference in setup though is that I'm not using the docker image.  Instead I'm using a separate FreeIPA Master server that I have set up as a separate VM.  I have confirmed that SSSD-DBUS is working:

[root at idp ~]# dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe org.freedesktop.sssd.infopipe.GetUserGroups string:testuser
method return time=1480625438.634684 sender=:1.26 -> destination=:1.29 serial=17 reply_serial=2
   array [
      string "ipausers"
   ]

For the SP, I set up a basic Apache setup with mod_auth_mellon using

keycloak-httpd-client-install   \
    --client-originate-method registration \
    --keycloak-server-url https://idp.keycloak.test:8443 \
    --keycloak-admin-username admin \
    --keycloak-admin-password PASSWORD \
    --app-name testapp \
    --keycloak-realm test_realm \
    --mellon-root mroot \
    --mellon-protected-locations "/mroot/private" \
    --force

When I try to log in to the SP, it redirects as expected to the Keycloak server and waits for a while before returning:

Internal Server Error

From the httpd access log I can see:

192.168.122.1 - - [01/Dec/2016:14:07:04 -0600] "GET /mroot/private HTTP/1.1" 303 384 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.86 Safari/537.36"
192.168.122.1 - - [01/Dec/2016:14:07:04 -0600] "GET /mroot/mellon/login?ReturnTo=http%3A%2F%2Fsp1.keycloak.test%2Fmroot%2Fprivate&IdP=https%3A%2F%2Fidp.keycloak.test%3A8443%2Fauth%2Frealms%2Ftest_realm HTTP/1.1" 303 1320 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.86 Safari/537.36"

From the admin console, I can see what appears to be an active session for the client.

From the Keycloak server.log I can see:

2016-12-01 14:14:31,576 WARN  [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012108: CheckedAction::check - atomic action 0:ffffc0a87abf:7c36d3eb:58406454:81e aborting with 1 threads active!
2016-12-01 14:14:31,578 WARN  [org.hibernate.resource.transaction.backend.jta.internal.synchronization.SynchronizationCallbackCoordinatorTrackingImpl] (Transaction Reaper Worker 0) HHH000451: Transaction afterCompletion called by a background thread; delaying afterCompletion processing until the original thread can handle it. [status=4]
2016-12-01 14:14:31,579 WARN  [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012121: TransactionReaper::doCancellations worker Thread[Transaction Reaper Worker 0,5,main] successfully canceled TX 0:ffffc0a87abf:7c36d3eb:58406454:81e
2016-12-01 14:15:50,617 WARN  [com.arjuna.ats.arjuna] (default task-25) ARJUNA012077: Abort called on already aborted atomic action 0:ffffc0a87abf:7c36d3eb:58406454:81e
2016-12-01 14:15:50,620 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-25) RESTEASY002025: Unknown exception while executing POST /realms/test_realm/login-actions/authenticate: java.lang.RuntimeException: javax.transaction.RollbackException: ARJUNA016102: The transaction is not active! Uid is 0:ffffc0a87abf:7c36d3eb:58406454:81e

Leaving out the traceback for brevity.  I can send that if needed/wanted.


When I log out of the session and set SSSD debug_level to 9 and restart sssd, keycloak, and httpd (on the SP), I do see SSSD looking up the user.  I can provide the SSSD logs if it helps.


So, how do I go about troubleshooting this issue?  Are there any steps missing from the SSSD Provider doc?

Thanks,
Scott
-- 
Scott Poore <spoore at redhat.com>
Principal Quality Assurance Engineer
Red Hat, Inc.
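One way to triage that server.log excerpt, added here as an example that is not part of the original message or of Keycloak itself: it re-joins the lines the mail client wrapped, groups the ARJUNA/RESTEasy messages by Narayana transaction UID, and reports that the Transaction Reaper aborted the transaction while the request thread was still running, plus how long afterwards that thread failed. The regex shapes, the sample text and the summary field names are my own assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed from the server.log excerpt in the message; mail-client line wraps are kept.
SAMPLE_LOG = """\
2016-12-01 14:14:31,576 WARN  [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012108: CheckedAction::check - atomic action 0:ffffc0a87abf:7c36d3eb:58406454:81e aborting with 1 threads active!
2016-12-01 14:14:31,579 WARN  [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012121: TransactionReaper::doCancellations worker Thread[Transaction Reaper Worker 0,5,main] successfully canceled TX 0:f
fffc0a87abf:7c36d3eb:58406454:81e
2016-12-01 14:15:50,617 WARN  [com.arjuna.ats.arjuna] (default task-25) ARJUNA012077: Abort called on already aborted atomic action 0:ffffc0a87abf:7c36d3eb:58406454:81e
2016-12-01 14:15:50,620 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-25) RESTEASY002025: Unknown exception while executing POST /realms/test_realm/login-actions/authenticate: java.lang.RuntimeExc
eption: javax.transaction.RollbackException: ARJUNA016102: The transaction is not active! Uid is 0:ffffc0a87abf:7c36d3eb:58406454:81e
"""
# WildFly log line: "<timestamp> <LEVEL>  [<category>] (<thread>) <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) (?P<level>\w+)\s+"
    r"\[(?P<cat>[^\]]+)\] \((?P<thread>[^)]+)\) (?P<msg>.*)$")
# Narayana transaction UID, e.g. 0:ffffc0a87abf:7c36d3eb:58406454:81e
UID_RE = re.compile(r"\b\d+:[0-9a-f]+:[0-9a-f]+:[0-9a-f]+:[0-9a-f]+\b")
TS_FMT = "%Y-%m-%d %H:%M:%S,%f"

def parse_log(text):
    """Parse log lines into dicts; a non-header line is a wrapped continuation."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            events.append(m.groupdict())
        elif events and raw:
            events[-1]["msg"] += raw  # re-join text split by the mail client
    return events

def triage(text):
    """Return {tx_uid: summary} for every transaction the reaper aborted."""
    by_uid = defaultdict(list)
    for ev in parse_log(text):
        for uid in set(UID_RE.findall(ev["msg"])):
            by_uid[uid].append(ev)
    summary = {}
    for uid, evs in by_uid.items():
        reaper = [e for e in evs if e["thread"].startswith("Transaction Reaper")]
        if not reaper:
            continue  # transaction never timed out, nothing to report
        worker = [e for e in evs if not e["thread"].startswith("Transaction Reaper")]
        gap = datetime.strptime(evs[-1]["ts"], TS_FMT) - datetime.strptime(reaper[0]["ts"], TS_FMT)
        summary[uid] = {
            "request_thread": worker[0]["thread"] if worker else None,
            "thread_active_at_abort": any("threads active" in e["msg"] for e in reaper),
            "seconds_reaper_abort_to_request_failure": gap.total_seconds(),
        }
    return summary
```

For the quoted excerpt this reports that the reaper cancelled the transaction with one thread still active and that the request thread (default task-25) only failed about 79 seconds later, which points at a request blocked for longer than the container's transaction timeout rather than at a mellon or client-registration problem.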