[keycloak-user] Keycloak 2.4 SSSD Provider setup for FreeIPA

Scott Poore spoore at redhat.com
Thu Dec 1 20:29:16 EST 2016



----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: keycloak-user at lists.jboss.org
> Sent: Thursday, December 1, 2016 3:35:31 PM
> Subject: Re: [keycloak-user] Keycloak 2.4 SSSD Provider setup for FreeIPA
> 
> Can you run your example without SSSD?  Isolate the problem to make sure
> that its not an SP configuration issue first.  As far as SSSD setup
> goes, you're gonna have to talk to Bruno about that. Hopefully he chimes in.

I tried adding a user to the existing setup from the admin console and I see an error and then I see this in the server.log:

Caused by: org.keycloak.federation.sssd.api.SSSDException: Failed to retrieve user's attributes. Check if SSSD service is active.

I can't delete the sssd provider though because of this bug:

https://issues.jboss.org/browse/KEYCLOAK-3902

I started over fresh without the SSSD Provider setup.  It does appear that I'm not able to even authenticate as a user created from the admin console.

I've bumped logging up to info on both Keycloak and httpd on the SP but, I still don't see much there.  Any suggestion on where to go from here?

Thanks,
Scott


> 
> 
> On 12/1/16 4:21 PM, Scott Poore wrote:
> > Hi,
> >
> > I am trying to setup Keycloak version 2.4.0 with FreeIPA integration using
> > the SSSD Provider.  I am following the Server Administration Guide but,
> > I'm hitting some error.  I'm not sure if it's a bug or a configuration
> > issue on my part.
> >
> > This is the link I was following:
> >
> > https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.4/topics/user-federation/sssd.html
> >
> > The difference in setup though is that I'm not using the docker image.
> > Instead I'm using a separate FreeIPA Master server that I have setup as a
> > separate VM.  I have confirmed that SSSD-DBUS is working:
> >
> > [root at idp ~]# dbus-send --print-reply --system
> > --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe
> > org.freedesktop.sssd.infopipe.GetUserGroups string:testuser
> > method return time=1480625438.634684 sender=:1.26 -> destination=:1.29
> > serial=17 reply_serial=2
> >     array [
> >        string "ipausers"
> >     ]
> >
> > For the SP, I setup a basic Apache setup with mod_auth_mellon using
> >
> > keycloak-httpd-client-install   \
> >      --client-originate-method registration \
> >      --keycloak-server-url https://idp.keycloak.test:8443 \
> >      --keycloak-admin-username admin \
> >      --keycloak-admin-password PASSWORD \
> >      --app-name testapp \
> >      --keycloak-realm test_realm \
> >      --mellon-root mroot \
> >      --mellon-protected-locations "/mroot/private" \
> >      --force
> >
> > When I try to login to the SP, it redirects as expected to the Keycloak
> > server and waits for a while before returning:
> >
> > Internal Server Error
> >
> > >From the httpd access log I can see:
> >
> >
> > 192.168.122.1 - - [01/Dec/2016:14:07:04 -0600] "GET /mroot/private
> > HTTP/1.1" 303 384 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36
> > (KHTML, like Gecko) Chrome/50.0.2661.86 Safari/537.36"
> > 192.168.122.1 - - [01/Dec/2016:14:07:04 -0600] "GET
> > /mroot/mellon/login?ReturnTo=http%3A%2F%2Fsp1.keycloak.test%2Fmroot%2Fprivate&IdP=https%3A%2F%2Fidp.keycloak.test%3A8443%2Fauth%2Frealms%2Ftest_realm
> > HTTP/1.1" 303 1320 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36
> > (KHTML, like Gecko) Chrome/50.0.2661.86 Safari/537.36"
> >
> > >From the admin console, I can see what appears to be an active session for
> > >the client.
> >
> > >From the Keycloak server.log I can see:
> >
> > 2016-12-01 14:14:31,576 WARN  [com.arjuna.ats.arjuna] (Transaction Reaper
> > Worker 0) ARJUNA012108: CheckedAction::check - atomic action
> > 0:ffffc0a87abf:7c36d3eb:58406454:81e aborting with 1 threads active!
> > 2016-12-01 14:14:31,578 WARN
> > [org.hibernate.resource.transaction.backend.jta.internal.synchronization.SynchronizationCallbackCoordinatorTrackingImpl]
> > (Transaction Reaper Worker 0) HHH000451: Transaction afterCo
> > mpletion called by a background thread; delaying afterCompletion processing
> > until the original thread can handle it. [status=4]
> > 2016-12-01 14:14:31,579 WARN  [com.arjuna.ats.arjuna] (Transaction Reaper
> > Worker 0) ARJUNA012121: TransactionReaper::doCancellations worker
> > Thread[Transaction Reaper Worker 0,5,main] successfully canceled TX 0:f
> > fffc0a87abf:7c36d3eb:58406454:81e
> > 2016-12-01 14:15:50,617 WARN  [com.arjuna.ats.arjuna] (default task-25)
> > ARJUNA012077: Abort called on already aborted atomic action
> > 0:ffffc0a87abf:7c36d3eb:58406454:81e
> > 2016-12-01 14:15:50,620 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n]
> > (default task-25) RESTEASY002025: Unknown exception while executing POST
> > /realms/test_realm/login-actions/authenticate: java.lang.RuntimeExc
> > eption: javax.transaction.RollbackException: ARJUNA016102: The transaction
> > is not active! Uid is 0:ffffc0a87abf:7c36d3eb:58406454:81e
> >
> > Leaving out the traceback for brevity.  I can send that if needed/wanted.
> >
> >
> > When I logout the session and set SSSD debug_level to 9 and restart sssd,
> > keycloak, and httpd (on the SP), I do see SSSD looking up the user.  I can
> > provide the SSSD logs if it helps.
> >
> >
> > So, how do I go about troubleshooting this issue?  Are there any steps
> > missing from the SSSD Provider doc?
> >
> > Thanks,
> > Scott
> >
> >
> >
> >
> >
> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
> 


More information about the keycloak-user mailing list