[keycloak-user] Keycloak 2.4 SSSD Provider setup for FreeIPA

Scott Poore spoore at redhat.com
Fri Dec 2 13:11:21 EST 2016 


----- Original Message -----
> From: "Bruno Oliveira" <bruno at abstractj.org>
> To: "Scott Poore" <spoore at redhat.com>
> Cc: "Bill Burke" <bburke at redhat.com>, keycloak-user at lists.jboss.org
> Sent: Friday, December 2, 2016 1:41:48 AM
> Subject: Re: [keycloak-user] Keycloak 2.4 SSSD Provider setup for FreeIPA
> 
> Hi Scott, sorry for the late response.
> 
> From what I noticed, dbus-send works for you right? But I feel like the
> user running Keycloak process does not have access to
> /etc/sssd/sssd.conf, or is not the same running dbus-send. Is that true?

Yes, that's one problem.  I was running keycloak as keycloak user but dbus-send as root.  I also found where I had the wrong ownership on a java keystore file for running https. 

> 
> If yes, check if user running Keycloak is listed into sssd.conf
> 'allowed_uids'
> section. I saw that you managed to run dbus-send, but worth to ask.
> Is the user running dbus-send, the same starting Keycloak server process?

That I was fixing.  I just wasn't testing dbus-send as keycloak user.

> 
> I included a very simple check to make sure that Windows users don't see the
> SSSD
> Federation provider listed — If the user running Keycloak does not have
> reading rights over /etc/sssd.

By default /etc/sssd is 700 so no one but root can read that.  Should I just be running keycloak as root?  (FYI, that's what I'm trying now).

> 
> For troubleshooting some of these issues (because from time to time, I
> mess up with my environment), I have this docker image[1].
> 
> Speaking about KEYCLOAK-3902, I already fixed it. I will just include
> the integration tests to reproduce this scenario.

I saw that it was at least scheduled to be fixed.  Wasn't sure if the fix was complete.

So, what about my last issue where I cannot seem to authenticate as a normal user I created in the realm from the Keycloak admin console?

FYI, I'm trying to set this up on Fedora 24 if that makes any difference.

[root at idp ~]# rpm -q java-1.8.0-openjdk
java-1.8.0-openjdk-1.8.0.111-3.b16.fc24.x86_64

[root at sp1 ~]# rpm -q httpd mod_auth_mellon
httpd-2.4.23-4.fc24.x86_64
mod_auth_mellon-0.12.0-2.fc24.x86_64


I also re-installed the client manually using mellon_create_metadata.sh and importing the metadata file from the admin console.  I see the same thing so I don't think keycloak-httpd-client-install set up anything in a way to cause this.

It looks like it takes almost 12 minutes for something to time out when I try accessing the SP from my browser.

started:  11:53:55 by the clock on my desktop
ended: ~12:05:42 by the clock on my desktop

Not sure if that helps at all but, thought I'd actually document it in case it does help.

When it does finally time out is when I see the "Internal Server Error".  And the location bar is pointing to the keycloak and does not seem to have been redirected back to the SP.

Does any of that sound familar?

Thanks,
Scott

> 
> [1] -
> https://github.com/keycloak/keycloak-test-docker-images/tree/master/keycloak-sssd-integration-tests
> 
> On 2016-12-01, Scott Poore wrote:
> >
> >
> > ----- Original Message -----
> > > From: "Bill Burke" <bburke at redhat.com>
> > > To: keycloak-user at lists.jboss.org
> > > Sent: Thursday, December 1, 2016 3:35:31 PM
> > > Subject: Re: [keycloak-user] Keycloak 2.4 SSSD Provider setup for FreeIPA
> > >
> > > Can you run your example without SSSD?  Isolate the problem to make sure
> > > that its not an SP configuration issue first.  As far as SSSD setup
> > > goes, you're gonna have to talk to Bruno about that. Hopefully he chimes
> > > in.
> >
> > I tried adding a user to the existing setup from the admin console and I
> > see an error and then I see this in the server.log:
> >
> > Caused by: org.keycloak.federation.sssd.api.SSSDException: Failed to
> > retrieve user's attributes. Check if SSSD service is active.
> >
> > I can't delete the sssd provider though because of this bug:
> >
> > https://issues.jboss.org/browse/KEYCLOAK-3902
> >
> > I started over fresh without the SSSD Provider setup.  It does appear that
> > I'm not able to even authenticate as a user created from the admin
> > console.
> >
> > I've bumped logging up to info on both Keycloak and httpd on the SP but, I
> > still don't see much there.  Any suggestion on where to go from here?
> >
> > Thanks,
> > Scott
> >
> >
> > >
> > >
> > > On 12/1/16 4:21 PM, Scott Poore wrote:
> > > > Hi,
> > > >
> > > > I am trying to setup Keycloak version 2.4.0 with FreeIPA integration
> > > > using
> > > > the SSSD Provider.  I am following the Server Administration Guide but,
> > > > I'm hitting some error.  I'm not sure if it's a bug or a configuration
> > > > issue on my part.
> > > >
> > > > This is the link I was following:
> > > >
> > > > https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.4/topics/user-federation/sssd.html
> > > >
> > > > The difference in setup though is that I'm not using the docker image.
> > > > Instead I'm using a separate FreeIPA Master server that I have setup as
> > > > a
> > > > separate VM.  I have confirmed that SSSD-DBUS is working:
> > > >
> > > > [root at idp ~]# dbus-send --print-reply --system
> > > > --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe
> > > > org.freedesktop.sssd.infopipe.GetUserGroups string:testuser
> > > > method return time=1480625438.634684 sender=:1.26 -> destination=:1.29
> > > > serial=17 reply_serial=2
> > > >     array [
> > > >        string "ipausers"
> > > >     ]
> > > >
> > > > For the SP, I setup a basic Apache setup with mod_auth_mellon using
> > > >
> > > > keycloak-httpd-client-install   \
> > > >      --client-originate-method registration \
> > > >      --keycloak-server-url https://idp.keycloak.test:8443 \
> > > >      --keycloak-admin-username admin \
> > > >      --keycloak-admin-password PASSWORD \
> > > >      --app-name testapp \
> > > >      --keycloak-realm test_realm \
> > > >      --mellon-root mroot \
> > > >      --mellon-protected-locations "/mroot/private" \
> > > >      --force
> > > >
> > > > When I try to login to the SP, it redirects as expected to the Keycloak
> > > > server and waits for a while before returning:
> > > >
> > > > Internal Server Error
> > > >
> > > > >From the httpd access log I can see:
> > > >
> > > >
> > > > 192.168.122.1 - - [01/Dec/2016:14:07:04 -0600] "GET /mroot/private
> > > > HTTP/1.1" 303 384 "-" "Mozilla/5.0 (X11; Linux x86_64)
> > > > AppleWebKit/537.36
> > > > (KHTML, like Gecko) Chrome/50.0.2661.86 Safari/537.36"
> > > > 192.168.122.1 - - [01/Dec/2016:14:07:04 -0600] "GET
> > > > /mroot/mellon/login?ReturnTo=http%3A%2F%2Fsp1.keycloak.test%2Fmroot%2Fprivate&IdP=https%3A%2F%2Fidp.keycloak.test%3A8443%2Fauth%2Frealms%2Ftest_realm
> > > > HTTP/1.1" 303 1320 "-" "Mozilla/5.0 (X11; Linux x86_64)
> > > > AppleWebKit/537.36
> > > > (KHTML, like Gecko) Chrome/50.0.2661.86 Safari/537.36"
> > > >
> > > > >From the admin console, I can see what appears to be an active session
> > > > >for
> > > > >the client.
> > > >
> > > > >From the Keycloak server.log I can see:
> > > >
> > > > 2016-12-01 14:14:31,576 WARN  [com.arjuna.ats.arjuna] (Transaction
> > > > Reaper
> > > > Worker 0) ARJUNA012108: CheckedAction::check - atomic action
> > > > 0:ffffc0a87abf:7c36d3eb:58406454:81e aborting with 1 threads active!
> > > > 2016-12-01 14:14:31,578 WARN
> > > > [org.hibernate.resource.transaction.backend.jta.internal.synchronization.SynchronizationCallbackCoordinatorTrackingImpl]
> > > > (Transaction Reaper Worker 0) HHH000451: Transaction afterCo
> > > > mpletion called by a background thread; delaying afterCompletion
> > > > processing
> > > > until the original thread can handle it. [status=4]
> > > > 2016-12-01 14:14:31,579 WARN  [com.arjuna.ats.arjuna] (Transaction
> > > > Reaper
> > > > Worker 0) ARJUNA012121: TransactionReaper::doCancellations worker
> > > > Thread[Transaction Reaper Worker 0,5,main] successfully canceled TX 0:f
> > > > fffc0a87abf:7c36d3eb:58406454:81e
> > > > 2016-12-01 14:15:50,617 WARN  [com.arjuna.ats.arjuna] (default task-25)
> > > > ARJUNA012077: Abort called on already aborted atomic action
> > > > 0:ffffc0a87abf:7c36d3eb:58406454:81e
> > > > 2016-12-01 14:15:50,620 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n]
> > > > (default task-25) RESTEASY002025: Unknown exception while executing
> > > > POST
> > > > /realms/test_realm/login-actions/authenticate: java.lang.RuntimeExc
> > > > eption: javax.transaction.RollbackException: ARJUNA016102: The
> > > > transaction
> > > > is not active! Uid is 0:ffffc0a87abf:7c36d3eb:58406454:81e
> > > >
> > > > Leaving out the traceback for brevity.  I can send that if
> > > > needed/wanted.
> > > >
> > > >
> > > > When I logout the session and set SSSD debug_level to 9 and restart
> > > > sssd,
> > > > keycloak, and httpd (on the SP), I do see SSSD looking up the user.  I
> > > > can
> > > > provide the SSSD logs if it helps.
> > > >
> > > >
> > > > So, how do I go about troubleshooting this issue?  Are there any steps
> > > > missing from the SSSD Provider doc?
> > > >
> > > > Thanks,
> > > > Scott
> > > >
> > > >
> > > >
> > > >
> > > >
> > >
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> 
> --
> 
> abstractj
> PGP: 0x84DC9914
>

More information about the keycloak-user mailing list