[keycloak-user] Keycloak 2.4 SSSD Provider setup for FreeIPA

Bruno Oliveira bruno at abstractj.org
Fri Dec 2 13:37:32 EST 2016


On 2016-12-02, Scott Poore wrote:
>
>
> ----- Original Message -----
> > From: "Bruno Oliveira" <bruno at abstractj.org>
> > To: "Scott Poore" <spoore at redhat.com>
> > Cc: "Bill Burke" <bburke at redhat.com>, keycloak-user at lists.jboss.org
> > Sent: Friday, December 2, 2016 1:41:48 AM
> > Subject: Re: [keycloak-user] Keycloak 2.4 SSSD Provider setup for FreeIPA
> >
> > Hi Scott, sorry for the late response.
> >
> > From what I noticed, dbus-send works for you, right? But I feel like the
> > user running the Keycloak process does not have access to
> > /etc/sssd/sssd.conf, or is not the same one running dbus-send. Is that true?
>
> Yes, that's one problem.  I was running keycloak as keycloak user but dbus-send as root.  I also found where I had the wrong ownership on a java keystore file for running https.
>
> >
> > If yes, check if the user running Keycloak is listed in the sssd.conf
> > 'allowed_uids' section. I saw that you managed to run dbus-send, but it's
> > worth asking. Is the user running dbus-send the same one starting the
> > Keycloak server process?
>
> That I was fixing.  I just wasn't testing dbus-send as keycloak user.
>
> >
> > I included a very simple check to make sure that Windows users don't see the
> > SSSD Federation provider listed — if the user running Keycloak does not have
> > read rights over /etc/sssd.
>
> By default /etc/sssd is 700 so no one but root can read that.  Should I just be running keycloak as root?  (FYI, that's what I'm trying now).

Do that for now, or add read permissions to this folder to isolate
the problem.

>
> >
> > For troubleshooting some of these issues (because from time to time, I
> > mess up with my environment), I have this docker image[1].
> >
> > Speaking about KEYCLOAK-3902, I already fixed it. I will just include
> > the integration tests to reproduce this scenario.
>
> I saw that it was at least scheduled to be fixed.  Wasn't sure if the fix was complete.
>
> So, what about my last issue where I cannot seem to authenticate as a normal user I created in the realm from the Keycloak admin console?

What do you have in your logs? Have you installed the jna and libunix RPMs?

>
> FYI, I'm trying to set this up on Fedora 24 if that makes any difference.
>
> [root at idp ~]# rpm -q java-1.8.0-openjdk
> java-1.8.0-openjdk-1.8.0.111-3.b16.fc24.x86_64
>
> [root at sp1 ~]# rpm -q httpd mod_auth_mellon
> httpd-2.4.23-4.fc24.x86_64
> mod_auth_mellon-0.12.0-2.fc24.x86_64
>
>
> I also re-installed the client manually using mellon_create_metadata.sh and importing the metadata file from the admin console.  I see the same thing so I don't think keycloak-httpd-client-install set up anything in a way to cause this.
>
> It looks like it takes almost 12 minutes for something to time out when I try accessing the SP from my browser.
>
> started:  11:53:55 by the clock on my desktop
> ended: ~12:05:42 by the clock on my desktop
>
> Not sure if that helps at all but, thought I'd actually document it in case it does help.
>
> When it does finally time out is when I see the "Internal Server Error".  And the location bar is pointing to the keycloak and does not seem to have been redirected back to the SP.
>
> Does any of that sound familiar?
>
> Thanks,
> Scott
>
> >
> > [1] -
> > https://github.com/keycloak/keycloak-test-docker-images/tree/master/keycloak-sssd-integration-tests
> >
> > On 2016-12-01, Scott Poore wrote:
> > >
> > >
> > > ----- Original Message -----
> > > > From: "Bill Burke" <bburke at redhat.com>
> > > > To: keycloak-user at lists.jboss.org
> > > > Sent: Thursday, December 1, 2016 3:35:31 PM
> > > > Subject: Re: [keycloak-user] Keycloak 2.4 SSSD Provider setup for FreeIPA
> > > >
> > > > Can you run your example without SSSD?  Isolate the problem to make sure
> > > > that it's not an SP configuration issue first.  As far as SSSD setup
> > > > goes, you're gonna have to talk to Bruno about that. Hopefully he chimes
> > > > in.
> > >
> > > I tried adding a user to the existing setup from the admin console and I
> > > see an error and then I see this in the server.log:
> > >
> > > Caused by: org.keycloak.federation.sssd.api.SSSDException: Failed to retrieve user's attributes. Check if SSSD service is active.
> > >
> > > I can't delete the sssd provider though because of this bug:
> > >
> > > https://issues.jboss.org/browse/KEYCLOAK-3902
> > >
> > > I started over fresh without the SSSD Provider setup.  It does appear that
> > > I'm not able to even authenticate as a user created from the admin
> > > console.
> > >
> > > I've bumped logging up to info on both Keycloak and httpd on the SP but, I
> > > still don't see much there.  Any suggestion on where to go from here?
> > >
> > > Thanks,
> > > Scott
> > >
> > >
> > > >
> > > >
> > > > On 12/1/16 4:21 PM, Scott Poore wrote:
> > > > > Hi,
> > > > >
> > > > > I am trying to set up Keycloak version 2.4.0 with FreeIPA integration
> > > > > using the SSSD Provider.  I am following the Server Administration
> > > > > Guide, but I'm hitting some error.  I'm not sure if it's a bug or a
> > > > > configuration issue on my part.
> > > > >
> > > > > This is the link I was following:
> > > > >
> > > > > https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.4/topics/user-federation/sssd.html
> > > > >
> > > > > The difference in setup though is that I'm not using the docker image.
> > > > > Instead I'm using a separate FreeIPA Master server that I have set up
> > > > > as a separate VM.  I have confirmed that SSSD-DBUS is working:
> > > > >
> > > > > [root at idp ~]# dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe org.freedesktop.sssd.infopipe.GetUserGroups string:testuser
> > > > > method return time=1480625438.634684 sender=:1.26 -> destination=:1.29 serial=17 reply_serial=2
> > > > >     array [
> > > > >        string "ipausers"
> > > > >     ]
> > > > >
> > > > > For the SP, I set up a basic Apache setup with mod_auth_mellon using
> > > > >
> > > > > keycloak-httpd-client-install   \
> > > > >      --client-originate-method registration \
> > > > >      --keycloak-server-url https://idp.keycloak.test:8443 \
> > > > >      --keycloak-admin-username admin \
> > > > >      --keycloak-admin-password PASSWORD \
> > > > >      --app-name testapp \
> > > > >      --keycloak-realm test_realm \
> > > > >      --mellon-root mroot \
> > > > >      --mellon-protected-locations "/mroot/private" \
> > > > >      --force
> > > > >
> > > > > When I try to login to the SP, it redirects as expected to the Keycloak
> > > > > server and waits for a while before returning:
> > > > >
> > > > > Internal Server Error
> > > > >
> > > > > From the httpd access log I can see:
> > > > >
> > > > >
> > > > > 192.168.122.1 - - [01/Dec/2016:14:07:04 -0600] "GET /mroot/private HTTP/1.1" 303 384 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.86 Safari/537.36"
> > > > > 192.168.122.1 - - [01/Dec/2016:14:07:04 -0600] "GET /mroot/mellon/login?ReturnTo=http%3A%2F%2Fsp1.keycloak.test%2Fmroot%2Fprivate&IdP=https%3A%2F%2Fidp.keycloak.test%3A8443%2Fauth%2Frealms%2Ftest_realm HTTP/1.1" 303 1320 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.86 Safari/537.36"
> > > > >
> > > > > From the admin console, I can see what appears to be an active session
> > > > > for the client.
> > > > >
> > > > > From the Keycloak server.log I can see:
> > > > >
> > > > > 2016-12-01 14:14:31,576 WARN  [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012108: CheckedAction::check - atomic action 0:ffffc0a87abf:7c36d3eb:58406454:81e aborting with 1 threads active!
> > > > > 2016-12-01 14:14:31,578 WARN  [org.hibernate.resource.transaction.backend.jta.internal.synchronization.SynchronizationCallbackCoordinatorTrackingImpl] (Transaction Reaper Worker 0) HHH000451: Transaction afterCompletion called by a background thread; delaying afterCompletion processing until the original thread can handle it. [status=4]
> > > > > 2016-12-01 14:14:31,579 WARN  [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012121: TransactionReaper::doCancellations worker Thread[Transaction Reaper Worker 0,5,main] successfully canceled TX 0:ffffc0a87abf:7c36d3eb:58406454:81e
> > > > > 2016-12-01 14:15:50,617 WARN  [com.arjuna.ats.arjuna] (default task-25) ARJUNA012077: Abort called on already aborted atomic action 0:ffffc0a87abf:7c36d3eb:58406454:81e
> > > > > 2016-12-01 14:15:50,620 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-25) RESTEASY002025: Unknown exception while executing POST /realms/test_realm/login-actions/authenticate: java.lang.RuntimeException: javax.transaction.RollbackException: ARJUNA016102: The transaction is not active! Uid is 0:ffffc0a87abf:7c36d3eb:58406454:81e
> > > > >
> > > > > Leaving out the traceback for brevity.  I can send that if
> > > > > needed/wanted.
> > > > >
> > > > >
> > > > > When I logout the session and set SSSD debug_level to 9 and restart
> > > > > sssd, keycloak, and httpd (on the SP), I do see SSSD looking up the
> > > > > user.  I can provide the SSSD logs if it helps.
> > > > >
> > > > >
> > > > > So, how do I go about troubleshooting this issue?  Are there any steps
> > > > > missing from the SSSD Provider doc?
> > > > >
> > > > > Thanks,
> > > > > Scott
> > > > >
> > > >
> > > > _______________________________________________
> > > > keycloak-user mailing list
> > > > keycloak-user at lists.jboss.org
> > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > >
> >

--

abstractj
PGP: 0x84DC9914
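The two preconditions discussed in this thread (the Keycloak service account must be able to read sssd.conf and must appear in the [ifp] section's allowed_uids) can be checked with a small script. This is an added example, not code from the thread or from Keycloak; the config path and the user name `keycloak` are assumptions, and the sample sssd.conf is constructed so the script runs stand-alone.

```shell
#!/bin/sh
# Added example: verify that the account starting Keycloak can read sssd.conf
# and is listed under allowed_uids in the [ifp] section (InfoPipe access).

# Print the allowed_uids value from the [ifp] section (whitespace stripped),
# or nothing if the key is absent.
ifp_allowed_uids() {
  awk -F= '
    /^\[/ { in_ifp = ($0 == "[ifp]"); next }
    in_ifp && $1 ~ /^[ \t]*allowed_uids[ \t]*$/ {
      v = $2; gsub(/[ \t]/, "", v); print v; exit
    }' "$1"
}

# Succeed (exit 0) if entry "$2" (user name or numeric uid) is in the
# comma-separated list "$1".
uid_in_list() {
  case ",$1," in
    *",$2,"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Combined check: config readable by this process and user listed.
check_keycloak_sssd_access() {
  conf="$1"; user="$2"
  [ -r "$conf" ] || { echo "cannot read $conf (check ownership/mode)"; return 1; }
  uids=$(ifp_allowed_uids "$conf")
  if uid_in_list "$uids" "$user"; then
    echo "$user is in allowed_uids [$uids]"; return 0
  fi
  echo "$user is NOT in allowed_uids [$uids]"; return 1
}

# Constructed sample config so the script runs stand-alone; on a real host
# point it at /etc/sssd/sssd.conf and run it as the Keycloak service user.
SAMPLE_CONF=$(mktemp)
cat >"$SAMPLE_CONF" <<'EOF'
[sssd]
services = nss, pam, ifp
domains = keycloak.test

[ifp]
allowed_uids = keycloak, root
user_attributes = +mail, +telephoneNumber
EOF
check_keycloak_sssd_access "$SAMPLE_CONF" keycloak        # listed: passes
check_keycloak_sssd_access "$SAMPLE_CONF" apache || true  # not listed: fails
```

Run it as the same account that starts the Keycloak process (for example with `su -s /bin/sh keycloak -c ...`), since a root shell will not reproduce the permission problem on a 700 /etc/sssd.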

