[keycloak-user] Create user from keycloak UI with FreeIPA backend

Marc Boorshtein marc.boorshtein at tremolosecurity.com
Sun Dec 4 13:58:38 EST 2016


>
> Their LDAP front-end doesn't support writes?


FreeIPA doesn't have an "LDAP front-end", it relies on the 389 directory to
store its objects.  For the most part you can use the LDAP interface for
reads but for writes different rules apply because a single "user" can be
comprised of multiple objects across the DIT.  As an example, if you create
a user via LDAP you can probably authenticate via LDAP but you won't be
able to via Kerberos.  Also, if you provision an SSH key via LDAP it won't
work.

The only way to reliably create users and add users to groups is through
the FreeIPA web services, for supported attributes.  Not all attributes can
be provisioned via the web services.  Only if it's visible in the webui.
Otherwise you need to provision via LDAP.  So as an example, carLicense can
be provisioned via the web services but I think roomNumber or
departmentNumber (I'd need to double check) are NOT supported unless you
extend the webui (there's a way to do it if you google it).
-- 
Marc Boorshtein
CTO Tremolo Security
marc.boorshtein at tremolosecurity.com
(703) 828-4902
Twitter - @mlbiam / @tremolosecurity
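One way to audit for the situation described above (user entries that exist in 389-ds but were written there directly rather than through the FreeIPA API), as an added example that is not part of the original post: it scans an LDIF export for user entries missing the Kerberos principal attributes the IPA framework adds. The sample LDIF, the realm and the attribute list are constructed for illustration.

```python
"""Flag FreeIPA user entries that were written straight to 389-ds.

Such entries lack the Kerberos principal data the IPA framework adds, so
they can bind over LDAP but cannot obtain a Kerberos ticket."""
from collections import defaultdict

# Constructed sample LDIF: alice via the IPA API, bob via a raw ldapadd.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
objectClass: inetOrgPerson
objectClass: krbPrincipalAux
uid: alice
krbPrincipalName: alice@EXAMPLE.TEST
krbPrincipalKey:: AAEA
ipaUniqueID: 11111111-1111-1111-1111-111111111111

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
objectClass: inetOrgPerson
uid: bob
userPassword: {SSHA}constructed
"""

# Attributes the IPA framework sets on every user it creates (lowercased).
REQUIRED = ("krbprincipalname", "krbprincipalkey", "ipauniqueid")


def parse_ldif(text):
    """Minimal LDIF reader: one {lowercased attr: [values]} dict per entry."""
    entries, current = [], defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = defaultdict(list)
            continue
        attr, _, value = line.partition(":")
        # '::' marks a base64 value; the raw encoded form is kept as-is.
        current[attr.lower()].append(value.lstrip(": "))
    if current:
        entries.append(current)
    return entries


def find_non_ipa_users(text):
    """Return {uid: [missing attrs]} for users not provisioned via IPA."""
    findings = {}
    for entry in parse_ldif(text):
        missing = [a for a in REQUIRED if a not in entry]
        if missing:
            findings[entry["uid"][0]] = missing
    return findings
```

Run it against an `ldapsearch -LLL` export of `cn=users,cn=accounts`; any uid reported will bind over LDAP but fail `kinit`, matching the behaviour described in the post.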

