[keycloak-user] Create user from keycloak UI with FreeIPA backend

Marek Posolda mposolda at redhat.com
Mon Dec 5 06:25:53 EST 2016


Yeah, that's my experience too. I did the Keycloak integration with 
FreeIPA through the LDAP FederationProvider a long time ago with the docker 
image [1].

The update of simple attributes of existing users worked (e.g. if I 
updated firstName of the user "john" in Keycloak, it was propagated 
through the LDAP FederationProvider to the FreeIPA LDAP and was updated 
correctly).

However, registration of new users from Keycloak doesn't work. I assumed 
the SSSD interface would be able to register new users from Keycloak as well?

Marek

[1] https://github.com/mposolda/keycloak-freeipa-docker

On 04/12/16 19:58, Marc Boorshtein wrote:
>> Their LDAP front-end doesn't support writes?
>
> FreeIPA doesn't have an "LDAP front-end", it relies on the 389 directory to
> store its objects.  For the most part you can use the LDAP interface for
> reads but for writes different rules apply because a single "user" can be
> comprised of multiple objects across the DIT.  As an example, if you create
> a user via LDAP you can probably authenticate via LDAP but you won't be
> able to via Kerberos.  Also, if you provision an sshkey via LDAP it won't
> work.
>
> The only way to reliably create users and add users to groups is through
> the FreeIPA web services, for supported attributes.  Not all attributes can
> be provisioned via the webservices.  Only if it's visible in the webui.
> Otherwise you need to provision via LDAP.  So as an example, carLicense can
> be provisioned via the web services but I think roomNumber or
> departmentNumber (I'd need to double check) are NOT supported unless you
> extend the webui (there's a way to do it if you google it).
