[keycloak-user] Create user from keycloak UI with FreeIPA backend
Bruno Oliveira
bruno at abstractj.org
Mon Dec 5 08:39:14 EST 2016
On 2016-12-05, Marek Posolda wrote:
> Yeah, that's my experience too. I did the Keycloak integration with
> FreeIPA through LDAP FederationProvider a long time ago with the docker
> image [1] .
>
> The update of simple attributes of existing users worked (eg. If I
> updated firstName of the user "john" in Keycloak, it was propagated
> through the LDAP FederationProvider to the FreeIPA LDAP and was updated
> correctly).
>
> However, registration of new users from Keycloak doesn't work. I assumed
> the SSSD interface will be able to register new users from Keycloak as well?
I don't think so. SSSD interface is read-only and the addition of a
registration interface is unlikely to happen on SSSD.
Today, to manage or change users, unfortunately all you can do
is to go through the IPA interface. There's a mention of ipa help
permission, but I haven't tried it yet.
>
> Marek
>
> [1] https://github.com/mposolda/keycloak-freeipa-docker
>
> On 04/12/16 19:58, Marc Boorshtein wrote:
> >> Their LDAP front-end doesn't support writes?
> >
> > FreeIPA doesn't have an "LDAP front-end", it relies on the 389 directory to
> > store its objects. For the most part you can use the LDAP interface for
> > reads but for writes different rules apply because a single "user" can be
> > comprised of multiple objects across the DIT. As an example, if you create
> > a user via LDAP you can probably authenticate via LDAP but you won't be
> > able to via Kerberos. Also, if you provision an sshkey via LDAP it won't
> > work.
> >
> > The only way to reliably create users and add users to groups is through
> > the FreeIPA web services, for supported attributes. Not all attributes can
> > be provisioned via the webservices. Only if it's visible in the webui.
> > Otherwise you need to provision via LDAP. So as an example, carLicense can
> > be provisioned via the web services but I think roomNumber or
> > departmentNumber (I'd need to double check) are NOT supported unless you
> > extend the webui (there's a way to do it if you google it).
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
--
abstractj
PGP: 0x84DC9914
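As an added check on the point raised in the thread (a user written directly via LDAP may not get the Kerberos side that FreeIPA's own API populates), the following Python snippet audits an LDIF export for user entries missing those pieces. It is not code from the thread; the LDIF sample is constructed, and the objectClass and attribute names are assumed to match the standard FreeIPA user schema.

```python
"""Audit a FreeIPA LDIF export for user entries that lack the Kerberos
objectClasses/attributes FreeIPA's user-add would have populated.
Schema names below are assumed to match the standard FreeIPA user schema."""

REQUIRED_OBJECTCLASSES = {"krbprincipalaux", "krbticketpolicyaux", "ipaobject"}
REQUIRED_ATTRS = {"krbprincipalname", "ipauniqueid"}

# Constructed sample: alice created via the IPA API, bob via raw ldapadd.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
objectClass: inetorgperson
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
uid: alice
krbPrincipalName: alice@EXAMPLE.TEST
ipaUniqueID: 00000000-1111-2222-3333-444444444444

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
objectClass: inetorgperson
objectClass: posixaccount
uid: bob
cn: Bob Ldapadd
"""

def parse_ldif(text):
    """Minimal LDIF reader returning a list of {attr_lower: [values]} dicts.
    Unfolds continuation lines; skips comments and base64 ('::') values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded continuation line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines:
        if not line.strip():              # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or ":" not in line:
            continue
        attr, value = line.split(":", 1)
        if value.startswith(":"):         # base64 value, irrelevant here
            continue
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def find_incomplete_users(entries):
    """Return (dn, missing) for user entries lacking the Kerberos pieces."""
    incomplete = []
    for e in entries:
        dn = e.get("dn", [""])[0]
        if ",cn=users,cn=accounts," not in dn.lower():
            continue
        classes = {c.lower() for c in e.get("objectclass", [])}
        missing = sorted(REQUIRED_OBJECTCLASSES - classes)
        missing += sorted(a for a in REQUIRED_ATTRS if a not in e)
        if missing:
            incomplete.append((dn, missing))
    return incomplete
```

Run it over a real `ldapsearch -LLL` export of `cn=users,cn=accounts` to list accounts that exist in LDAP but would fail Kerberos authentication.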