[keycloak-user] Error enabling 'Sync Registrations' for LDAP (FreeIPA) User Federation

Rafael Soares rsoares at redhat.com
Sat Jun 11 19:10:45 EDT 2016


I'm testing Keycloak LDAP User Federation with the FreeIPA IdM Server.
I'm using the same environment used by @mposolda [1] with @adelton's
FreeIPA Docker container image [2].

The integration (KC and FreeIPA) worked fine except for the sync of new
users created on the KC side (new registrations). When I enable 'Sync
Registrations' on the 'freeipa-ldap' User Federation and then try to add a
new user using the KC Web Console, I get the following error:


KC server.log in TRACE mode:

"
2016-06-11 22:33:37,568 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
realm by name cache hit: master
2016-06-11 22:33:37,568 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
by id cache hit: master
2016-06-11 22:33:37,569 DEBUG [org.keycloak.services] (default task-5)
token active - active: true, issued-at: 1,465,684,397, not-before: 0
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default task-5)
getuserById 6f358dd3-3c20-4a84-b0b5-b02c77747a5a
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default task-5)
returning new cache adapter
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
client by name cache hit: security-admin-console
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
client by id cache hit: security-admin-console
2016-06-11 22:33:37,569 DEBUG [org.keycloak.services] (default task-5)
authenticated admin access for: admin
2016-06-11 22:33:37,569 DEBUG [org.keycloak.services] (default task-5) No
origin returning
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
realm by name cache hit: freeipa
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
by id cache hit: freeipa
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
by id cache hit: master
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
by id cache hit: master
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
by id cache hit: master
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
client by id cache hit: freeipa-realm
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
getClientRoles cache hit: freeipa-realm
2016-06-11 22:33:37,570 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
getClientRoles cache hit: freeipa-realm
2016-06-11 22:33:37,570 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default task-5)
getUserByUsername: kc_user1
2016-06-11 22:33:37,570 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default task-5)
query null
2016-06-11 22:33:37,571 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default task-5)
model from delegate null
2016-06-11 22:33:37,571 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore] (default
task-5) Using filter for LDAP search: (&(uid=kc_user1)(objectclass=person))
. Searching in DN: cn=users,cn=accounts,dc=example,dc=test
2016-06-11 22:33:37,575 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore] (default
task-5) Using filter for LDAP search:
(&(mail=kc_user1 at example.test)(objectclass=person))
. Searching in DN: cn=users,cn=accounts,dc=example,dc=test
2016-06-11 22:33:37,577 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
getRealmRoles cache hit: freeipa
2016-06-11 22:33:37,578 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
getClients cache hit: freeipa
2016-06-11 22:33:37,578 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
client by id cache hit: broker
2016-06-11 22:33:37,578 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
client by id cache hit: realm-management
2016-06-11 22:33:37,578 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
client by id cache hit: liferay-saml-idp
2016-06-11 22:33:37,578 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
client by id cache hit: security-admin-console
2016-06-11 22:33:37,578 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
client by id cache hit: kitchensink
2016-06-11 22:33:37,579 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
client by id cache hit: admin-cli
2016-06-11 22:33:37,579 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
client by id cache hit: account
2016-06-11 22:33:37,579 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
getClientRoles cache hit: account
2016-06-11 22:33:37,580 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
getClientRoles cache hit: account
2016-06-11 22:33:37,581 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default
task-5) Creating entry
[uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test] with attributes: [
2016-06-11 22:33:37,583 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default
task-5)   objectclass = person
2016-06-11 22:33:37,583 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default
task-5)   givenname =
2016-06-11 22:33:37,583 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default
task-5)   sn =
2016-06-11 22:33:37,583 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default
task-5)   cn =
2016-06-11 22:33:37,583 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default
task-5) ]
2016-06-11 22:33:37,607 ERROR [io.undertow.request] (default task-5)
UT005023: Exception handling request to /auth/admin/realms/freeipa/users:
org.jboss.resteasy.spi.UnhandledException:
org.keycloak.models.ModelException: Error creating subcontext
[uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test]
    at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
    at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
    at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)

    ... 37 more
Caused by: javax.naming.directory.SchemaViolationException: [LDAP: error
code 65 - attribute "uid" not allowed
]; remaining name 'uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test'
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3166)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3081)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2888)
    at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:812)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:341)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:268)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:256)
    at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:197)
    at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:197)
    at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$7.execute(LDAPOperationManager.java:434)
    at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$7.execute(LDAPOperationManager.java:431)
    at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:536)
    at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.createSubContext(LDAPOperationManager.java:431)
    ... 57 more"


FreeIPA Server ldap srv log:
""
tail -f /data/var/log/dirsrv/slapd-EXAMPLE-TEST/errors

[11/Jun/2016:22:33:37 +0000] - Entry
"uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test" -- attribute "uid"
not allowed
""

----

It appears the FreeIPA LDAP server is refusing the attribute 'UID'.

Interestingly, the FreeIPA 'user_add' API operation states that the 'uid'
attribute is required:

I tried to add a new user manually using the FreeIPA CLI and it worked
fine. See the FreeIPA CLI output:

"
[root at ipa /]# ipa help user-add
Usage: ipa [global-options] user-add LOGIN [options]

Add a new user.
Options:
  -h, --help            show this help message and exit
  --first=STR           First name
  --last=STR            Last name
  --cn=STR              Full name
  --displayname=STR     Display name
  --initials=STR        Initials
  --homedir=STR         Home directory
  --gecos=STR           GECOS
  --shell=STR           Login shell
  --principal=STR       Kerberos principal
  --principal-expiration=DATETIME
                        Kerberos principal expiration
  --email=STR           Email address
  --password            Prompt to set the user password
  --random              Generate a random user password
  --uid=INT             User ID Number (system will assign one if not
                        provided)
  --gidnumber=INT       Group ID Number
  --street=STR          Street address
  --city=STR            City
  --state=STR           State/Province
  --postalcode=STR      ZIP
  --phone=STR           Telephone Number
  --mobile=STR          Mobile Telephone Number
  --pager=STR           Pager Number
  --fax=STR             Fax Number
  --orgunit=STR         Org. Unit
  --title=STR           Job Title
  --manager=STR         Manager
  --carlicense=STR      Car License
  --sshpubkey=STR       SSH public key
  --user-auth-type=['password', 'radius', 'otp']
                        Types of supported user authentication
  --class=STR           User category (semantics placed on this attribute are
                        for local interpretation)
  --radius=STR          RADIUS proxy configuration
  --radius-username=STR
                        RADIUS proxy username
  --departmentnumber=STR
                        Department Number
  --employeenumber=STR  Employee Number
  --employeetype=STR    Employee Type
  --preferredlanguage=STR
                        Preferred Language
  --certificate=BYTES   Base-64 encoded server certificate
  --setattr=STR         Set an attribute to a name/value pair. Format is
                        attr=value. For multi-valued attributes, the command
                        replaces the values already present.
  --addattr=STR         Add an attribute/value pair. Format is attr=value. The
                        attribute must be part of the schema.
  --noprivate           Don't create user private group
  --all                 Retrieve and print all attributes from the server.
                        Affects command output.
  --raw                 Print entries as stored on the server. Only affects
                        output format.

[root at ipa /]# ipa user-add ipa_user3 --first 'IPA 3' --last 'User3' --email 'ipa_user3 at example.test' --all --raw
----------------------
Added user "ipa_user3"
----------------------
  dn: uid=ipa_user3,cn=users,cn=accounts,dc=example,dc=test
  uid: ipa_user3
  givenname: IPA 3
  sn: User3
  cn: IPA 3 User3
  initials: IU
  homedirectory: /home/ipa_user3
  gecos: IPA 3 User3
  loginshell: /bin/sh
  mail: ipa_user3 at example.test
  uidnumber: 753200006
  gidnumber: 753200006
  has_password: FALSE
  has_keytab: FALSE
  displayName: IPA 3 User3
  ipaUniqueID: 65f3f702-3021-11e6-b62c-0242ac110001
  krbPrincipalName: ipa_user3 at EXAMPLE.TEST
  memberof: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=test
  mepManagedEntry: cn=ipa_user3,cn=groups,cn=accounts,dc=example,dc=test
  objectClass: ipaSshGroupOfPubKeys
  objectClass: ipaobject
  objectClass: mepOriginEntry
  objectClass: person
  objectClass: top
  objectClass: ipasshuser
  objectClass: inetorgperson
  objectClass: organizationalperson
  objectClass: krbticketpolicyaux
  objectClass: krbprincipalaux
  objectClass: inetuser
  objectClass: posixaccount
"

Can someone help me find what is wrong on the KC side? Maybe the KC mappers
mechanism?

Thanks in advance.

[1] https://github.com/mposolda/keycloak-freeipa-docker
[2] https://hub.docker.com/r/adelton/freeipa-server/

-- 

___
Rafael T. C. Soares
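As an added illustration (not part of the original post or of Keycloak/FreeIPA code), here is the objectClass schema check a directory server applies before answering result code 65, run against the two entries visible in the post: the `objectclass = person` entry from the Keycloak TRACE log, and the class list FreeIPA itself wrote for ipa_user3 in the `ipa user-add --raw` output. The schema subsets are taken from RFC 2256, RFC 2798 and RFC 2307; FreeIPA's own classes are assumed unmodelled and are reported as unknown rather than guessed.

```python
# Added example (not from the post): validate an LDAP entry against the
# MUST/MAY attribute lists of its objectClasses, the check a directory
# server performs before returning result code 65 ("attribute ... not allowed").
# Schema subsets: RFC 2256 (person, organizationalPerson), RFC 2798
# (inetOrgPerson), RFC 2307 (posixAccount). FreeIPA-specific classes are not
# modelled (assumption) and are reported as unknown instead.

# name -> (MUST, MAY, superior class); LDAP attribute names are case-insensitive
SCHEMA = {
    "top": (set(), set(), None),
    "person": ({"sn", "cn"},
               {"userpassword", "telephonenumber", "seealso", "description"}, "top"),
    "organizationalperson": (set(), {"title", "ou", "l", "st", "street",
               "postalcode", "postaladdress", "facsimiletelephonenumber"}, "person"),
    "inetorgperson": (set(), {"uid", "mail", "givenname", "displayname", "initials",
               "mobile", "pager", "manager", "carlicense", "employeenumber",
               "employeetype", "departmentnumber", "preferredlanguage", "o"},
               "organizationalperson"),
    "posixaccount": ({"cn", "uid", "uidnumber", "gidnumber", "homedirectory"},
                     {"userpassword", "loginshell", "gecos", "description"}, "top"),
}


def check_entry(attrs, object_classes):
    """Return (not_allowed, missing_must, unknown_classes) as sorted lists.
    attrs includes the RDN attribute: the naming attribute is part of the entry,
    so uid is checked although Keycloak sent no uid value in the attribute list."""
    allowed, required, unknown = {"objectclass"}, set(), set()
    for oc in object_classes:
        name = oc.lower()
        while name is not None:            # walk up the superior chain
            if name not in SCHEMA:
                unknown.add(name)
                break
            must, may, name = SCHEMA[name]
            required |= must
            allowed |= must | may
    present = {a.lower() for a in attrs}
    return sorted(present - allowed), sorted(required - present), sorted(unknown)


# Constructed from the post's TRACE log: Keycloak wrote only objectclass=person.
KC_ENTRY = (["uid", "objectclass", "givenname", "sn", "cn"], ["person"])
# Constructed from the post's `ipa user-add --raw` output for ipa_user3.
IPA_CLASSES = ["ipaSshGroupOfPubKeys", "ipaobject", "mepOriginEntry", "person",
               "top", "ipasshuser", "inetorgperson", "organizationalperson",
               "krbticketpolicyaux", "krbprincipalaux", "inetuser", "posixaccount"]
IPA_ENTRY = (["uid", "givenname", "sn", "cn", "mail", "uidnumber", "gidnumber",
              "homedirectory", "loginshell", "gecos", "displayName"], IPA_CLASSES)
```

With only `person`, both `uid` and `givenname` fall outside the allowed set, matching the error in the log; with FreeIPA's class list the same attributes are admitted, which is what the manual `ipa user-add` run shows.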