[keycloak-user] Keycloak 4.3 could not use sssd federation after upgrade to Fedora 30

Patrick Dung patdung100 at gmail.com
Sat May 18 14:59:31 EDT 2019


Hi Bruno,

When I ran dbus-send, it returned the correct group of an IPA user:
$ sudo dbus-send --print-reply --system \
    --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe \
    org.freedesktop.sssd.infopipe.GetUserGroups string:user1
method return time=1558205517.749921 sender=:1.18 -> destination=:1.50475 serial=8 reply_serial=2
   array [
      string "ipausers"
   ]

It also passed pamtester:

# pamtester keycloak user1 authenticate
Password:
pamtester: successfully authenticated

I had no problem using the sssd federation in keycloak 4.3 with Fedora 29.
It only has a problem after I upgraded to Fedora 30. There are no changes
for the keycloak 4.3 application server.
Please note the sssd option is missing from the list for user federation.
Other options are ldap and kerberos.

Thanks and regards,
Patrick

On Sat, 18 May 2019 at 04:30, Bruno Oliveira <bruno at abstractj.org> wrote:

> Hi Patrick, sssctl user-checks will help you to make sure that
> everything is working as expected for SSSD. Although, the communication
> between Keycloak and SSSD happens over DBus and we rely on other
> packages as described here[1]. Some troubleshooting might be
> necessary. I'd try dbus-send and pamtester to validate the setup.
>
> Another thing that might be helpful is to isolate the problem. I'd
> recommend trying Fedora 29 + Keycloak 4.3 and later Fedora 30 + Keycloak
> 4.3.
>
> [1] - https://www.keycloak.org/docs/latest/server_admin/index.html#_sssd
>
> On 2019-05-12, Patrick Dung wrote:
> > Hello,
> >
> > I was using Fedora 29 with Keycloak, FreeIPA and sssd on the same
> > machine. After upgrading to Fedora 30, all services can start normally
> > but sssd federation is not loaded when Keycloak is started. It is
> > missing from the list for user federation. It only has LDAP and
> > Kerberos authentication to choose from.
> >
> > On the problem local machine, I can run "sssctl user-checks admin -s
> > keycloak" without problem.
> >
> > Any help would be appreciated, thanks.
> >
> > Patrick
>
> --
>
> abstractj
>

