On Thu, 11 Aug 2022, Florence Blanc-Renaud via FreeIPA-users wrote:
> Hi,
>
> On Thu, Aug 11, 2022 at 8:06 AM Yavor Marinov <[1][email protected]> wrote:
>
>> Hello again Florence,
>>
>> You were right, once the user is created in Keycloak it appears in the LDAP tree, but it's missing a lot of objectclasses. Which attributes should I map in the connection in order to have a proper creation of users? I've tried adding the posixaccount to the user object classes, but creating a new user produces an error that the homeDirectory attribute is missing.
>
> The LDAP schema defines a set of mandatory attributes for the posixaccount objectclass (the list following the MUST keyword):
>
> # ldapsearch -x -b cn=schema -s base -LLL -o ldif-wrap=no objectclasses | grep -i posixaccount
> objectclasses: ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' DESC 'Abstraction of an account with POSIX attributes' SUP top AUXILIARY MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory ) MAY ( userPassword $ loginShell $ gecos $ description ) )
>
> This means that if you want to add the posixaccount objectclass, you also need to add the attributes. Keycloak allows you to configure [2]LDAP mappers, I believe it's the functionality you should try to explore.

Existing integrations between FreeIPA and Keycloak are all read-only. So
far, we haven't worked on or supported any write operations, so your
mileage can vary (a lot).

I would also outline two other approaches.

1. FreeIPA has support for so-called user and group life-cycle
   management:
   
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/managing_idm_users_groups_hosts_and_access_control_rules/managing-user-accounts-using-the-command-line_managing-users-groups-hosts#user-life-cycle_managing-idm-users-using-the-command-line
   and
   
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/managing_idm_users_groups_hosts_and_access_control_rules/using-ldapmodify-to-manage-idm-users-externally_managing-users-groups-hosts

   This method allows you to create 'barebones' staged accounts through an
   external LDAP tool and then activate them. During the activation step IPA
   will add all the necessary information (attributes and object classes) it
   expects. The downside is that these accounts will not be immediately
   usable in Keycloak until someone activates them.

2. Recently we published a new project, ipa-tuura, which implements a
   SCIMv2 bridge to FreeIPA. In its initial state it can be coupled with
   yet another recently published project, a plugin for Keycloak to look
   up data in ipa-tuura (it implements a subset of SCIMv2 REST API lookups
   and some ipa-tuura-specific API). This gives an alternative to the
   existing Keycloak integrations.

   https://github.com/freeipa/ipa-tuura and
   https://github.com/justin-stephenson/scim-keycloak-user-storage-spi

The second part is more or less an adventure right now as these projects
are quite young. You can watch our talk at Nest with Fedora conference
last week for details (Hopin requires a free registration):
https://app.hopin.com/events/nest-with-fedora-2022/replay/Um91bmR0YWJsZVJlY29yZGluZ0FyY2hpdmU6MTM2OTQ3
 (the presentation starts at 8:56 or so into the stream)
and
https://vda.li/talks/2022/2022-Nest-With-Fedora-FreeIPA-and-OAuth2.pdf
(slides, but you really need to watch the talk to see the demos).


> flo
>
> On Wed, Aug 10, 2022 at 3:12 PM Yavor Marinov <[3][email protected]> wrote:
>
>> Hey Flo,
>>
>> First of all, thanks for your answer. Unfortunately, trying ldapsearch for the user created from Keycloak doesn't return any result at all. Trying "id user.user" from the command line doesn't return a result either. Do you have any suggestions on how I can achieve the desired result? I suppose it should be something related to the connection, but I really don't know what I could do in order to have a proper flow for creating the user from within Keycloak.
>>
>> Again, thanks in advance ;)
>>
>> On Wed, Aug 10, 2022 at 11:21 AM Florence Blanc-Renaud <[4][email protected]> wrote:
>>
>>> Hi,
>>>
>>> On Tue, Aug 9, 2022 at 6:51 PM Yavor Marinov via FreeIPA-users <[5][email protected]> wrote:
>>>
>>>> Hello all,
>>>>
>>>> I have an issue configuring both systems, Keycloak and FreeIPA, to work with User Federation. The configuration on the Keycloak side for the LDAP (FreeIPA server) is as follows:
>>>>
>>>> * LDAPS configuration
>>>> * Keytab from FreeIPA generated with the admin user
>>>>
>>>> The screenshots below are from the Keycloak User Federation:
>>>> [two screenshots (image.png) were attached to the original message]
>>>>
>>>> Importing users works flawlessly, but the problem comes when I try to create a user in Keycloak and expect it to be created on the FreeIPA side - WRITABLE is on, and the Keycloak machine is enrolled into FreeIPA as a client (both OSes are Alma). There is no error, and Keycloak indicates that a new user is created. However, in FreeIPA's web interface the user is missing, and the most frustrating thing is that if I try to create the very same username, FreeIPA returns that it can't add the user because it already exists. I guess the issue would be somewhere either in the Username/RDN LDAP attribute or UUID or even the Custom User LDAP filter, but I'm a bit lost.
>>>
>>> The IPA web UI shows IPA users, and it considers that an LDAP entry is an IPA user if it has the posixaccount objectclass.
>>> I guess you are able to find the users using ldapsearch, but they don't contain this objectclass, and that explains why they are not displayed in the IPA Web UI.
>>>
>>> flo
>>>
>>>> In case someone wants to help, here is what I've tried to play with:
>>>>
>>>> * Setting the UUID LDAP attribute to ipaUniqueID, but using it returns 0 users when trying to sync, and creating a user from Keycloak returns an error
>>>> * Setting a custom LDAP filter to match a group from the LDAP - no binding with the admin user could be achieved, thus no user could be synced
>>>>
>>>> Any help on this will be much appreciated :")
>>>>
>>>> Thank you in advance
References

  Visible links
  1. mailto:[email protected]
  2. https://www.keycloak.org/docs/latest/server_admin/#_ldap_mappers
  3. mailto:[email protected]
  4. mailto:[email protected]
  5. mailto:[email protected]
  8. mailto:[email protected]
  9. mailto:[email protected]
 10. https://docs.fedoraproject.org/en-US/project/code-of-conduct/
 11. https://fedoraproject.org/wiki/Mailing_list_guidelines
 12. https://lists.fedorahosted.org/archives/list/[email protected]
 13. https://pagure.io/fedora-infrastructure/new_issue

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
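The two failure modes discussed in this thread (an add rejected because posixAccount's MUST attributes are incomplete, and the "barebones" staged-user entry of approach 1 that deliberately omits them) can be reproduced offline. The following is an added example written for this page, not code from the thread, FreeIPA or Keycloak. It parses the posixAccount objectclass line quoted above, reports which MUST attributes an entry lacks (the check the directory server applies when Keycloak tries to add the user), and emits the LDIF for either a complete POSIX user or a staged user. The base DN dc=example,dc=test, the user jdoe and the uid/gid numbers are placeholders; the staged-user container follows the layout in the linked Red Hat guide.

```python
"""Schema check and LDIF generation for FreeIPA user adds (added example).

Not code from the thread, FreeIPA or Keycloak.  The objectclass text is the one
quoted in the thread; DN suffix, container paths and sample user are placeholders.
"""
import re

# Constructed input: the posixAccount description as returned by
# `ldapsearch -x -b cn=schema -s base -LLL -o ldif-wrap=no objectclasses`
POSIXACCOUNT_DEF = (
    "( 1.3.6.1.1.1.2.0 NAME 'posixAccount' DESC 'Abstraction of an account "
    "with POSIX attributes' SUP top AUXILIARY MUST ( cn $ uid $ uidNumber $ "
    "gidNumber $ homeDirectory ) MAY ( userPassword $ loginShell $ gecos $ "
    "description ) )"
)

SUFFIX = "dc=example,dc=test"  # assumption: replace with the real IPA base DN
# Assumption: staged-user container as laid out in the linked Red Hat guide
STAGE_CONTAINER = f"cn=staged users,cn=accounts,cn=provisioning,{SUFFIX}"
USERS_CONTAINER = f"cn=users,cn=accounts,{SUFFIX}"


def parse_objectclass(definition):
    """Return NAME, MUST list and MAY list from an RFC 4512 objectclass description.

    Handles both the parenthesised `( a $ b )` form and a single bare attribute;
    DESC values containing ')' are not expected in the IPA line used here."""
    name = re.search(r"NAME\s+'([^']+)'", definition).group(1)

    def attr_list(keyword):
        many = re.search(keyword + r"\s+\(([^)]*)\)", definition)
        if many:
            return [a.strip() for a in many.group(1).split("$") if a.strip()]
        one = re.search(keyword + r"\s+([A-Za-z][A-Za-z0-9-]*)", definition)
        return [one.group(1)] if one else []

    return {"name": name, "must": attr_list("MUST"), "may": attr_list("MAY")}


def missing_must(entry, objectclass):
    """MUST attributes absent from `entry` (attribute names are case-insensitive)."""
    present = {k.lower() for k, v in entry.items() if v not in (None, "", [])}
    return [a for a in objectclass["must"] if a.lower() not in present]


def posix_user_entry(uid, cn, uid_number, gid_number, home_directory=None,
                     login_shell="/bin/bash"):
    """Attributes for a full IPA-style user.  homeDirectory is optional on purpose
    so the caller can see the schema check reject an incomplete entry."""
    entry = {
        "objectClass": ["top", "person", "organizationalPerson",
                        "inetOrgPerson", "posixAccount"],
        "uid": uid, "cn": cn,
        "sn": cn.split()[-1], "givenName": cn.split()[0],
        "uidNumber": str(uid_number), "gidNumber": str(gid_number),
        "loginShell": login_shell,
    }
    if home_directory:
        entry["homeDirectory"] = home_directory
    return entry


def staged_user_entry(uid, first, last):
    """Barebones entry for the stage area: no posixAccount, so none of its MUST
    attributes are needed; IPA fills them in when the account is activated."""
    return {"objectClass": ["top", "inetOrgPerson"], "uid": uid,
            "givenName": first, "sn": last, "cn": f"{first} {last}"}


def validate_posix_add(entry):
    """Mimic the server-side schema check: return the MUST attributes of
    posixAccount that are missing, or [] if the add would pass (or if the
    entry does not carry posixAccount at all)."""
    oc = parse_objectclass(POSIXACCOUNT_DEF)
    if oc["name"].lower() not in {o.lower() for o in entry["objectClass"]}:
        return []
    return missing_must(entry, oc)


def to_ldif(dn, entry):
    """Serialise an add operation as LDIF suitable for `ldapmodify -a`."""
    lines = [f"dn: {dn}", "changetype: add"]
    for attr, value in entry.items():
        for v in (value if isinstance(value, list) else [value]):
            lines.append(f"{attr}: {v}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    broken = posix_user_entry("jdoe", "John Doe", 10001, 10001)
    print("missing from Keycloak-style add:", validate_posix_add(broken))  # ['homeDirectory']
    fixed = posix_user_entry("jdoe", "John Doe", 10001, 10001, "/home/jdoe")
    print(to_ldif(f"uid=jdoe,{USERS_CONTAINER}", fixed))
    print(to_ldif(f"uid=jdoe,{STAGE_CONTAINER}", staged_user_entry("jdoe", "John", "Doe")))
```

The staged-user LDIF is what approach 1 feeds to an external tool such as ldapmodify (for instance `ldapmodify -a -x -D "cn=Directory Manager" -W -H ldaps://ipa.example.test -f staged.ldif`, with the host name a placeholder); the entry only becomes a usable POSIX user after `ipa stageuser-activate jdoe`, which is when IPA adds the objectclasses and attributes the check above would otherwise flag. For the Keycloak path, the same check tells you which LDAP mappers must exist before posixAccount can be listed among the user object classes.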
