Hey guys, thanks a lot for your suggestions, that cleared a lot for me and i think staging users option will be quite viable in our setup. Really appreciate your help and effort on this ;)
@Alex for sure will check both the video and the presentation, thanks a lot for providing them

On Thu, Aug 11, 2022 at 10:29 AM Alexander Bokovoy <[email protected]> wrote:

> On Thu, 11 Aug 2022, Florence Blanc-Renaud via FreeIPA-users wrote:
> > Hi,
> >
> > On Thu, Aug 11, 2022 at 8:06 AM Yavor Marinov <[1][email protected]> wrote:
> >
> > > Hello again Florence,
> > >
> > > You were right, once the user is created in Keycloak it appears in the
> > > LDAP tree, but it's missing a lot of objectclasses. Which attributes
> > > should I map into the connection in order to have a proper creation of
> > > users?
> > > I've tried adding the posixaccount into user object classes but creating
> > > a new user produces an error that the homeDirectory attribute is missing.
> >
> > The LDAP schema defines a set of mandatory attributes for the posixaccount
> > objectclass (the list following the MUST keyword):
> >
> > # ldapsearch -x -b cn=schema -s base -LLL -o ldif-wrap=no objectclasses | grep -i posixaccount
> > objectclasses: ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' DESC 'Abstraction of an account with POSIX attributes' SUP top AUXILIARY MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory ) MAY ( userPassword $ loginShell $ gecos $ description ) )
> >
> > This means that if you want to add the posixaccount objectclass, you also
> > need to add the attributes. Keycloak allows you to configure [2]LDAP
> > mappers, I believe it's the functionality you should try to explore.
>
> Existing integrations between FreeIPA and Keycloak are all read-only. So
> far, we haven't worked on or supported any write operations, so your
> mileage can vary (a lot).
>
> I would also outline two other approaches.
>
> 1. FreeIPA has support for so-called user and group life-cycle management:
>
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/managing_idm_users_groups_hosts_and_access_control_rules/managing-user-accounts-using-the-command-line_managing-users-groups-hosts#user-life-cycle_managing-idm-users-using-the-command-line
> and
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/managing_idm_users_groups_hosts_and_access_control_rules/using-ldapmodify-to-manage-idm-users-externally_managing-users-groups-hosts
>
> This method allows creating 'barebones' staged accounts through an
> external LDAP tool and then activating them. During the activation step IPA
> will add all necessary information (attributes and object classes) it
> expects. The downside is that these accounts will not be immediately
> usable in Keycloak until someone activates them.
>
> 2. Recently we have published a new project, ipa-tuura, which implements a
> SCIMv2 bridge to FreeIPA. At its initial state it can be coupled with
> yet another recently published project, a plugin for Keycloak to look
> up data in ipa-tuura (implements a subset of SCIMv2 REST API lookups
> and some ipa-tuura-specific API). This gives an alternative to
> existing Keycloak integrations.
>
> https://github.com/freeipa/ipa-tuura and
> https://github.com/justin-stephenson/scim-keycloak-user-storage-spi
>
> The second part is more or less an adventure right now as these projects
> are quite young. You can watch our talk at the Nest with Fedora conference
> last week for details (Hopin requires a free registration):
>
> https://app.hopin.com/events/nest-with-fedora-2022/replay/Um91bmR0YWJsZVJlY29yZGluZ0FyY2hpdmU6MTM2OTQ3
> (the presentation starts at 8:56 or so into the stream)
> and
> https://vda.li/talks/2022/2022-Nest-With-Fedora-FreeIPA-and-OAuth2.pdf
> (slides, but you really need to watch the talk to see the demos).
>
> > flo
> >
> > On Wed, Aug 10, 2022 at 3:12 PM Yavor Marinov <[3][email protected]> wrote:
> >
> > > Hey Flo,
> > >
> > > First of all, thanks for your answer. Unfortunately trying ldapsearch
> > > for the created user from Keycloak doesn't return any result at all.
> > > Trying `id user.user` from the command line doesn't return a result
> > > either. Do you have any suggestions on how I can achieve the desired
> > > result? I suppose it should be something related to the connection,
> > > but I really don't know what I could do in order to have a proper flow
> > > for creating the user from within Keycloak.
> > >
> > > Again thanks in advance ;)
> > >
> > > On Wed, Aug 10, 2022 at 11:21 AM Florence Blanc-Renaud
> > > <[4][email protected]> wrote:
> > >
> > > > Hi,
> > > >
> > > > On Tue, Aug 9, 2022 at 6:51 PM Yavor Marinov via FreeIPA-users
> > > > <[5][email protected]> wrote:
> > > >
> > > > > Hello all,
> > > > >
> > > > > I have an issue configuring both systems, Keycloak and FreeIPA, to
> > > > > work with User Federation. Configuration on the Keycloak side for the
> > > > > ldap (FreeIPA server) is as follows:
> > > > >
> > > > > * LDAPS configuration
> > > > > * Keytab from FreeIPA generated with admin user
> > > > >
> > > > > The below screenshot is from the Keycloak User Federation:
> > > > > [6]image.png
> > > > > [7]image.png
> > > > >
> > > > > Importing users works flawlessly but the problem comes when I try
> > > > > to create a user in Keycloak and expect it to be created on the FreeIPA
> > > > > side - WRITABLE is on, and the keycloak machine is enrolled into
> > > > > FreeIPA as a client (both OSes are Alma). There is no error, and
> > > > > Keycloak indicates that a new user is created.
> > > > > However, in FreeIPA's web interface the user is missing and the
> > > > > most frustrating thing is if I try to create the very same
> > > > > username, FreeIPA returns that it can't add the user, because it
> > > > > already exists. I guess the issue would be somewhere either in
> > > > > Username/RDN LDAP attribute or UUID or even Custom User LDAP
> > > > > filter, but I'm lost a bit.
> > > >
> > > > IPA webui is showing IPA users, and it considers that an LDAP entry
> > > > is an IPA user if it has the posixaccount objectclass. I guess you
> > > > are able to find the users using ldapsearch but they don't contain
> > > > this objectclass and that explains why they are not displayed in the IPA
> > > > Web UI.
> > > >
> > > > flo
> > > >
> > > > > In case someone wants to help, here is what I've tried to play with:
> > > > >
> > > > > * Setting the UUID LDAP attribute to ipaUniqueID, but using it
> > > > > returns 0 users when trying to sync, and creating a user from
> > > > > Keycloak returns an error
> > > > > * Setting a custom ldap filter to match a group from the LDAP - no
> > > > > binding with the admin user could be achieved, thus no user could
> > > > > be synced
> > > > >
> > > > > Any help on this will be much appreciated :")
> > > > > Thank you in advance
> >
> > References
> >
> > Visible links
> > 1. mailto:[email protected]
> > 2. https://www.keycloak.org/docs/latest/server_admin/#_ldap_mappers
> > 3. mailto:[email protected]
> > 4. mailto:[email protected]
> > 5. mailto:[email protected]
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
_______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
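Florence's point about the MUST list is the one that trips people up: a writable Keycloak federation that adds posixAccount to an entry without mapping every mandatory attribute gets an objectclass violation from the directory, and an entry that lacks the objectclass altogether is silently invisible to the IPA Web UI. The following is an added example, not code from the thread or from either project: it parses the objectclass line exactly as the ldapsearch above prints it and checks candidate entries for missing MUST attributes before anything is written. The schema line is the one quoted in the thread; the two user entries and the attribute values are constructed for illustration.

```python
import re

# Constructed sample: the posixAccount definition exactly as the ldapsearch in the
# thread prints it (cn=schema, attribute "objectclasses"), kept as one string.
SCHEMA_LINES = [
    "objectclasses: ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' DESC 'Abstraction of "
    "an account with POSIX attributes' SUP top AUXILIARY MUST ( cn $ uid $ "
    "uidNumber $ gidNumber $ homeDirectory ) MAY ( userPassword $ loginShell $ "
    "gecos $ description ) )",
]


def _attr_list(body, keyword):
    """Extract the attribute names that follow MUST or MAY: either a
    '( a $ b $ c )' list or a single bare name (RFC 4512 allows both)."""
    m = re.search(r"\b" + keyword + r"\s+(?:\(\s*([^)]*)\)|(\S+))", body)
    if not m:
        return []
    raw = m.group(1) if m.group(1) is not None else m.group(2)
    return [a.strip() for a in raw.split("$") if a.strip()]


def parse_objectclass(line):
    """Parse one objectclass description, with or without the leading
    'objectclasses:' LDIF attribute name, into name/must/may."""
    body = line.split(":", 1)[1] if line.lower().startswith("objectclasses:") else line
    body = body.strip()
    name = re.search(r"\bNAME\s+'([^']+)'", body).group(1)
    return {"name": name, "must": _attr_list(body, "MUST"), "may": _attr_list(body, "MAY")}


def load_schema(lines):
    """Index parsed objectclasses by lower-cased name (LDAP names are case-insensitive)."""
    return {oc["name"].lower(): oc for oc in map(parse_objectclass, lines)}


def missing_must_attributes(entry, schema):
    """For every objectClass the entry declares that the schema knows, list the
    MUST attributes the entry does not carry. An empty dict means the entry is
    complete with respect to those classes and the server will not reject it
    for a missing mandatory attribute."""
    present = {k.lower() for k, v in entry.items() if v}
    missing = {}
    for oc in entry.get("objectClass", []):
        spec = schema.get(oc.lower())
        if spec is None:
            continue  # class not in our partial schema; the server will judge it
        gaps = [a for a in spec["must"] if a.lower() not in present]
        if gaps:
            missing[spec["name"]] = gaps
    return missing


SCHEMA = load_schema(SCHEMA_LINES)

# Constructed: what an entry looks like when posixAccount was added to the
# Keycloak user object classes but no mappers supply the POSIX attributes.
INCOMPLETE_ENTRY = {
    "objectClass": ["top", "person", "inetOrgPerson", "posixAccount"],
    "uid": ["jdoe"],
    "cn": ["John Doe"],
    "sn": ["Doe"],
}

# Constructed: the same entry once the mandatory POSIX attributes are mapped
# (values are placeholders, not a real ID range).
COMPLETE_ENTRY = dict(
    INCOMPLETE_ENTRY,
    uidNumber=["123456"],
    gidNumber=["123456"],
    homeDirectory=["/home/jdoe"],
)

if __name__ == "__main__":
    print(missing_must_attributes(INCOMPLETE_ENTRY, SCHEMA))
    # {'posixAccount': ['uidNumber', 'gidNumber', 'homeDirectory']}
    print(missing_must_attributes(COMPLETE_ENTRY, SCHEMA))  # {}
```

Feeding the script the full output of the thread's ldapsearch (one objectclasses line per class) instead of the single constructed line turns it into a pre-flight check for any mapper configuration: every class the federation will write gets validated against the directory's own MUST lists rather than against a guess.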
