> On 28 Aug 2024, at 16:18, Alexander Bokovoy <[email protected]> wrote:
> 
> On Wed, 28 Aug 2024, Francis Augusto Medeiros-Logeay wrote:
>> 
>>> On 28 Aug 2024, at 15:37, Alexander Bokovoy <[email protected]> wrote:
>>> 
>>> On Wed, 28 Aug 2024, Francis Augusto Medeiros-Logeay via FreeIPA-users
>>> wrote:
>>>> 
>>>> 
>>>>>> On 28 Aug 2024, at 15:02, Rob Crittenden <[email protected]> wrote:
>>>>> 
>>>>> Francis Augusto Medeiros-Logeay via FreeIPA-users wrote:
>>>>>> Hi,
>>>>>> 
>>>>>> I have configured Keycloak with FreeIPA for kerberos authentication.
>>>>>> 
>>>>>> It has worked fine, but today I noticed something:
>>>>>> 
>>>>>> Keycloak seems to look up krb5PrincipalName attribute to look for the
>>>>>> user principal. However, I don't see that attribute when I perform an
>>>>>> ldapsearch. Is it there at all?
>>>>>> 
>>>>>> I also tried to remove this from keycloak, because it says that when
>>>>>> this is empty it will just look for the username instead of user@domain.
>>>>>> But somehow it adds krb5PrincipalName again.
>>>>>> 
>>>>>> Is it keycloak that has a problem by not allowing me to remove
>>>>>> krb5PrincipalName, or is it FreeIPA that somehow lost that attribute?
>>>>>> 
>>>>>> Best,
>>>>>> Francis
>>>>>> 
>>>>> 
>>>>> Looks like a Keycloak issue. Check out
>>>>> https://github.com/keycloak/keycloak/issues/25294
>>>>> 
>>>> Thanks. But should I have this attribute in FreeIPA? I don't see it when
>>>> performing an ldapsearch.
>>> 
>>> Keycloak allows you to configure what LDAP attributes correspond to what
>>> properties. Use proper LDAP attribute for FreeIPA, in this case it is
>>> krbPrincipalName. This can be chosen by setting LDAP vendor to 'rhds'.
>> 
>> I tried that. But I don’t see that attribute either on ldapsearch.
>> Maybe I am not using the right permissions when searching.
> 
> Most likely you are searching without authentication. The basic ACI we
> have to allow krbprincipalname read/search/compare to all authenticated
> LDAP binds:
> 
> aci: (targetattr = "krbcanonicalname || krblastpwdchange ||
> krbpasswordexpiration || krbprincipalaliases || krbprincipalexpiration ||
> krbprincipalname || krbprincipaltype || nsaccountlock")(targetfilter =
> "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User
> Kerberos Attributes";allow (compare,read,search) userdn = "ldap:///all";)
> That must
> 


It was probably that. When I changed to Red Hat Directory Server, it changed to
krbPrincipalName and everything worked again. (But then Keycloak lost all the
2FA that the users configured… :( ).

Best,

Francis
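The ACI quoted above is the whole story: krbPrincipalName is only readable by authenticated binds (`userdn = "ldap:///all"`), only on entries matching `(objectclass=posixaccount)`, and only for the compare/read/search rights. The toy evaluator below is an added example, not code from this thread or from the FreeIPA or Keycloak projects; it parses that one ACI and answers "would this bind see this attribute on this entry", so the anonymous-vs-authenticated difference and the targetfilter scoping can be checked offline. It models only the keywords that ACI uses (targetattr, a single-equality targetfilter, and the `ldap:///all`, `ldap:///anyone`, `ldap:///self` userdn forms) and is not a general 389-ds ACI engine. The DNs, the `dc=example,dc=test` suffix and the two entries are constructed sample data.

```python
"""Toy evaluator for the FreeIPA 'Read User Kerberos Attributes' ACI.

Added example, not FreeIPA or Keycloak code. Supports only the ACI keywords
the quoted ACI uses; entries and DNs below are constructed sample data.
"""
import re
from typing import Optional

# The ACI from the thread, whitespace normalised.
READ_KRB_ATTRS_ACI = (
    '(targetattr = "krbcanonicalname || krblastpwdchange || '
    'krbpasswordexpiration || krbprincipalaliases || krbprincipalexpiration || '
    'krbprincipalname || krbprincipaltype || nsaccountlock")'
    '(targetfilter = "(objectclass=posixaccount)")'
    '(version 3.0;acl "permission:System: Read User Kerberos Attributes";'
    'allow (compare,read,search) userdn = "ldap:///all";)'
)


def parse_aci(aci: str) -> dict:
    """Extract targetattr, targetfilter, granted rights and the userdn rule."""
    attrs = re.search(r'\(targetattr\s*=\s*"([^"]*)"\)', aci)
    filt = re.search(r'\(targetfilter\s*=\s*"\((\w+)=(\w+)\)"\)', aci)
    rights = re.search(r'allow\s*\(([^)]*)\)', aci)
    userdn = re.search(r'userdn\s*=\s*"([^"]*)"', aci)
    if not (attrs and filt and rights and userdn):
        raise ValueError("ACI shape not supported by this toy evaluator")
    return {
        "targetattr": {a.strip().lower() for a in attrs.group(1).split("||")},
        "targetfilter": (filt.group(1).lower(), filt.group(2).lower()),
        "rights": {r.strip().lower() for r in rights.group(1).split(",")},
        "userdn": userdn.group(1).lower(),
    }


def bind_matches(userdn_rule: str, bind_dn: Optional[str], entry_dn: str) -> bool:
    """389-ds userdn semantics; bind_dn None means an anonymous bind."""
    if userdn_rule == "ldap:///anyone":
        return True                      # anonymous and authenticated alike
    if userdn_rule == "ldap:///all":
        return bind_dn is not None       # every *authenticated* bind
    if userdn_rule == "ldap:///self":
        return bind_dn is not None and bind_dn.lower() == entry_dn.lower()
    return False                         # other userdn forms not modelled


def entry_matches_filter(entry: dict, targetfilter) -> bool:
    """Single-equality targetfilter, e.g. (objectclass=posixaccount)."""
    attr, value = targetfilter
    return any(v.lower() == value for v in entry.get(attr, []))


def allowed(aci: dict, bind_dn: Optional[str], entry: dict,
            attr: str, right: str = "read") -> bool:
    """True if this ACI grants `right` on `attr` of `entry` to `bind_dn`."""
    return (
        right in aci["rights"]
        and attr.lower() in aci["targetattr"]
        and entry_matches_filter(entry, aci["targetfilter"])
        and bind_matches(aci["userdn"], bind_dn, entry["dn"])
    )


def visible_attrs(aci: dict, bind_dn: Optional[str], entry: dict,
                  requested) -> list:
    """The subset of `requested` this ACI lets the bind read from `entry`."""
    return sorted(a for a in requested if allowed(aci, bind_dn, entry, a))


# Constructed sample entries under a hypothetical dc=example,dc=test suffix.
USER_ENTRY = {
    "dn": "uid=francis,cn=users,cn=accounts,dc=example,dc=test",
    "objectclass": ["top", "person", "posixaccount", "krbprincipalaux"],
    "uid": ["francis"],
    "krbprincipalname": ["[email protected]"],
}
# A service principal: has krbprincipalname but is not a posixaccount,
# so this ACI does not cover it (other ACIs govern services).
SERVICE_ENTRY = {
    "dn": "krbprincipalname=HTTP/idp.example.test@EXAMPLE.TEST,"
          "cn=services,cn=accounts,dc=example,dc=test",
    "objectclass": ["top", "krbprincipal", "ipaservice"],
    "krbprincipalname": ["HTTP/idp.example.test@EXAMPLE.TEST"],
}
ADMIN_DN = "uid=admin,cn=users,cn=accounts,dc=example,dc=test"

if __name__ == "__main__":
    aci = parse_aci(READ_KRB_ATTRS_ACI)
    # uid is not in this ACI's targetattr; in FreeIPA a different ACI grants it.
    wanted = ["uid", "krbPrincipalName", "krbCanonicalName"]
    print("anonymous    :", visible_attrs(aci, None, USER_ENTRY, wanted))
    print("authenticated:", visible_attrs(aci, ADMIN_DN, USER_ENTRY, wanted))
    print("service entry:", visible_attrs(aci, ADMIN_DN, SERVICE_ENTRY, wanted))
```

Against a real server the same check is `ldapsearch -x -b cn=users,cn=accounts,<base> uid=<user> krbPrincipalName` (anonymous simple bind, attribute absent) versus `kinit <user>` followed by `ldapsearch -Y GSSAPI -b ...` with the same filter (attribute present). The same rule applies to whatever account Keycloak's LDAP user federation binds with: it has to be an authenticated bind, or the Kerberos attributes it is configured to read will never come back.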
-- 
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue