[keycloak-user] Create user from keycloak UI with FreeIPA backend

[keycloak-user] Create user from keycloak UI with FreeIPA backend

James James
Hello,


I want to be able to create users in the FreeIPA backend from the Keycloak
registration portal. Is it possible? For me it's impossible, but I just
want to be sure.

http://lists.jboss.org/pipermail/keycloak-user/2016-June/006607.html

https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/user-federation/sssd.html

Regards.

James Regis
_______________________________________________
keycloak-user mailing list
[hidden email]
https://lists.jboss.org/mailman/listinfo/keycloak-user
Re: [keycloak-user] Create user from keycloak UI with FreeIPA backend

stianst
Administrator
It's impossible with the SSSD integration as SSSD is currently read-only.
You can however use FreeIPA as a backend with an LDAP user federation
provider instead.

On 27 November 2016 at 17:56, James James <[hidden email]> wrote:
Re: [keycloak-user] Create user from keycloak UI with FreeIPA backend

James James
Thanks for your answer.

If I use FreeIPA as the LDAP backend for Keycloak, will users who register from
the Keycloak UI be created in FreeIPA too?

In my previous tests, every user I created from the Keycloak UI wasn't
created in FreeIPA. I was using FreeIPA as the LDAP backend. Maybe my
settings were bad.

I can send some logs to help with troubleshooting.

Regards.

2016-12-02 7:11 GMT+01:00 Stian Thorgersen <[hidden email]>:
Re: [keycloak-user] Create user from keycloak UI with FreeIPA backend

Marc Boorshtein
The only way to create users in FreeIPA is to use their web API. The only
provisioning system I know of that does this is our own project OpenUnison.
Here's the code for working with the FreeIPA web services if you are
interested:

https://github.com/TremoloSecurity/OpenUnison/blob/master/unison/unison-services-freeipa/src/main/java/com/tremolosecurity/unison/freeipa/FreeIPATarget.java

On Sun, Dec 4, 2016, 8:48 AM James James <[hidden email]> wrote:
--
Marc Boorshtein
CTO Tremolo Security
[hidden email]
(703) 828-4902
Twitter - @mlbiam / @tremolosecurity
Re: [keycloak-user] Create user from keycloak UI with FreeIPA backend

Bill Burke
Their LDAP front-end doesn't support writes?


On 12/4/16 10:55 AM, Marc Boorshtein wrote:
Re: [keycloak-user] Create user from keycloak UI with FreeIPA backend

Marc Boorshtein
> Their LDAP front-end doesn't support writes?


FreeIPA doesn't have an "LDAP front-end"; it relies on the 389 directory to
store its objects. For the most part you can use the LDAP interface for
reads, but for writes different rules apply because a single "user" can be
comprised of multiple objects across the DIT. As an example, if you create
a user via LDAP you can probably authenticate via LDAP, but you won't be
able to via Kerberos. Also, if you provision an SSH key via LDAP it won't
work.

The only way to reliably create users and add users to groups is through
the FreeIPA web services, for supported attributes. Not all attributes can
be provisioned via the web services, only those visible in the web UI.
Otherwise you need to provision via LDAP. So as an example, carLicense can
be provisioned via the web services, but I think roomNumber or
departmentNumber (I'd need to double check) are NOT supported unless you
extend the web UI (there's a way to do it if you google it).
--
Marc Boorshtein
CTO Tremolo Security
[hidden email]
(703) 828-4902
Twitter - @mlbiam / @tremolosecurity
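The provisioning route Marc describes (create the user through the FreeIPA web services, then add group membership the same way, rather than writing LDAP entries directly) is shown below as an added example. It is not code from this thread and not OpenUnison's code; it is a minimal stand-alone client for FreeIPA's JSON-RPC interface (password login at /ipa/session/login_password, commands posted to /ipa/session/json with the Referer header FreeIPA requires). The host name, service account, API version string and all sample responses are placeholders or constructed values, and the shape of the partial-failure report for group_add_member is an assumption about the server reply, so check it against your own server.

```python
"""Provision users into FreeIPA through its JSON-RPC web API (added example).

Not code from the mailing-list thread or from OpenUnison. Host, credentials,
API version and sample replies are placeholders / constructed values.
"""
import http.cookiejar
import json
import urllib.error
import urllib.parse
import urllib.request

# Assumption: an API version the server accepts; the server reports its own
# version in every reply, so adjust to match your deployment.
API_VERSION = "2.164"


class IPAError(Exception):
    """Raised when the server returns a JSON-RPC error object or rejects login."""


def build_rpc_request(method, args, options, request_id=0):
    """Build the JSON-RPC body FreeIPA expects: [positional args], {options}."""
    opts = dict(options)
    opts.setdefault("version", API_VERSION)
    return {"method": method, "params": [list(args), opts], "id": request_id}


def parse_rpc_response(body):
    """Decode a FreeIPA reply and raise IPAError when "error" is non-null."""
    reply = json.loads(body)
    err = reply.get("error")
    if err:
        raise IPAError(f"{err.get('name')} ({err.get('code')}): {err.get('message')}")
    return reply["result"]


def membership_failures(result):
    """group_add_member reports per-member failures inside the result instead of
    an error object (assumed layout: result["failed"]["member"]["user"] is a
    list of [name, reason] pairs). Surface them so they are not taken as success."""
    failed = result.get("failed", {}).get("member", {}).get("user", [])
    return [(name, reason) for name, reason in failed]


class FreeIPAClient:
    def __init__(self, base_url):
        self.base_url = base_url.rstrip("/")
        self.referer = f"{self.base_url}/ipa"
        jar = http.cookiejar.CookieJar()  # holds the ipa_session cookie
        self.opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))

    def login(self, user, password):
        """Password login; a rejected login comes back as HTTP 401."""
        data = urllib.parse.urlencode({"user": user, "password": password}).encode()
        req = urllib.request.Request(
            f"{self.base_url}/ipa/session/login_password", data=data,
            headers={"Content-Type": "application/x-www-form-urlencoded",
                     "Accept": "text/plain", "Referer": self.referer})
        try:
            with self.opener.open(req):
                pass
        except urllib.error.HTTPError as e:
            raise IPAError(f"login failed: HTTP {e.code} "
                           f"{e.headers.get('X-IPA-Rejection-Reason', '')}") from e

    def call(self, method, args=(), options=None):
        """Send one JSON-RPC command with the session cookie and return its result."""
        body = json.dumps(build_rpc_request(method, args, options or {})).encode()
        req = urllib.request.Request(
            f"{self.base_url}/ipa/session/json", data=body,
            headers={"Content-Type": "application/json",
                     "Accept": "application/json", "Referer": self.referer})
        with self.opener.open(req) as resp:
            return parse_rpc_response(resp.read())

    def provision_user(self, uid, first, last, groups=()):
        """Create the user via user_add, then add memberships via group_add_member."""
        self.call("user_add", [uid], {"givenname": first, "sn": last, "cn": f"{first} {last}"})
        for group in groups:
            result = self.call("group_add_member", [group], {"user": [uid]})
            failures = membership_failures(result)
            if failures:
                raise IPAError(f"could not add {uid} to {group}: {failures}")


if __name__ == "__main__":
    client = FreeIPAClient("https://ipa.example.test")   # placeholder host
    client.login("svc-provisioner", "PLACEHOLDER")       # placeholder service account
    client.provision_user("jdoe", "John", "Doe", groups=["ipausers"])
```

The service account used here should hold only the permissions needed for user_add and group_add_member (FreeIPA's permission and privilege objects let you scope that), and a duplicate uid surfaces as a DuplicateEntry error from parse_rpc_response rather than as a silently overwritten entry.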
Re: [keycloak-user] Create user from keycloak UI with FreeIPA backend

Marek Posolda
Yeah, that's my experience too. I did the Keycloak integration with
FreeIPA through the LDAP FederationProvider a long time ago with the docker
image [1].

The update of simple attributes of existing users worked (e.g. if I
updated firstName of the user "john" in Keycloak, it was propagated
through the LDAP FederationProvider to the FreeIPA LDAP and was updated
correctly).

However, registration of new users from Keycloak doesn't work. I assumed
the SSSD interface will be able to register new users from Keycloak as well?

Marek

[1] https://github.com/mposolda/keycloak-freeipa-docker

On 04/12/16 19:58, Marc Boorshtein wrote:
Re: [keycloak-user] Create user from keycloak UI with FreeIPA backend

Bruno Oliveira
On 2016-12-05, Marek Posolda wrote:

> Yeah, that's my experience too. I did the Keycloak integration with
> FreeIPA through the LDAP FederationProvider a long time ago with the docker
> image [1].
>
> The update of simple attributes of existing users worked (e.g. if I
> updated firstName of the user "john" in Keycloak, it was propagated
> through the LDAP FederationProvider to the FreeIPA LDAP and was updated
> correctly).
>
> However, registration of new users from Keycloak doesn't work. I assumed
> the SSSD interface will be able to register new users from Keycloak as well?

I don't think so. The SSSD interface is read-only and the addition of a
registration interface is unlikely to happen on SSSD.

Today, to manage or change users, unfortunately all you can do
is to go through the IPA interface. There's a mention of "ipa help
permission", but I haven't tried it yet.


--

abstractj
PGP: 0x84DC9914