Ok, I am not sure how this works:
I created this user, called biding. I want it to be able to create users on FreeIPA, mainly by binding Keycloak to it.
So I created the role:

[francis@freeipa]~% ipa role-show
Role name: Keycloak biding
  Role name: Keycloak biding
  Member users: biding
  Privileges: User Administrators, Group Administrators, Stage User Administrators, Stage User Provisioning, Modify Users and Reset passwords, Modify Group membership, Keycloak admin
Yes, too many roles, because it simply wasn’t doing it. Keycloak would fail saying the user didn’t have permissions.
So what I did was to add this user to the admin group. Then it created users. But not even my admin user can delete those users created that way.
Why isn’t this working? And why when giving it permissions it is creating objects that simply can’t be read by my previous biding users?
Best,
Francis
Francis Augusto Medeiros-Logeay via FreeIPA-users wrote:
You haven't described how you integrated Keycloak. Nor what the "Keycloak admin" privilege consists of.
Note that since your IPA user biding has these permissions, have you tried kinit and using ipa user-add directly (after removing it from the admins group)? If it fails, how does it fail? Look in /var/log/dirsrv/slapd-REALM/access for the bind and the ADD and see how it failed.
rob
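Rob's suggestion is to read the line-oriented 389-ds access log for the bind and the ADD (the JSON AUTHZ_ERROR record pasted later in the thread comes from a different, JSON-formatted log). The script below is an added example, not code from the thread or from FreeIPA: it pairs each BIND, ADD and RESULT record by conn/op so that the identity bound on a connection and the LDAP result code of every write line up, which is what you need to tell "the bind failed" apart from "the ADD was refused by ACI". The log lines embedded in it are constructed in the 389-ds access-log format to mirror the scenario in the thread; the timestamps, connection numbers and the second (admin) connection are illustrative, not taken from Francis's server.

```python
import re

# Constructed sample in the 389-ds access-log format (not taken from the thread's server).
# conn 3722: a SIMPLE bind as the Keycloak service user, then an ADD that is refused.
# conn 3723: the same kind of ADD performed by an admins member, which succeeds.
SAMPLE_ACCESS_LOG = """\
[19/Jul/2024:14:31:59.630000000 +0200] conn=3722 fd=64 slot=64 connection from 10.10.210.152 to 10.10.40.20
[19/Jul/2024:14:31:59.631000000 +0200] conn=3722 op=0 BIND dn="uid=biding,cn=users,cn=accounts,dc=ipa,dc=med-lo" method=128 version=3
[19/Jul/2024:14:31:59.633000000 +0200] conn=3722 op=0 RESULT err=0 tag=97 nentries=0 etime=0.002000000 dn="uid=biding,cn=users,cn=accounts,dc=ipa,dc=med-lo"
[19/Jul/2024:14:31:59.636000000 +0200] conn=3722 op=1 ADD dn="uid=testing2,cn=users,cn=accounts,dc=ipa,dc=med-lo"
[19/Jul/2024:14:31:59.637000000 +0200] conn=3722 op=1 RESULT err=50 tag=105 nentries=0 etime=0.001000000
[19/Jul/2024:14:31:59.640000000 +0200] conn=3722 op=2 UNBIND
[19/Jul/2024:14:32:01.000000000 +0200] conn=3723 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=ipa,dc=med-lo" method=128 version=3
[19/Jul/2024:14:32:01.002000000 +0200] conn=3723 op=0 RESULT err=0 tag=97 nentries=0 etime=0.002000000 dn="uid=admin,cn=users,cn=accounts,dc=ipa,dc=med-lo"
[19/Jul/2024:14:32:01.010000000 +0200] conn=3723 op=1 ADD dn="uid=testing3,cn=users,cn=accounts,dc=ipa,dc=med-lo"
[19/Jul/2024:14:32:01.015000000 +0200] conn=3723 op=1 RESULT err=0 tag=105 nentries=0 etime=0.005000000
"""

# Operation records; lines without "op=" (connection open/close) are skipped.
OP_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) '
    r'(?P<kind>BIND|ADD|MOD|DEL|MODRDN|SRCH|RESULT|UNBIND)\b(?P<rest>.*)$'
)
DN_RE = re.compile(r'\bdn="(?P<dn>[^"]*)"')
ERR_RE = re.compile(r'\berr=(?P<err>\d+)')

# LDAP result codes a delegation problem usually surfaces as (RFC 4511 names).
LDAP_RESULT_NAMES = {
    0: "success",
    32: "noSuchObject",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    65: "objectClassViolation",
    68: "entryAlreadyExists",
}

def correlate(log_text):
    """Pair every write (ADD/MOD/DEL/MODRDN) with its RESULT and the DN bound on that connection.

    Returns a list of dicts in log order: conn, op, kind, bound_as, target, err, err_name.
    """
    bound_as = {}   # conn -> DN of the last successful BIND on that connection
    pending = {}    # (conn, op) -> (kind, target DN) waiting for its RESULT record
    events = []
    for line in log_text.splitlines():
        m = OP_RE.match(line)
        if not m:
            continue
        conn, op, kind, rest = m["conn"], int(m["op"]), m["kind"], m["rest"]
        dn_match = DN_RE.search(rest)
        target = dn_match["dn"] if dn_match else ""
        if kind == "RESULT":
            err_match = ERR_RE.search(rest)
            err = int(err_match["err"]) if err_match else -1
            op_kind, op_target = pending.pop((conn, op), (None, ""))
            if op_kind == "BIND":
                # Only a successful bind changes the identity later operations run as.
                if err == 0:
                    bound_as[conn] = op_target
                continue
            if op_kind in ("ADD", "MOD", "DEL", "MODRDN"):
                events.append({
                    "conn": conn, "op": op, "kind": op_kind,
                    "bound_as": bound_as.get(conn, "anonymous"),
                    "target": op_target, "err": err,
                    "err_name": LDAP_RESULT_NAMES.get(err, f"ldap error {err}"),
                })
        elif kind != "UNBIND":
            pending[(conn, op)] = (kind, target)
    return events

def failed_writes(events):
    """Keep only the writes the server refused; these are the records to look at first."""
    return [e for e in events if e["err"] != 0]

if __name__ == "__main__":
    for e in failed_writes(correlate(SAMPLE_ACCESS_LOG)):
        print(f"conn={e['conn']} op={e['op']} {e['kind']} {e['target']} "
              f"as {e['bound_as']}: err={e['err']} ({e['err_name']})")
```

Run it against a real file with `correlate(open("/var/log/dirsrv/slapd-REALM/access").read())`; an err=50 on the ADD with the expected bind DN means the bind worked and the ACIs refused the write, while an err=49 on the BIND means the delegation was never even consulted.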
On 15 Jul 2024, at 19:44, Rob Crittenden rcritten@redhat.com wrote:
Francis Augusto Medeiros-Logeay via FreeIPA-users wrote:
Thanks a lot for replying, Rob.
You haven't described how you integrated Keycloak. Nor what the "Keycloak admin" privilege consists of.
I used LDAP integration to Keycloak. So it uses LDAP queries against FreeIPA.
The “Keycloak admin” privilege repeats some of the permissions of User Administrators. Not much there.
Note that since your IPA user biding has these permissions, have you tried kinit and using ipa user-add directly (after removing it from the admins group)? If it fails, how does it fail? Look in /var/log/dirsrv/slapd-REALM/access for the bind and the ADD and see how it failed.
On the Keycloak side, it says the user didn’t have the permission to add users. I think the error on access logs were similar.
And something else: When it is a member of the admin group, it does add the users. But somehow the ACI of the users created by it are a bit weird:
- my system account user (created as described here: https://www.freeipa.org/page/HowTo/LDAP#system-accounts) can’t read these users created by my “keycloak”. It can read all users created by ipa user-add, but not those created by the “binding” user.
- I can’t modify an attribute with ipa user-mod, even with my admin user!
I am a bit lost here. Shouldn’t adding these privileges be enough to create users? And if the user is added to the admin group, shouldn’t users it creates via ldap (not ipa user-add) be modifiable by another admin user?
Best,
Francis
Francis Augusto Medeiros-Logeay wrote:
I am a bit lost here. Shouldn’t adding these privileges be enough to create users? And if the user is added to the admin group, shouldn’t users it creates via ldap (not ipa user-add) be modifiable by another admin user?
There isn't enough information to go on. Can you show us more details on this Keycloak privilege and permissions and what these unmodifiable users look like?
rob
On 18 Jul 2024, at 22:15, Rob Crittenden rcritten@redhat.com wrote:
Francis Augusto Medeiros-Logeay wrote:
I am a bit lost here. Shouldn’t adding these privileges be enough to create users? And if the user is added to the admin group, shouldn’t users it creates via ldap (not ipa user-add) be modifiable by another admin user?
There isn't enough information to go on. Can you show us more details on this Keycloak privilege and permissions and what these unmodifiable users look like?
rob
Ok, here’s a full report:
I created a user called “biding”. I then created a role so that this user could add other users and could be used on Keycloak for binding and adding users.
I gave it the following default roles:
- User administration
- helpdesk
- Keycloak biding (sorry for the typo)
The last one is like this:
✘ ⚡ root@freeipa /home/francis ipa privilege-show
Privilege name: Keycloak admin
  Privilege name: Keycloak admin
  Permissions: System: Add Users, System: Change User password
  Granting privilege to roles: Keycloak biding

⚡ root@freeipa /home/francis ipa role-show
Role name: Keycloak biding
  Role name: Keycloak biding
  Member users: biding
  Privileges: User Administrators, Group Administrators, Stage User Administrators, Stage User Provisioning, Modify Users and Reset passwords, Modify Group membership, Keycloak admin
I can’t add a user with it on Keycloak. This is what I get in the logs:
{
  "date": "[19/Jul/2024:14:31:59.636888234 +0200] ",
  "utc_time": "1721392319.636888234",
  "event": "AUTHZ_ERROR",
  "dn": "uid=biding,cn=users,cn=accounts,dc=ipa,dc=med-lo",
  "bind_method": "SIMPLE",
  "root_dn": false,
  "client_ip": "10.10.210.152",
  "server_ip": "10.10.40.20",
  "ldap_version": 3,
  "conn_id": 3722,
  "op_id": 1,
  "msg": "target_dn=(uid=testing2,cn=users,cn=accounts,dc=ipa,dc=med-lo)"
}
I then added “biding” to the “admins” group.
I could then create users on Keycloak with it. This is what a user looks like:
# testing, users, accounts, ipa.med-lo
dn: uid=testing,cn=users,cn=accounts,dc=ipa,dc=med-lo
sn: TEst
givenName: Test
mail: testing@med-lo.eu
cn: Test TEst
uid: testing
objectClass: top
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: postfixMailBox
objectClass: ipaobject
ipaUniqueID: b203edc0-45c9-11ef-bb0c-00505695d7f7
But, when searching for this user with my read-only system account, it doesn’t get it:
ldapsearch -b dc=ipa,dc=med-lo -D uid=system,cn=sysaccounts,cn=etc,dc=ipa,dc=med-lo -W uid=testing
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=ipa,dc=med-lo> with scope subtree
# filter: uid=testing
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1
So I have two problems:
How to give “biding” permission to add and modify users without adding it to the “admins” group, and how to make the users created by it readable like a normal ipa-user?
I hope this makes the issue a bit clearer.
Best,
Francis
Hi,
On Fri, Jul 19, 2024 at 4:53 PM Francis Augusto Medeiros-Logeay via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
So I have two problems:
How to give “biding” permission to add and modify users without adding it to the “admins” group, and how to make the users created by it readable like a normal ipa-user?
IPA assumes that it manages posix users, i.e. users with posixaccount objectclass. Most of the ACIs are written with this assumption (targetfilter = "(objectclass=posixaccount)"). If you create your users with this objectclass I believe user management will be easier and you can rely on the existing role "User Administrator".
flo
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Thanks a lot Florence. I will try that.
--
Francis Augusto Medeiros-Logeay
Oslo, Norway
On 2 Aug 2024, at 13:18, Florence Blanc-Renaud via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
IPA assumes that it manages posix users, i.e. users with posixaccount objectclass. Most of the ACIs are written with this assumption (targetfilter = "(objectclass=posixaccount)"). If you create your users with this objectclass I believe user management will be easier and you can rely on the existing role "User Administrator".
flo
I tried that today. The problem is that if the user is created by Keycloak, then I need to send all the attributes a posixAccount requires, such as uidNumber and gidNumber. Keycloak can’t create those by default, which makes it a bit harder to delegate user creation to Keycloak.
Any tips on a possible workaround?
Best,
Francis
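Florence's point (most IPA user ACIs carry targetfilter "(objectclass=posixaccount)") and Francis's follow-up (an entry with the posixAccount class needs uidNumber and gidNumber, which Keycloak does not supply) can both be checked offline without touching the directory. The Python below is an added example, not code from the thread or from FreeIPA. It evaluates a filter of the targetfilter form against the entry Francis posted and against a constructed copy of that entry with the posixAccount class and attributes added, and it lists which posixAccount MUST attributes (cn, uid, uidNumber, gidNumber, homeDirectory, per RFC 2307) an entry still lacks. Assumptions: the filter evaluator is a minimal one (presence, equality, AND/OR/NOT, values compared case-insensitively), the filter string is the one Florence quotes rather than the literal text of a specific IPA ACI, and the uid, numeric IDs and paths of the constructed posix entry are made up.

```python
# Entry as posted in the thread: a user created through Keycloak's LDAP federation.
KEYCLOAK_USER = {
    "dn": "uid=testing,cn=users,cn=accounts,dc=ipa,dc=med-lo",
    "uid": ["testing"],
    "cn": ["Test TEst"],
    "sn": ["TEst"],
    "givenName": ["Test"],
    "mail": ["testing@med-lo.eu"],
    "objectClass": ["top", "inetOrgPerson", "organizationalPerson", "person",
                    "postfixMailBox", "ipaobject"],
    "ipaUniqueID": ["b203edc0-45c9-11ef-bb0c-00505695d7f7"],
}

# Constructed: a second entry shaped like the one above, but carrying posixAccount and
# its required attributes. The uid, numeric IDs and paths are assumptions, not thread data.
POSIX_USER = dict(KEYCLOAK_USER)
POSIX_USER["dn"] = "uid=testing3,cn=users,cn=accounts,dc=ipa,dc=med-lo"
POSIX_USER["uid"] = ["testing3"]
POSIX_USER["objectClass"] = KEYCLOAK_USER["objectClass"] + ["posixAccount"]
POSIX_USER["uidNumber"] = ["1234567890"]
POSIX_USER["gidNumber"] = ["1234567890"]
POSIX_USER["homeDirectory"] = ["/home/testing3"]
POSIX_USER["loginShell"] = ["/bin/sh"]

# RFC 2307 posixAccount MUST attributes.
POSIX_ACCOUNT_MUST = ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory")

# The targetfilter Florence refers to, as quoted in her reply.
USER_ACI_TARGETFILTER = "(objectclass=posixaccount)"

def parse_filter(text):
    """Parse a small subset of RFC 4515 filters: (attr=value), (attr=*), (&..), (|..), (!..)."""
    def parse(i):
        if text[i] != "(":
            raise ValueError(f"expected '(' at {i}")
        i += 1
        if text[i] in "&|!":
            op = text[i]
            i += 1
            children = []
            while text[i] == "(":
                node, i = parse(i)
                children.append(node)
            if text[i] != ")":
                raise ValueError(f"expected ')' at {i}")
            if op == "!" and len(children) != 1:
                raise ValueError("NOT takes exactly one filter")
            return (op, children), i + 1
        end = text.index(")", i)
        attr, sep, value = text[i:end].partition("=")
        if not sep:
            raise ValueError("only equality and presence filters are supported")
        return ("=", attr.strip().lower(), value.strip()), end + 1
    node, pos = parse(0)
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return node

def entry_values(entry, attr):
    """All values of attr, lower-cased; attribute names compare case-insensitively as in LDAP."""
    out = []
    for name, values in entry.items():
        if name.lower() == attr:
            out.extend(values if isinstance(values, list) else [values])
    return [v.lower() for v in out]

def matches(node, entry):
    """Evaluate a parsed filter (objectClass and uid use case-insensitive matching in IPA)."""
    op = node[0]
    if op == "&":
        return all(matches(child, entry) for child in node[1])
    if op == "|":
        return any(matches(child, entry) for child in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = entry_values(entry, attr)
    if value == "*":
        return bool(values)
    return value.lower() in values

def visible_under(targetfilter, entries):
    """DNs of the entries an ACI with this targetfilter would apply to at all."""
    parsed = parse_filter(targetfilter)
    return [e["dn"] for e in entries if matches(parsed, e)]

def missing_posix_attrs(entry):
    """posixAccount MUST attributes the entry lacks; adding the class without them fails."""
    present = {name.lower() for name in entry}
    return [a for a in POSIX_ACCOUNT_MUST if a.lower() not in present]

if __name__ == "__main__":
    print("entries covered by", USER_ACI_TARGETFILTER, "->",
          visible_under(USER_ACI_TARGETFILTER, [KEYCLOAK_USER, POSIX_USER]))
    print("Keycloak-created entry lacks:", missing_posix_attrs(KEYCLOAK_USER))
```

The first call returns only the constructed posix entry, which is the mechanism behind the read-only system account not seeing Keycloak-created users: an ACI whose targetfilter does not match the entry grants nothing for it, whatever privileges the bind DN holds. The second call names the three attributes a Keycloak mapper would have to supply before the posixAccount class can be written.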