Is there a way of using users coming from Active Directory in Keycloak?
Cheers, Ronald
SSSD might be the right way to go. I followed this guide
https://github.com/keycloak/keycloak-documentation/blob/master/server_admin/...
but I am not sure what the output of "sssctl user-checks admin -s keycloak" should be.
  $ sssctl user-checks admin -s keycloak
  user: admin
  action: acct
  service: keycloak

  SSSD nss user lookup result:
   - user name: admin
   - user id: 1246600000
   - group id: 1246600000
   - gecos: Administrator
   - home directory: /home/admin
   - shell: /bin/bash

  SSSD InfoPipe user lookup result:
   - name: admin
   - uidNumber: 1246600000
   - gidNumber: 1246600000
   - gecos: Administrator
   - homeDirectory: /home/admin
   - loginShell: /bin/bash

  testing pam_acct_mgmt
  pam_acct_mgmt: Permission denied

  PAM Environment:
   - no env -
I think the "Permission denied" should not pop up...
However, no SSSD option shows up when I am trying to configure SSSD as a User Federation Provider.
What am I missing?
Cheers, Ronald
SSSD seems to work now and I can log in to Keycloak with an IPA user. Unfortunately, when trying to use an AD user I get an exception:

  Aug 20 13:10:46 keycloak-test.linux.mydomain.at standalone.sh[16537]: 13:10:46,967 WARN [org.keycloak.services] (default task-52) KC-SERVICES0013: Failed authentication: org.keycloak.federation.sssd.api.SSSDException: Failed to retrieve user's attributes. Check if SSSD service is active.
  Aug 20 13:10:46 keycloak-test.linux.mydomain.at standalone.sh[16537]: at org.keycloak.federation.sssd.api.Sssd.getUser(Sssd.java:112)
  Aug 20 13:10:46 keycloak-test.linux.mydomain.at standalone.sh[16537]: at org.keycloak.federation.sssd.SSSDFederationProvider.importUserToKeycloak(SSSDFederationProvider.java:114)
  Aug 20 13:10:46 keycloak-test.linux.mydomain.at standalone.sh[16537]: at org.keycloak.federation.sssd.SSSDFederationProvider.findOrCreateAuthenticatedUser(SSSDFederationProvider.java:109)
SSSD service is active.
On Tue, Aug 20, 2019 at 01:13:09PM +0200, Ronald Wimmer via FreeIPA-users wrote:
> SSSD seems to work now and I can log in to Keycloak with an IPA user. Unfortunately, when trying to use an AD user I get an exception:
> [...]
> SSSD service is active.
As far as I remember, Keycloak uses the D-Bus interface of SSSD to retrieve the user's attributes. Can you check if the ifp service is up and running and if there are any helpful logs in the sssd_ifp.log file?
On 22.08.19 15:57, Jakub Hrozek via FreeIPA-users wrote:
> [...] As far as I remember, Keycloak uses the D-Bus interface of SSSD to retrieve the user's attributes. Can you check if the ifp service is up and running and if there are any helpful logs in the sssd_ifp.log file?
I do not get AD attributes apart from mail:
  (Tue Aug 20 14:09:37 2019) [sssd[ifp]] [ifp_add_ldb_el_to_dict] (0x0400): element [mail] has value [Ronald.Wimmer@mydomain.at]
  (Tue Aug 20 14:09:37 2019) [sssd[ifp]] [ifp_user_get_attr_handle_reply] (0x0080): Attribute givenname not present or has no values
  (Tue Aug 20 14:09:37 2019) [sssd[ifp]] [ifp_user_get_attr_handle_reply] (0x0080): Attribute sn not present or has no values
  (Tue Aug 20 14:09:37 2019) [sssd[ifp]] [ifp_user_get_attr_handle_reply] (0x0080): Attribute telephoneNumber not present or has no values

  (Tue Aug 20 14:10:05 2019) [sssd[ifp]] [sbus_dispatch] (0x4000): dbus conn: 0x55a8f4758970
  (Tue Aug 20 14:10:05 2019) [sssd[ifp]] [sbus_dispatch] (0x4000): Dispatching.
  (Tue Aug 20 14:10:05 2019) [sssd[ifp]] [sbus_signal_handler] (0x2000): Received D-Bus signal org.freedesktop.DBus.NameOwnerChanged
  (Tue Aug 20 14:10:05 2019) [sssd[ifp]] [sbus_signal_handler_got_caller_id] (0x0400): Got a signal from the bus..
  (Tue Aug 20 14:10:05 2019) [sssd[ifp]] [sbus_signal_name_owner_changed] (0x0400): Clearing UIDs cache
  (Tue Aug 20 14:10:05 2019) [sssd[ifp]] [sbus_dispatch] (0x4000): dbus conn: 0x55a8f4758970
  (Tue Aug 20 14:10:05 2019) [sssd[ifp]] [sbus_dispatch] (0x4000): Dispatching.
  (Tue Aug 20 14:10:05 2019) [sssd[ifp]] [sbus_signal_handler] (0x2000): Received D-Bus signal org.freedesktop.DBus.NameOwnerChanged
  (Tue Aug 20 14:10:05 2019) [sssd[ifp]] [sbus_signal_handler_got_caller_id] (0x0400): Got a signal from the bus..
  (Tue Aug 20 14:10:05 2019) [sssd[ifp]] [sbus_signal_name_owner_changed] (0x0400): Clearing UIDs cache
And here a keycloak log snippet:
  Aug 20 13:10:46 keycloak-test.linux.mydomain.at standalone.sh[16537]: 13:10:46,967 WARN [org.keycloak.services] (default task-52) KC-SERVICES0013: Failed authentication: org.keycloak.federation.sssd.api.SSSDException: Failed to retrieve user's attributes. Check if SSSD service is active.
  Aug 20 13:10:46 keycloak-test.linux.mydomain.at standalone.sh[16537]: at org.keycloak.federation.sssd.api.Sssd.getUser(Sssd.java:112)
  Aug 20 13:10:46 keycloak-test.linux.mydomain.at standalone.sh[16537]: at org.keycloak.federation.sssd.SSSDFederationProvider.importUserToKeycloak(SSSDFederationProvider.java:114)
  Aug 20 13:10:46 keycloak-test.linux.mydomain.at standalone.sh[16537]: at org.keycloak.federation.sssd.SSSDFederationProvider.findOrCreateAuthenticatedUser(SSSDFederationProvider.java:109)
On Fri, Aug 23, 2019 at 01:07:23PM +0200, Ronald Wimmer via FreeIPA-users wrote:
> On 22.08.19 15:57, Jakub Hrozek via FreeIPA-users wrote:
> > [...] As far as I remember, Keycloak uses the D-Bus interface of SSSD to retrieve the user's attributes. Can you check if the ifp service is up and running and if there are any helpful logs in the sssd_ifp.log file?
> I do not get AD attributes apart from mail:
> [...]
> And here a keycloak log snippet:
> [...]
Hmm, I don't remember off the top of my head which attributes KC tries to fetch, but e-mail sounds like what it would need, at least that's what's most commonly used for claims and such.
If you correlate the KC lookup errors with ifp sssd logs, what is the exact lookup that KC is doing but that is failing?
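The correlation Jakub asks for, done by hand. This is an added example, not code from this thread, from Keycloak or from SSSD: it makes the same InfoPipe D-Bus call Keycloak makes (org.freedesktop.sssd.infopipe GetUserAttr) and, offline, reads an sssd_ifp.log excerpt to report which of the requested attributes came back with a value and which the responder reported as absent. The log excerpt is constructed from the lines Ronald posted; the function names, the use of dbus-send, and the assumption that the sssd-dbus package is installed and `ifp` is listed in `services` are mine.

```bash
#!/usr/bin/env bash
# Added example (not from the thread, Keycloak or SSSD): reproduce Keycloak's
# InfoPipe lookup and check an sssd_ifp.log excerpt for what actually came back.
set -eu

# The four attributes Keycloak's SSSD federation provider asks for (per the thread).
KC_ATTRS="mail givenname sn telephoneNumber"

# Live query: the same D-Bus method Keycloak calls. Assumes sssd-dbus is installed
# and "ifp" is in services= in sssd.conf. Run as root on the Keycloak host with a
# qualified AD user name, e.g. ifp_get_user_attr 'jdoe@ad.example.test'.
# Nothing below calls this, so the script stays runnable offline.
ifp_get_user_attr() {
  dbus-send --system --print-reply \
    --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe \
    org.freedesktop.sssd.infopipe.GetUserAttr \
    string:"$1" array:string:mail,givenname,sn,telephoneNumber
}

# Constructed sssd_ifp.log excerpt, modelled on the lines posted in the thread
# (debug_level = 9 in the [ifp] section). Not real data.
SAMPLE_IFP_LOG='(Tue Aug 20 14:09:37 2019) [sssd[ifp]] [ifp_add_ldb_el_to_dict] (0x0400): element [mail] has value [Ronald.Wimmer@mydomain.at]
(Tue Aug 20 14:09:37 2019) [sssd[ifp]] [ifp_user_get_attr_handle_reply] (0x0080): Attribute givenname not present or has no values
(Tue Aug 20 14:09:37 2019) [sssd[ifp]] [ifp_user_get_attr_handle_reply] (0x0080): Attribute sn not present or has no values
(Tue Aug 20 14:09:37 2019) [sssd[ifp]] [ifp_user_get_attr_handle_reply] (0x0080): Attribute telephoneNumber not present or has no values'

# Attributes the ifp responder handed back with a value, one per line.
# ifp_add_ldb_el_to_dict is logged once per attribute that makes it into the reply.
ifp_returned_attrs() {
  printf '%s\n' "$1" | sed -n 's/.*\[ifp_add_ldb_el_to_dict\].*element \[\([^]]*\)\] has value.*/\1/p'
}

# Attributes the responder explicitly reported as absent, one per line.
ifp_absent_attrs() {
  printf '%s\n' "$1" | sed -n 's/.*Attribute \([^ ]*\) not present or has no values.*/\1/p'
}

# Requested attributes that never made it into the reply, space-separated.
# Empty output means Keycloak got everything it asked for.
kc_missing_attrs() {
  missing=""
  for a in $KC_ATTRS; do
    if ! ifp_returned_attrs "$1" | grep -qix "$a"; then
      missing="$missing${missing:+ }$a"
    fi
  done
  printf '%s\n' "$missing"
}
```

On a live box, feed the real log in the same way, for example `kc_missing_attrs "$(tail -n 200 /var/log/sssd/sssd_ifp.log)"` right after a failed Keycloak login; the symptom in this thread is `mail` alone being returned while the other three show up in `ifp_absent_attrs`.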
On 23.08.19 15:53, Jakub Hrozek via FreeIPA-users wrote:
> [...] Hmm, I don't remember off the top of my head which attributes KC tries to fetch, but e-mail sounds like what it would need, at least that's what's most commonly used for claims and such.
> If you correlate the KC lookup errors with ifp sssd logs, what is the exact lookup that KC is doing but that is failing?
The four attributes KC is trying to fetch are mail, givenName, sn and telephoneNumber. The keycloak-sssd-configuration script adds something like

  ldap_user_extra_attrs = mail:mail, sn:mail, givenname:mail, telephoneNumber:mail

to the domain section of sssd.conf. However, it looks as if only the mail attribute is retrieved from AD. Everything works fine with a local IPA user.
Cheers, Ronald
On pe, 23 elo 2019, Ronald Wimmer via FreeIPA-users wrote:
> On 23.08.19 15:53, Jakub Hrozek via FreeIPA-users wrote:
> > [...] Hmm, I don't remember off the top of my head which attributes KC tries to fetch, but e-mail sounds like what it would need, at least that's what's most commonly used for claims and such.
> > If you correlate the KC lookup errors with ifp sssd logs, what is the exact lookup that KC is doing but that is failing?
> The four attributes KC is trying to fetch are mail, givenName, sn and telephoneNumber. The keycloak-sssd-configuration script adds something like
>
>   ldap_user_extra_attrs = mail:mail, sn:mail, givenname:mail, telephoneNumber:mail
>
> to the domain section of sssd.conf. However, it looks as if only the mail attribute is retrieved from AD. Everything works fine with a local IPA user.
Is this Keycloak installation done separate from IPA master? If yes, then you need to have ldap_user_extra_attrs on both IPA client where Keycloak runs and on IPA masters that SSSD would talk to to obtain information about AD users.
On 23.08.19 18:03, Alexander Bokovoy wrote:
> [...] Is this Keycloak installation done separate from IPA master? If yes, then you need to have ldap_user_extra_attrs on both IPA client where Keycloak runs and on IPA masters that SSSD would talk to to obtain information about AD users.
Keycloak runs on a separate machine (as an ipa client). What you are saying is that all IPA masters would need to have sssd.conf tweaked accordingly?
Cheers, Ronald
On pe, 23 elo 2019, Ronald Wimmer wrote:
> On 23.08.19 18:03, Alexander Bokovoy wrote:
> > [...] Is this Keycloak installation done separate from IPA master? If yes, then you need to have ldap_user_extra_attrs on both IPA client where Keycloak runs and on IPA masters that SSSD would talk to to obtain information about AD users.
> Keycloak runs on a separate machine (as an ipa client). What you are saying is that all IPA masters would need to have sssd.conf tweaked accordingly?
Yes. Remember that SSSD on IPA client talks to IPA master to query information about AD users. That request (coming by way of a specialized LDAP query to IPA LDAP server) is routed to SSSD running on IPA master. So SSSD on IPA master filters out attributes that aren't allowed in its config.
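Alexander's point turned into a check that can be run on the Keycloak client and on every IPA master alike. This is an added example, not code from this thread and not Keycloak's federation-sssd-setup.sh: it parses an sssd.conf, pulls a key out of a named section, and reports which of the four Keycloak attributes are missing from `ldap_user_extra_attrs` in the `[domain/...]` section. The two sample configurations, the domain and host names in them, and the function names are constructed for the example; the `[ifp] user_attributes` line is the one Ronald quotes from the setup script.

```bash
#!/usr/bin/env bash
# Added example (not from the thread or from Keycloak's setup script): audit an
# sssd.conf for the attribute plumbing Keycloak's SSSD provider relies on.
# Per the thread, SSSD on an IPA client fetches AD users through SSSD on the IPA
# master, and the master filters out attributes its own config does not allow, so
# the same ldap_user_extra_attrs line is needed on the Keycloak host and on masters.
set -eu

# The four attributes Keycloak's SSSD federation provider asks for (per the thread).
KC_ATTRS="mail givenname sn telephoneNumber"

# Constructed: an IPA master that was never touched for Keycloak. It serves AD
# users to clients but has no ldap_user_extra_attrs, so only default attributes
# survive the trip to the client.
SAMPLE_MASTER_CONF='[sssd]
services = nss, pam, ifp
domains = ipa.example.test

[domain/ipa.example.test]
id_provider = ipa
ipa_server = ipa1.ipa.example.test

[ifp]
user_attributes = +mail, +telephoneNumber, +givenname, +sn
'

# Constructed: the Keycloak host after federation-sssd-setup.sh, with the
# domain-section line Ronald quotes in the thread.
SAMPLE_CLIENT_CONF='[sssd]
services = nss, pam, ifp
domains = ipa.example.test

[domain/ipa.example.test]
id_provider = ipa
ldap_user_extra_attrs = mail:mail, sn:sn, givenname:givenname, telephoneNumber:telephoneNumber

[ifp]
user_attributes = +mail, +telephoneNumber, +givenname, +sn
'

# Print the value of $3 from every section whose name starts with $2 in the
# config text $1 (e.g. "domain/" matches all [domain/...] sections, "ifp" the
# [ifp] section). Prints nothing when the key is absent.
conf_lookup() {
  printf '%s\n' "$1" | awk -v pfx="$2" -v key="$3" '
    /^\[/ { sec = substr($0, 2, index($0, "]") - 2); next }
    index(sec, pfx) == 1 {
      split($0, kv, "=")
      gsub(/^[ \t]+|[ \t]+$/, "", kv[1])
      if (kv[1] == key) { sub(/^[^=]*=[ \t]*/, ""); print }
    }'
}

# Keycloak attributes whose external (cache) name is not listed in the domain
# section's ldap_user_extra_attrs, space-separated. Entries have the form
# externalname[:ldapname]; only the part before the colon is compared.
# Empty output means the domain section is complete.
missing_extra_attrs() {
  line=$(conf_lookup "$1" "domain/" "ldap_user_extra_attrs" | head -n 1)
  missing=""
  for a in $KC_ATTRS; do
    if ! printf '%s\n' "$line" | tr ',' '\n' | sed 's/^ *//; s/:.*//' | grep -qix "$a"; then
      missing="$missing${missing:+ }$a"
    fi
  done
  printf '%s\n' "$missing"
}
```

On a real host run `missing_extra_attrs "$(cat /etc/sssd/sssd.conf)"` as root; anything printed on an IPA master is an attribute that will be stripped before the Keycloak client ever sees it. `conf_lookup "$(cat /etc/sssd/sssd.conf)" ifp user_attributes` shows whether the `[ifp]` side on the Keycloak host exposes the same four names.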
On Fri, Aug 23, 2019 at 05:48:18PM +0200, Ronald Wimmer via FreeIPA-users wrote:
> On 23.08.19 15:53, Jakub Hrozek via FreeIPA-users wrote:
> > [...] Hmm, I don't remember off the top of my head which attributes KC tries to fetch, but e-mail sounds like what it would need, at least that's what's most commonly used for claims and such.
> > If you correlate the KC lookup errors with ifp sssd logs, what is the exact lookup that KC is doing but that is failing?
> The four attributes KC is trying to fetch are mail, givenName, sn and telephoneNumber. The keycloak-sssd-configuration script adds something like
>
>   ldap_user_extra_attrs = mail:mail, sn:mail, givenname:mail, telephoneNumber:mail
Wait, do they really map all these attributes to mail? This seems wrong, the format is externalname:ldapname and IIRC the last one wins, so the last one is applied and stores mail as telephoneNumber.
So given the LDAP server is IPA, could you change the config to fetch the proper LDAP attributes? Actually all the attribute names they use for the cachename are the same in LDAP, so you could just use: ldap_user_extra_attrs = mail, sn, givenname, telephonenumber
(Unless they also reversed the order of attrs..)
On 23.08.19 20:18, Jakub Hrozek via FreeIPA-users wrote:
> [...] Wait, do they really map all these attributes to mail? This seems wrong, the format is externalname:ldapname and IIRC the last one wins, so the last one is applied and stores mail as telephoneNumber.
Sorry. I pasted a config snippet we used to test whether something would be mapped (because the mail attribute was mapped and the others not).
Why is the mail attribute mapped by default (without defining anything in sssd.conf) and the other attributes are not?
Cheers, Ronald
On Mon, Aug 26, 2019 at 09:19:36AM +0200, Ronald Wimmer via FreeIPA-users wrote:
> On 23.08.19 20:18, Jakub Hrozek via FreeIPA-users wrote:
> > [...] Wait, do they really map all these attributes to mail? This seems wrong, the format is externalname:ldapname and IIRC the last one wins, so the last one is applied and stores mail as telephoneNumber.
> Sorry. I pasted a config snippet we used to test whether something would be mapped (because the mail attribute was mapped and the others not).
So how did the original config look like?
> Why is the mail attribute mapped by default (without defining anything in sssd.conf) and the other attributes are not?
Sorry, it's not totally clear to me if all the attributes were mapped to mail by the KC installer or by your snippet?
Does everything work if you remove the mappings?
On 26.08.19 09:26, Jakub Hrozek via FreeIPA-users wrote:
> [...] Sorry, it's not totally clear to me if all the attributes were mapped to mail by the KC installer or by your snippet?
The original config looked like it should after executing keycloak's federation-sssd-setup.sh:
  [domain section]
  ldap_user_extra_attrs = mail:mail, sn:sn, givenname:givenname, telephoneNumber:telephoneNumber

  [ifp]
  user_attributes = +mail, +telephoneNumber, +givenname, +sn

> Does everything work if you remove the mappings?
Unfortunately not. Only "mail" is mapped for an AD user. The other three attributes are not.
Cheers, Ronald
On Mon, Aug 26, 2019 at 02:17:29PM +0200, Ronald Wimmer via FreeIPA-users wrote:
> On 26.08.19 09:26, Jakub Hrozek via FreeIPA-users wrote:
> > [...] Sorry, it's not totally clear to me if all the attributes were mapped to mail by the KC installer or by your snippet?
> The original config looked like it should after executing keycloak's federation-sssd-setup.sh:
>
>   [domain section]
>   ldap_user_extra_attrs = mail:mail, sn:sn, givenname:givenname, telephoneNumber:telephoneNumber
>
>   [ifp]
>   user_attributes = +mail, +telephoneNumber, +givenname, +sn
OK, this is what I would have expected. Is it possible to enable debugging and run the KC operation to see exactly what is being looked up and what fails?
> > Does everything work if you remove the mappings?
> Unfortunately not. Only "mail" is mapped for an AD user. The other three attributes are not.
> Cheers, Ronald
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
On 28.08.19 08:39, Jakub Hrozek via FreeIPA-users wrote:
> [...] OK, this is what I would have expected. Is it possible to enable debugging and run the KC operation to see exactly what is being looked up and what fails?

  (Tue Aug 20 14:09:37 2019) [sssd[ifp]] [ifp_add_ldb_el_to_dict] (0x0400): element [mail] has value [Ronald.Wimmer@mydomain.at]
  (Tue Aug 20 14:09:37 2019) [sssd[ifp]] [ifp_user_get_attr_handle_reply] (0x0080): Attribute givenname not present or has no values
  (Tue Aug 20 14:09:37 2019) [sssd[ifp]] [ifp_user_get_attr_handle_reply] (0x0080): Attribute sn not present or has no values
  (Tue Aug 20 14:09:37 2019) [sssd[ifp]] [ifp_user_get_attr_handle_reply] (0x0080): Attribute telephoneNumber not present or has no values
This shows up in the logs without further configuration (no additional configuration on the IPA servers themselves). Why is the mail attribute showing up but the others do not?
Cheers, Ronald
On Wed, Aug 28, 2019 at 12:29:14PM +0200, Ronald Wimmer via FreeIPA-users wrote:
> On 28.08.19 08:39, Jakub Hrozek via FreeIPA-users wrote:
> > [...] OK, this is what I would have expected. Is it possible to enable debugging and run the KC operation to see exactly what is being looked up and what fails?
> [...]
> This shows up in the logs without further configuration (no additional configuration on the IPA servers themselves). Why is the mail attribute showing up but the others do not?
Apparently they are not defined on the server side. btw is Ronald.Wimmer@mydomain.at a user in the trusted domain or the IPA domain?
On 29.08.19 08:59, Jakub Hrozek via FreeIPA-users wrote:
> [...] Apparently they are not defined on the server side. btw is Ronald.Wimmer@mydomain.at a user in the trusted domain or the IPA domain?
The user comes from a trusted domain where all four attributes exist and have values.
When using a user from the IPA domain all four attributes show up in keycloak.
Cheers, Ronald