> On 15 Jul 2024, at 19:44, Rob Crittenden <[email protected]> wrote:
> 
> Francis Augusto Medeiros-Logeay via FreeIPA-users wrote:
>> Ok, I am not sure how this works:
>> 
>> I created this user, called biding. I want it to be able to create users on 
>> FreeIPA, mailing by biding Keycloak to it.
>> 
>> So I created the role: 
>> [francis@freeipa]~% ipa role-show
>> Role name: Keycloak biding
>>  Role name: Keycloak biding
>>  Member users: biding
>>  Privileges: User Administrators, Group Administrators, Stage User
>>              Administrators, Stage User Provisioning, Modify Users and Reset
>>              passwords, Modify Group membership, Keycloak admin
>> 
>> Yes, too many roles, because it simply wasn’t doing it. Keycloak would fail 
>> saying the user didn’t have permissions.
>> 
>> So what I did was to add this user to the admin group. Then it created 
>> users. But not even my admin user can delete those users created that way.
>> 
>> Why isn’t this working? And why when giving it permissions it is creating 
>> objects that simply can’t be read by my previous biding users?
> 

Thanks a lot for replying, Rob.

> You haven't described how you integrated Keycloak. Nor what the
> "Keycloak admin" privilege consists of.

I used LDAP integration to Keycloak. So it uses LDAP queries against FreeIPA.

The “Keycloak admin” privilege repeats some of the permissions of User 
Administrators. Not much there.

> Note that since your IPA user biding has these permissions have you
> tried kinit and use ipa user-add directly (after removal from the admins
> group)? If it fails, how does it fail? Look in
> /var/log/dirsrv/slapd-REALM/access for the bind and ADD and look to see
> how it failed.


On the Keycloak side, it says the user didn’t have the permission to add users. 
I think the errors in the access logs were similar. 

And something else: 
When it is a member of the admin group, it does add the users. But somehow the 
ACI of the users created by it are a bit weird:

- my system account user (created as described here: 
https://www.freeipa.org/page/HowTo/LDAP#system-accounts) can’t read these users 
created by my “keycloak”. It can read all users created by ipa user-add, but 
not those created by “binding”-user.
- I can’t modify an attribute with ipa user-mod, even with my admin user!

I am a bit lost here. Shouldn’t adding these privileges be enough to create 
users? And if the user is added to the admin group, shouldn’t users it creates 
via ldap (not ipa user-add) be modifiable by another admin user? 

Best,

Francis
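
The check Rob suggests above (find the BIND and the ADD for the service account in /var/log/dirsrv/slapd-REALM/access and see how the ADD failed) is quicker when each operation is correlated with its RESULT line by conn/op number, since 389-ds writes the two on separate lines and the bound identity is only visible on the BIND. The script below is an added example, not code from this thread or from FreeIPA; the log lines are constructed to show the shape of a permission-denied ADD (err=50, insufficientAccessRights) next to one that succeeded, and the base DN, IP addresses and conn numbers are assumptions.

```python
"""Correlate BIND/ADD/MOD/DEL operations with their RESULT lines in a 389-ds
(FreeIPA) access log and report which bound identity issued each failed write.

Added example, not from the thread. The sample log below is constructed; the
base DN, addresses and conn/op numbers are assumptions.
"""
import re

# Every 389-ds access-log record starts with a timestamp and conn=/op= ids.
_PREFIX = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)(?: op=(?P<op>-?\d+))? (?P<body>.*)$'
)
_OPERATION = re.compile(
    r'^(?P<kind>BIND|ADD|MOD|DEL|MODRDN|SRCH|UNBIND)\b(?: dn="(?P<dn>[^"]*)")?'
)
_RESULT = re.compile(r'^RESULT err=(?P<err>\d+)')
_RESULT_DN = re.compile(r'dn="(?P<dn>[^"]*)"')

# LDAP result codes that matter when a provisioning tool says "no permission".
LDAP_ERR = {
    0: "success",
    14: "saslBindInProgress",
    19: "constraintViolation",
    32: "noSuchObject",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    68: "entryAlreadyExists",
}

BASE_DN = "dc=example,dc=test"  # assumption: stands in for the real suffix
SAMPLE_LOG = [  # constructed lines in 389-ds access-log format
    '[15/Jul/2024:19:44:01.000000001 +0200] conn=12 fd=64 slot=64 connection from 10.0.0.5 to 10.0.0.10',
    f'[15/Jul/2024:19:44:01.000000002 +0200] conn=12 op=0 BIND dn="uid=biding,cn=users,cn=accounts,{BASE_DN}" method=128 version=3',
    f'[15/Jul/2024:19:44:01.000000003 +0200] conn=12 op=0 RESULT err=0 tag=97 nentries=0 wtime=0.000100 optime=0.000200 etime=0.000300 dn="uid=biding,cn=users,cn=accounts,{BASE_DN}"',
    f'[15/Jul/2024:19:44:02.000000004 +0200] conn=12 op=1 ADD dn="uid=newuser,cn=users,cn=accounts,{BASE_DN}"',
    '[15/Jul/2024:19:44:02.000000005 +0200] conn=12 op=1 RESULT err=50 tag=105 nentries=0 wtime=0.000100 optime=0.000200 etime=0.000300',
    '[15/Jul/2024:19:44:03.000000006 +0200] conn=13 fd=65 slot=65 connection from 10.0.0.7 to 10.0.0.10',
    '[15/Jul/2024:19:44:03.000000007 +0200] conn=13 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI',
    f'[15/Jul/2024:19:44:03.000000008 +0200] conn=13 op=0 RESULT err=0 tag=97 nentries=0 wtime=0.000100 optime=0.000200 etime=0.000300 dn="uid=admin,cn=users,cn=accounts,{BASE_DN}"',
    f'[15/Jul/2024:19:44:04.000000009 +0200] conn=13 op=1 ADD dn="uid=otheruser,cn=users,cn=accounts,{BASE_DN}"',
    '[15/Jul/2024:19:44:04.000000010 +0200] conn=13 op=1 RESULT err=0 tag=105 nentries=0 wtime=0.000100 optime=0.000200 etime=0.000300',
]


def correlate(lines):
    """One record per completed operation: connection, op number, kind,
    target DN, the DN bound on that connection, and the LDAP result code."""
    bound = {}    # conn -> DN of the last successful BIND on that connection
    pending = {}  # (conn, op) -> operation waiting for its RESULT line
    records = []
    for line in lines:
        m = _PREFIX.match(line)
        if not m or m.group("op") is None:
            continue  # connection open/close lines carry no op number
        conn, op, body = m.group("conn"), int(m.group("op")), m.group("body")
        opm = _OPERATION.match(body)
        if opm:
            pending[(conn, op)] = {
                "conn": conn, "op": op, "kind": opm.group("kind"),
                "dn": opm.group("dn"),
                "bound_as": bound.get(conn, "anonymous"),
            }
            continue
        rm = _RESULT.match(body)
        if rm and (conn, op) in pending:
            rec = pending.pop((conn, op))
            err = int(rm.group("err"))
            rec["err"] = err
            rec["err_name"] = LDAP_ERR.get(err, f"err{err}")
            if rec["kind"] == "BIND" and err == 0:
                # SASL binds log dn="" on the BIND line; the authenticated
                # identity appears on the RESULT line instead.
                dm = _RESULT_DN.search(body)
                bound[conn] = (dm.group("dn") if dm else None) or rec["dn"] or "anonymous"
            records.append(rec)
    return records


def failed_writes(lines):
    """Only the ADD/MOD/DEL/MODRDN operations that did not succeed."""
    return [r for r in correlate(lines)
            if r["kind"] in ("ADD", "MOD", "DEL", "MODRDN") and r["err"] != 0]


if __name__ == "__main__":
    for r in failed_writes(SAMPLE_LOG):
        print(f'conn={r["conn"]} op={r["op"]} {r["kind"]} {r["dn"]} '
              f'as {r["bound_as"]}: err={r["err"]} ({r["err_name"]})')
```

Run against the real file with `correlate(open("/var/log/dirsrv/slapd-REALM/access"))`; an ADD from the service account ending in err=50 confirms the failure is an ACI decision on the directory side rather than something in Keycloak, while err=49 on the BIND would point at the credentials instead.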

-- 
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue