Francis Augusto Medeiros-Logeay wrote:
>
>
>> On 15 Jul 2024, at 19:44, Rob Crittenden <[email protected]> wrote:
>>
>> Francis Augusto Medeiros-Logeay via FreeIPA-users wrote:
>>> Ok, I am not sure how this works:
>>>
>>> I created this user, called biding. I want it to be able to create
>>> users on FreeIPA, mailing by biding Keycloak to it.
>>>
>>> So I created the role:
>>> [francis@freeipa]~% ipa role-show
>>>   Role name: Keycloak biding
>>>   Member users: biding
>>>   Privileges: User Administrators, Group Administrators, Stage User
>>>               Administrators, Stage User Provisioning, Modify Users
>>>               and Reset passwords, Modify Group membership, Keycloak admin
>>>
>>> Yes, too many roles, because it simply wasn’t doing it. Keycloak
>>> would fail saying the user didn’t have permissions.
>>>
>>> So what I did was to add this user to the admin group. Then it
>>> created users. But not even my admin user can delete those users
>>> created that way.
>>>
>>> Why isn’t this working? And why when giving it permissions it is
>>> creating objects that simply can’t be read by my previous biding users?
>>
>
> Thanks a lot for replying, Rob.
>
>> You haven't described how you integrated Keycloak. Nor what the
>> "Keycloak admin" privilege consists of.
>
> I used LDAP integration to Keycloak. So it uses LDAP queries against
> FreeIPA.
>
> The “Keycloak admin” privilege repeats some of the permissions of User
> Administrators. Nothing a lot there.
>
>> Note that since your IPA user biding has these permissions have you
>> tried kinit and use ipa user-add directly (after removal from the admins
>> group)? If it fails, how does it fail? Look in
>> /var/log/dirsrv/slapd-REALM/access for the bind and ADD and look to see
>> how it failed.
>
> On the Keycloak side, it says the user didn’t have the permission to add
> users. I think the error on access logs were similar.
>
> And something else:
> When it is a member of the admin group, it does add the users. But
> somehow the ACI of the users created by it are a bit weird:
>
> - my system account user (created as described
>   here: https://www.freeipa.org/page/HowTo/LDAP#system-accounts) can’t
>   read these users created by my “keycloak”. It can read all users created
>   by ipa user-add, but not those created by “binding”-user.
> - I can’t modify an attribute with ipa user-mod, even with my admin user!
>
> I am a bit lost here. Shouldn’t adding these privileges be enough to
> create users? And if the user is added to the admin group, shouldn’t
> users it creates via ldap (not ipa user-add) be modifiable by another
> admin user?
There isn't enough information to go on. Can you show us more details on
this Keycloak privilege and permissions and what these unmodifiable users
look like?

rob
-- 
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
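Rob's suggestion above is to read /var/log/dirsrv/slapd-REALM/access for the BIND and the ADD and see how each one failed. The awkward part of that log is that 389-ds writes the request (BIND, ADD, MOD, ...) and its RESULT on separate lines that share only the conn= and op= numbers, so the bound identity, the operation and the error code have to be joined before the log says who was refused what. The script below is an added example, not from this thread or from the FreeIPA project: it does that join over a constructed sample log (DNs, timestamps and connection numbers are invented, the suffix dc=example,dc=test is assumed) and reports every operation that ended with a non-zero LDAP result code, naming err=50 (insufficientAccessRights, the ACI case) and err=49 (invalidCredentials) explicitly.

```python
"""Correlate BIND and write operations in a 389-ds (dirsrv) access log.

Added example: joins request lines with their RESULT line by (conn, op)
so each failure can be attributed to the identity bound on that connection.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on /var/log/dirsrv/slapd-REALM/access.
# Connection numbers, DNs, addresses and timestamps are invented.
SAMPLE_ACCESS_LOG = """\
[15/Jul/2024:19:44:01.123456789 +0200] conn=7 fd=64 slot=64 connection from 192.0.2.10 to 192.0.2.5
[15/Jul/2024:19:44:01.124000000 +0200] conn=7 op=0 BIND dn="uid=biding,cn=users,cn=accounts,dc=example,dc=test" method=128 version=3
[15/Jul/2024:19:44:01.130000000 +0200] conn=7 op=0 RESULT err=0 tag=97 nentries=0 etime=0.006100000 dn="uid=biding,cn=users,cn=accounts,dc=example,dc=test"
[15/Jul/2024:19:44:01.200000000 +0200] conn=7 op=1 ADD dn="uid=newuser,cn=users,cn=accounts,dc=example,dc=test"
[15/Jul/2024:19:44:01.205000000 +0200] conn=7 op=1 RESULT err=50 tag=105 nentries=0 etime=0.005000000
[15/Jul/2024:19:44:01.300000000 +0200] conn=7 op=2 UNBIND
[15/Jul/2024:19:44:01.301000000 +0200] conn=7 op=2 fd=64 closed - U1
[15/Jul/2024:19:44:02.000000000 +0200] conn=8 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=example,dc=test" method=128 version=3
[15/Jul/2024:19:44:02.010000000 +0200] conn=8 op=0 RESULT err=0 tag=97 nentries=0 etime=0.010000000 dn="uid=admin,cn=users,cn=accounts,dc=example,dc=test"
[15/Jul/2024:19:44:02.100000000 +0200] conn=8 op=1 ADD dn="uid=newuser,cn=users,cn=accounts,dc=example,dc=test"
[15/Jul/2024:19:44:02.110000000 +0200] conn=8 op=1 RESULT err=0 tag=105 nentries=0 etime=0.010000000
[15/Jul/2024:19:44:03.000000000 +0200] conn=9 op=0 BIND dn="uid=sysacct,cn=sysaccounts,cn=etc,dc=example,dc=test" method=128 version=3
[15/Jul/2024:19:44:03.010000000 +0200] conn=9 op=0 RESULT err=49 tag=97 nentries=0 etime=0.010000000
"""

# Subset of LDAP result codes (RFC 4511, Appendix A) that matter here.
LDAP_RESULT_CODES = {
    0: "success",
    32: "noSuchObject",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
    68: "entryAlreadyExists",
}

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)$')
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)"')
WRITE_RE = re.compile(r'^(?P<kind>ADD|MOD|DEL|MODRDN) dn="(?P<dn>[^"]*)"')
SRCH_RE = re.compile(r'^SRCH base="(?P<dn>[^"]*)"')
RESULT_RE = re.compile(r'^RESULT err=(?P<err>\d+)')


def correlate(log_text: str) -> List[Dict[str, object]]:
    """Join request and RESULT lines by (conn, op); one record per completed op."""
    bound_as: Dict[str, str] = {}                         # conn -> DN currently bound
    pending: Dict[Tuple[str, str], Tuple[str, str]] = {}  # (conn, op) -> (kind, dn)
    records: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # connection open/close lines carry no op= number
        conn, op, rest = m.group("conn"), m.group("op"), m.group("rest")
        kind: Optional[str]
        for regex, kind in ((BIND_RE, "BIND"), (WRITE_RE, None), (SRCH_RE, "SRCH")):
            r = regex.match(rest)
            if r:
                pending[(conn, op)] = (kind or r.group("kind"), r.group("dn"))
                break
        else:
            r = RESULT_RE.match(rest)
            if r and (conn, op) in pending:
                kind, dn = pending.pop((conn, op))
                err = int(r.group("err"))
                if kind == "BIND":
                    # A failed bind leaves the connection anonymous (RFC 4511 4.2.1).
                    bound_as[conn] = dn if err == 0 else ""
                records.append({
                    "conn": conn, "op": op, "kind": kind, "target": dn,
                    "bound_as": bound_as.get(conn, ""),
                    "err": err, "name": LDAP_RESULT_CODES.get(err, "unknown"),
                })
    return records


def failures(log_text: str) -> List[Tuple[str, str, str, int, str]]:
    """(identity, operation, target DN, err, name) for every non-zero result.

    For a failed BIND the identity is the DN that tried to bind; for any
    other operation it is the DN bound on that connection at the time.
    """
    out = []
    for rec in correlate(log_text):
        if rec["err"] == 0:
            continue
        who = rec["target"] if rec["kind"] == "BIND" else rec["bound_as"]
        out.append((str(who), str(rec["kind"]), str(rec["target"]),
                    int(rec["err"]), str(rec["name"])))
    return out


if __name__ == "__main__":
    for who, kind, target, err, name in failures(SAMPLE_ACCESS_LOG):
        print(f"{who or '<anonymous>'} -> {kind} {target}: err={err} ({name})")
```

Run against the real log the same way (read the file instead of SAMPLE_ACCESS_LOG): an ADD from the biding bind that ends in err=50 is an ACI decision and points at the role's permissions, while err=49 on a BIND means the credentials never got that far. Nothing in the script is FreeIPA-specific beyond the path Rob names; the line shapes are the standard 389-ds access-log format.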
