Hi,

On Fri, Jul 19, 2024 at 4:53 PM Francis Augusto Medeiros-Logeay via FreeIPA-users <[email protected]> wrote:
> On 18 Jul 2024, at 22:15, Rob Crittenden <[email protected]> wrote:
> > Francis Augusto Medeiros-Logeay wrote:
> > >
> > > I am a bit lost here. Shouldn't adding these privileges be enough to
> > > create users? And if the user is added to the admin group, shouldn't
> > > users it creates via ldap (not ipa user-add) be modifiable by another
> > > admin user?
> >
> > There isn't enough information to go on. Can you show us more details on
> > this Keycloak privilege and permissions and what these unmodifiable
> > users look like?
> >
> > rob
>
> Ok, here's a full report:
>
> I created a user called "biding". I then created a role so that this user
> could add other users and could be used on Keycloak for binding and adding
> users.
>
> I gave it the following default roles:
>
> - User administration
> - helpdesk
> - Keycloak biding (sorry for the typo)
>
> The last one is like this:
>
> ✘ ⚡ root@freeipa /home/francis ipa privilege-show
> Privilege name: Keycloak admin
> Privilege name: Keycloak admin
> Permissions: System: Add Users, System: Change User password
> Granting privilege to roles: Keycloak biding
> ⚡ root@freeipa /home/francis ipa role-show
> Role name: Keycloak biding
> Role name: Keycloak biding
> Member users: biding
> Privileges: User Administrators, Group Administrators, Stage User
> Administrators, Stage User Provisioning,
> Modify Users and Reset passwords, Modify Group membership,
> Keycloak admin
>
> I can't add a user with it on Keycloak. This is what I get in the logs:
>
> { "date": "[19\/Jul\/2024:14:31:59.636888234 +0200] ", "utc_time":
> "1721392319.636888234", "event": "AUTHZ_ERROR", "dn":
> "uid=biding,cn=users,cn=accounts,dc=ipa,dc=med-lo", "bind_method":
> "SIMPLE", "root_dn": false, "client_ip": "10.10.210.152", "server_ip":
> "10.10.40.20", "ldap_version": 3, "conn_id": 3722, "op_id": 1, "msg":
> "target_dn=(uid=testing2,cn=users,cn=accounts,dc=ipa,dc=med-lo)" }
>
> I then added "biding" to the "admins" group.
>
> I could then create users on Keycloak with it. This is what a user looks
> like:
>
> testing, users, accounts, ipa.med-lo
> dn: uid=testing,cn=users,cn=accounts,dc=ipa,dc=med-lo
> sn: TEst
> givenName: Test
> mail: [email protected]
> cn: Test TEst
> uid: testing
> objectClass: top
> objectClass: inetOrgPerson
> objectClass: organizationalPerson
> objectClass: person
> objectClass: postfixMailBox
> objectClass: ipaobject
> ipaUniqueID: b203edc0-45c9-11ef-bb0c-00505695d7f7
>
> But, when searching for this user with my read-only system account, it
> doesn't get it:
>
> ldapsearch -b dc=ipa,dc=med-lo -D
> uid=system,cn=sysaccounts,cn=etc,dc=ipa,dc=med-lo -W uid=testing
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <dc=ipa,dc=med-lo> with scope subtree
> # filter: uid=testing
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 1
>
> So I have two problems:
>
> How to give "biding" permission to add and modify users without adding it
> to the "admins" group, and how to make the users created by it readable
> like a normal ipa-user?

IPA assumes that it manages posix users, i.e. users with posixaccount objectclass. Most of the ACIs are written with this assumption (targetfilter = "(objectclass=posixaccount)"). If you create your users with this objectclass I believe user management will be easier and you can rely on the existing role "User Administrator".

flo

> I hope this makes the issue a bit clearer.
>
> Best,
>
> Francis
> --
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
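An added illustration of flo's point, not taken from the thread: the entry Keycloak produced, next to the same user written with posixAccount and the attributes that objectclass requires, so that ACIs with targetfilter "(objectclass=posixaccount)" match it. The numeric IDs, home directory and shell are constructed values; the remark about the DNA magic value describes a default IPA install and should be checked against your own dnaMagicRegen setting.

```ldif
# Entry as Keycloak created it (from the thread). Without posixAccount the
# ACIs filtered on (objectclass=posixaccount) never apply, which is why the
# read-only system account cannot see it.
dn: uid=testing,cn=users,cn=accounts,dc=ipa,dc=med-lo
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: postfixMailBox
objectClass: ipaobject
uid: testing
cn: Test TEst
sn: TEst
givenName: Test
mail: [email protected]

# Same user with posixAccount added. posixAccount (RFC 2307) requires cn,
# uid, uidNumber, gidNumber and homeDirectory; loginShell and gecos are
# optional. ipaUniqueID is omitted because IPA generates it on add, as it
# did for the entry above. The ID numbers here are constructed; on a
# default IPA install the DNA plugin replaces the magic value -1 with the
# next free ID, so "uidNumber: -1" and "gidNumber: -1" are an alternative.
dn: uid=testing,cn=users,cn=accounts,dc=ipa,dc=med-lo
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: postfixMailBox
objectClass: ipaobject
uid: testing
cn: Test TEst
sn: TEst
givenName: Test
mail: [email protected]
uidNumber: 1234500001
gidNumber: 1234500001
homeDirectory: /home/testing
loginShell: /bin/sh
```

On the Keycloak side this corresponds to adding posixAccount to the LDAP federation provider's User Object Classes and mapping the required attributes (uidNumber, gidNumber, homeDirectory) onto new users. After the change, rerunning the thread's ldapsearch as the system account is the quickest check that the entry is now visible through the existing ACIs.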
