Thanks a lot Florence. I will try that.
---
Francis Augusto Medeiros-Logeay
Oslo, Norway
On 2024-08-02 11:18, Florence Blanc-Renaud via FreeIPA-users wrote:
Hi,
On Fri, Jul 19, 2024 at 4:53 PM Francis Augusto Medeiros-Logeay via
FreeIPA-users <[email protected]> wrote:
On 18 Jul 2024, at 22:15, Rob Crittenden <[email protected]>
wrote:
Francis Augusto Medeiros-Logeay wrote:
I am a bit lost here. Shouldn't adding these privileges be enough to
create users? And if the user is added to the admin group, shouldn't
users it creates via ldap (not ipa user-add) be modifiable by
another
admin user?
There isn't enough information to go on. Can you show us more details
on
this Keycloak privilege and permissions and what these unmodifiable
users look like?
rob
Ok, here's a full report:
I created a user called "biding". I then created a role so that this
user could add other users and could be used on Keycloak for binding
and adding users.
I gave it the following default roles:
- User administration
- helpdesk
- Keycloak biding (sorry for the typo)
The last one is like this:
✘ ⚡ root@freeipa /home/francis ipa privilege-show
Privilege name: Keycloak admin
Privilege name: Keycloak admin
Permissions: System: Add Users, System: Change User password
Granting privilege to roles: Keycloak biding
⚡ root@freeipa /home/francis ipa role-show
Role name: Keycloak biding
Role name: Keycloak biding
Member users: biding
Privileges: User Administrators, Group Administrators, Stage User
Administrators, Stage User Provisioning,
Modify Users and Reset passwords, Modify Group membership, Keycloak
admin
I can't add a user with it on Keycloak. This is what I get on the logs:
{ "date": "[19\/Jul\/2024:14:31:59.636888234 +0200] ", "utc_time":
"1721392319.636888234", "event": "AUTHZ_ERROR", "dn":
"uid=biding,cn=users,cn=accounts,dc=ipa,dc=med-lo", "bind_method":
"SIMPLE", "root_dn": false, "client_ip": "10.10.210.152", "server_ip":
"10.10.40.20", "ldap_version": 3, "conn_id": 3722, "op_id": 1, "msg":
"target_dn=(uid=testing2,cn=users,cn=accounts,dc=ipa,dc=med-lo)" }
I then added "biding" to the "admins" group.
I could then create users on keycloak with it. This is what a user
looks like:
testing, users, accounts, ipa.med-lo
dn: uid=testing,cn=users,cn=accounts,dc=ipa,dc=med-lo
sn: TEst
givenName: Test
mail: [email protected]
cn: Test TEst
uid: testing
objectClass: top
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: postfixMailBox
objectClass: ipaobject
ipaUniqueID: b203edc0-45c9-11ef-bb0c-00505695d7f7
But, when searching for this user with my read-only system account, it
doesn't get it:
ldapsearch -b dc=ipa,dc=med-lo -D
uid=system,cn=sysaccounts,cn=etc,dc=ipa,dc=med-lo -W uid=testing
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=ipa,dc=med-lo> with scope subtree
# filter: uid=testing
# requesting: ALL
#
# search result
search: 2
result: 0 Success
# numResponses: 1
So I have two problems:
How to give "biding" permission to add and modify users without adding
it to the "admins" group, and how to make the users created by it
readable like a normal ipa-user?
IPA assumes that it manages posix users, i.e. users with posixaccount
objectclass. Most of the ACIs are written with this assumption
(targetfilter = "(objectclass=posixaccount)").
If you create your users with this objectclass I believe user
management will be easier and you can rely on the existing role "User
Administrator".
flo
I hope this makes the issue a bit clearer.
Best,
Francis
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to
[email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
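Florence's point about the ACI targetfilter, worked through as an added example (this is not code from the thread or from FreeIPA): the entry Keycloak wrote lacks the posixaccount objectclass, so it falls outside ACIs written with (targetfilter = "(objectclass=posixaccount)"); the helper below emulates that filter and completes the entry with the attributes posixAccount requires. The uidNumber/gidNumber values and the home directory base are assumptions; the mail address is a placeholder.

```python
# MUST attributes of posixAccount (RFC 2307); FreeIPA's user ACIs filter on this class.
POSIX_ACCOUNT_MUST = ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory")

def parse_ldif(text):
    """Parse one simple LDIF entry into {attr_lowercase: [values]} (no line folding/base64)."""
    entry = {}
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def matches_targetfilter(entry, objectclass="posixaccount"):
    """Emulate the ACI targetfilter (objectclass=<name>); objectClass values compare case-insensitively."""
    return objectclass.lower() in (v.lower() for v in entry.get("objectclass", []))

def missing_posix_attributes(entry):
    """List the posixAccount MUST attributes the entry does not carry."""
    return [a for a in POSIX_ACCOUNT_MUST if a.lower() not in entry]

def as_posix_user(entry, uid_number, gid_number, home_base="/home"):
    """Return a copy of the entry completed so that it satisfies posixAccount (values are assumptions)."""
    fixed = {k: list(v) for k, v in entry.items()}
    if not matches_targetfilter(fixed):
        fixed.setdefault("objectclass", []).append("posixAccount")
    fixed.setdefault("uidnumber", [str(uid_number)])
    fixed.setdefault("gidnumber", [str(gid_number)])
    fixed.setdefault("homedirectory", [f"{home_base}/{fixed['uid'][0]}"])
    return fixed

# Constructed sample mirroring the Keycloak-created entry in the thread (mail is a placeholder).
KEYCLOAK_ENTRY = """
dn: uid=testing,cn=users,cn=accounts,dc=ipa,dc=med-lo
sn: TEst
givenName: Test
mail: testing@example.invalid
cn: Test TEst
uid: testing
objectClass: top
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: postfixMailBox
objectClass: ipaobject
"""

if __name__ == "__main__":
    e = parse_ldif(KEYCLOAK_ENTRY)
    print("matches ACI filter:", matches_targetfilter(e), "missing:", missing_posix_attributes(e))
    print("after completion:", matches_targetfilter(as_posix_user(e, 10001, 10001)))
```

Feeding the completed entry to ldapadd (or creating the user with ipa user-add, which sets these objectclasses itself) keeps it inside the scope of the existing User Administrator role.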