> On 2 Aug 2024, at 13:18, Florence Blanc-Renaud via FreeIPA-users <[email protected]> wrote:
>
> Hi,
>
> On Fri, Jul 19, 2024 at 4:53 PM Francis Augusto Medeiros-Logeay via FreeIPA-users <[email protected] <mailto:[email protected]>> wrote:
>>
>> On 18 Jul 2024, at 22:15, Rob Crittenden <[email protected] <mailto:[email protected]>> wrote:
>>
>>> Francis Augusto Medeiros-Logeay wrote:
>>>
>>>> I am a bit lost here. Shouldn't adding these privileges be enough to
>>>> create users? And if the user is added to the admin group, shouldn't
>>>> users it creates via ldap (not ipa user-add) be modifiable by another
>>>> admin user?
>>>
>>> There isn't enough information to go on. Can you show us more details on
>>> this Keycloak privilege and permissions and what these unmodifiable
>>> users look like?
>>>
>>> rob
>>
>> Ok, here's a full report:
>>
>> I created a user called "biding". I then created a role so that this user
>> could add other users and could be used on Keycloak for binding and adding
>> users.
>>
>> I gave it the following default roles:
>>
>> - User administration
>> - helpdesk
>> - Keycloak biding (sorry for the typo)
>>
>> The last one is like this:
>>
>> ✘ ⚡ root@freeipa /home/francis ipa privilege-show
>> Privilege name: Keycloak admin
>>   Privilege name: Keycloak admin
>>   Permissions: System: Add Users, System: Change User password
>>   Granting privilege to roles: Keycloak biding
>> ⚡ root@freeipa /home/francis ipa role-show
>> Role name: Keycloak biding
>>   Role name: Keycloak biding
>>   Member users: biding
>>   Privileges: User Administrators, Group Administrators, Stage User
>>               Administrators, Stage User Provisioning,
>>               Modify Users and Reset passwords, Modify Group membership,
>>               Keycloak admin
>>
>> I can't add a user with it on Keycloak. This is what I get in the logs:
>>
>> { "date": "[19\/Jul\/2024:14:31:59.636888234 +0200] ", "utc_time":
>> "1721392319.636888234", "event": "AUTHZ_ERROR", "dn":
>> "uid=biding,cn=users,cn=accounts,dc=ipa,dc=med-lo", "bind_method": "SIMPLE",
>> "root_dn": false, "client_ip": "10.10.210.152", "server_ip": "10.10.40.20",
>> "ldap_version": 3, "conn_id": 3722, "op_id": 1, "msg":
>> "target_dn=(uid=testing2,cn=users,cn=accounts,dc=ipa,dc=med-lo)" }
>>
>> I then added "biding" to the "admins" group.
>>
>> I could then create users on Keycloak with it. This is what a user looks like:
>>
>> testing, users, accounts, ipa.med-lo
>> dn: uid=testing,cn=users,cn=accounts,dc=ipa,dc=med-lo
>> sn: TEst
>> givenName: Test
>> mail: [email protected] <mailto:[email protected]>
>> cn: Test TEst
>> uid: testing
>> objectClass: top
>> objectClass: inetOrgPerson
>> objectClass: organizationalPerson
>> objectClass: person
>> objectClass: postfixMailBox
>> objectClass: ipaobject
>> ipaUniqueID: b203edc0-45c9-11ef-bb0c-00505695d7f7
>>
>> But, when searching for this user with my read-only system account, it
>> doesn't get it:
>>
>> ldapsearch -b dc=ipa,dc=med-lo -D uid=system,cn=sysaccounts,cn=etc,dc=ipa,dc=med-lo -W uid=testing
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <dc=ipa,dc=med-lo> with scope subtree
>> # filter: uid=testing
>> # requesting: ALL
>> #
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 1
>>
>> So I have two problems:
>>
>> How to give "biding" permission to add and modify users without adding it to
>> the "admins" group, and how to make the users created by it readable like a
>> normal ipa-user?
>
> IPA assumes that it manages posix users, i.e. users with posixaccount
> objectclass. Most of the ACIs are written with this assumption (targetfilter
> = "(objectclass=posixaccount)").
> If you create your users with this objectclass I believe user management will
> be easier and you can rely on the existing role "User Administrator".
>
> flo
I tried that today. The problem is that if the user is created by Keycloak, then I need to send all the attributes a posixAccount requires, such as uidNumber and gidNumber. Keycloak can't create those by default, which makes it a bit harder to delegate user creation to Keycloak.

Any tips on a possible workaround?

Best,
Francis
-- 
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
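The following is an added example for this thread, not code from the list, from FreeIPA or from Keycloak. It takes the entry Francis posted (reconstructed here; the redacted mail attribute is left out), checks it the way a 389-ds ACI targetfilter `(objectclass=posixaccount)` would, reports which RFC 2307 posixAccount MUST attributes a delegated creator would still have to send, and emits an LDIF with those attributes filled in. The `/home` and `/bin/sh` defaults are my choices, and `DNA_MAGIC = 999` is an assumption about a default FreeIPA install's DNA plugin configuration that should be verified before it is relied on.

```python
"""Check a user entry against the posixaccount assumption FreeIPA's ACIs make
and build the attributes a delegated creator (e.g. Keycloak, or a script in
front of it) would have to supply.  Example code added to this thread; not
FreeIPA's or Keycloak's own code."""
from __future__ import annotations

import copy

# MUST attributes of RFC 2307 posixAccount.  cn and uid already exist on an
# inetOrgPerson entry, so a Keycloak-created entry is short of the last three.
POSIX_REQUIRED = ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory")

# Assumption: in a default FreeIPA install the DNA plugin replaces this magic
# value with an allocated ID.  Check your server first, e.g. the entry under
# cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config.
DNA_MAGIC = 999

# Constructed from the entry posted in the thread (mail attribute omitted,
# it was redacted on the page).
KEYCLOAK_ENTRY = {
    "dn": "uid=testing,cn=users,cn=accounts,dc=ipa,dc=med-lo",
    "objectClass": ["top", "inetOrgPerson", "organizationalPerson", "person",
                    "postfixMailBox", "ipaobject"],
    "uid": ["testing"],
    "cn": ["Test TEst"],
    "sn": ["TEst"],
    "givenName": ["Test"],
    "ipaUniqueID": ["b203edc0-45c9-11ef-bb0c-00505695d7f7"],
}


def has_objectclass(entry: dict, oc: str) -> bool:
    """Case-insensitive match, the way a targetfilter such as
    (objectclass=posixaccount) is evaluated against an entry."""
    return oc.lower() in (v.lower() for v in entry.get("objectClass", []))


def missing_posix_attrs(entry: dict) -> list[str]:
    """Attributes the entry still needs before it is a valid posixAccount."""
    return [a for a in POSIX_REQUIRED if not entry.get(a)]


def to_posix_account(entry: dict, uid_number: int = DNA_MAGIC,
                     gid_number: int = DNA_MAGIC, home_base: str = "/home",
                     login_shell: str = "/bin/sh") -> dict:
    """Return a copy of entry carrying posixAccount and its MUST attributes.

    The caller has to decide the numeric IDs; the defaults send the (assumed)
    DNA magic value so the server allocates them.  The input is not mutated.
    """
    uid = entry.get("uid")
    if not uid:
        raise ValueError("entry has no uid; cannot derive homeDirectory")
    new = copy.deepcopy(entry)
    if not has_objectclass(new, "posixAccount"):
        new.setdefault("objectClass", []).append("posixAccount")
    new.setdefault("uidNumber", [str(uid_number)])
    new.setdefault("gidNumber", [str(gid_number)])
    new.setdefault("homeDirectory", [f"{home_base}/{uid[0]}"])
    new.setdefault("loginShell", [login_shell])  # optional, but useful for SSSD
    return new


def to_ldif(entry: dict) -> str:
    """Serialise the entry for `ldapadd -f` (values assumed to be plain ASCII)."""
    lines = [f"dn: {entry['dn']}"]
    for attr, values in entry.items():
        if attr == "dn":
            continue
        lines.extend(f"{attr}: {v}" for v in values)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("posixAccount present:", has_objectclass(KEYCLOAK_ENTRY, "posixaccount"))
    print("missing MUST attributes:", missing_posix_attrs(KEYCLOAK_ENTRY))
    print(to_ldif(to_posix_account(KEYCLOAK_ENTRY, 1001, 1001)))
```

The script never talks to the directory. To test whether the existing role's ACIs now apply, feed the emitted LDIF to `ldapadd` bound as the delegated account (not as a member of admins) and then repeat the read-only `ldapsearch` from the thread; an entry that still lacks posixaccount will keep failing both checks exactly as the posted AUTHZ_ERROR and empty search result show.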
