I was almost giving up on this, but hey, maybe someone has a clue on how to do it?

In order to use some of the RBAC ACLs, Florence suggested a while ago that I use objectclass=posixaccount on my users created on Keycloak. The problem is that doing so, I have to provide some attributes such as UID/GID when creating the user. Is there a way around this, like for example having FreeIPA automatically assign those? My whole problem is that I want to have a binding user that can add users, and it seems that that granularity doesn't work so well unless the user is an ipauser and a posixaccount.

Best,
Francis

> On 28 Aug 2024, at 22:21, Francis Augusto Medeiros-Logeay via FreeIPA-users <[email protected]> wrote:
>
>> On 2 Aug 2024, at 13:18, Florence Blanc-Renaud via FreeIPA-users <[email protected]> wrote:
>>
>> Hi,
>>
>> On Fri, Jul 19, 2024 at 4:53 PM Francis Augusto Medeiros-Logeay via FreeIPA-users <[email protected]> wrote:
>>>
>>> >> On 18 Jul 2024, at 22:15, Rob Crittenden <[email protected]> wrote:
>>> >>
>>> >> Francis Augusto Medeiros-Logeay wrote:
>>> >>
>>> >> I am a bit lost here. Shouldn't adding these privileges be enough to create users? And if the user is added to the admin group, shouldn't users it creates via ldap (not ipa user-add) be modifiable by another admin user?
>>> >
>>> > There isn't enough information to go on. Can you show us more details on this Keycloak privilege and permissions and what these unmodifiable users look like?
>>> >
>>> > rob
>>>
>>> Ok, here's a full report:
>>>
>>> I created a user called "biding". I then created a role so that this user could add other users and could be used on Keycloak for binding and adding users.
>>>
>>> I gave it the following default roles:
>>>
>>> - User administration
>>> - helpdesk
>>> - Keycloak biding (sorry for the typo)
>>>
>>> The last one is like this:
>>>
>>> ✘ ⚡ root@freeipa /home/francis ipa privilege-show
>>> Privilege name: Keycloak admin
>>> Privilege name: Keycloak admin
>>> Permissions: System: Add Users, System: Change User password
>>> Granting privilege to roles: Keycloak biding
>>> ⚡ root@freeipa /home/francis ipa role-show
>>> Role name: Keycloak biding
>>> Role name: Keycloak biding
>>> Member users: biding
>>> Privileges: User Administrators, Group Administrators, Stage User Administrators, Stage User Provisioning, Modify Users and Reset passwords, Modify Group membership, Keycloak admin
>>>
>>> I can't add a user with it on Keycloak. This is what I get on the logs:
>>>
>>> { "date": "[19\/Jul\/2024:14:31:59.636888234 +0200] ", "utc_time": "1721392319.636888234", "event": "AUTHZ_ERROR", "dn": "uid=biding,cn=users,cn=accounts,dc=ipa,dc=med-lo", "bind_method": "SIMPLE", "root_dn": false, "client_ip": "10.10.210.152", "server_ip": "10.10.40.20", "ldap_version": 3, "conn_id": 3722, "op_id": 1, "msg": "target_dn=(uid=testing2,cn=users,cn=accounts,dc=ipa,dc=med-lo)" }
>>>
>>> I then added "biding" to the "admins" group.
>>>
>>> I could then create users on Keycloak with it. This is what a user looks like:
>>>
>>> testing, users, accounts, ipa.med-lo
>>> dn: uid=testing,cn=users,cn=accounts,dc=ipa,dc=med-lo
>>> sn: TEst
>>> givenName: Test
>>> mail: [email protected]
>>> cn: Test TEst
>>> uid: testing
>>> objectClass: top
>>> objectClass: inetOrgPerson
>>> objectClass: organizationalPerson
>>> objectClass: person
>>> objectClass: postfixMailBox
>>> objectClass: ipaobject
>>> ipaUniqueID: b203edc0-45c9-11ef-bb0c-00505695d7f7
>>>
>>> But, when searching for this user with my read-only system account, it doesn't get it:
>>>
>>> ldapsearch -b dc=ipa,dc=med-lo -D uid=system,cn=sysaccounts,cn=etc,dc=ipa,dc=med-lo -W uid=testing
>>> Enter LDAP Password:
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <dc=ipa,dc=med-lo> with scope subtree
>>> # filter: uid=testing
>>> # requesting: ALL
>>> #
>>>
>>> # search result
>>> search: 2
>>> result: 0 Success
>>>
>>> # numResponses: 1
>>>
>>> So I have two problems:
>>>
>>> How to give "biding" permission to add and modify users without adding it to the "admins" group, and how to make the users created by it readable like a normal ipa-user?
>>
>> IPA assumes that it manages posix users, i.e. users with posixaccount objectclass. Most of the ACIs are written with this assumption (targetfilter = "(objectclass=posixaccount)").
>> If you create your users with this objectclass I believe user management will be easier and you can rely on the existing role "User Administrator".
>>
>> flo
>
> I tried that today. The problem is that if the user is created by Keycloak, then I need to send all the attributes a posixAccount requires, such as uidNumber and gidNumber. Keycloak can't create those by default, which makes it a bit harder to delegate user creation to Keycloak.
>
> Any tips on a possible workaround?
>
> Best,
> Francis
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
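The thread turns on two artefacts: the JSON AUTHZ_ERROR event the directory server logged when the bind user lacked an ACI granting the add, and the user entry Keycloak created without the posixaccount objectclass that IPA's ACIs (targetfilter "(objectclass=posixaccount)") key on. The following script is an added diagnostic, not code from this thread nor from the FreeIPA or Keycloak projects: it parses a 389-ds style JSON access-log line to pull out the bind DN and target DN, and it checks an LDIF entry against the objectclass and the posixAccount attributes that RFC 2307 makes mandatory (cn, uid, uidNumber, gidNumber, homeDirectory), so an operator can see before delegating user creation which attributes the provisioning side would have to supply. The sample entry and log line are copied from the thread; the function names and the assumption that the log is one JSON object per line are mine.

```python
"""Pre-flight check for delegated LDAP user creation against FreeIPA (added example)."""
import json
import re

# Attributes RFC 2307 lists as MUST for posixAccount.  cn and uid are usually
# already present from inetOrgPerson; uidNumber, gidNumber and homeDirectory
# are the ones a provisioning system such as Keycloak would have to supply.
POSIX_ACCOUNT_MUST = ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory")

# The objectclass IPA's user ACIs target (targetfilter in Florence's reply).
ACI_TARGET_OBJECTCLASS = "posixaccount"


def parse_ldif_entry(text):
    """Parse one simple LDIF entry (no continuation lines, no base64 values)
    into {attribute (lower-cased): [values]}.  Lines without a colon, such as
    the browser header line 'testing, users, accounts, ...', are skipped."""
    entry = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def posix_gap(entry):
    """Explain why posixaccount-targeted ACIs would not match this entry:
    is the objectclass present, and which mandatory attributes are missing."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    missing = [a for a in POSIX_ACCOUNT_MUST if a.lower() not in entry]
    return {
        "dn": entry.get("dn", [""])[0],
        "has_posixaccount": ACI_TARGET_OBJECTCLASS in classes,
        "missing_attributes": missing,
    }


# The msg field carries the target as "target_dn=(<dn>)" in the quoted event.
AUTHZ_TARGET_RE = re.compile(r"target_dn=\((?P<dn>[^)]+)\)")


def parse_authz_error(line):
    """Return bind DN, client and target DN for a JSON AUTHZ_ERROR event,
    or None for non-JSON input or any other event type."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None
    if event.get("event") != "AUTHZ_ERROR":
        return None
    m = AUTHZ_TARGET_RE.search(event.get("msg", ""))
    return {
        "bind_dn": event.get("dn"),
        "bind_method": event.get("bind_method"),
        "client_ip": event.get("client_ip"),
        "target_dn": m.group("dn") if m else None,
    }


# Sample input copied from the thread (entry created through Keycloak).
SAMPLE_ENTRY = """\
testing, users, accounts, ipa.med-lo
dn: uid=testing,cn=users,cn=accounts,dc=ipa,dc=med-lo
sn: TEst
givenName: Test
mail: [email protected]
cn: Test TEst
uid: testing
objectClass: top
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: postfixMailBox
objectClass: ipaobject
ipaUniqueID: b203edc0-45c9-11ef-bb0c-00505695d7f7
"""

# Sample access-log event copied from the thread (one JSON object per line).
SAMPLE_LOG = r'''{ "date": "[19\/Jul\/2024:14:31:59.636888234 +0200] ", "utc_time": "1721392319.636888234", "event": "AUTHZ_ERROR", "dn": "uid=biding,cn=users,cn=accounts,dc=ipa,dc=med-lo", "bind_method": "SIMPLE", "root_dn": false, "client_ip": "10.10.210.152", "server_ip": "10.10.40.20", "ldap_version": 3, "conn_id": 3722, "op_id": 1, "msg": "target_dn=(uid=testing2,cn=users,cn=accounts,dc=ipa,dc=med-lo)" }'''


if __name__ == "__main__":
    print("ACI gap:", posix_gap(parse_ldif_entry(SAMPLE_ENTRY)))
    print("AUTHZ_ERROR:", parse_authz_error(SAMPLE_LOG))
```

Run against the thread's own entry it reports has_posixaccount False and uidNumber, gidNumber and homeDirectory missing, which is exactly the set Keycloak's LDAP mapper would have to populate for the "User Administrator" role's ACIs to apply; the log parser is useful for alerting on repeated AUTHZ_ERROR events from a service bind DN, since those indicate a delegation that is either misconfigured or being exceeded.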
