I was almost giving up on this, but hey, maybe someone have a clue on how to do 
it? 

I order to use some of the RBAC ACL’s, Florence suggested a while ago that I 
use objectclass=posixaccount on my users created on keycloak.

The problem is that doing so, I have to provide some attributes such as UID/GID 
when creating the user.

Is there a way around this, like f ex having freeipa to automatically assign 
those? 

My whole problem is that I want to have a binding user that can add users, and 
it seems that that granularity doesn’t work so well unless the user is an 
ipauser and a posixaccount.


Best,

Francis
> On 28 Aug 2024, at 22:21, Francis Augusto Medeiros-Logeay via FreeIPA-users 
> <[email protected]> wrote:
> 
> 
> 
>> On 2 Aug 2024, at 13:18, Florence Blanc-Renaud via FreeIPA-users 
>> <[email protected]> wrote:
>> 
>> Hi,
>> 
>> On Fri, Jul 19, 2024 at 4:53 PM Francis Augusto Medeiros-Logeay via 
>> FreeIPA-users <[email protected] 
>> <mailto:[email protected]>> wrote:
>>> 
>>> 
>>> >> On 18 Jul 2024, at 22:15, Rob Crittenden <[email protected] 
>>> >> <mailto:[email protected]>> wrote:
>>> >> 
>>> >> Francis Augusto Medeiros-Logeay wrote:
>>> >> 
>>> >> 
>>> >> 
>>> >> I am a bit lost here. Shouldn’t adding these privileges be enough to
>>> >> create users? And if the user is added to the admin group, shouldn’t
>>> >> users it creates via ldap (not ipa user-add) be modifiable by another
>>> >> admin user? 
>>> > 
>>> > There isn't enough information to go on. Can you show us more details on
>>> > this Keycloak privilege and permissions and what these unmodifiable
>>> > users look like?
>>> > 
>>> > rob
>>> > 
>>> 
>>> 
>>> Ok, here’s a full report:
>>> 
>>> I created a user called “biding”. I then created a role so that this user 
>>> could add other users and could be used on Keycloak for binding and adding 
>>> users.
>>> 
>>> I gave it the following default roles: 
>>> 
>>> - User administration
>>> - helpdesk
>>> - Keycloak biding (sorry for the typo)
>>> 
>>> The last one is like this: 
>>> 
>>> ✘ ⚡ root@freeipa  /home/francis  ipa privilege-show
>>> Privilege name: Keycloak admin
>>>  Privilege name: Keycloak admin
>>>  Permissions: System: Add Users, System: Change User password
>>>  Granting privilege to roles: Keycloak biding
>>> ⚡ root@freeipa  /home/francis  ipa role-show
>>> Role name: Keycloak biding
>>>  Role name: Keycloak biding
>>>  Member users: biding
>>>  Privileges: User Administrators, Group Administrators, Stage User 
>>> Administrators, Stage User Provisioning,
>>>              Modify Users and Reset passwords, Modify Group membership, 
>>> Keycloak admin
>>> 
>>> 
>>> I can’t add a user with it on Keyclok. This is what I get on the logs:
>>> 
>>> { "date": "[19\/Jul\/2024:14:31:59.636888234 +0200] ", "utc_time": 
>>> "1721392319.636888234", "event": "AUTHZ_ERROR", "dn": 
>>> "uid=biding,cn=users,cn=accounts,dc=ipa,dc=med-lo", "bind_method": 
>>> "SIMPLE", "root_dn": false, "client_ip": "10.10.210.152", "server_ip": 
>>> "10.10.40.20", "ldap_version": 3, "conn_id": 3722, "op_id": 1, "msg": 
>>> "target_dn=(uid=testing2,cn=users,cn=accounts,dc=ipa,dc=med-lo)” }
>>> 
>>> I then added “biding” to the “admins” group.
>>> 
>>> I could then create users on keycloak with it. This is how a user looks 
>>> like:
>>> 
>>> testing, users, accounts, ipa.med-lo
>>> dn: uid=testing,cn=users,cn=accounts,dc=ipa,dc=med-lo
>>> sn: TEst
>>> givenName: Test
>>> mail: [email protected] <mailto:[email protected]>
>>> cn: Test TEst
>>> uid: testing
>>> objectClass: top
>>> objectClass: inetOrgPerson
>>> objectClass: organizationalPerson
>>> objectClass: person
>>> objectClass: postfixMailBox
>>> objectClass: ipaobject
>>> ipaUniqueID: b203edc0-45c9-11ef-bb0c-00505695d7f7
>>> 
>>> But, when searching for this user with my read-only system account, it 
>>> doesn’t get it: 
>>> 
>>> ldapsearch -b dc=ipa,dc=med-lo -D 
>>> uid=system,cn=sysaccounts,cn=etc,dc=ipa,dc=med-lo -W uid=testing
>>> Enter LDAP Password:
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <dc=ipa,dc=med-lo> with scope subtree
>>> # filter: uid=testing
>>> # requesting: ALL
>>> #
>>> 
>>> # search result
>>> search: 2
>>> result: 0 Success
>>> 
>>> # numResponses: 1
>>> 
>>> So I have two problems:
>>> 
>>> How to give “biding” permission to add and modify users without adding it 
>>> to the “admins” group, and how to make the users created by it readable 
>>> like a normal ipa-user?
>> IPA assumes that it manages posix users, i.e. users with posixaccount 
>> objectclass. Most of the ACIs are written with this assumption (targetfilter 
>> = "(objectclass=posixaccount)").
>> If you create your users with this objectclass I believe user management 
>> will be easier and you can rely on the existing role "User Administrator".
>> 
>> flo
>>> 
> 
> I tried that today. The problem is that if the user is created by Keycloak, 
> than I need to send all the attributes a posixAccount requires, such as 
> uidNumber and gidNumber. Keycloak can’t create those by default, which makes 
> it a bit harder to delegate user creation to Keycloak.
> 
> Any tips on a possible workaround?
> 
> Best,
> Francis
> 
> -- 
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it: 
> https://pagure.io/fedora-infrastructure/new_issue

-- 
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
  • [Freeipa-users] How does... Francis Augusto Medeiros-Logeay via FreeIPA-users
    • [Freeipa-users] Re:... Rob Crittenden via FreeIPA-users
      • [Freeipa-users]... Francis Augusto Medeiros-Logeay via FreeIPA-users
        • [Freeipa-us... Rob Crittenden via FreeIPA-users
          • [Freeip... Francis Augusto Medeiros-Logeay via FreeIPA-users
            • [F... Florence Blanc-Renaud via FreeIPA-users
              • ... Francis Augusto Medeiros-Logeay via FreeIPA-users
              • ... Francis Augusto Medeiros-Logeay via FreeIPA-users
                • ... Francis Augusto Medeiros-Logeay via FreeIPA-users
                • ... Florence Blanc-Renaud via FreeIPA-users

Reply via email to