Hi, On Tue, Oct 8, 2024 at 12:25 PM Francis Augusto Medeiros-Logeay via FreeIPA-users <[email protected]> wrote:
> I was almost giving up on this, but hey, maybe someone have a clue on how > to do it? > > I order to use some of the RBAC ACL’s, Florence suggested a while ago that > I use objectclass=posixaccount on my users created on keycloak. > > The problem is that doing so, I have to provide some attributes such as > UID/GID when creating the user. > If I recall correctly, if you provide uidnumber = -1 / gidnumber = -1, the LDAP server automatically assigns a free value. flo > Is there a way around this, like f ex having freeipa to automatically > assign those? > > My whole problem is that I want to have a binding user that can add users, > and it seems that that granularity doesn’t work so well unless the user is > an ipauser and a posixaccount. > > > Best, > > Francis > > On 28 Aug 2024, at 22:21, Francis Augusto Medeiros-Logeay via > FreeIPA-users <[email protected]> wrote: > > > > On 2 Aug 2024, at 13:18, Florence Blanc-Renaud via FreeIPA-users < > [email protected]> wrote: > > Hi, > > On Fri, Jul 19, 2024 at 4:53 PM Francis Augusto Medeiros-Logeay via > FreeIPA-users <[email protected]> wrote: > >> >> >> >> On 18 Jul 2024, at 22:15, Rob Crittenden <[email protected]> wrote: >> >> >> >> Francis Augusto Medeiros-Logeay wrote: >> >> >> >> >> >> >> >> I am a bit lost here. Shouldn’t adding these privileges be enough to >> >> create users? And if the user is added to the admin group, shouldn’t >> >> users it creates via ldap (not ipa user-add) be modifiable by another >> >> admin user? >> > >> > There isn't enough information to go on. Can you show us more details on >> > this Keycloak privilege and permissions and what these unmodifiable >> > users look like? >> > >> > rob >> > >> >> >> Ok, here’s a full report: >> >> I created a user called “biding”. I then created a role so that this user >> could add other users and could be used on Keycloak for binding and adding >> users. >> >> I gave it the following default roles: >> >> - User administration >> - helpdesk >> - Keycloak biding (sorry for the typo) >> >> The last one is like this: >> >> ✘ ⚡ root@freeipa /home/francis ipa privilege-show >> Privilege name: Keycloak admin >> Privilege name: Keycloak admin >> Permissions: System: Add Users, System: Change User password >> Granting privilege to roles: Keycloak biding >> ⚡ root@freeipa /home/francis ipa role-show >> Role name: Keycloak biding >> Role name: Keycloak biding >> Member users: biding >> Privileges: User Administrators, Group Administrators, Stage User >> Administrators, Stage User Provisioning, >> Modify Users and Reset passwords, Modify Group membership, >> Keycloak admin >> >> >> I can’t add a user with it on Keyclok. This is what I get on the logs: >> >> { "date": "[19\/Jul\/2024:14:31:59.636888234 +0200] ", "utc_time": >> "1721392319.636888234", "event": "AUTHZ_ERROR", "dn": >> "uid=biding,cn=users,cn=accounts,dc=ipa,dc=med-lo", "bind_method": >> "SIMPLE", "root_dn": false, "client_ip": "10.10.210.152", "server_ip": >> "10.10.40.20", "ldap_version": 3, "conn_id": 3722, "op_id": 1, "msg": >> "target_dn=(uid=testing2,cn=users,cn=accounts,dc=ipa,dc=med-lo)” } >> >> I then added “biding” to the “admins” group. >> >> I could then create users on keycloak with it. This is how a user looks >> like: >> >> testing, users, accounts, ipa.med-lo >> dn: uid=testing,cn=users,cn=accounts,dc=ipa,dc=med-lo >> sn: TEst >> givenName: Test >> mail: [email protected] >> cn: Test TEst >> uid: testing >> objectClass: top >> objectClass: inetOrgPerson >> objectClass: organizationalPerson >> objectClass: person >> objectClass: postfixMailBox >> objectClass: ipaobject >> ipaUniqueID: b203edc0-45c9-11ef-bb0c-00505695d7f7 >> >> But, when searching for this user with my read-only system account, it >> doesn’t get it: >> >> ldapsearch -b dc=ipa,dc=med-lo -D >> uid=system,cn=sysaccounts,cn=etc,dc=ipa,dc=med-lo -W uid=testing >> Enter LDAP Password: >> # extended LDIF >> # >> # LDAPv3 >> # base <dc=ipa,dc=med-lo> with scope subtree >> # filter: uid=testing >> # requesting: ALL >> # >> >> # search result >> search: 2 >> result: 0 Success >> >> # numResponses: 1 >> >> So I have two problems: >> >> How to give “biding” permission to add and modify users without adding it >> to the “admins” group, and how to make the users created by it readable >> like a normal ipa-user? >> > IPA assumes that it manages posix users, i.e. users with posixaccount > objectclass. Most of the ACIs are written with this assumption (targetfilter > = "(objectclass=posixaccount)"). > If you create your users with this objectclass I believe user management > will be easier and you can rely on the existing role "User Administrator". > > flo > >> >> > I tried that today. The problem is that if the user is created by > Keycloak, than I need to send all the attributes a posixAccount requires, > such as uidNumber and gidNumber. Keycloak can’t create those by default, > which makes it a bit harder to delegate user creation to Keycloak. > > Any tips on a possible workaround? > > Best, > Francis > > -- > _______________________________________________ > FreeIPA-users mailing list -- [email protected] > To unsubscribe send an email to [email protected] > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/[email protected] > Do not reply to spam, report it: > https://pagure.io/fedora-infrastructure/new_issue > > > -- > _______________________________________________ > FreeIPA-users mailing list -- [email protected] > To unsubscribe send an email to [email protected] > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/[email protected] > Do not reply to spam, report it: > https://pagure.io/fedora-infrastructure/new_issue >
-- _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
