
I have the following setup:

  • FreeIPA 4.8.7 via docker (freeipa/freeipa-server:centos-8)
  • Keycloak 12.0.1
  • The FreeIPA users are in cn=users,cn=accounts,dc=freeipa,dc=example,dc=com
  • Keycloak DN: krbprincipalname=ldap/keycloak.example.com@FREEIPA.EXAMPLE.COM,cn=services,cn=accounts,dc=freeipa,dc=example,dc=com

I created a host account for keycloak via this script: https://gitlab.lindenaar.net/scripts/freeipa/tree/master#freeipa-service-passwordsh and was able to successfully pull the users from FreeIPA into keycloak.

In the FreeIPA web UI I added the "User Administrator" role to the keycloak host.

Now when I try to add a user in keycloak however I get the following error:

LDAP: error code 50 - Insufficient 'add' privilege to add the entry 'uid=newuser,cn=users,cn=accounts,dc=freeipa,dc=example,dc=com'.
]; remaining name 'uid=newuser,cn=users,cn=accounts,dc=freeipa,dc=example,dc=com'

If I do docker exec -it freeipa-server-container ipa host-show --all --raw keycloak.example.com I get:

dn: fqdn=keycloak.example.com,cn=computers,cn=accounts,dc=freeipa,dc=example,dc=com
  fqdn: keycloak.example.com
  krbcanonicalname: host/keycloak.example.com@FREEIPA.EXAMPLE.COM
  krbprincipalname: host/keycloak.example.com@FREEIPA.EXAMPLE.COM
  krbprincipalname: keycloak@FREEIPA.EXAMPLE.COM
  has_password: FALSE
  has_keytab: FALSE
  managedby: fqdn=keycloak.example.com,cn=computers,cn=accounts,dc=freeipa,dc=example,dc=com
  cn: keycloak.example.com
  ipaUniqueID: 6dc12944-51b6-11eb-b243-0242ac110002
  krbPwdPolicyReference: cn=Default Host Password Policy,cn=computers,cn=accounts,dc=freeipa,dc=example,dc=com
  krbTicketFlags: 3145856
  managing: fqdn=keycloak.example.com,cn=computers,cn=accounts,dc=freeipa,dc=example,dc=com
  memberof: cn=User Administrator,cn=roles,cn=accounts,dc=freeipa,dc=example,dc=com
  memberofindirect: cn=Stage User Administrators,cn=privileges,cn=pbac,dc=freeipa,dc=example,dc=com
  memberofindirect: cn=System: Modify Users,cn=permissions,cn=pbac,dc=freeipa,dc=example,dc=com
  memberofindirect: cn=System: Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=freeipa,dc=example,dc=com
  memberofindirect: cn=System: Read UPG Definition,cn=permissions,cn=pbac,dc=freeipa,dc=example,dc=com
  memberofindirect: cn=System: Modify Groups,cn=permissions,cn=pbac,dc=freeipa,dc=example,dc=com
  memberofindirect: cn=System: Add Users,cn=permissions,cn=pbac,dc=freeipa,dc=example,dc=com
  memberofindirect: cn=System: Undelete User,cn=permissions,cn=pbac,dc=freeipa,dc=example,dc=com
  memberofindirect: cn=System: Preserve User,cn=permissions,cn=pbac,dc=freeipa,dc=example,dc=com
  memberofindirect: cn=System: Modify Stage User,cn=permissions,cn=pbac,dc=freeipa,dc=example,dc=com
  memberofindirect: cn=System: Add Groups,cn=permissions,cn=pbac,dc=freeipa,dc=example,dc=com
  memberofindirect: cn=System: Read Stage User password,cn=permissions,cn=pbac,dc=freeipa,dc=example,dc=com
  memberofindirect: cn=System: Remove Users,cn=permissions,cn=pbac,dc=freeipa,dc=example,dc=com
  memberofindirect: cn=System: Remove Stage User,cn=permissions,cn=pbac,dc=freeipa,dc=example,dc=com
  memberofindirect: cn=System: Add User to default group,cn=permissions,cn=pbac,dc=freeipa,dc=example,dc=com
  memberofindirect: cn=System: Modify User RDN,cn=permissions,cn=pbac,dc=freeipa,dc=example,dc=com
  memberofindirect: cn=System: Read Stage Users,cn=permissions,cn=pbac,dc=freeipa,dc=example,dc=com
  memberofindirect: cn=System: Manage User Certificates,cn=permissions,cn=pbac,dc=freeipa,dc=example,dc=com
  memberofindirect: cn=System: Remove Groups,cn=permissions,cn=pbac,dc=freeipa,dc=example,dc=com
  memberofindirect: cn=System: Manage User Principals,cn=permissions,cn=pbac,dc=freeipa,dc=example,dc=com
  memberofindirect: cn=System: Read Radius Servers,cn=permissions,cn=pbac,dc=freeipa,dc=example,dc=com
  memberofindirect: cn=System: Read Preserved Users,cn=permissions,cn=pbac,dc=freeipa,dc=example,dc=com
  memberofindirect: cn=System: Read User Kerberos Login Attributes,cn=permissions,cn=pbac,dc=freeipa,dc=example,dc=com
  memberofindirect: cn=System: Modify Preserved Users,cn=permissions,cn=pbac,dc=freeipa,dc=example,dc=com
  memberofindirect: cn=System: Reset Preserved User password,cn=permissions,cn=pbac,dc=freeipa,dc=example,dc=com
  memberofindirect: cn=Group Administrators,cn=privileges,cn=pbac,dc=freeipa,dc=example,dc=com
  memberofindirect: cn=System: Modify Group Membership,cn=permissions,cn=pbac,dc=freeipa,dc=example,dc=com
  memberofindirect: cn=System: Add Stage User,cn=permissions,cn=pbac,dc=freeipa,dc=example,dc=com
  memberofindirect: cn=System: Modify External Group Membership,cn=permissions,cn=pbac,dc=freeipa,dc=example,dc=com
  memberofindirect: cn=System: Unlock User,cn=permissions,cn=pbac,dc=freeipa,dc=example,dc=com
  memberofindirect: cn=System: Remove preserved User,cn=permissions,cn=pbac,dc=freeipa,dc=example,dc=com
  memberofindirect: cn=System: Change User password,cn=permissions,cn=pbac,dc=freeipa,dc=example,dc=com
  memberofindirect: cn=User Administrators,cn=privileges,cn=pbac,dc=freeipa,dc=example,dc=com
  objectClass: ipaobject
  objectClass: nshost
  objectClass: ipahost
  objectClass: pkiuser
  objectClass: ipaservice
  objectClass: krbprincipalaux
  objectClass: krbprincipal
  objectClass: ieee802device
  objectClass: ipasshhost
  objectClass: top
  objectClass: ipaSshGroupOfPubKeys
  objectClass: krbticketpolicyaux
  serverHostName: keycloak

What am I missing? I see there is a cn=pbac in that list but I don't know where that comes from and what it means. Is that why the permissions are not taking?

sschueller
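A check worth running on the output above, as an added example that is not part of the question and not FreeIPA's own tooling: FreeIPA grants a role to the entry that is listed as its member, and the `--raw` dump shows the role on the host entry under `cn=computers`, while the DN Keycloak binds with is a service entry under `cn=services`. The `cn=pbac` container is where FreeIPA keeps its privilege and permission entries (policy-based access control); roles live under `cn=roles,cn=accounts`. The script below parses a `--raw` entry, groups its direct and indirect memberships into roles, privileges and permissions, and reports whether the DN used for binding is actually the entry that carries a given permission. The sample text and the `KEYCLOAK_BIND_DN` constant are constructed from the values quoted in the question.

```python
"""Check whether the LDAP entry an application binds as is the entry that
holds a FreeIPA permission, using `ipa ... --all --raw` output as input."""

import re

# Constructed sample: an abbreviated copy of the `ipa host-show --all --raw`
# output quoted in the question (only the attributes needed here are kept).
SAMPLE_HOST_SHOW = """\
dn: fqdn=keycloak.example.com,cn=computers,cn=accounts,dc=freeipa,dc=example,dc=com
  fqdn: keycloak.example.com
  krbprincipalname: host/keycloak.example.com@FREEIPA.EXAMPLE.COM
  krbprincipalname: keycloak@FREEIPA.EXAMPLE.COM
  memberof: cn=User Administrator,cn=roles,cn=accounts,dc=freeipa,dc=example,dc=com
  memberofindirect: cn=User Administrators,cn=privileges,cn=pbac,dc=freeipa,dc=example,dc=com
  memberofindirect: cn=System: Add Users,cn=permissions,cn=pbac,dc=freeipa,dc=example,dc=com
  memberofindirect: cn=System: Modify Users,cn=permissions,cn=pbac,dc=freeipa,dc=example,dc=com
  objectClass: ipahost
"""

# The DN Keycloak binds with, as given in the question (a service entry).
KEYCLOAK_BIND_DN = (
    "krbprincipalname=ldap/keycloak.example.com@FREEIPA.EXAMPLE.COM,"
    "cn=services,cn=accounts,dc=freeipa,dc=example,dc=com"
)

# FreeIPA containers: roles sit under cn=roles,cn=accounts; privileges and
# permissions sit under cn=pbac (policy-based access control).
CONTAINERS = {
    "roles": ",cn=roles,cn=accounts,",
    "privileges": ",cn=privileges,cn=pbac,",
    "permissions": ",cn=permissions,cn=pbac,",
}


def normalize_dn(dn: str) -> str:
    """Case-fold and drop whitespace around RDN separators so DNs compare reliably."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).casefold()


def parse_raw_entry(text: str) -> dict:
    """Parse one `--raw` entry into {attribute: [values]} (attribute names lower-cased).

    Each line is split only on its first ':', so a DN value such as
    'cn=System: Add Users,...' is kept intact.
    """
    entry = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def rbac_memberships(entry: dict) -> dict:
    """Group direct and indirect memberships into roles, privileges and permissions.

    Returns the leading RDN value (e.g. 'System: Add Users') for each DN.
    FreeIPA role, privilege and permission names contain no commas, so taking
    the text before the first ',' as the RDN is safe here.
    """
    groups = {kind: [] for kind in CONTAINERS}
    for dn in entry.get("memberof", []) + entry.get("memberofindirect", []):
        ndn = normalize_dn(dn)
        name = dn.split(",", 1)[0].split("=", 1)[1]
        for kind, marker in CONTAINERS.items():
            if marker in ndn:
                groups[kind].append(name)
    return groups


def check_bind_entry(bind_dn: str, raw_entry_text: str, permission: str) -> dict:
    """Report whether bind_dn is the entry shown and whether that entry holds permission."""
    entry = parse_raw_entry(raw_entry_text)
    entry_dn = entry["dn"][0]
    memberships = rbac_memberships(entry)
    has_perm = permission.casefold() in (p.casefold() for p in memberships["permissions"])
    same_entry = normalize_dn(bind_dn) == normalize_dn(entry_dn)
    if same_entry and has_perm:
        verdict = "bind entry holds the permission"
    elif has_perm:
        verdict = "permission is held by a different entry than the bind DN"
    else:
        verdict = "entry lacks the permission"
    return {
        "entry_dn": entry_dn,
        "bind_is_this_entry": same_entry,
        "has_permission": has_perm,
        "verdict": verdict,
        "memberships": memberships,
    }


if __name__ == "__main__":
    result = check_bind_entry(KEYCLOAK_BIND_DN, SAMPLE_HOST_SHOW, "System: Add Users")
    print(result["verdict"])
    for kind, names in result["memberships"].items():
        print(f"{kind}: {names}")
```

To compare the other side, feed the same function the output of `ipa service-show ldap/keycloak.example.com --all --raw` together with the bind DN: that entry's own `memberof` and `memberofindirect` attributes are what the directory server evaluates for the 'add' privilege on the bind, regardless of what the host entry with the same hostname is a member of.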

0 Answers