I have the following setup:
- FreeIPA 4.8.7 via docker (freeipa/freeipa-server:centos-8)
- Keycloak 12.0.1
- The FreeIPA users are in cn=users,cn=accounts,dc=freeipa,dc=example,dc=com
- Keycloak DN: krbprincipalname=ldap/keycloak.example.com@FREEIPA.EXAMPLE.COM,cn=services,cn=accounts,dc=freeipa,dc=example,dc=com
I created a host account for keycloak via this script: https://gitlab.lindenaar.net/scripts/freeipa/tree/master#freeipa-service-passwordsh and was able to successfully pull the users from FreeIPA into Keycloak.
In the FreeIPA web UI I added the "User Administrator" role to the keycloak host.
Now, however, when I try to add a user in Keycloak I get the following error:
LDAP: error code 50 - Insufficient 'add' privilege to add the entry 'uid=newuser,cn=users,cn=accounts,dc=freeipa,dc=example,dc=com'.
]; remaining name 'uid=newuser,cn=users,cn=accounts,dc=freeipa,dc=example,dc=com'
If I do docker exec -it freeipa-server-container ipa host-show --all --raw keycloak.example.com I get:
dn: fqdn=keycloak.example.com,cn=computers,cn=accounts,dc=freeipa,dc=example,dc=com
fqdn: keycloak.example.com
krbcanonicalname: host/keycloak.example.com@FREEIPA.EXAMPLE.COM
krbprincipalname: host/keycloak.example.com@FREEIPA.EXAMPLE.COM
krbprincipalname: keycloak@FREEIPA.EXAMPLE.COM
has_password: FALSE
has_keytab: FALSE
managedby: fqdn=keycloak.example.com,cn=computers,cn=accounts,dc=freeipa,dc=example,dc=com
cn: keycloak.example.com
ipaUniqueID: 6dc12944-51b6-11eb-b243-0242ac110002
krbPwdPolicyReference: cn=Default Host Password Policy,cn=computers,cn=accounts,dc=freeipa,dc=example,dc=com
krbTicketFlags: 3145856
managing: fqdn=keycloak.example.com,cn=computers,cn=accounts,dc=freeipa,dc=example,dc=com
memberof: cn=User Administrator,cn=roles,cn=accounts,dc=freeipa,dc=example,dc=com
memberofindirect: cn=Stage User Administrators,cn=privileges,cn=pbac,dc=freeipa,dc=example,dc=com
memberofindirect: cn=System: Modify Users,cn=permissions,cn=pbac,dc=freeipa,dc=example,dc=com
memberofindirect: cn=System: Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=freeipa,dc=example,dc=com
memberofindirect: cn=System: Read UPG Definition,cn=permissions,cn=pbac,dc=freeipa,dc=example,dc=com
memberofindirect: cn=System: Modify Groups,cn=permissions,cn=pbac,dc=freeipa,dc=example,dc=com
memberofindirect: cn=System: Add Users,cn=permissions,cn=pbac,dc=freeipa,dc=example,dc=com
memberofindirect: cn=System: Undelete User,cn=permissions,cn=pbac,dc=freeipa,dc=example,dc=com
memberofindirect: cn=System: Preserve User,cn=permissions,cn=pbac,dc=freeipa,dc=example,dc=com
memberofindirect: cn=System: Modify Stage User,cn=permissions,cn=pbac,dc=freeipa,dc=example,dc=com
memberofindirect: cn=System: Add Groups,cn=permissions,cn=pbac,dc=freeipa,dc=example,dc=com
memberofindirect: cn=System: Read Stage User password,cn=permissions,cn=pbac,dc=freeipa,dc=example,dc=com
memberofindirect: cn=System: Remove Users,cn=permissions,cn=pbac,dc=freeipa,dc=example,dc=com
memberofindirect: cn=System: Remove Stage User,cn=permissions,cn=pbac,dc=freeipa,dc=example,dc=com
memberofindirect: cn=System: Add User to default group,cn=permissions,cn=pbac,dc=freeipa,dc=example,dc=com
memberofindirect: cn=System: Modify User RDN,cn=permissions,cn=pbac,dc=freeipa,dc=example,dc=com
memberofindirect: cn=System: Read Stage Users,cn=permissions,cn=pbac,dc=freeipa,dc=example,dc=com
memberofindirect: cn=System: Manage User Certificates,cn=permissions,cn=pbac,dc=freeipa,dc=example,dc=com
memberofindirect: cn=System: Remove Groups,cn=permissions,cn=pbac,dc=freeipa,dc=example,dc=com
memberofindirect: cn=System: Manage User Principals,cn=permissions,cn=pbac,dc=freeipa,dc=example,dc=com
memberofindirect: cn=System: Read Radius Servers,cn=permissions,cn=pbac,dc=freeipa,dc=example,dc=com
memberofindirect: cn=System: Read Preserved Users,cn=permissions,cn=pbac,dc=freeipa,dc=example,dc=com
memberofindirect: cn=System: Read User Kerberos Login Attributes,cn=permissions,cn=pbac,dc=freeipa,dc=example,dc=com
memberofindirect: cn=System: Modify Preserved Users,cn=permissions,cn=pbac,dc=freeipa,dc=example,dc=com
memberofindirect: cn=System: Reset Preserved User password,cn=permissions,cn=pbac,dc=freeipa,dc=example,dc=com
memberofindirect: cn=Group Administrators,cn=privileges,cn=pbac,dc=freeipa,dc=example,dc=com
memberofindirect: cn=System: Modify Group Membership,cn=permissions,cn=pbac,dc=freeipa,dc=example,dc=com
memberofindirect: cn=System: Add Stage User,cn=permissions,cn=pbac,dc=freeipa,dc=example,dc=com
memberofindirect: cn=System: Modify External Group Membership,cn=permissions,cn=pbac,dc=freeipa,dc=example,dc=com
memberofindirect: cn=System: Unlock User,cn=permissions,cn=pbac,dc=freeipa,dc=example,dc=com
memberofindirect: cn=System: Remove preserved User,cn=permissions,cn=pbac,dc=freeipa,dc=example,dc=com
memberofindirect: cn=System: Change User password,cn=permissions,cn=pbac,dc=freeipa,dc=example,dc=com
memberofindirect: cn=User Administrators,cn=privileges,cn=pbac,dc=freeipa,dc=example,dc=com
objectClass: ipaobject
objectClass: nshost
objectClass: ipahost
objectClass: pkiuser
objectClass: ipaservice
objectClass: krbprincipalaux
objectClass: krbprincipal
objectClass: ieee802device
objectClass: ipasshhost
objectClass: top
objectClass: ipaSshGroupOfPubKeys
objectClass: krbticketpolicyaux
serverHostName: keycloak
What am I missing? I see there is a cn=pbac in that list, but I don't know where that comes from or what it means. Is that why the permissions are not taking effect?
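Added example (not part of the post, and not FreeIPA or Keycloak code): FreeIPA evaluates its ACIs against the DN a client binds as, so a role only has an effect if it is attached to that same entry; cn=pbac is the subtree where FreeIPA keeps the privileges and permissions behind its roles, which is why the memberofindirect values above point there. The script below parses --raw output of the kind shown in the post (an abbreviated copy of the host entry is embedded as constructed sample input), lists the role and the permissions it expands to, and reports whether a given bind DN is the entry that carries them. The bind DN constant and the permission names come from the post; the function names are my own.

```python
"""Check which FreeIPA entry carries an RBAC role and whether that entry is
the one an application binds as.  Added example, not from the post."""

from collections import defaultdict

# Constructed sample input: an abbreviated copy of the `ipa host-show --all --raw`
# output quoted in the post (only the lines this check needs).
SAMPLE_HOST_RAW = """\
dn: fqdn=keycloak.example.com,cn=computers,cn=accounts,dc=freeipa,dc=example,dc=com
fqdn: keycloak.example.com
krbprincipalname: host/keycloak.example.com@FREEIPA.EXAMPLE.COM
krbprincipalname: keycloak@FREEIPA.EXAMPLE.COM
memberof: cn=User Administrator,cn=roles,cn=accounts,dc=freeipa,dc=example,dc=com
memberofindirect: cn=User Administrators,cn=privileges,cn=pbac,dc=freeipa,dc=example,dc=com
memberofindirect: cn=System: Add Users,cn=permissions,cn=pbac,dc=freeipa,dc=example,dc=com
memberofindirect: cn=System: Modify Users,cn=permissions,cn=pbac,dc=freeipa,dc=example,dc=com
"""

# The DN the application is configured to bind with (taken from the post).
KEYCLOAK_BIND_DN = (
    "krbprincipalname=ldap/keycloak.example.com@FREEIPA.EXAMPLE.COM,"
    "cn=services,cn=accounts,dc=freeipa,dc=example,dc=com"
)


def parse_raw(text):
    """Turn 'attr: value' lines into {attr_lower: [values]}; attributes may repeat."""
    entry = defaultdict(list)
    for line in text.splitlines():
        if not line.strip() or ": " not in line:
            continue
        attr, value = line.split(": ", 1)
        entry[attr.strip().lower()].append(value.strip())
    return entry


def normalize_dn(dn):
    """Case-fold and strip whitespace around RDN separators for comparison.
    Sufficient for the DNs FreeIPA prints; not a full RFC 4514 normalizer."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def rdn_value(dn):
    """Value of the leading RDN, e.g. 'System: Add Users' from 'cn=System: Add Users,...'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def rbac_summary(entry):
    """Roles held directly, and the permissions reached through them via cn=pbac."""
    roles = [rdn_value(dn) for dn in entry["memberof"] if ",cn=roles," in dn.lower()]
    perms = [rdn_value(dn) for dn in entry["memberofindirect"]
             if ",cn=permissions,cn=pbac," in dn.lower()]
    return {"roles": roles, "permissions": perms}


def bound_identity_has_permission(entry, bind_dn, permission):
    """True only if the bind DN *is* the entry holding the role and that role
    expands to the requested permission.  A role on a different entry (for
    example a host entry under cn=computers while the client binds as a service
    under cn=services) does not carry over, because ACIs see only the bound DN."""
    if not entry["dn"]:
        return False
    same_entry = normalize_dn(entry["dn"][0]) == normalize_dn(bind_dn)
    return same_entry and permission in rbac_summary(entry)["permissions"]


if __name__ == "__main__":
    host = parse_raw(SAMPLE_HOST_RAW)
    print("entry holding the role:", host["dn"][0])
    print("application binds as:  ", KEYCLOAK_BIND_DN)
    print("rbac summary:", rbac_summary(host))
    print("bind DN may add users:",
          bound_identity_has_permission(host, KEYCLOAK_BIND_DN, "System: Add Users"))
```

Run it against the full --raw output of whichever entry you granted the role to, with the bind DN your LDAP client is configured with; if the two DNs differ, the permissions listed belong to an entry the client never authenticates as.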