kcadm.sh create example to add freeipa user federation with password expiration support?


Jelle de Jong

Mar 4, 2022, 5:28:51 PM
to Keycloak User
Hello everybody,

There used to be bin/federation-sssd-setup.sh but with version 17 I can not find the script.

Can someone share an example on how to add freeipa user federation with the kcadm.sh? Preferably with password expiration support.

# something similar to: https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.2/html/server_administration_guide/user-storage-federation#sssd

# the below two commands are working on my system:
sudo dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe org.freedesktop.sssd.infopipe.GetUserGroups string:j.doe
sudo sssctl user-checks j.doe -s keycloak

I do not see an SSSD Federation Provider option for version 17.

I am using java-17-openjdk-headless with keycloak-17.0.0.tar.gz

Kind regards,

Jelle de Jong

Jelle de Jong

Mar 6, 2022, 11:47:01 AM
to keyclo...@googlegroups.com
Hello everybody,

Update: (still no SSSD federation option in keycloak-17.0.0...
requesting further assistance)

I restarted my installation on the newer CentOS Stream 9, because the
jna package depends on java-11-headless which works with
keycloak-17.0.0.tar.gz (unlike the situation in CentOS Stream 8)

I installed jna, libunix-dbus-java-0.8.0-1.fc24.x86_64.rpm and sssd-dbus

I used /opt/keycloak/keycloak-17.0.0/bin/federation-sssd-setup.sh from
keycloak-legacy-17.0.0.zip to make sure /etc/pam.d/keycloak and
/etc/sssd/sssd.conf are configured correctly.

The below commands are both working:

sudo dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe org.freedesktop.sssd.infopipe.GetUserGroups string:j.doe

sudo sssctl user-checks j.doe -s keycloak

I restarted the whole machine just to make sure the services/java
packages are reloaded correctly.

So this follows the steps here:
https://matthew-beliveau.github.io/Keycloak-SSSD-and-FreeIPA/ but this
was written in 2018.

I do not see any SSSD federation option in keycloak-17.0.0, what should
I do to integrate FreeIPA?

Am I missing a feature that I should build?

Mar 06 17:32:59 keycloak02.example.lan kc.sh[2132]: 2022-03-06 17:32:59,181 INFO [io.quarkus] (main) Installed features: [agroal, cdi, hibernate-orm, infinispan-client, jdbc-h2, jdbc-mariadb, jdbc-mssql, jdbc-mysql, jdbc-oracle, jdbc-postgresql, keycloak, narayana-jta, reactive-routes, resteasy, resteasy-jackson, smallrye-context-propagation, smallrye-health, smallrye-metrics, vault, vertx]

Kind regards,

Jelle de Jong


Jelle de Jong

Mar 14, 2022, 9:21:00 AM
to keyclo...@googlegroups.com
Hello everybody,

I was wondering if there is someone that could help me with quarkus and
sssd/freeipa integration? Or should I downgrade to legacy? Is this the
right place to ask for help?

Kind regards,

Jelle de Jong

gnot

Mar 21, 2022, 5:26:27 PM
to Keycloak User
Hello Jelle,
I have the same problem.
With kc 15.01 the sssd federation provider is working.
With kc 17 the sssd option is not there.

I tried in LXC Container (proxmox) with Debian 11, AlmaLinux 8.5 and Fedora 35.
Always the same result.

Did you find a solution?

Kind regards
Guido

Jelle de Jong

Mar 21, 2022, 5:36:39 PM
to keyclo...@googlegroups.com
Hello Guido and others,

I have not found a solution yet. I wanted to try keycloak-17-legacy,
have you tried that version or should I go directly for
keycloak-15-legacy?

If someone knowledgeable that knows how to integrate keycloak quarkus
with freeipa could help, that would be great so I do not need to go back
to legacy-15.

Kind regards,

Jelle

gnot

Mar 21, 2022, 5:52:22 PM
to Keycloak User
I migrated the MariaDB database I used in kc 15.0.1 to a PostgreSQL database I am using in kc 17.
The database already has an entry 'FreeIPA' for the sssd user federation.

When I start kc 17 I get this error message:
Mar 21 21:45:25 sso2 kc.sh[2836]: 2022-03-21 21:45:25,575 ERROR [org.keycloak.services.resources.admin.ComponentResource] (executor-thread-24) Failed to get component list for component model FreeIPA sssd of realm myrealm

gnot

Mar 23, 2022, 3:08:11 AM
to Keycloak User
Hello Jelle,

I solved my problem.
The sssd federation provider option is now available in my installations with AlmaLinux 8.5 and Fedora 35
As CentOS Stream 9 is similar to Fedora 35 it should also work for you.

As I mentioned before I installed kc 17 with an existing database from my kc 15.0.1 installation.

My solution was:
stop keycloak
create a new empty database
edit /opt/keycloak/conf/keycloak.conf to use this empty database
start keycloak in dev mode: bin/kc.sh start-dev
stop keycloak
start keycloak in production mode: systemctl restart keycloak (bin/kc.sh start --auto-build --spi-connections-jpa-default-migration-strategy=update)
open admin console, go to user federation, sssd option is available

I did this with my Fedora 35 installation and could not believe that this was the solution.
So I did these steps again with the AlmaLinux 8.5 installation and it is also working.

gnot

Mar 23, 2022, 3:23:27 AM
to Keycloak User
I forgot one step in my previous post.
After the second "stop keycloak" I did:
edit /opt/keycloak/conf/keycloak.conf to use the original database from my kc 15.01 installation again
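The database-reset procedure from the two posts above, scripted as an added example (not Guido's own script). It assumes the Quarkus-based Keycloak 17 layout with the database settings in /opt/keycloak/conf/keycloak.conf, a keycloak systemd unit, and an already-created empty scratch database reachable with the same credentials (SCRATCH_DB_URL is an assumption); the dev-mode start is stopped by a timeout instead of by hand, and keycloak.conf (which carries the DB password) is backed up with restrictive permissions and restored before the production start.

```shell
#!/bin/sh
# Added example: scripted form of the keycloak.conf / empty-database reset from the thread.
set -eu

KC_HOME=${KC_HOME:-/opt/keycloak}
CONF="$KC_HOME/conf/keycloak.conf"
# Assumption: an empty scratch database already exists with the same user/password as the real one.
SCRATCH_DB_URL=${SCRATCH_DB_URL:-jdbc:postgresql://localhost/keycloak_scratch}
DRY_RUN=${DRY_RUN:-0}   # DRY_RUN=1 prints the service/kc.sh commands instead of running them

run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# Rewrite (or append) the db-url line of a keycloak.conf file in place; other keys are left untouched.
# Note: the JDBC URL is used as a sed replacement, so a URL containing '&' or '|' needs escaping first.
set_db_url() {  # $1 = conf file, $2 = jdbc url
  if grep -q '^db-url=' "$1"; then
    sed -i "s|^db-url=.*|db-url=$2|" "$1"
  else
    printf 'db-url=%s\n' "$2" >> "$1"
  fi
}

# The backup keeps the original credentials, so create it under umask 077 (owner-readable only).
backup_conf()  { ( umask 077; cp "$1" "$1.orig" ); }
restore_conf() { mv "$1.orig" "$1"; }

reset_provider_registry() {
  run systemctl stop keycloak                      # 1. stop keycloak
  backup_conf "$CONF"
  set_db_url "$CONF" "$SCRATCH_DB_URL"             # 2./3. point keycloak.conf at the empty database
  run timeout 120 "$KC_HOME/bin/kc.sh" start-dev || true   # 4./5. start-dev against it, then stop
  restore_conf "$CONF"                             # forgotten step: back to the original database
  # 6. production start with the migration strategy used in the thread
  run "$KC_HOME/bin/kc.sh" start --auto-build --spi-connections-jpa-default-migration-strategy=update
}

if [ "${1:-}" = run ]; then reset_provider_registry; fi
```

Run it as `DRY_RUN=1 sh reset.sh run` first to see the commands it would execute, then without DRY_RUN; afterwards check the admin console's user federation page for the sssd option as the post describes.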

Jelle de Jong

Apr 6, 2022, 9:35:51 AM
to keyclo...@googlegroups.com
Hello Guido,

Thank you for the hints.

I used keycloak-17.0.1 on CentOS Stream 9, recreated the database and
restarted with:

/opt/keycloak/keycloak-17.0.1/bin/kc.sh start --auto-build --spi-connections-jpa-default-migration-strategy=update --db mariadb ....

and voila there the sssd federation option became available!

Kind regards,

Jelle de Jong
