ISSUE: IPA domain needs ldap_user_extra_attrs in sssd.conf #40

Closed
spoore1 opened this issue May 26, 2023 · 1 comment · Fixed by #61

spoore1 commented May 26, 2023

When an IPA Integration Domain is enabled and setup, the sssd.conf file is missing the ldap_user_extra_attrs setting in the domain section.

When the setting is missing, I'm unable to see IPA users reflected in Keycloak. To resolve the issue, I'm adding the following after setting up an IPA Integration Domain:

ldap_user_extra_attrs = mail:mail, sn:sn, givenname:givenname

spoore1 commented May 30, 2023

@f-trivino I ran a test with the latest updates and I'm still seeing this issue.

This is what I'm doing to reproduce this (using containers from this PR):

  1. Set up basic freeipa server, ipa-tuura, and keycloak

     sudo make container
     sudo make up-gating

     This should start dns, ipa, ipa-tuura, and keycloak containers

  2. Add IPA integration domain

     sudo make bridge

     Should add IPA Integration Domain which runs ipa-client-install on ipa-tuura

  3. Add IPA user

     ipa user-add ipauser1 ....

  4. Look up user from Keycloak

     /opt/keycloak/bin/kcadm.sh get users -q username=ipauser1

Expected results should look something like:

[ {
  "id" : "7f075f36-d891-445b-a8f8-49b7eda4086f",
  "createdTimestamp" : 1685478261805,
  "username" : "ipauser2",
  "enabled" : true,
  "totp" : false,
  "emailVerified" : false,
  "firstName" : "ipauser2",
  "lastName" : "ipauser2.last",
  "email" : "[email protected]",
  "federationLink" : "44567635-a5ff-4806-b201-c5e3800702ec",
  "disableableCredentialTypes" : [ ],
  "requiredActions" : [ ],
  "notBefore" : 0,
  "access" : {
    "manageGroupMembership" : true,
    "view" : true,
    "mapRoles" : true,
    "impersonate" : true,
    "manage" : true
  }
} ]

Actual results:

HTTP error - 400 Bad Request

Fix seems to just be adding this line to the domain section of sssd.conf on the ipa-tuura system:

ldap_user_extra_attrs = mail:mail, sn:sn, givenname:givenname

After that, if I add a new IPA user and search from Keycloak, I can see it. Hence the working ipauser2 entry above that I saw after the fix.
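
As an added example (not the issue author's or ipa-tuura's own code), the following Python script checks every IPA domain section of an sssd.conf for the ldap_user_extra_attrs maps named above and appends whatever is missing, keeping any maps already present. The domain name ipa.test, the server name and the file path are assumptions, and the sample sssd.conf it runs on is constructed for the example.

```python
"""Check, and optionally fix, ldap_user_extra_attrs in the IPA domain section
of sssd.conf (the workaround from ipa-tuura issue #40).

Added example; not ipa-tuura's own code. The domain name ipa.test, the server
name and the file path are assumptions, and SAMPLE_SSSD_CONF is constructed.
"""
import configparser
import io
import os

# Attribute maps the issue reports as required for Keycloak user lookups.
REQUIRED_EXTRA_ATTRS = ("mail:mail", "sn:sn", "givenname:givenname")

# Constructed sample of what ipa-client-install leaves behind: an IPA domain
# section with no ldap_user_extra_attrs at all (assumed domain ipa.test).
SAMPLE_SSSD_CONF = """\
[sssd]
domains = ipa.test
services = nss, pam, ifp

[domain/ipa.test]
id_provider = ipa
ipa_server = ipa.ipa.test
ipa_domain = ipa.test
cache_credentials = True
"""


def parse_sssd_conf(text):
    """Parse sssd.conf text with configparser; option names keep their case."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def ipa_domain_sections(cp):
    """Names of [domain/...] sections that use the IPA id provider."""
    return [s for s in cp.sections()
            if s.startswith("domain/")
            and cp.get(s, "id_provider", fallback="").strip() == "ipa"]


def _split_attrs(raw):
    """Split a comma-separated attribute map list, dropping empty items."""
    return [item.strip() for item in raw.split(",") if item.strip()]


def missing_extra_attrs(cp, section):
    """Required maps absent from ldap_user_extra_attrs in `section`."""
    present = set(_split_attrs(cp.get(section, "ldap_user_extra_attrs", fallback="")))
    return [attr for attr in REQUIRED_EXTRA_ATTRS if attr not in present]


def ensure_extra_attrs(text):
    """Return (fixed_text, changed_sections).

    Each IPA domain section gets the missing maps appended to
    ldap_user_extra_attrs; maps already present are kept. configparser
    rewrites the whole file and drops comments, so diff before installing.
    """
    cp = parse_sssd_conf(text)
    changed = []
    for section in ipa_domain_sections(cp):
        missing = missing_extra_attrs(cp, section)
        if not missing:
            continue
        items = _split_attrs(cp.get(section, "ldap_user_extra_attrs", fallback="")) + missing
        cp.set(section, "ldap_user_extra_attrs", ", ".join(items))
        changed.append(section)
    out = io.StringIO()
    cp.write(out)
    return out.getvalue(), changed


def write_sssd_conf(path, text):
    """Write sssd.conf root-only (0600); SSSD refuses to start on wider modes."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, 0o600)  # os.open's mode is masked by umask; force 0600


if __name__ == "__main__":
    fixed_text, changed_sections = ensure_extra_attrs(SAMPLE_SSSD_CONF)
    print("changed sections:", changed_sections)
    print(fixed_text)
```

To apply it on the ipa-tuura system, run ensure_extra_attrs on the contents of /etc/sssd/sssd.conf (assumed path), write the result back with write_sssd_conf, and restart sssd. Users that SSSD cached before the change keep their old attribute set until the cache entry expires or is invalidated (sss_cache -E clears all entries), which matches the observation above that only a newly added user showed up in Keycloak after the fix.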

antoniotorresm added a commit to antoniotorresm/ipa-tuura that referenced this issue Sep 7, 2023
The option `ldap_user_extra_attrs = mail:mail, sn:sn,
givenname:givenname` in IPA domain is needed for correct functioning.

Resolves: freeipa#40
Signed-off-by: Antonio Torres <[email protected]>
f-trivino pushed a commit that referenced this issue Sep 7, 2023
The option `ldap_user_extra_attrs = mail:mail, sn:sn,
givenname:givenname` in IPA domain is needed for correct functioning.

Resolves: #40
Signed-off-by: Antonio Torres <[email protected]>