Create user federation provider for freeipa with keycloak-operator

Hi
I’m miserably failing at creating a freeipa user federation provider with the operator.
I hope someone can help me figure this one out.
My setup:

  • kubernetes: 1.20.5
  • keycloak-operator: v13.0.0 from operatorhub.

Here is the resource I define:

apiVersion: keycloak.org/v1alpha1
kind: KeycloakRealm
metadata:
  labels:
    app: sso
  name: realm-infra-monkey
spec:
  instanceSelector:
    matchLabels:
      app: sso
  realm:
    displayName: Infra-Monkey
    enabled: true
    id: infra-monkey
    realm: infra-monkey
    userFederationProviders:
      - displayName: "FreeIPA LDAP"
        providerName: "ldap-freeipa"
        config:
          vendor: "rhds"
          connectionUrl: "ldap://ipa-master.empire.lan"
          bindDn: "uid=keycloak_ro,cn=sysaccounts,cn=etc,dc=empire,dc=lan"
          bindCredential: "${vault.bindCredential}"
          usersDn: "cn=users,cn=accounts,dc=empire,dc=lan"
          usernameLDAPAttribute: "uid"
          uuidLDAPAttribute: "ipaUniqueID"
          searchScope: "1"
          useTruststoreSpi: "ldapsOnly"
          trustEmail: "false"
          userObjectClasses: "inetOrgPerson, organizationalPerson"
          rdnLDAPAttribute: "uid"
          editMode: "READ_ONLY"
          pagination: "true"
          connectionPooling: "true"
          cachePolicy: "DEFAULT"
          useKerberosForPasswordAuthentication: "false"
          importEnabled: "true"
          enabled: "true"
          changedSyncPeriod: "86400"
          allowKerberosAuthentication: "false"
          syncRegistrations: "false"
          authType: "simple"
          usePasswordModifyExtendedOp: "false"
          priority: "0"
          validatePasswordPolicy: "false"
          batchSizeForSync: "1000"

After configuration, the realm is created but not the provider.
I can see nothing in the logs.

If I create the same provider through the UI, it works and I get this in the logs:
17:19:28,622 INFO [org.keycloak.storage.ldap.LDAPIdentityStoreRegistry] (default task-13) Creating new LDAP Store for the LDAP storage provider: 'FreeIPA LDAP', LDAP Configuration: {fullSyncPeriod=[-1], pagination=[true], usersDn=[cn=users,cn=accounts,dc=empire,dc=lan], connectionPooling=[true], cachePolicy=[DEFAULT], useKerberosForPasswordAuthentication=[false], importEnabled=[true], enabled=[true], changedSyncPeriod=[-1], usernameLDAPAttribute=[uid], bindDn=[uid=keycloak_ro,cn=sysaccounts,cn=etc,dc=empire,dc=lan], vendor=[rhds], uuidLDAPAttribute=[ipaUniqueID], allowKerberosAuthentication=[false], connectionUrl=[ldap://ipa-master.empire.lan], syncRegistrations=[false], authType=[simple], debug=[false], searchScope=[1], useTruststoreSpi=[ldapsOnly], priority=[0], trustEmail=[false], userObjectClasses=[inetOrgPerson, organizationalPerson], rdnLDAPAttribute=[uid], editMode=[READ_ONLY], validatePasswordPolicy=[false], batchSizeForSync=[1000]}, binaryAttributes: []

It looks like I’m providing the same values…
What am I missing?
How can I get more logs in keycloak or the operator?
Thank you for any help.

Solved it!
providerName: "ldap-freeipa" is wrong.
It must have the "ldap" value.
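A pre-apply check for the mistake above, added here as an example and not part of the post or of keycloak-operator: it lints the providers in a KeycloakRealm resource (the sample dict is constructed from the post's CR, still with the wrong providerName) for a providerName that is not a Keycloak provider id, unquoted config values, a bind password written into the CR instead of a ${vault.…} reference, and a plain ldap:// URL without StartTLS. The provider-id set (ldap, kerberos) and the startTls config key are Keycloak's built-in values, assumed here rather than taken from the post.

```python
import re

# Built-in Keycloak user-storage provider ids. providerName must be one of these
# SPI ids; a free-form label such as "ldap-freeipa" belongs in displayName.
KNOWN_PROVIDER_IDS = {"ldap", "kerberos"}
VAULT_REF = re.compile(r"^\$\{vault\.[A-Za-z0-9_.-]+\}$")

# Constructed sample mirroring the CR from the post, still with the wrong providerName.
SAMPLE_REALM = {
    "apiVersion": "keycloak.org/v1alpha1",
    "kind": "KeycloakRealm",
    "spec": {"realm": {"realm": "infra-monkey", "userFederationProviders": [{
        "displayName": "FreeIPA LDAP",
        "providerName": "ldap-freeipa",
        "config": {
            "connectionUrl": "ldap://ipa-master.empire.lan",
            "bindDn": "uid=keycloak_ro,cn=sysaccounts,cn=etc,dc=empire,dc=lan",
            "bindCredential": "${vault.bindCredential}",
            "useTruststoreSpi": "ldapsOnly",
            "editMode": "READ_ONLY",
            "batchSizeForSync": "1000",
        },
    }]}},
}

def lint_federation_providers(realm_cr):
    """Return a list of problems found in spec.realm.userFederationProviders."""
    problems = []
    providers = realm_cr.get("spec", {}).get("realm", {}).get("userFederationProviders", [])
    for idx, prov in enumerate(providers):
        label = prov.get("displayName", f"provider[{idx}]")
        cfg = prov.get("config", {})
        name = prov.get("providerName")
        if name not in KNOWN_PROVIDER_IDS:
            problems.append(f"{label}: providerName {name!r} is not a provider id, "
                            f"expected one of {sorted(KNOWN_PROVIDER_IDS)}")
        # The CR quotes every config value as a string; flag any bare YAML scalar
        # (bool/int) so it is caught before the resource is applied.
        for key, val in cfg.items():
            if not isinstance(val, str):
                problems.append(f"{label}: config.{key} must be a quoted string, got {type(val).__name__}")
        cred = cfg.get("bindCredential", "")
        if cred and not VAULT_REF.match(cred):
            problems.append(f"{label}: bindCredential is a literal secret in the CR; use a ${{vault.<key>}} reference")
        url = cfg.get("connectionUrl", "")
        if url.startswith("ldap://") and cfg.get("startTls") != "true":
            problems.append(f"{label}: {url} sends the bind password in clear; use ldaps:// or set startTls: 'true'")
    return problems
```

Running `lint_federation_providers(SAMPLE_REALM)` reports the bad providerName and the unencrypted ldap:// bind; an empty list means the CR is safe to apply.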