Hi
I’m miserably failing at creating a FreeIPA user federation provider with the operator.
I hope someone can help me figure this one out.
My setup:
- kubernetes: 1.20.5
- keycloak-operator: v13.0.0 from operatorhub.
Here is the resource I define:

```yaml
apiVersion: keycloak.org/v1alpha1
kind: KeycloakRealm
metadata:
  labels:
    app: sso
  name: realm-infra-monkey
spec:
  instanceSelector:
    matchLabels:
      app: sso
  realm:
    displayName: Infra-Monkey
    enabled: true
    id: infra-monkey
    realm: infra-monkey
    userFederationProviders:
      - displayName: "FreeIPA LDAP"
        providerName: "ldap-freeipa"
        config:
          vendor: "rhds"
          connectionUrl: "ldap://ipa-master.empire.lan"
          bindDn: "uid=keycloak_ro,cn=sysaccounts,cn=etc,dc=empire,dc=lan"
          bindCredential: "${vault.bindCredential}"
          usersDn: "cn=users,cn=accounts,dc=empire,dc=lan"
          usernameLDAPAttribute: "uid"
          uuidLDAPAttribute: "ipaUniqueID"
          searchScope: "1"
          useTruststoreSpi: "ldapsOnly"
          trustEmail: "false"
          userObjectClasses: "inetOrgPerson, organizationalPerson"
          rdnLDAPAttribute: "uid"
          editMode: "READ_ONLY"
          pagination: "true"
          connectionPooling: "true"
          cachePolicy: "DEFAULT"
          useKerberosForPasswordAuthentication: "false"
          importEnabled: "true"
          enabled: "true"
          changedSyncPeriod: "86400"
          allowKerberosAuthentication: "false"
          syncRegistrations: "false"
          authType: "simple"
          usePasswordModifyExtendedOp: "false"
          priority: "0"
          validatePasswordPolicy: "false"
          batchSizeForSync: "1000"
```
After configuration, the realm is created but not the provider.
I can see nothing in the logs.
If I create the same provider through the UI, it works and I get this in the logs:
17:19:28,622 INFO [org.keycloak.storage.ldap.LDAPIdentityStoreRegistry] (default task-13) Creating new LDAP Store for the LDAP storage provider: 'FreeIPA LDAP', LDAP Configuration: {fullSyncPeriod=[-1], pagination=[true], usersDn=[cn=users,cn=accounts,dc=empire,dc=lan], connectionPooling=[true], cachePolicy=[DEFAULT], useKerberosForPasswordAuthentication=[false], importEnabled=[true], enabled=[true], changedSyncPeriod=[-1], usernameLDAPAttribute=[uid], bindDn=[uid=keycloak_ro,cn=sysaccounts,cn=etc,dc=empire,dc=lan], vendor=[rhds], uuidLDAPAttribute=[ipaUniqueID], allowKerberosAuthentication=[false], connectionUrl=[ldap://ipa-master.empire.lan], syncRegistrations=[false], authType=[simple], debug=[false], searchScope=[1], useTruststoreSpi=[ldapsOnly], priority=[0], trustEmail=[false], userObjectClasses=[inetOrgPerson, organizationalPerson], rdnLDAPAttribute=[uid], editMode=[READ_ONLY], validatePasswordPolicy=[false], batchSizeForSync=[1000]}, binaryAttributes: []
It looks like I’m providing the same values…
What am I missing?
How can I get more logs in Keycloak or the operator?
Thank you for any help.
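A way to check the claim that the CR and the UI-created provider carry the same values, as an added example that is not part of the original post: it parses the `key=[value]` configuration map Keycloak printed in the log line above and diffs it against the CR's `config` map, listing keys present on only one side and keys whose values differ. The log text and the config map are copied from the post; nothing else is assumed.

```python
import re

# Constructed from the log line in the post: the configuration map Keycloak printed
# for the provider that was created through the UI.
UI_LOG_LINE = (
    "Creating new LDAP Store for the LDAP storage provider: 'FreeIPA LDAP', LDAP Configuration: "
    "{fullSyncPeriod=[-1], pagination=[true], usersDn=[cn=users,cn=accounts,dc=empire,dc=lan], "
    "connectionPooling=[true], cachePolicy=[DEFAULT], useKerberosForPasswordAuthentication=[false], "
    "importEnabled=[true], enabled=[true], changedSyncPeriod=[-1], usernameLDAPAttribute=[uid], "
    "bindDn=[uid=keycloak_ro,cn=sysaccounts,cn=etc,dc=empire,dc=lan], vendor=[rhds], "
    "uuidLDAPAttribute=[ipaUniqueID], allowKerberosAuthentication=[false], "
    "connectionUrl=[ldap://ipa-master.empire.lan], syncRegistrations=[false], authType=[simple], "
    "debug=[false], searchScope=[1], useTruststoreSpi=[ldapsOnly], priority=[0], trustEmail=[false], "
    "userObjectClasses=[inetOrgPerson, organizationalPerson], rdnLDAPAttribute=[uid], "
    "editMode=[READ_ONLY], validatePasswordPolicy=[false], batchSizeForSync=[1000]}, binaryAttributes: []"
)

# The `config` map from the KeycloakRealm CR in the post, exactly as written there.
CR_CONFIG = {
    "vendor": "rhds", "connectionUrl": "ldap://ipa-master.empire.lan",
    "bindDn": "uid=keycloak_ro,cn=sysaccounts,cn=etc,dc=empire,dc=lan",
    "bindCredential": "${vault.bindCredential}",
    "usersDn": "cn=users,cn=accounts,dc=empire,dc=lan", "usernameLDAPAttribute": "uid",
    "uuidLDAPAttribute": "ipaUniqueID", "searchScope": "1", "useTruststoreSpi": "ldapsOnly",
    "trustEmail": "false", "userObjectClasses": "inetOrgPerson, organizationalPerson",
    "rdnLDAPAttribute": "uid", "editMode": "READ_ONLY", "pagination": "true",
    "connectionPooling": "true", "cachePolicy": "DEFAULT",
    "useKerberosForPasswordAuthentication": "false", "importEnabled": "true", "enabled": "true",
    "changedSyncPeriod": "86400", "allowKerberosAuthentication": "false",
    "syncRegistrations": "false", "authType": "simple", "usePasswordModifyExtendedOp": "false",
    "priority": "0", "validatePasswordPolicy": "false", "batchSizeForSync": "1000",
}

# Keycloak logs each LDAP setting as `key=[value]`; the brackets keep values that contain
# commas (DNs, the object class list) intact, so one regex recovers the whole map.
LOG_ENTRY = re.compile(r"(\w+)=\[([^\]]*)\]")

def parse_ldap_config(log_line):
    return dict(LOG_ENTRY.findall(log_line))

def diff_config(cr, logged):
    """Return (keys only in the CR, keys only in the log, {key: (cr value, log value)})."""
    only_cr = sorted(set(cr) - set(logged))
    only_log = sorted(set(logged) - set(cr))
    shared = sorted(set(cr) & set(logged))
    changed = {k: (cr[k], logged[k]) for k in shared if cr[k] != logged[k]}
    return only_cr, only_log, changed

if __name__ == "__main__":
    for label, part in zip(("only in CR", "only in UI provider", "differ"),
                           diff_config(CR_CONFIG, parse_ldap_config(UI_LOG_LINE))):
        print(f"{label}: {part}")
```

`bindCredential` shows up as CR-only because Keycloak does not print the bind secret in this log line, which is the expected behaviour; the remaining differences (`fullSyncPeriod`, `debug`, `changedSyncPeriod`) are the settings the UI filled in differently from the manifest.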