Keycloak 17 : no SSSD user federation provider

gnot · March 17, 2022, 11:30am

I migrated the MariaDB database of my previous kc 15.0.1 installation to postgresql.
Then I have installed kc 17 on a new lxc container (Debian 11) using the migrated database.

The migrated sssd provider entries are visible in kc 17 user federation.

But in the ‘Add provider…’ dropdown I have only kerberos and ldap. sssd is missing.

The kc 17 server is rolled out to FreeIPA.
In /etc/sssd/sssd.conf I have

[domain/xxx]
...
ldap_user_extra_attrs = mail:mail, sn:sn, givenname:givenname

[sssd]
services = nss, pam, ssh, sudo, ifp
...
[ifp]
allowed_uids = root, www-data, 1209
user_attributes = +mail, +givenname, +sn

1209 is the uid of the keycloak user in FreeIPA

cat /etc/pam.d/keycloak
auth    required   pam_sss.so
account required   pam_sss.so

This works

su -pc 'dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe org.freedesktop.sssd.infopipe.GetUserAttr string:xxx array:string:maildrop,homeDirectory,displayName' keycloak

This also works

sssctl user-checks keycloak -s keycloak

When I restart keycloak I get this message in syslog

Mar 17 10:28:57 auth kc.sh[463]: 2022-03-17 10:28:57,654 WARN  [org.keycloak.storage.AbstractStorageManager] (executor-thread-0) Configured StorageProvider sssd of provider id sssd does not exist

When I open the user federation config I get

Mar 17 10:30:37 auth kc.sh[463]: 2022-03-17 10:30:37,352 ERROR [org.keycloak.services.resources.admin.ComponentResource] (executor-thread-8) Failed to get component list for component modelsssdof realm xxx
Mar 17 10:30:37 auth kc.sh[463]: 2022-03-17 10:30:37,355 ERROR [org.keycloak.services.resources.admin.ComponentResource] (executor-thread-8) Failed to get component list for component modelFreeIPA sssdof realm xxx

‘sss’ and ‘FreeIPA sss’ are the configured provider IDs. ‘FreeIPA sss’ is enabled and ‘sss’ is disabled.

When I click on the ‘FreeIPA sss’ entry I get

Mar 17 10:31:58 auth kc.sh[463]: 2022-03-17 10:31:58,392 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (executor-thread-10) Uncaught server error: java.lang.RuntimeException: java.lang.IllegalArgumentException: No such provider 'sssd'
Mar 17 10:31:58 auth kc.sh[463]:         at org.keycloak.models.utils.ComponentUtil.getComponentConfigProperties(ComponentUtil.java:75)
Mar 17 10:31:58 auth kc.sh[463]:         at org.keycloak.models.utils.ComponentUtil.getComponentConfigProperties(ComponentUtil.java:45)
Mar 17 10:31:58 auth kc.sh[463]:         at org.keycloak.models.utils.StripSecretsUtils.strip(StripSecretsUtils.java:54)
Mar 17 10:31:58 auth kc.sh[463]:         at org.keycloak.models.utils.ModelToRepresentation.toRepresentation(ModelToRepresentation.java:855)
Mar 17 10:31:58 auth kc.sh[463]:         at org.keycloak.services.resources.admin.ComponentResource.getComponent(ComponentResource.java:154)
Mar 17 10:31:58 auth kc.sh[463]:         at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
Mar 17 10:31:58 auth kc.sh[463]:         at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
Mar 17 10:31:58 auth kc.sh[463]:         at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
Mar 17 10:31:58 auth kc.sh[463]:         at java.base/java.lang.reflect.Method.invoke(Method.java:566)
Mar 17 10:31:58 auth kc.sh[463]:         at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:170)
Mar 17 10:31:58 auth kc.sh[463]:         at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:130)
Mar 17 10:31:58 auth kc.sh[463]:         at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:660)
Mar 17 10:31:58 auth kc.sh[463]:         at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:524)
Mar 17 10:31:58 auth kc.sh[463]:         at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$2(ResourceMethodInvoker.java:474)
Mar 17 10:31:58 auth kc.sh[463]:         at org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:364)
Mar 17 10:31:58 auth kc.sh[463]:         at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:476)
Mar 17 10:31:58 auth kc.sh[463]:         at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:434)
Mar 17 10:31:58 auth kc.sh[463]:         at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:192)
Mar 17 10:31:58 auth kc.sh[463]:         at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:152)
Mar 17 10:31:58 auth systemd-journald[52]: Forwarding to syslog missed 9 messages.
Mar 17 10:31:58 auth kc.sh[463]:         at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:183)
Mar 17 10:31:58 auth kc.sh[463]:         at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:152)
Mar 17 10:31:58 auth kc.sh[463]:         at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:183)
Mar 17 10:31:58 auth kc.sh[463]:         at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:141)
Mar 17 10:31:58 auth kc.sh[463]:         at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:32)
Mar 17 10:31:58 auth kc.sh[463]:         at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:492)
Mar 17 10:31:58 auth kc.sh[463]:         at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:261)
Mar 17 10:31:58 auth kc.sh[463]:         at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:161)
Mar 17 10:31:58 auth kc.sh[463]:         at org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:364)
Mar 17 10:31:58 auth kc.sh[463]:         at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:164)
Mar 17 10:31:58 auth kc.sh[463]:         at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:247)
Mar 17 10:31:58 auth kc.sh[463]:         at io.quarkus.resteasy.runtime.standalone.RequestDispatcher.service(RequestDispatcher.java:73)
Mar 17 10:31:58 auth kc.sh[463]:         at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.dispatch(VertxRequestHandler.java:151)
Mar 17 10:31:58 auth kc.sh[463]:         at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.handle(VertxRequestHandler.java:82)
Mar 17 10:31:58 auth kc.sh[463]:         at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.handle(VertxRequestHandler.java:42)
Mar 17 10:31:58 auth kc.sh[463]:         at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1212)
Mar 17 10:31:58 auth kc.sh[463]:         at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:163)
Mar 17 10:31:58 auth kc.sh[463]:         at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:141)
Mar 17 10:31:58 auth kc.sh[463]:         at io.quarkus.vertx.http.runtime.StaticResourcesRecorder$2.handle(StaticResourcesRecorder.java:67)
Mar 17 10:31:58 auth kc.sh[463]:         at io.quarkus.vertx.http.runtime.StaticResourcesRecorder$2.handle(StaticResourcesRecorder.java:55)
Mar 17 10:31:58 auth kc.sh[463]:         at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1212)
Mar 17 10:31:58 auth kc.sh[463]:         at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:163)
Mar 17 10:31:58 auth kc.sh[463]:         at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:141)
Mar 17 10:31:58 auth kc.sh[463]:         at io.quarkus.vertx.http.runtime.VertxHttpRecorder$5.handle(VertxHttpRecorder.java:362)
Mar 17 10:31:58 auth kc.sh[463]:         at io.quarkus.vertx.http.runtime.VertxHttpRecorder$5.handle(VertxHttpRecorder.java:340)
Mar 17 10:31:58 auth kc.sh[463]:         at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1212)
Mar 17 10:31:58 auth kc.sh[463]:         at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:163)
Mar 17 10:31:58 auth kc.sh[463]:         at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:141)
Mar 17 10:31:58 auth kc.sh[463]:         at org.keycloak.quarkus.runtime.integration.web.QuarkusRequestFilter.lambda$createBlockingHandler$1(QuarkusRequestFilter.java:66)
Mar 17 10:31:58 auth kc.sh[463]:         at io.vertx.core.impl.ContextImpl.lambda$null$0(ContextImpl.java:159)
Mar 17 10:31:58 auth kc.sh[463]:         at io.vertx.core.impl.AbstractContext.dispatch(AbstractContext.java:100)
Mar 17 10:31:58 auth kc.sh[463]:         at io.vertx.core.impl.ContextImpl.lambda$executeBlocking$1(ContextImpl.java:157)
Mar 17 10:31:58 auth kc.sh[463]:         at io.quarkus.vertx.core.runtime.VertxCoreRecorder$13.runWith(VertxCoreRecorder.java:543)
Mar 17 10:31:58 auth kc.sh[463]:         at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2449)
Mar 17 10:31:58 auth kc.sh[463]:         at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1452)
Mar 17 10:31:58 auth kc.sh[463]:         at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
Mar 17 10:31:58 auth kc.sh[463]:         at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
Mar 17 10:31:58 auth kc.sh[463]:         at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
Mar 17 10:31:58 auth kc.sh[463]:         at java.base/java.lang.Thread.run(Thread.java:829)
Mar 17 10:31:58 auth kc.sh[463]: Caused by: java.lang.IllegalArgumentException: No such provider 'sssd'
Mar 17 10:31:58 auth kc.sh[463]:         at org.keycloak.models.utils.ComponentUtil.getComponentFactory(ComponentUtil.java:87)
Mar 17 10:31:58 auth kc.sh[463]:         at org.keycloak.models.utils.ComponentUtil.getComponentConfigProperties(ComponentUtil.java:62)
Mar 17 10:31:58 auth kc.sh[463]:         ... 57 more

pmcpherson · December 1, 2023, 4:34pm

Did you figure this out?
I am running Keycloak 23 in a docker container and have mounted all the SSSD stuff as volumes on the container and have followed all the instructions here Server Administration Guide
but cannot get it to work; SSSD option does not show up in the user federation menu in the admin console.

Topic		Replies	Views
Keycloak 17 - No SSSD Federation Provider option Configuring the server	2	568	March 23, 2022
SSSD not an option under "User Federation" Configuring the server	1	1033	August 29, 2020
SSSD user federation not working after upgrade from 17.0.1 Getting advice	1	289	December 1, 2023
SSSD User Federation and Google LDAP Configuring the server ldap	0	1471	April 6, 2020
SSSD federation support in 20.0.2 Configuring the server user-federation	1	320	December 23, 2022

Keycloak 17 : no SSSD user federation provider

Related Topics