On Wed, 28 Aug 2024, Francis Augusto Medeiros-Logeay wrote:

On 28 Aug 2024, at 15:37, Alexander Bokovoy <aboko...@redhat.com> wrote:

On Wed, 28 Aug 2024, Francis Augusto Medeiros-Logeay via FreeIPA-users wrote:


On 28 Aug 2024, at 15:02, Rob Crittenden <rcrit...@redhat.com> wrote:

Francis Augusto Medeiros-Logeay via FreeIPA-users wrote:
Hi,

I have configured Keycloak with FreeIPA for kerberos authentication.

It has worked fine, but today I noticed something:

Keycloak seems to look up krb5PrincipalName attribute to look for the
user principal. However, I don't see that attribute when I perform an
ldapsearch. Is it there at all?

I also tried to remove this from keycloak, because it says that when
this is empty it will just look for the username instead of user@domain.
But somehow it adds krb5PrincipalName again.

Is it keycloak that has a problem by not allowing me to remove
krb5PrincipalName, or is it FreeIPA that somehow lost that attribute?

Best,
Francis


Looks like a Keycloak issue. Check out
https://github.com/keycloak/keycloak/issues/25294

Thanks. But should I have this attribute in FreeIPA? I don't see it when
performing an ldapsearch.

Keycloak allows you to configure what LDAP attributes correspond to what
properties. Use proper LDAP attribute for FreeIPA, in this case it is
krbPrincipalName. This can be chosen by setting LDAP vendor to 'rhds'.

I tried that. But I don’t see that attribute either on ldapsearch.
Maybe I am not using the right permissions when searching.

Most likely you are searching without authentication. The basic ACI we
have to allow krbprincipalname read/search/compare to all authenticated
LDAP binds:

aci: (targetattr = "krbcanonicalname || krblastpwdchange || krbpasswordexpiration || krbprincipalaliases || krbprincipalexpiration || krbprincipalname || krbprincipaltype || nsaccountlock")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User Kerberos Attributes";allow (compare,read,search) userdn = "ldap:///all";;)




--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
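To make concrete why an unauthenticated ldapsearch does not return krbPrincipalName, here is an added example (written for this page, not code from the thread or from FreeIPA) in Python that parses the ACI quoted above and evaluates it, with simplified 389-ds bind-rule semantics, for an anonymous bind versus an authenticated one. The sample user entry and the bind DN are constructed, and the evaluator models only this single ACI; a real 389-ds server evaluates every applicable ACI with deny as the default, so this is a model of one rule, not of the server.

```python
import re

# The ACI quoted in the reply above, joined onto one line (constructed copy of that text).
ACI = (
    '(targetattr = "krbcanonicalname || krblastpwdchange || krbpasswordexpiration || '
    'krbprincipalaliases || krbprincipalexpiration || krbprincipalname || krbprincipaltype || '
    'nsaccountlock")(targetfilter = "(objectclass=posixaccount)")'
    '(version 3.0;acl "permission:System: Read User Kerberos Attributes";'
    'allow (compare,read,search) userdn = "ldap:///all";;)'
)

# Constructed sample user entry (hypothetical realm EXAMPLE.TEST). Attribute names are
# lower-cased because LDAP attribute types are case-insensitive.
USER_ENTRY = {
    "objectclass": ["top", "person", "posixaccount", "krbprincipalaux", "ipaobject"],
    "uid": ["francis"],
    "cn": ["Francis"],
    "krbprincipalname": ["francis@EXAMPLE.TEST"],
    "krbcanonicalname": ["francis@EXAMPLE.TEST"],
    "nsaccountlock": ["FALSE"],
}

# Hypothetical DN of the user performing the bind.
BOUND_DN = "uid=francis,cn=users,cn=accounts,dc=example,dc=test"


def parse_aci(aci: str) -> dict:
    """Pull the pieces this evaluator needs out of a 389-ds style ACI string."""
    attrs = re.search(r'\(targetattr\s*=\s*"([^"]*)"\)', aci).group(1)
    target_filter = re.search(r'\(targetfilter\s*=\s*"([^"]*)"\)', aci).group(1)
    required_oc = re.search(r"\(objectclass=([^)]*)\)", target_filter, re.I).group(1)
    rights = re.search(r"allow\s*\(([^)]*)\)", aci).group(1)
    return {
        "name": re.search(r'acl\s+"([^"]*)"', aci).group(1),
        "target_attrs": {a.strip().lower() for a in attrs.split("||")},
        "required_objectclass": required_oc.strip().lower(),
        "rights": {r.strip().lower() for r in rights.split(",")},
        "userdn": re.search(r'userdn\s*=\s*"([^"]*)"', aci).group(1),
    }


def bind_matches(userdn: str, bind_dn) -> bool:
    """Simplified 389-ds userdn semantics: 'anyone' includes anonymous binds,
    'all' means any authenticated bind, anything else is an exact DN match.
    (The real server also knows 'self', 'parent' and filtered/LDAP-URL forms.)"""
    if userdn == "ldap:///anyone":
        return True
    if userdn == "ldap:///all":
        return bind_dn is not None
    return bind_dn is not None and bind_dn.lower() == userdn[len("ldap:///"):].lower()


def granted_attributes(aci: str, entry: dict, bind_dn, right: str = "read") -> set:
    """Return the attributes of `entry` that this single ACI grants `right` on for a
    bind as `bind_dn` (None = anonymous). Empty set means the attribute is simply
    absent from the search result, which is what the thread observed."""
    rule = parse_aci(aci)
    if right not in rule["rights"]:
        return set()
    if not bind_matches(rule["userdn"], bind_dn):
        return set()
    classes = {oc.lower() for oc in entry.get("objectclass", [])}
    if rule["required_objectclass"] not in classes:
        return set()
    return {name for name in entry if name.lower() in rule["target_attrs"]}


if __name__ == "__main__":
    print("anonymous bind sees:    ", sorted(granted_attributes(ACI, USER_ENTRY, None)))
    print("authenticated bind sees:", sorted(granted_attributes(ACI, USER_ENTRY, BOUND_DN)))
```

The practical check on a live server is the same comparison: run ldapsearch once anonymously (`-x` with no `-D`) and once bound, for example with `-Y GSSAPI` after a `kinit`, and compare which attributes come back for the same user entry.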

--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
