
ipa-tuura's Issues

ISSUE: Implement better error handling for the Domain app

A call to delete a domain with a wrong id does not return any error, IMO it should mention something like "No such domain".

If a wrong client id/password is provided, ipa-client-install fails, but this error is not well handled.

Interoperability issues between Domains and SCIM apps

The current implementation faces interoperability issues between the domains app, which serves as the administrative interface for managing integration domains, and the SCIM app, responsible for read and write operations to and from these domains. The writability of the interface is contingent upon specific settings within the integration domain.

Integration domains are not seamlessly interacting with the SCIM app, leading to potential synchronization problems.

The writable interface is not resetting appropriately after the addition of a new integration domain.

RFE: split users_dn so that user can use different OUs for READ and WRITE

Currently, the domains app exposes users_dn field so that admin can specify the full DN of LDAP tree where users are, basically the distinguished name (DN) of the Organization Unit (OU) that holds the user accounts. The aim of this ticket is to split users_dn into two fields so that the admin can decouple different OUs with READ and WRITE permissions.

ISSUE: LDAP provider integration

After adding a SCIM plugin with the LDAP integration domain, I needed to change in sssd.conf as it was 'dn=ldap, dn=test'

ldap_search_base = dc=ldap, dc=test
and also add
ldap_default_authtok = Password

This allowed me to id the user, but infopipe will not find the correct user attributes if the default user LDAP schema does not contain sn or givenName.

ldap_user_extra_attrs = mail:mail, sn:sn, givenname:givenname

A solution should be investigated, which requires consideration for different LDAP schemas that SSSD can work with.

Adding IPA integration domain is broken

This curl call:

curl -k -X POST "https://bridge.ipa.test:4430/domains/v1/domain/" -H "accept: application/json" -H "Content-Type: application/json" -H "X-CSRFToken: x1yU9RGPKs4mJdWIOzEc7wKbwbnJ0B6iTHuW6ja0gdBpEOBVacK1vIhSSYlfsnRw" -d "{ \"name\": \"ipa.test\", \"description\": \"IPA Integration Domain\", \"integration_domain_url\": \"https://master.ipa.test\", \"client_id\": \"admin\", \"client_secret\": \"Secret123\", \"id_provider\": \"ipa\", \"user_extra_attrs\": \"mail:mail, sn:sn, givenname:givenname\", \"user_object_classes\": \"\", \"users_dn\": \"ou=people,dc=ipa,dc=test\", \"ldap_tls_cacert\": \"/etc/openldap/certs/cacert.pem\"}"

results in:

[Wed Nov 29 08:18:06.228224 2023] [wsgi:error] [pid 102:tid 243] [remote 10.45.225.10:38966] HTTP connection keep-alive (idm.ipa.test)
[Wed Nov 29 08:18:06.513683 2023] [wsgi:error] [pid 102:tid 243] [remote 10.45.225.10:38966] ipa: role_member_add result {'completed': 1, 'failed': {'member': {'privilege': ()}}, 'result': {'cn': ('ipatuura writable interface',), 'member_service': ('ipatuura/[email protected]',), 'memberof_privilege': ('User Administrators',), 'dn': 'cn=ipatuura writable interface,cn=roles,cn=accounts,dc=ipa,dc=test'}}
[Wed Nov 29 08:18:07.704047 2023] [wsgi:error] [pid 102:tid 243] [remote 10.45.225.10:38966] Internal Server Error: /domains/v1/domain/
[Wed Nov 29 08:18:07.704075 2023] [wsgi:error] [pid 102:tid 243] [remote 10.45.225.10:38966] Traceback (most recent call last):
[Wed Nov 29 08:18:07.704079 2023] [wsgi:error] [pid 102:tid 243] [remote 10.45.225.10:38966]   File "/usr/local/lib/python3.9/site-packages/django/core/handlers/exception.py", line 55, in inner
[Wed Nov 29 08:18:07.704083 2023] [wsgi:error] [pid 102:tid 243] [remote 10.45.225.10:38966]     response = get_response(request)
[Wed Nov 29 08:18:07.704087 2023] [wsgi:error] [pid 102:tid 243] [remote 10.45.225.10:38966]   File "/usr/local/lib/python3.9/site-packages/django/core/handlers/base.py", line 197, in _get_response
[Wed Nov 29 08:18:07.704091 2023] [wsgi:error] [pid 102:tid 243] [remote 10.45.225.10:38966]     response = wrapped_callback(request, *callback_args, **callback_kwargs)
[Wed Nov 29 08:18:07.704094 2023] [wsgi:error] [pid 102:tid 243] [remote 10.45.225.10:38966]   File "/usr/local/lib/python3.9/site-packages/django/views/decorators/csrf.py", line 56, in wrapper_view
[Wed Nov 29 08:18:07.704098 2023] [wsgi:error] [pid 102:tid 243] [remote 10.45.225.10:38966]     return view_func(*args, **kwargs)
[Wed Nov 29 08:18:07.704101 2023] [wsgi:error] [pid 102:tid 243] [remote 10.45.225.10:38966]   File "/usr/local/lib/python3.9/site-packages/rest_framework/viewsets.py", line 125, in view
[Wed Nov 29 08:18:07.704105 2023] [wsgi:error] [pid 102:tid 243] [remote 10.45.225.10:38966]     return self.dispatch(request, *args, **kwargs)
[Wed Nov 29 08:18:07.704109 2023] [wsgi:error] [pid 102:tid 243] [remote 10.45.225.10:38966]   File "/usr/local/lib/python3.9/site-packages/rest_framework/views.py", line 509, in dispatch
[Wed Nov 29 08:18:07.704112 2023] [wsgi:error] [pid 102:tid 243] [remote 10.45.225.10:38966]     response = self.handle_exception(exc)
[Wed Nov 29 08:18:07.704116 2023] [wsgi:error] [pid 102:tid 243] [remote 10.45.225.10:38966]   File "/usr/local/lib/python3.9/site-packages/rest_framework/views.py", line 469, in handle_exception
[Wed Nov 29 08:18:07.704120 2023] [wsgi:error] [pid 102:tid 243] [remote 10.45.225.10:38966]     self.raise_uncaught_exception(exc)
[Wed Nov 29 08:18:07.704123 2023] [wsgi:error] [pid 102:tid 243] [remote 10.45.225.10:38966]   File "/usr/local/lib/python3.9/site-packages/rest_framework/views.py", line 480, in raise_uncaught_exception
[Wed Nov 29 08:18:07.704127 2023] [wsgi:error] [pid 102:tid 243] [remote 10.45.225.10:38966]     raise exc
[Wed Nov 29 08:18:07.704130 2023] [wsgi:error] [pid 102:tid 243] [remote 10.45.225.10:38966]   File "/usr/local/lib/python3.9/site-packages/rest_framework/views.py", line 506, in dispatch
[Wed Nov 29 08:18:07.704134 2023] [wsgi:error] [pid 102:tid 243] [remote 10.45.225.10:38966]     response = handler(request, *args, **kwargs)
[Wed Nov 29 08:18:07.704137 2023] [wsgi:error] [pid 102:tid 243] [remote 10.45.225.10:38966]   File "/www/ipa-tuura/src/ipa-tuura/root/../domains/views.py", line 45, in create
[Wed Nov 29 08:18:07.704141 2023] [wsgi:error] [pid 102:tid 243] [remote 10.45.225.10:38966]     raise e
[Wed Nov 29 08:18:07.704145 2023] [wsgi:error] [pid 102:tid 243] [remote 10.45.225.10:38966]   File "/www/ipa-tuura/src/ipa-tuura/root/../domains/views.py", line 41, in create
[Wed Nov 29 08:18:07.704148 2023] [wsgi:error] [pid 102:tid 243] [remote 10.45.225.10:38966]     add_domain(serializer.validated_data)
[Wed Nov 29 08:18:07.704152 2023] [wsgi:error] [pid 102:tid 243] [remote 10.45.225.10:38966]   File "/www/ipa-tuura/src/ipa-tuura/root/../domains/utils.py", line 482, in add_domain
[Wed Nov 29 08:18:07.704155 2023] [wsgi:error] [pid 102:tid 243] [remote 10.45.225.10:38966]     ipa = IPA()
[Wed Nov 29 08:18:07.704159 2023] [wsgi:error] [pid 102:tid 243] [remote 10.45.225.10:38966]   File "/www/ipa-tuura/src/ipa-tuura/root/../scim/ipa.py", line 443, in IPA
[Wed Nov 29 08:18:07.704162 2023] [wsgi:error] [pid 102:tid 243] [remote 10.45.225.10:38966]     _IPA._instance = _IPA()
[Wed Nov 29 08:18:07.704176 2023] [wsgi:error] [pid 102:tid 243] [remote 10.45.225.10:38966]   File "/www/ipa-tuura/src/ipa-tuura/root/../scim/ipa.py", line 410, in __init__
[Wed Nov 29 08:18:07.704180 2023] [wsgi:error] [pid 102:tid 243] [remote 10.45.225.10:38966]     self._apiconn = self._write(domains.models.Domain.objects.last().id_provider)
[Wed Nov 29 08:18:07.704184 2023] [wsgi:error] [pid 102:tid 243] [remote 10.45.225.10:38966] AttributeError: 'NoneType' object has no attribute 'id_provider'

failure adding user in ldap when domain requires custom user_object_classes

I'm testing with a 389 Directory Server that is set up on Fedora 38 like this:

dnf -y install 389-ds-base cockpit-389-ds

cat > /tmp/instance.inf <<EOF
[general]
config_version = 2

[slapd]
root_password = Secret123

[backend-userroot]
sample_entries = yes
suffix = dc=ldap,dc=test
EOF

dscreate from-file /tmp/instance.inf

I used Keycloak 17 with the Storage Plugin from here:
https://github.com/justin-stephenson/scim-keycloak-user-storage-spi/tree/kc17_test_user_extra_attrs_string

In Keycloak for LDAP User Object Classes, I added:
posixAccount, nsPerson, nsAccount, nsOrgPerson

When I add a user in Keycloak, I'm seeing an error from ipa-tuura and the user account does not appear to be added to LDAP. I see this in the journal:

Sep 26 22:12:06 bridge.ipa.test python3[204]: Unable to complete SCIM call.                              
Sep 26 22:12:06 bridge.ipa.test python3[204]: Traceback (most recent call last):                         
Sep 26 22:12:06 bridge.ipa.test python3[204]:   File "/www/ipa-tuura/src/ipa-tuura/scim/ipa.py", line 353, in modify
Sep 26 22:12:06 bridge.ipa.test python3[204]:     self._conn.modify_ext_s(dn, mod_attrs)                 
Sep 26 22:12:06 bridge.ipa.test python3[204]:   File "/usr/lib64/python3.11/site-packages/ldap/ldapobject.py", line 400, in modify_ext_s
Sep 26 22:12:06 bridge.ipa.test python3[204]:     resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
Sep 26 22:12:06 bridge.ipa.test python3[204]:                                                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Sep 26 22:12:06 bridge.ipa.test python3[204]:   File "/usr/lib64/python3.11/site-packages/ldap/ldapobject.py", line 543, in result3
Sep 26 22:12:06 bridge.ipa.test python3[204]:     resp_type, resp_data, resp_msgid, decoded_resp_ctrls, retoid, retval = self.result4(
Sep 26 22:12:06 bridge.ipa.test python3[204]:                                                                            ^^^^^^^^^^^^^
Sep 26 22:12:06 bridge.ipa.test python3[204]:   File "/usr/lib64/python3.11/site-packages/ldap/ldapobject.py", line 553, in result4
Sep 26 22:12:06 bridge.ipa.test python3[204]:     ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
Sep 26 22:12:06 bridge.ipa.test python3[204]:                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Sep 26 22:12:06 bridge.ipa.test python3[204]:   File "/usr/lib64/python3.11/site-packages/ldap/ldapobject.py", line 128, in _ldap_call
Sep 26 22:12:06 bridge.ipa.test python3[204]:     result = func(*args,**kwargs)                          
Sep 26 22:12:06 bridge.ipa.test python3[204]:              ^^^^^^^^^^^^^^^^^^^^                          
Sep 26 22:12:06 bridge.ipa.test python3[204]: ldap.NO_SUCH_OBJECT: {'msgtype': 103, 'msgid': 2, 'result': 32, 'desc': 'No such object', 'ctrls': [], 'matched': 'ou=people,dc=ldap,dc=test'}
Sep 26 22:12:06 bridge.ipa.test python3[204]: During handling of the above exception, another exception occurred:
Sep 26 22:12:06 bridge.ipa.test python3[204]: Traceback (most recent call last):                         
Sep 26 22:12:06 bridge.ipa.test python3[204]:   File "/usr/local/lib/python3.11/site-packages/django_scim/views.py", line 112, in dispatch
Sep 26 22:12:06 bridge.ipa.test python3[204]:     return super(SCIMView, self).dispatch(request, *args, **kwargs)
Sep 26 22:12:06 bridge.ipa.test python3[204]:            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Sep 26 22:12:06 bridge.ipa.test python3[204]:   File "/usr/local/lib/python3.11/site-packages/django/views/generic/base.py", line 143, in dispatch
Sep 26 22:12:06 bridge.ipa.test python3[204]:     return handler(request, *args, **kwargs)               
Sep 26 22:12:06 bridge.ipa.test python3[204]:            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^               
Sep 26 22:12:06 bridge.ipa.test python3[204]:   File "/usr/local/lib/python3.11/site-packages/django_scim/views.py", line 372, in put
Sep 26 22:12:06 bridge.ipa.test python3[204]:     scim_obj.save()                                        
Sep 26 22:12:06 bridge.ipa.test python3[204]:   File "/www/ipa-tuura/src/ipa-tuura/scim/adapters.py", line 133, in save
Sep 26 22:12:06 bridge.ipa.test python3[204]:     ipa_if.user_mod(self)                                  
Sep 26 22:12:06 bridge.ipa.test python3[204]:   File "/www/ipa-tuura/src/ipa-tuura/scim/ipa.py", line 417, in user_mod
Sep 26 22:12:06 bridge.ipa.test python3[204]:     self._apiconn.modify(scim_user)                        
Sep 26 22:12:06 bridge.ipa.test python3[204]:   File "/www/ipa-tuura/src/ipa-tuura/scim/ipa.py", line 357, in modify
Sep 26 22:12:06 bridge.ipa.test python3[204]:     raise LDAPNotFoundException(                           
Sep 26 22:12:06 bridge.ipa.test python3[204]: scim.ipa.LDAPNotFoundException: User testldapuser1 not found

EDIT:

I should note that on the 389 server, I enabled the DNA plugin to handle automatic UID/GID assignment when I was troubleshooting why SSSD could not see the users in LDAP. That's when I also tried adding the custom User Object Classes.

DNA plugin config:

dn: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
objectClass: nsContainer
cn: Distributed Numeric Assignment Plugin
nsslapd-pluginInitfunc: dna_init
nsslapd-pluginType: bepreoperation
nsslapd-pluginEnabled: on
nsslapd-pluginPath: libdna-plugin
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: Distributed Numeric Assignment
nsslapd-pluginVersion: 2.1.8
nsslapd-pluginVendor: 389 Project
nsslapd-pluginDescription: Distributed Numeric Assignment plugin

# UID and GID numbers, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=UID and GID numbers,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: UID and GID numbers
dnaType: uidNumber
dnaType: gidNumber
dnaMaxValue: -1
dnaMagicRegen: 0
dnaFilter: (|(objectclass=posixAccount)(objectclass=posixGroup))
dnaScope: dc=example,dc=com
dnaNextValue: 99999

ISSUE: Better handling of concurrent Domain request handling

If 2 calls are done to add the same domain, the REST API does not complain, but we end up with 2 domains in the SQL db and only one in sssd.conf. Removing any of these domains results in an inconsistency (one remaining domain in SQL, but no domain in sssd.conf).
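The inconsistency described above, reproduced and then closed off with a database-level uniqueness constraint, as an added example that is not ipa-tuura's own code. Two sequential calls stand in for the two requests; the point is that the duplicate check lives in the database transaction, so it holds under concurrent requests too, and sssd.conf is only touched for a row that actually committed. The table layout and the SssdConf stand-in are assumptions.

```python
import sqlite3


class SssdConf:
    """Stand-in for sssd.conf: one entry per [domain/<name>] section (constructed)."""

    def __init__(self) -> None:
        self.sections: dict[str, dict[str, str]] = {}

    def add_domain(self, name: str, settings: dict[str, str]) -> None:
        self.sections[f"domain/{name}"] = dict(settings)

    def remove_domain(self, name: str) -> None:
        self.sections.pop(f"domain/{name}", None)


def open_db(unique_names: bool) -> sqlite3.Connection:
    """In-memory domain table; unique_names=False reproduces the reported state."""
    conn = sqlite3.connect(":memory:")
    constraint = "UNIQUE" if unique_names else ""
    conn.execute(
        "CREATE TABLE domain (id INTEGER PRIMARY KEY, "
        f"name TEXT NOT NULL {constraint}, id_provider TEXT NOT NULL)"
    )
    return conn


def add_domain(conn: sqlite3.Connection, sssd: SssdConf, name: str, id_provider: str) -> bool:
    """Commit the row first; sssd.conf is only written for a row that exists.
    Returns False (and leaves both stores untouched) when the name is already taken."""
    try:
        with conn:  # one transaction: commit on success, roll back on error
            conn.execute(
                "INSERT INTO domain (name, id_provider) VALUES (?, ?)", (name, id_provider)
            )
    except sqlite3.IntegrityError:
        return False  # second request for the same domain: rejected by the database
    sssd.add_domain(name, {"id_provider": id_provider})
    return True


def delete_domain(conn: sqlite3.Connection, sssd: SssdConf, domain_id: int) -> bool:
    """Delete by id and drop the matching sssd.conf section; False for an unknown id."""
    with conn:
        row = conn.execute("SELECT name FROM domain WHERE id = ?", (domain_id,)).fetchone()
        if row is None:
            return False
        conn.execute("DELETE FROM domain WHERE id = ?", (domain_id,))
    sssd.remove_domain(row[0])
    return True


def domain_names(conn: sqlite3.Connection) -> list[str]:
    return [r[0] for r in conn.execute("SELECT name FROM domain ORDER BY id")]


def consistent(conn: sqlite3.Connection, sssd: SssdConf) -> bool:
    """True when every SQL row has exactly one sssd.conf section and vice versa."""
    names = domain_names(conn)
    return len(names) == len(set(names)) and {f"domain/{n}" for n in names} == set(sssd.sections)
```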

RFE: replace internal django HTTP runserver by Apache/nginx

Runserver is not intended for production as it doesn’t support HTTPS; instead we need to deploy the bridge service on a WSGI platform in a container. This way, we will be able to start serving API HTTPS requests. The deployment must be container friendly.

Finally, the different services must redirect everything into HTTPS, only HTTPS based communication should be allowed.

https://docs.djangoproject.com/en/dev/howto/deployment/wsgi/

https://medium.com/@adamsokode/deploying-django-app-inside-container-running-apache-mod-wsgi-73831aa04724

AD users missing attributes

When testing with AD, it appears that ipa-tuura is creating the users, but there are a couple of missing attributes needed to enable them to be used.

Without the attributes:

PS C:\cygwin64\home\Administrator> id kcuser101                                                          
/usr/bin/id: 'kcuser101': no such user                                                                   

With the attributes, you should see:

PS C:\cygwin64\home\Administrator> id kcuser107
uid=1049687(kcuser107) gid=1049089(Domain Users) groups=1049089(Domain Users)

Minimum attributes needed that I've found so far:
userAccountControl set to 66048 (65536=don't expire password, 512=normal account)
sAMAccountName set to username

Unsure if there are others, but adding those enables the account and sets SamAccountName so that it can be seen from PS on Windows and SSSD on Linux.

realm join failing to AD domain

Adding an AD domain from Keycloak with the SCIM user storage plugin, it looks like the domain is properly added. However, when I check on the ipa-tuura bridge container, SSSD isn't configured and I see errors in the journal for the realm join.

bridge_ad_join2.log

ISSUE: IPA domain needs ldap_user_extra_attrs in sssd.conf

When an IPA Integration Domain is enabled and setup, the sssd.conf file is missing the ldap_user_extra_attrs setting in the domain section.

When the setting is missing, I'm unable to see IPA users reflected in Keycloak. To resolve the issue, I'm adding the following after setting up an IPA Integration Domain:

ldap_user_extra_attrs = mail:mail, sn:sn, givenname:givenname
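An added example (not ipa-tuura's or sssd's code) that audits the [domain/...] sections of an sssd.conf for the settings the "LDAP provider integration" and "IPA domain needs ldap_user_extra_attrs" reports above had to add by hand, validates the ldap_user_extra_attrs format, and adds the quoted value where it is missing. The per-provider key table and the sample config are assumptions drawn from those two reports, not a complete sssd requirement list.

```python
import configparser
import io

# Per-provider keys the two reports above needed. Assumption drawn from those
# reports; sssd itself accepts many more options and defaults some of these.
REQUIRED_KEYS = {
    "ipa": ("ipa_server", "ipa_domain", "ldap_user_extra_attrs"),
    "ldap": ("ldap_uri", "ldap_search_base", "ldap_default_bind_dn",
             "ldap_default_authtok", "ldap_user_extra_attrs"),
}
# Value quoted in both reports.
EXTRA_ATTRS = "mail:mail, sn:sn, givenname:givenname"

# Constructed sssd.conf showing the defects from the two reports: the IPA domain
# lacks ldap_user_extra_attrs, the LDAP domain lacks search base, authtok and attrs.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam, ifp
domains = ipa.test, ldap.test

[domain/ipa.test]
id_provider = ipa
ipa_server = master.ipa.test
ipa_domain = ipa.test

[domain/ldap.test]
id_provider = ldap
ldap_uri = ldap://rhds.ldap.test
ldap_default_bind_dn = cn=Directory Manager
"""


def load_sssd_conf(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(text)
    return cp


def parse_extra_attrs(value: str) -> dict[str, str]:
    """Turn 'sssd_name:ldap_attr, ...' into a mapping; a bare name maps to itself.
    Raises ValueError on a malformed item so a typo never reaches sssd silently."""
    mapping = {}
    for item in (i.strip() for i in value.split(",")):
        if not item:
            continue
        name, sep, attr = item.partition(":")
        if not name or (sep and not attr):
            raise ValueError(f"bad ldap_user_extra_attrs item: {item!r}")
        mapping[name] = attr or name
    return mapping


def audit_domains(text: str) -> dict[str, list[str]]:
    """Missing keys per [domain/...] section, keyed by section name."""
    cp = load_sssd_conf(text)
    report = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        provider = cp[section].get("id_provider", "").strip()
        report[section] = [k for k in REQUIRED_KEYS.get(provider, ()) if k not in cp[section]]
    return report


def ensure_extra_attrs(text: str, value: str = EXTRA_ATTRS) -> str:
    """Return the config with ldap_user_extra_attrs added to every domain lacking it."""
    parse_extra_attrs(value)  # validate before touching the file
    cp = load_sssd_conf(text)
    for section in cp.sections():
        if section.startswith("domain/") and "ldap_user_extra_attrs" not in cp[section]:
            cp[section]["ldap_user_extra_attrs"] = value
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()
```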

keycloak errors on first get for ldap user

In one test environment, if I create a user in LDAP and then try to get it in Keycloak, I see a failure for the first time I run the get:

  Command:
    /opt/keycloak/bin/kcadm.sh get users -q [email protected]
  CWD:
  Env:
  Output:
  Error output:
    HTTP error - 500 Internal Server Error

When I run a follow up get call, it works and returns the user:

[ {
  "id" : "80026f36-377b-42d3-8e49-78f218afd0e6",
  "createdTimestamp" : 1721335207332,
  "username" : "[email protected]",
  "enabled" : false,
  "totp" : false,
  "emailVerified" : false,
  "disableableCredentialTypes" : [ ],
  "requiredActions" : [ ],
  "notBefore" : 0,
  "access" : {
    "manageGroupMembership" : true,
    "view" : true,
    "mapRoles" : true,
    "impersonate" : true,
    "manage" : true
  }
} ]

These are the parameters from the SCIMv2 storage plugin:

[ {
  "id" : "20bbf6d7-d323-4497-afc1-b7f0c2202aa2",
  "name" : "scim",
  "providerId" : "scim",
  "providerType" : "org.keycloak.storage.UserStorageProvider",
  "parentId" : "0569a5b3-8c85-441c-9a81-85001d4c40c0",
  "config" : {
    "domainclientid" : [ "cn=Directory Manager" ],
    "loginpassword" : [ "Password" ],
    "domainname" : [ "ldap.test" ],
    "users_dn" : [ "ou=users,dc=ldap,dc=test" ],
    "scimurl" : [ "bridge.ipa.test:443" ],
    "domainurl" : [ "ldap://rhds.ldap.test" ],
    "enabled" : [ "True" ],
    "idprovider" : [ "ldap" ],
    "keycloak_hostname" : [ "keycloak.ipa.test" ],
    "domaindesc" : [ "Bridge_to_ldap" ],
    "cacert" : [ "/etc/openldap/certs/cacert.pem" ],
    "addintgdomain" : [ "True" ],
    "domainclientsecret" : [ "Password" ],
    "extraattrs" : [ "mail:mail, sn:sn, givenname:givenname" ],
    "loginusername" : [ "scim" ]
  }
} ]

In IPA-Tuura, I see this:

{
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:ListResponse"
  ],
  "totalResults": 1,
  "itemsPerPage": 50,
  "startIndex": 1,
  "Resources": [
    {
      "id": "100009",
      "externalId": null,
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User"
      ],
      "userName": "[email protected]",
      "name": {
        "givenName": null,
        "familyName": null,
        "formatted": "[email protected]"
      },
      "displayName": "[email protected]",
      "emails": [],
      "active": true,
      "groups": [],
      "meta": {
        "resourceType": "User",
        "location": "https://localhost/scim/v2/Users/100009"
      }
    }
  ]
}

And this is from the keycloak journal:

Jul 18 20:40:07 keycloak.ipa.test kc.sh[619506]: 2024-07-18 20:40:07,331 DEBUG [org.apache.http.wire] (executor-thread-0) http-outgoing-2 << "{"schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"], "totalResults": 1, "itemsPerPage": 50, "startIndex": 1, "Resources": 

[
  {
    "id": "100009",
    "externalId": null,
    "schemas": [
      "urn:ietf:params:scim:schemas:core:2.0:User"
    ],
    "userName": "[email protected]",
    "name": {
      "givenName": null,
      "familyName": null,
      "formatted": "[email protected]"
    },
    "displayName": "[email protected]",
    "emails": [],
    "active": true,
    "groups": [],
    "meta": {
      "resourceType": "User",
      "location": "https://localhost/scim/v2/Users/100009"
    }
  }
]

Jul 18 20:40:07 keycloak.ipa.test kc.sh[619506]: 2024-07-18 20:40:07,339 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (executor-thread-0) Uncaught server error: com.fasterxml.jackson.databind.JsonMappingException: Index 0 out of bounds for length 0

User lookup fails in keycloak due to null familyName and null givenName

[root@client ~]# ipa user-show testuser1 --all --raw
  dn: uid=testuser1,cn=users,cn=accounts,dc=ipa,dc=test
  uid: testuser1
  givenname: test
  sn: user
  cn: testuser1
  initials: tu
  homedirectory: /home/testuser1
  gecos: test user
  loginshell: /bin/sh
  krbcanonicalname: [email protected]
  krbprincipalname: [email protected]
  mail: [email protected]
  uidnumber: 1319600004
  gidnumber: 1319600004
  nsaccountlock: FALSE
  has_password: FALSE
  has_keytab: FALSE
  displayName: test user
  ipaNTSecurityIdentifier: S-1-5-21-3608036487-284666822-748930798-1004
  ipaUniqueID: 2c791fd0-1ff1-11ee-abe2-fa163e14acb1
  memberof: cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=test
  mepManagedEntry: cn=testuser1,cn=groups,cn=accounts,dc=ipa,dc=test
  objectClass: top
  objectClass: person
  objectClass: organizationalperson
  objectClass: inetorgperson
  objectClass: inetuser
  objectClass: posixaccount
  objectClass: krbprincipalaux
  objectClass: krbticketpolicyaux
  objectClass: ipaobject
  objectClass: ipasshuser
  objectClass: ipaSshGroupOfPubKeys
  objectClass: mepOriginEntry



[root@client ~]# curl -b cookies.txt -X POST -d @filter_testuser1.json "http://127.0.0.1:8000/scim/v2/Users/.search" |json_pp 
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   665  100   551  100   114  22569   4669 --:--:-- --:--:-- --:--:-- 30227
{
   "Resources" : [
      {
         "active" : true,
         "displayName" : "testuser1",
         "emails" : [
            {
               "primary" : true,
               "value" : "[email protected]"
            }
         ],
         "externalId" : null,
         "groups" : [],
         "id" : "1319600004",
         "meta" : {
            "location" : "https://localhost/scim/v2/Users/1319600004",
            "resourceType" : "User"
         },
         "name" : {
            "familyName" : null,
            "formatted" : "testuser1",
            "givenName" : null
         },
         "schemas" : [
            "urn:ietf:params:scim:schemas:core:2.0:User"
         ],
         "userName" : "testuser1"
      }
   ],
   "itemsPerPage" : 50,
   "schemas" : [
      "urn:ietf:params:scim:api:messages:2.0:ListResponse"
   ],
   "startIndex" : 1,
   "totalResults" : 1
}



2023-07-11 10:15:12,242 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (executor-thread-31) Uncaught server error: com.fasterxml.jackson.databind.JsonMappingException: Cannot invoke "String.equals(Object)" because the return value of "org.keycloak.models.UserModel.getFirstName()" is null
        at com.fasterxml.jackson.databind.ser.DefaultSerializerProvider._wrapAsIOE(DefaultSerializerProvider.java:509)
        at com.fasterxml.jackson.databind.ser.DefaultSerializerProvider._serialize(DefaultSerializerProvider.java:482)
        at com.fasterxml.jackson.databind.ser.DefaultSerializerProvider.serializeValue(DefaultSerializerProvider.java:400)
        at com.fasterxml.jackson.databind.ObjectWriter$Prefetch.serialize(ObjectWriter.java:1514)
        at com.fasterxml.jackson.databind.ObjectWriter.writeValue(ObjectWriter.java:1007)
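Both Keycloak failures above (this one and the "first get for ldap user" issue before it) come from a SCIM User whose name.givenName/familyName are null or whose emails list is empty. The following added example, not ipa-tuura code, maps an LDAP/IPA entry to a SCIM 2.0 User so those name parts are always strings, and flags resources a strict client would still dereference unsafely. The sample entries are constructed after the ipa user-show output above; the full-name split used as a fallback is an assumption, not SCIM-mandated.

```python
from __future__ import annotations

from typing import Any

# LDAP attributes behind the SCIM name parts (the sn/givenname pair the page's
# ldap_user_extra_attrs value maps).
NAME_ATTRS = {"givenName": "givenname", "familyName": "sn"}

# Constructed sample entries, shaped like python-ldap results (attr -> list of values).
IPA_ENTRY = {
    "uid": ["testuser1"], "givenname": ["test"], "sn": ["user"], "cn": ["testuser1"],
    "displayName": ["test user"], "mail": ["testuser1@ipa.test"],
    "uidnumber": ["1319600004"], "nsaccountlock": ["FALSE"],
}
# An entry from a schema without sn/givenName: the case behind both issues above.
LDAP_ENTRY = {"uid": ["testldapuser1"], "cn": ["Test LdapUser"]}


def first_value(entry: dict[str, list[str]], attr: str) -> str | None:
    """First value of an LDAP attribute, matched case-insensitively, or None."""
    for key, values in entry.items():
        if key.lower() == attr.lower() and values:
            return values[0]
    return None


def split_full_name(full: str) -> tuple[str, str]:
    """Heuristic fallback (assumption): the last token is the family name; a
    single-token name is reused for both parts so neither is ever empty."""
    full = full.strip()
    if " " not in full:
        return full, full
    given, _, family = full.rpartition(" ")
    return given, family


def to_scim_user(entry: dict[str, list[str]], uid_attr: str = "uid") -> dict[str, Any]:
    """Build a SCIM 2.0 User whose name.givenName/familyName are never null."""
    user_name = first_value(entry, uid_attr)
    if user_name is None:
        raise ValueError(f"entry has no {uid_attr} attribute")
    formatted = first_value(entry, "displayName") or first_value(entry, "cn") or user_name
    given = first_value(entry, NAME_ATTRS["givenName"])
    family = first_value(entry, NAME_ATTRS["familyName"])
    if given is None or family is None:
        fb_given, fb_family = split_full_name(formatted)
        given = fb_given if given is None else given
        family = fb_family if family is None else family
    mail = first_value(entry, "mail")
    locked = (first_value(entry, "nsaccountlock") or "FALSE").upper() == "TRUE"
    return {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "id": first_value(entry, "uidnumber") or user_name,
        "externalId": None,
        "userName": user_name,
        "name": {"givenName": given, "familyName": family, "formatted": formatted},
        "displayName": formatted,
        "emails": [{"value": mail, "primary": True}] if mail else [],
        "active": not locked,
        "groups": [],
    }


def client_hazards(resource: dict[str, Any]) -> list[str]:
    """Fields that were null/empty in the responses quoted above and that a strict
    SCIM client may dereference without checking; an empty list means none."""
    hazards = []
    name = resource.get("name") or {}
    for part in ("givenName", "familyName"):
        if not name.get(part):
            hazards.append(f"name.{part} is null")
    if not resource.get("emails"):
        hazards.append("emails is empty")
    return hazards
```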

Applying image updates to a running container makes the service stop working

Issue

After applying updates to a running container, the service stops working.

Steps to Reproduce

  1. Deploy for the first time:
    podman run --name=bridge -d --privileged --dns --add-host idm.ipa.test: -p 8000:8000 -p 3501:3500 -p 4701:81 -p 4430:443 --hostname bridge.ipa.test
  2. service works
  3. sudo podman pull image
  4. sudo podman stop bridge
  5. sudo podman rm -a
  6. podman run --name=bridge -d --privileged --dns --add-host idm.ipa.test: -p 8000:8000 -p 3501:3500 -p 4701:81 -p 4430:443 --hostname bridge.ipa.test

Actual behavior

After applying updates the service doesn't work.

"Cannot connect to provided URL!"

from error_log: [Wed Nov 29 08:11:50.272546 2023] [ssl:info] [pid 104:tid 322] SSL Library Error: error:0A000416:SSL routines::sslv3 alert certificate unknown (SSL alert number 46)

Expected behavior

Service should work.

RFE: implement Integration Domain UnitTests with Mock

The view integration domain unit tests end up calling the corresponding POST request for domain enrollment. We don't really want to enroll with an integration domain, as we would need to add more infra to the GitHub Actions (e.g. IPA/LDAP/ADDC servers)...

This RFE is about implementing mocks for the app REST API calls: a JSON response should be returned instead of enrolling with a domain.

Support password change

It would be awesome if we could support password change e.g. on password expiration events.

This is especially acute as freeipa by default requires that users change their password on first logon.

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Edited/Blocked

These updates have been manually edited so Renovate will no longer make changes. To discard all commits and start over, click on a checkbox.

  • Update Konflux references (quay.io/redhat-appstudio-tekton-catalog/task-buildah, quay.io/redhat-appstudio-tekton-catalog/task-clair-scan, quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan, quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check, quay.io/redhat-appstudio-tekton-catalog/task-git-clone, quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies, quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check, quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check, quay.io/redhat-appstudio-tekton-catalog/task-source-build)


ISSUE: naming of the django apps is confusing

Currently, the django project (ipa-tuura) is composed of:

  • ipa-tuura app
  • creds app
  • domains app

The ipa-tuura app is actually the scimv2 app, so the following naming would make more sense:

  • scim app
  • creds app
  • domains app

Also, the project could be renamed to ipatuura.

ipa-tuura package creation (github)

I am asking any owner of the freeipa organization to enable packages for the freeipa organization. At this page you should be able to enable public packages to be created, at least for this project. It will help us to publish container images and use ghcr.io per pull request to test changes and store containers.

Allow to configure encryption types during AD domain addition

You might want to allow the encryption type list to be configurable. There are plenty of environments where people are still using RC4 (sorry) or AES128-SHA1. Also, with Windows Server 2025 there will be support for RFC8009 encryption types (SHA2-based), so it is best to remove the hard-coded encryption lines here and instead add a configuration with sensible defaults.

Originally posted by @abbra in #88 (comment)

RFE: Protect Authentication and Authorization of the SCIMv2 Service with OAuth2 Bearer Token Authentication.

The SCIM 2.0 protocol supports multiple HTTP-based authentication schemes to enable API access by SCIM clients. Currently, only httpbasic is supported and there is no Authorization defined. The aim of this ticket is to implement support for OAuth2 with bearer token.

The new auth scheme should be exposed in the “/ServiceProviderConfig” endpoint for the auto-discovery service.

OAuth2 Bearer Token allows authentication to be delegated to an OIDC server outside of the SCIM API implementation, apart from making the auth mech compatible with OIDC. The best security practices related to bearer tokens (like TLS transport, limited scoping, short lifetimes) must be enforced.

Ideally, we should also define authorization scopes such as scim read and scim write so that the client can request the minimum access to the API.
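An added example, not ipa-tuura's code, of the authorization layer this RFE describes: bearer tokens with short lifetimes and scim:read / scim:write scopes, a 401/403 split following RFC 6750, and the authenticationSchemes entry for /ServiceProviderConfig. The in-memory token table stands in for introspection against the OIDC server, and the realm name and scope strings are assumptions.

```python
from __future__ import annotations

import hmac

SCOPE_READ, SCOPE_WRITE = "scim:read", "scim:write"
REALM = "ipa-tuura"  # assumed realm name for the WWW-Authenticate header

# Stand-in for token introspection at the OIDC server (constructed): token -> claims.
# exp is a UNIX time; scopes are space-separated as in RFC 6749.
NOW = 1_700_000_000
ISSUED_TOKENS = {
    "tok-reader": {"sub": "keycloak-sync", "scope": SCOPE_READ, "exp": NOW + 300},
    "tok-writer": {"sub": "keycloak-sync", "scope": f"{SCOPE_READ} {SCOPE_WRITE}", "exp": NOW + 300},
    "tok-stale": {"sub": "old-job", "scope": SCOPE_WRITE, "exp": NOW - 1},
}


def introspect(token: str, now: int = NOW) -> dict | None:
    """Claims for a live token, or None if unknown or expired. The compare is
    constant-time so an invalid token cannot be narrowed down by timing."""
    for known, claims in ISSUED_TOKENS.items():
        if hmac.compare_digest(known.encode(), token.encode()) and claims["exp"] > now:
            return claims
    return None


def required_scope(method: str, path: str) -> str:
    """Reads need scim:read; anything that changes state needs scim:write.
    POST .../.search (RFC 7644 3.4.3) is a query, so it only needs scim:read."""
    if method in ("GET", "HEAD"):
        return SCOPE_READ
    if method == "POST" and path.rstrip("/").endswith("/.search"):
        return SCOPE_READ
    return SCOPE_WRITE


def authorize(method: str, path: str, headers: dict[str, str], now: int = NOW) -> tuple[int, dict[str, str]]:
    """(status, response headers): 200 to proceed, 401 for a missing, invalid or
    expired token, 403 when the token lacks the scope the request needs."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return 401, {"WWW-Authenticate": f'Bearer realm="{REALM}"'}
    claims = introspect(token.strip(), now)
    if claims is None:
        return 401, {"WWW-Authenticate": f'Bearer realm="{REALM}", error="invalid_token"'}
    needed = required_scope(method, path)
    if needed not in claims["scope"].split():
        return 403, {"WWW-Authenticate": f'Bearer realm="{REALM}", error="insufficient_scope", scope="{needed}"'}
    return 200, {}


def service_provider_config() -> dict:
    """The /ServiceProviderConfig fragment advertising the scheme (RFC 7643 5)."""
    return {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"],
        "authenticationSchemes": [
            {
                "type": "oauthbearertoken",
                "name": "OAuth Bearer Token",
                "description": "Authentication scheme using the OAuth Bearer Token Standard",
                "specUri": "https://www.rfc-editor.org/info/rfc6750",
                "primary": True,
            }
        ],
    }
```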

New AD users not seen in Keycloak

I am able to set up an Integration domain in Keycloak to an AD domain. If I add a user in Keycloak, I see it replicated to AD. However, if I add a new user in AD, I do not see it in Keycloak.

I will add more details soon.
