SSSD and FreeIPA Identity Management integration
Keycloak includes the System Security Services Daemon (SSSD) plugin. SSSD is part of Fedora and Red Hat Enterprise Linux (RHEL), and it provides access to multiple identity and authentication providers. SSSD also provides benefits such as failover and offline support. For more information, see the Red Hat Enterprise Linux Identity Management documentation.
SSSD integrates with the FreeIPA identity management (IdM) server, providing authentication and access control. With this integration, Keycloak can authenticate against privileged access management (PAM) services and retrieve user data from SSSD. For more information about using Red Hat Identity Management in Linux environments, see the Red Hat Enterprise Linux Identity Management documentation.
Keycloak and SSSD communicate through read-only D-Bus interfaces. For this reason, the way to provision and update users is to use the FreeIPA/IdM administration interface. By default, the interface imports the username, email, first name, and last name.
Keycloak registers groups and roles automatically but does not synchronize them. Any changes made by the Keycloak administrator in Keycloak do not synchronize with SSSD.
FreeIPA/IdM server
The FreeIPA Docker image is available on Docker Hub. To set up the FreeIPA server, see the FreeIPA documentation.
- Run your FreeIPA server using this command:

  docker run --name freeipa-server-container -it \
      -h server.freeipa.local -e PASSWORD=YOUR_PASSWORD \
      -v /sys/fs/cgroup:/sys/fs/cgroup:ro \
      -v /var/lib/ipa-data:/data:Z freeipa/freeipa-server

  The parameter -h with server.freeipa.local represents the FreeIPA/IdM server hostname. Change YOUR_PASSWORD to a password of your own.
- After the container starts, change the /etc/hosts file to include:

  x.x.x.x server.freeipa.local

  If you do not make this change, you must set up a DNS server.
- Use the following command to enroll your Linux server in the IPA domain so that the SSSD federation provider starts and runs on Keycloak:

  ipa-client-install --mkhomedir -p admin -w password
- Run the following command on the client to verify the installation is working:

  kinit admin
- Enter your password.
- Add users to the IPA server using this command:

  $ ipa user-add <username> --first=<first name> --last=<surname> --email=<email address> --phone=<telephoneNumber> --street=<street> \
      --city=<city> --state=<state> --postalcode=<postal code> --password
- Force set the user's password using kinit:

  kinit <username>
- Enter the following to restore normal IPA operation:

  kdestroy -A
  kinit admin
SSSD and D-Bus
The federation provider obtains user data from SSSD over D-Bus. It authenticates users using PAM.
- Install the sssd-dbus RPM:

  $ sudo yum install sssd-dbus
- Run the following provisioning script:

  $ bin/federation-sssd-setup.sh

  This script makes the following changes to /etc/sssd/sssd.conf:

  [domain/your-hostname.local]
  ...
  ldap_user_extra_attrs = mail:mail, sn:sn, givenname:givenname, telephoneNumber:telephoneNumber
  ...
  [sssd]
  services = nss, sudo, pam, ssh, ifp
  ...
  [ifp]
  allowed_uids = root, yourOSUsername
  user_attributes = +mail, +telephoneNumber, +givenname, +sn
- Run dbus-send to ensure the setup is successful:

  sudo dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe org.freedesktop.sssd.infopipe.GetUserGroups string:john

  If the setup is successful, you see the user's groups. If this command returns a timeout or an error, the federation provider running on Keycloak cannot retrieve any data. This error usually happens because the server is not enrolled in the FreeIPA IdM server, or does not have permission to access the SSSD service.

  If you do not have permission to access the SSSD service, ensure that the user running the Keycloak server is listed in the /etc/sssd/sssd.conf file in the following section:

  [ifp]
  allowed_uids = root, your_username
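Both failure modes just described (the InfoPipe responder not started, and the user running Keycloak missing from allowed_uids) can be caught by reading sssd.conf before any D-Bus call is attempted. The script below is an added example; it is not part of the Keycloak documentation or of federation-sssd-setup.sh. It assumes an INI-style sssd.conf whose path is passed as the first argument, the OS user that runs Keycloak as the second, and the same attribute list the provisioning script writes. The embedded sample configuration is constructed so the script runs stand-alone.

```shell
#!/bin/sh
# Added example (not part of the Keycloak docs or federation-sssd-setup.sh):
# pre-flight check of sssd.conf before enabling the SSSD federation provider.
# Assumptions: $1 is the config path, $2 is the OS user that runs Keycloak,
# and the attribute list matches what the provisioning script writes.

# Print the value of KEY in [SECTION] of an INI-style file (empty if absent).
ini_get() {
    # $1 = file, $2 = section name without brackets, $3 = key
    awk -v section="[$2]" -v key="$3" '
        $0 == section { inside = 1; next }
        /^\[/         { inside = 0 }
        inside && match($0, /^[ \t]*[A-Za-z0-9_]+[ \t]*=/) {
            name = substr($0, RSTART, RLENGTH)
            gsub(/[ \t=]/, "", name)
            if (name == key) {
                value = substr($0, RLENGTH + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", value)
                print value
                exit
            }
        }
    ' "$1"
}

# Return 0 if the comma-separated list in $1 contains $2 as a whole token.
list_has() {
    printf '%s\n' "$1" | tr ',' '\n' | tr -d ' \t' | grep -qxF -- "$2"
}

# Report every setting the federation provider depends on that is missing.
# Prints one line per problem; the return code is the number of problems.
sssd_conf_preflight() {
    conf="$1"
    keycloak_user="$2"
    problems=0

    services=$(ini_get "$conf" sssd services)
    if ! list_has "$services" ifp; then
        echo "[sssd] services lacks ifp (the InfoPipe D-Bus responder); found: '$services'"
        problems=$((problems + 1))
    fi

    uids=$(ini_get "$conf" ifp allowed_uids)
    if ! list_has "$uids" "$keycloak_user"; then
        echo "[ifp] allowed_uids does not include '$keycloak_user'; SSSD will reject Keycloak's D-Bus calls"
        problems=$((problems + 1))
    fi

    attrs=$(ini_get "$conf" ifp user_attributes)
    for attr in +mail +givenname +sn +telephoneNumber; do
        if ! list_has "$attrs" "$attr"; then
            echo "[ifp] user_attributes lacks $attr; that field will be empty in Keycloak"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Constructed sample (not a real host's file): ifp is not started, the
# keycloak user is not allowed, and two attributes are not exported.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
[domain/example.local]
ldap_user_extra_attrs = mail:mail, sn:sn, givenname:givenname, telephoneNumber:telephoneNumber

[sssd]
services = nss, sudo, pam, ssh

[ifp]
allowed_uids = root
user_attributes = +mail, +sn
EOF
sssd_conf_preflight "$demo_conf" keycloak || echo "$? problem(s) found; fix sssd.conf and restart sssd before retrying dbus-send"
rm -f "$demo_conf"
```

On a real host, run the functions against /etc/sssd/sssd.conf with the account that starts Keycloak as the second argument, restart SSSD after any edit so the responder picks up the change, and only then run the dbus-send check above; a zero exit code here does not replace that live check, it only rules out the configuration causes of it failing.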
Enabling the SSSD federation provider
Keycloak uses DBus-Java to communicate at a low level with D-Bus. D-Bus depends on the Unix Sockets Library.
You can find an RPM for this library in the keycloak repository. Before installing this RPM, check the RPM signature using this command:
$ rpm -K libunix-dbus-java-0.8.0-1.fc24.x86_64.rpm
libunix-dbus-java-0.8.0-1.fc24.x86_64.rpm:
Header V4 RSA/SHA256 Signature, key ID 84dc9914: OK
Header SHA1 digest: OK (d17bb7ebaa7a5304c1856ee4357c8ba4ec9c0b89)
V4 RSA/SHA256 Signature, key ID 84dc9914: OK
MD5 digest: OK (770c2e68d052cb4a4473e1e9fd8818cf)
Install the RPM using this command:
$ sudo yum install libunix-dbus-java-0.8.0-1.fc24.x86_64.rpm
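A scripted installation should fail closed on the rpm -K result rather than rely on someone scanning the output for OK. The function below is an added example, not from the Keycloak documentation or the keycloak repository: it reads rpm -K output on standard input, rejects any NOT OK, NOKEY, MISSING KEYS or BAD verdict, and additionally requires that a passing signature line names the key ID you expect, so a package signed by some other key that happens to be imported is refused as well. The expected key ID and the passing sample are taken from the transcript above; the NOKEY sample is constructed, and the output format is assumed to be the one shown.

```shell
#!/bin/sh
# Added example (not from the Keycloak docs or the keycloak repository):
# gate the install on the rpm -K result instead of reading it by eye.
# Assumption: rpm -K prints one "<check>: <status>" line per check, as in
# the transcript above, with signature lines containing "key ID <hex>".

# Read rpm -K output on stdin. Succeed only if no check failed and a
# signature check passed with exactly the key ID given in $1.
rpm_check_output_ok() {
    awk -v expected="$1" '
        # Any failed verdict is fatal, including an unimported key (NOKEY).
        /NOT OK|NOKEY|MISSING KEYS|BAD/ { failed = 1 }
        # A passing signature line must name the key we trust; digest-only
        # OK lines prove integrity, not origin, so they do not count.
        /Signature, key ID/ && /: OK$/ {
            if (match($0, /key ID [0-9A-Fa-f]+/)) {
                id = substr($0, RSTART + 7, RLENGTH - 7)
                if (tolower(id) == tolower(expected)) signed_by_expected = 1
            }
        }
        END { if (signed_by_expected && !failed) exit 0; exit 1 }
    '
}

# Taken from the rpm -K transcript above, for a stand-alone run.
sample_output='libunix-dbus-java-0.8.0-1.fc24.x86_64.rpm:
    Header V4 RSA/SHA256 Signature, key ID 84dc9914: OK
    Header SHA1 digest: OK (d17bb7ebaa7a5304c1856ee4357c8ba4ec9c0b89)
    V4 RSA/SHA256 Signature, key ID 84dc9914: OK
    MD5 digest: OK (770c2e68d052cb4a4473e1e9fd8818cf)'

# What an unimported signing key looks like (constructed); must be refused.
nokey_output='libunix-dbus-java-0.8.0-1.fc24.x86_64.rpm:
    Header V4 RSA/SHA256 Signature, key ID 84dc9914: NOKEY
    Header SHA1 digest: OK (d17bb7ebaa7a5304c1856ee4357c8ba4ec9c0b89)'

if printf '%s\n' "$sample_output" | rpm_check_output_ok 84dc9914; then
    echo "signature verified with the expected key; safe to install"
fi
if ! printf '%s\n' "$nokey_output" | rpm_check_output_ok 84dc9914; then
    echo "signing key not imported: refusing to install until the key is imported and trusted"
fi
# Real use, with pkg set to the downloaded file:
#   rpm -K "$pkg" | rpm_check_output_ok 84dc9914 && sudo yum install "$pkg"
```

The key ID is pinned deliberately: an OK verdict only means rpm found some trusted key that verifies the package, and the point of the check is that it is the key you decided to trust for this repository.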
Keycloak uses JNA to authenticate with PAM. Ensure you have the JNA package installed.
$ sudo yum install jna
Use the sssctl user-checks command to validate your setup:
$ sudo sssctl user-checks admin -s keycloak
Configuring a federated SSSD store
After the installation, configure a federated SSSD store.
- Click User Federation in the menu.
- From the Add Provider list, select sssd. Keycloak brings you to the sssd configuration page.
- Click Save.
You can now authenticate against Keycloak using FreeIPA/IdM credentials.