SSSD User Federation and Google LDAP

Dear Keycloak Community,

I have been trying to configure and arrange communication between Google’s LDAP (hereafter just LDAP) and Keycloak.

I have already installed and set up Keycloak, SSSD, and LDAP.
What I’m facing is strange Keycloak behavior, and I want to figure it out. Do I need to extend the existing code or not?

I saw the list thread from someone: [keycloak-user] SSSD and FreeIPA integration - no users, but I don’t trust any magical things and I’m hoping there is a logical answer.

When I tried to add a new user with a Gmail address, it showed the error alert “such user existing” and synced it with Google LDAP.

Such behavior is not acceptable and synchronization does not work: NONE of the users are being added to the users view in Keycloak.

Why is this happening in Keycloak? I can see that SSSD is working and entries are present in the LDAP audit report.

sssd.conf

[sssd]
debug_level = 6
services = nss, sudo, pam, ssh, ifp
domains = pantera.com

[ifp]
allowed_uids = root
debug_level = 6
user_attributes = +mail, +telephoneNumber, +givenname, +sn

[pam]
debug_level = 6

[nss]
debug_level = 6

[domain/pantera.com]
debug_level = 6
cache_credentials = true
ldap_tls_cert = /opt/jboss/tools/certs/ldap-client.crt
ldap_tls_key = /opt/jboss/tools/certs/ldap-client.key
ldap_tls_reqcert = allow
ldap_uri = ldaps://ldap.google.com:636
ldap_search_base = dc=pantera,dc=com
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307bis
ldap_user_uuid = entryUUID
ldap_groups_use_matching_rule_in_chain = true
ldap_initgroups_use_matching_rule_in_chain = true
enumerate = false
ldap_user_extra_attrs = mail:mail, sn:sn, givenname:givenname, telephoneNumber:telephoneNumber

Also, a peculiar message in the Google audit logs is

LDAP bind with uid=kurisumakise,ou=Users,dc=pantera,dc=com failed with INSUFFICIENT_ACCESS_RIGHTS.

I’m not asking specifically about Google LDAP, but maybe someone has come across this.
Could it be the cause of the synchronization failure or not?

Any advice, remarks will be appreciated.
Thanks!

UPDATE: I want to emphasize that when a user with a Google account tries to sign in to Keycloak, it fails with INSUFFICIENT_ACCESS_RIGHTS.

But all other scheduled tasks are working and I see “Successful search status” in the Google logs.
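A small audit script over an sssd.conf like the one above, added here as an example and not part of the original post or of SSSD/Keycloak. It flags the two settings in such a config that most often break or weaken a Keycloak federation through the SSSD InfoPipe: `ldap_tls_reqcert = allow`, which accepts an unverifiable server certificate, and an `[ifp] allowed_uids` list that does not include the account Keycloak runs as (the account name `jboss` is an assumption, passed as a parameter). The embedded config is a constructed sample modelled on the post.

```python
"""Audit an sssd.conf for settings that commonly break or weaken a
Keycloak-via-InfoPipe (ifp) federation against an LDAPS backend."""
import configparser

# Constructed sample, modelled on the configuration in the post above.
SAMPLE_SSSD_CONF = """
[sssd]
services = nss, sudo, pam, ssh, ifp
domains = pantera.com

[ifp]
allowed_uids = root
user_attributes = +mail, +telephoneNumber, +givenname, +sn

[domain/pantera.com]
ldap_uri = ldaps://ldap.google.com:636
ldap_tls_reqcert = allow
ldap_user_extra_attrs = mail:mail, sn:sn, givenname:givenname, telephoneNumber:telephoneNumber
"""

def _csv(value):
    """Split an SSSD comma-separated value into stripped items."""
    return [v.strip() for v in value.split(",") if v.strip()]

def audit_sssd_conf(text, keycloak_user="jboss"):
    """Return a list of human-readable findings (empty list == nothing flagged).
    keycloak_user is the assumed account under which Keycloak calls the InfoPipe."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    ifp = cp["ifp"] if cp.has_section("ifp") else {}
    # (1) InfoPipe callers are filtered by allowed_uids; the Keycloak account must be listed.
    allowed = _csv(ifp.get("allowed_uids", ""))
    if keycloak_user not in allowed:
        findings.append(f"ifp.allowed_uids={allowed} does not include '{keycloak_user}'; "
                        "D-Bus lookups from Keycloak would be rejected")
    exported = [a.lstrip("+") for a in _csv(ifp.get("user_attributes", ""))]
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom = cp[section]
        # (2) 'allow' skips certificate verification on an ldaps:// URI: MITM risk, and it hides cert errors.
        if dom.get("ldap_uri", "").startswith("ldaps://") and dom.get("ldap_tls_reqcert", "hard") not in ("demand", "hard"):
            findings.append(f"{section}: ldap_tls_reqcert={dom['ldap_tls_reqcert']} does not verify "
                            "the server certificate; use demand")
        # (3) Every extra LDAP attribute should also be exported via ifp, or Keycloak sees empty fields.
        extra = [e.split(":")[0] for e in _csv(dom.get("ldap_user_extra_attrs", ""))]
        missing = [a for a in extra if a not in exported]
        if missing:
            findings.append(f"{section}: attributes {missing} are fetched but not exported in ifp.user_attributes")
    return findings
```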
