On Tue, Aug 20, 2019 at 01:13:09PM +0200, Ronald Wimmer via FreeIPA-users wrote:
> SSSD seems to work now and I can login to Keycloak with an IPA user.
> Unfortunately, when trying to use an AD user I get an exception:
> 
> Aug 20 13:10:46 keycloak-test.linux.mydomain.at standalone.sh[16537]: 13:10:46,967 WARN  [org.keycloak.services] (default task-52) KC-SERVICES0013: Failed authentication: org.keycloak.federation.sssd.api.SSSDException: Failed to retrieve user's attributes. Check if SSSD service is active.
> Aug 20 13:10:46 keycloak-test.linux.mydomain.at standalone.sh[16537]: at org.keycloak.federation.sssd.api.Sssd.getUser(Sssd.java:112)
> Aug 20 13:10:46 keycloak-test.linux.mydomain.at standalone.sh[16537]: at org.keycloak.federation.sssd.SSSDFederationProvider.importUserToKeycloak(SSSDFederationProvider.java:114)
> Aug 20 13:10:46 keycloak-test.linux.mydomain.at standalone.sh[16537]: at org.keycloak.federation.sssd.SSSDFederationProvider.findOrCreateAuthenticatedUser(SSSDFederationProvider.java:109)
> 
> SSSD service is active.
> 

As far as I remember, Keycloak uses the D-Bus interface of SSSD to
retrieve the user's attribute. Can you check if the ifp service is up
and running and if there are any helpful logs in the sssd_ifp.log file?
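
One way to run the checks suggested in the reply above, as an added example that is not part of the original thread. The function names are hypothetical, and the default paths /etc/sssd/sssd.conf and /var/log/sssd/sssd_ifp.log are assumptions about a standard SSSD installation.

```shell
#!/bin/sh
# Added example (not from the thread): checks for the SSSD InfoPipe (ifp)
# responder that Keycloak queries over D-Bus. Function names are hypothetical.

# Return 0 if "ifp" is listed in "services" inside the [sssd] section only.
# Caveat: where SSSD responders are socket- or D-Bus-activated, ifp can run
# without being listed, so a miss here is a hint rather than proof.
ifp_in_services() {
    awk '
        /^[[:space:]]*\[/ {
            insec = ($0 ~ /^[[:space:]]*\[sssd\][[:space:]]*$/)
            next
        }
        insec && /^[[:space:]]*services[[:space:]]*=/ {
            sub(/^[^=]*=/, "")
            n = split($0, svc, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[[:space:]]/, "", svc[i])
                if (svc[i] == "ifp") found = 1
            }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Return 0 if an sssd_ifp responder process is currently running.
ifp_running() {
    pgrep -x sssd_ifp >/dev/null 2>&1
}

# Print log lines recorded at a failure level (0x0010 fatal through
# 0x0080 minor failure); trace-level lines such as 0x4000 are skipped.
ifp_log_failures() {
    grep -E '\(0x00(10|20|40|80)\):' "$1"
}

# Run the checks only when invoked with "check" as the first argument.
if [ "${1:-}" = "check" ]; then
    conf=${2:-/etc/sssd/sssd.conf}          # assumed default path
    log=${3:-/var/log/sssd/sssd_ifp.log}    # assumed default path
    ifp_in_services "$conf" && echo "ifp listed in [sssd] services" \
        || echo "ifp NOT listed in [sssd] services"
    ifp_running && echo "sssd_ifp is running" || echo "sssd_ifp is not running"
    ifp_log_failures "$log" || echo "no failure-level lines in $log"
fi
```

Reading sssd.conf and the SSSD logs normally requires root.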