Francis Augusto Medeiros-Logeay via FreeIPA-users wrote:
> Ok, I am not sure how this works:
> 
> I created this user, called biding. I want it to be able to create users on 
> FreeIPA, mainly by binding Keycloak to it.
> 
> So I created the role: 
> [francis@freeipa]~% ipa role-show
> Role name: Keycloak biding
>   Role name: Keycloak biding
>   Member users: biding
>   Privileges: User Administrators, Group Administrators, Stage User
>               Administrators, Stage User Provisioning, Modify Users and Reset
>               passwords, Modify Group membership, Keycloak admin
> 
> Yes, too many roles, because it simply wasn’t doing it. Keycloak would fail 
> saying the user didn’t have permissions.
> 
> So what I did was to add this user to the admin group. Then it created users. 
> But not even my admin user can delete those users created that way.
> 
> Why isn’t this working? And why when giving it permissions it is creating 
> objects that simply can’t be read by my previous biding users?

You haven't described how you integrated Keycloak. Nor what the
"Keycloak admin" privilege consists of.

Note that since your IPA user biding has these permissions, have you
tried kinit and using ipa user-add directly (after removal from the admins
group)? If it fails, how does it fail? Look in
/var/log/dirsrv/slapd-REALM/access for the bind and ADD and look to see
how it failed.

rob
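
A sketch of the access-log check suggested above, added here as an example and not part of the original message: it pairs each ADD with the identity bound on the same connection and with its RESULT code. The log lines are constructed in the 389 Directory Server access-log format, and the suffix dc=example,dc=test and the entry names are placeholders.

```python
import re

# Constructed sample in 389-ds access-log format (not taken from the thread).
SAMPLE = '''\
[10/Jan/2024:09:00:01.100000000 +0000] conn=7 op=0 BIND dn="uid=biding,cn=users,cn=accounts,dc=example,dc=test" method=128 version=3
[10/Jan/2024:09:00:01.102000000 +0000] conn=7 op=0 RESULT err=0 tag=97 nentries=0 etime=0.002 dn="uid=biding,cn=users,cn=accounts,dc=example,dc=test"
[10/Jan/2024:09:00:01.200000000 +0000] conn=7 op=1 ADD dn="uid=jdoe,cn=users,cn=accounts,dc=example,dc=test"
[10/Jan/2024:09:00:01.201000000 +0000] conn=7 op=1 RESULT err=50 tag=105 nentries=0 etime=0.001
[10/Jan/2024:09:00:02.000000000 +0000] conn=8 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=example,dc=test" method=128 version=3
[10/Jan/2024:09:00:02.001000000 +0000] conn=8 op=0 RESULT err=0 tag=97 nentries=0 etime=0.001 dn="uid=admin,cn=users,cn=accounts,dc=example,dc=test"
[10/Jan/2024:09:00:02.100000000 +0000] conn=8 op=1 ADD dn="uid=asmith,cn=users,cn=accounts,dc=example,dc=test"
[10/Jan/2024:09:00:02.101000000 +0000] conn=8 op=1 RESULT err=0 tag=105 nentries=0 etime=0.001
'''

LINE = re.compile(r'conn=(\d+) op=(-?\d+) (\w+)(.*)')
DN = re.compile(r'dn="([^"]*)"')
ERR = re.compile(r'\berr=(\d+)')
# Standard LDAP result codes most relevant to a failed ADD.
CODES = {0: "success", 19: "constraintViolation", 32: "noSuchObject",
         50: "insufficientAccessRights", 65: "objectClassViolation", 68: "entryAlreadyExists"}

def add_results(log_text):
    """Return one dict per ADD: who was bound, what was added, how it ended."""
    bound, pending, out = {}, {}, []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # connection open/close lines carry no op= verb
        conn, op, verb, rest = m.groups()
        dn = DN.search(rest)
        if verb == "BIND" and dn:
            bound[conn] = dn.group(1)
        elif verb == "ADD" and dn:
            pending[(conn, op)] = dn.group(1)
        elif verb == "RESULT":
            err = int(ERR.search(rest).group(1)) if ERR.search(rest) else None
            if re.search(r'\btag=97\b', rest):       # result of a BIND
                if err != 0:
                    bound.pop(conn, None)            # failed bind: no identity
                elif dn and dn.group(1):
                    bound[conn] = dn.group(1)        # SASL binds log the DN here
            elif (conn, op) in pending:
                out.append({"bind_dn": bound.get(conn, "(anonymous/unknown)"),
                            "target": pending.pop((conn, op)), "err": err,
                            "meaning": CODES.get(err, "see LDAP result codes")})
    return out

if __name__ == "__main__":
    for r in add_results(SAMPLE):
        print(f'{r["bind_dn"]} ADD {r["target"]} -> err={r["err"]} ({r["meaning"]})')
```

An err=50 on the ADD means the bound identity lacks an ACI allowing the write, which is the case to distinguish from a failed bind or a schema error before changing role membership.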
