I'm testing with a 389 Directory Server that is set up on Fedora 38 like this:
# install the server and the cockpit management plugin
dnf -y install 389-ds-base cockpit-389-ds
# instance definition consumed by dscreate
cat > /tmp/instance.inf <<EOF
[general]
config_version = 2
[slapd]
root_password = Secret123
[backend-userroot]
sample_entries = yes
suffix = dc=ldap,dc=test
EOF
# create the instance non-interactively from the file above
dscreate from-file /tmp/instance.inf
I used Keycloak 17 with the Storage Plugin from here:
https://github.com/justin-stephenson/scim-keycloak-user-storage-spi/tree/kc17_test_user_extra_attrs_string
In Keycloak for LDAP User Object Classes, I added:
posixAccount, nsPerson, nsAccount, nsOrgPerson
When I add a user in Keycloak, I'm seeing an error from ipa-tuura and the user account does not appear to be added to LDAP. I see this in the journal:
Sep 26 22:12:06 bridge.ipa.test python3[204]: Unable to complete SCIM call.
Sep 26 22:12:06 bridge.ipa.test python3[204]: Traceback (most recent call last):
Sep 26 22:12:06 bridge.ipa.test python3[204]: File "/www/ipa-tuura/src/ipa-tuura/scim/ipa.py", line 353, in modify
Sep 26 22:12:06 bridge.ipa.test python3[204]: self._conn.modify_ext_s(dn, mod_attrs)
Sep 26 22:12:06 bridge.ipa.test python3[204]: File "/usr/lib64/python3.11/site-packages/ldap/ldapobject.py", line 400, in modify_ext_s
Sep 26 22:12:06 bridge.ipa.test python3[204]: resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
Sep 26 22:12:06 bridge.ipa.test python3[204]: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Sep 26 22:12:06 bridge.ipa.test python3[204]: File "/usr/lib64/python3.11/site-packages/ldap/ldapobject.py", line 543, in result3
Sep 26 22:12:06 bridge.ipa.test python3[204]: resp_type, resp_data, resp_msgid, decoded_resp_ctrls, retoid, retval = self.result4(
Sep 26 22:12:06 bridge.ipa.test python3[204]: ^^^^^^^^^^^^^
Sep 26 22:12:06 bridge.ipa.test python3[204]: File "/usr/lib64/python3.11/site-packages/ldap/ldapobject.py", line 553, in result4
Sep 26 22:12:06 bridge.ipa.test python3[204]: ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
Sep 26 22:12:06 bridge.ipa.test python3[204]: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Sep 26 22:12:06 bridge.ipa.test python3[204]: File "/usr/lib64/python3.11/site-packages/ldap/ldapobject.py", line 128, in _ldap_call
Sep 26 22:12:06 bridge.ipa.test python3[204]: result = func(*args,**kwargs)
Sep 26 22:12:06 bridge.ipa.test python3[204]: ^^^^^^^^^^^^^^^^^^^^
Sep 26 22:12:06 bridge.ipa.test python3[204]: ldap.NO_SUCH_OBJECT: {'msgtype': 103, 'msgid': 2, 'result': 32, 'desc': 'No such object', 'ctrls': [], 'matched': 'ou=people,dc=ldap,dc=test'}
Sep 26 22:12:06 bridge.ipa.test python3[204]: During handling of the above exception, another exception occurred:
Sep 26 22:12:06 bridge.ipa.test python3[204]: Traceback (most recent call last):
Sep 26 22:12:06 bridge.ipa.test python3[204]: File "/usr/local/lib/python3.11/site-packages/django_scim/views.py", line 112, in dispatch
Sep 26 22:12:06 bridge.ipa.test python3[204]: return super(SCIMView, self).dispatch(request, *args, **kwargs)
Sep 26 22:12:06 bridge.ipa.test python3[204]: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Sep 26 22:12:06 bridge.ipa.test python3[204]: File "/usr/local/lib/python3.11/site-packages/django/views/generic/base.py", line 143, in dispatch
Sep 26 22:12:06 bridge.ipa.test python3[204]: return handler(request, *args, **kwargs)
Sep 26 22:12:06 bridge.ipa.test python3[204]: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Sep 26 22:12:06 bridge.ipa.test python3[204]: File "/usr/local/lib/python3.11/site-packages/django_scim/views.py", line 372, in put
Sep 26 22:12:06 bridge.ipa.test python3[204]: scim_obj.save()
Sep 26 22:12:06 bridge.ipa.test python3[204]: File "/www/ipa-tuura/src/ipa-tuura/scim/adapters.py", line 133, in save
Sep 26 22:12:06 bridge.ipa.test python3[204]: ipa_if.user_mod(self)
Sep 26 22:12:06 bridge.ipa.test python3[204]: File "/www/ipa-tuura/src/ipa-tuura/scim/ipa.py", line 417, in user_mod
Sep 26 22:12:06 bridge.ipa.test python3[204]: self._apiconn.modify(scim_user)
Sep 26 22:12:06 bridge.ipa.test python3[204]: File "/www/ipa-tuura/src/ipa-tuura/scim/ipa.py", line 357, in modify
Sep 26 22:12:06 bridge.ipa.test python3[204]: raise LDAPNotFoundException(
Sep 26 22:12:06 bridge.ipa.test python3[204]: scim.ipa.LDAPNotFoundException: User testldapuser1 not found
EDIT:
I should note that on the 389 server, I enabled the DNA plugin to handle automatic UID/GID assignment when I was troubleshooting why SSSD could not see the users in LDAP. That's when I also tried adding the custom User Object Classes.
DNA plugin config:
dn: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
objectClass: nsContainer
cn: Distributed Numeric Assignment Plugin
nsslapd-pluginInitfunc: dna_init
nsslapd-pluginType: bepreoperation
nsslapd-pluginEnabled: on
nsslapd-pluginPath: libdna-plugin
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: Distributed Numeric Assignment
nsslapd-pluginVersion: 2.1.8
nsslapd-pluginVendor: 389 Project
nsslapd-pluginDescription: Distributed Numeric Assignment plugin
# UID and GID numbers, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=UID and GID numbers,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: UID and GID numbers
dnaType: uidNumber
dnaType: gidNumber
dnaMaxValue: -1
dnaMagicRegen: 0
dnaFilter: (|(objectclass=posixAccount)(objectclass=posixGroup))
dnaScope: dc=example,dc=com
dnaNextValue: 99999
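The script below is an added example, not code from ipa-tuura, django-scim or 389-ds. It does two things a practitioner would check from the report above: it reads the `matched` DN that python-ldap attaches to `ldap.NO_SUCH_OBJECT` (LDAP result 32) to pin down which component of the target DN does not exist (per RFC 4511 the server returns the deepest existing ancestor as matchedDN, so with `matched` = `ou=people,dc=ldap,dc=test` the container is there and only the entry below it is absent, consistent with a SCIM PUT being mapped to a modify rather than an add), and it evaluates the posted DNA plugin settings (`dnaScope` plus `dnaFilter`) against an entry under the instance suffix. Assumptions not stated on the page: the DN ipa-tuura modified is `uid=testldapuser1,ou=people,dc=ldap,dc=test` (the journal prints only the username and the matched DN), and the entry carries the object classes listed for Keycloak in the issue. The filter evaluator only handles the equality/`&`/`|`/`!` subset of RFC 4515, which covers the posted filter.

```python
"""Added example, not ipa-tuura, django-scim or 389-ds code: interpret the
NO_SUCH_OBJECT result from the journal and evaluate the posted DNA config."""

# Result dict copied from the journal entry in the issue.
JOURNAL_RESULT = {
    "msgtype": 103, "msgid": 2, "result": 32, "desc": "No such object",
    "ctrls": [], "matched": "ou=people,dc=ldap,dc=test",
}
# Assumption: the DN ipa-tuura tried to modify (not printed in the journal).
ASSUMED_DN = "uid=testldapuser1,ou=people,dc=ldap,dc=test"

# dnaScope / dnaFilter exactly as posted in the issue.
DNA_CONFIG = {
    "dnaScope": "dc=example,dc=com",
    "dnaFilter": "(|(objectclass=posixAccount)(objectclass=posixGroup))",
}
# Constructed entry attributes: the object classes listed in the issue.
ENTRY_ATTRS = {"objectClass": ["posixAccount", "nsPerson", "nsAccount", "nsOrgPerson"]}


def parse_dn(dn):
    """Split a DN into lower-cased RDNs, leaf first. A plain comma split is
    enough for these DNs; it does not handle escaped commas inside an RDN."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


def missing_components(requested_dn, matched_dn):
    """RDNs of requested_dn that do not exist on the server. RFC 4511: the
    matchedDN sent with noSuchObject is the deepest existing ancestor of the
    target, so every RDN to its left is missing."""
    req, matched = parse_dn(requested_dn), parse_dn(matched_dn)
    if matched and req[-len(matched):] != matched:
        raise ValueError("matched DN is not a suffix of the requested DN")
    return req[:len(req) - len(matched)]


def classify_no_such_object(result, requested_dn):
    """Verdict for a python-ldap NO_SUCH_OBJECT result dict: is only the
    target entry absent (a modify on an entry that was never added), or is
    a parent container missing as well?"""
    if result.get("result") != 32:
        raise ValueError("not a noSuchObject (32) result")
    missing = missing_components(requested_dn, result.get("matched", ""))
    return {
        "missing": missing,
        "entry_missing_only": len(missing) == 1,
        "container_missing": len(missing) > 1,
    }


def in_scope(entry_dn, scope_dn):
    """True when entry_dn lies in the subtree rooted at scope_dn."""
    e, s = parse_dn(entry_dn), parse_dn(scope_dn)
    return len(e) >= len(s) and e[-len(s):] == s


def _parse_filter(f, i):
    """Recursive-descent parser for the RFC 4515 subset used here:
    equality matches combined with &, | and !. Returns (node, next_index)."""
    if f[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if f[i] in "&|!":
        op, i, subs = f[i], i + 1, []
        while f[i] == "(":
            node, i = _parse_filter(f, i)
            subs.append(node)
        if f[i] != ")":
            raise ValueError("expected ')' at %d" % i)
        return (op, subs), i + 1
    j = f.index(")", i)
    attr, _, value = f[i:j].partition("=")
    return ("=", attr.strip().lower(), value.strip().lower()), j + 1


def match_filter(filt, attrs):
    """Evaluate a filter against a {attribute: [values]} dict. Attribute
    names and objectClass values are compared case-insensitively."""
    node, end = _parse_filter(filt, 0)
    if end != len(filt):
        raise ValueError("trailing characters in filter")
    norm = {k.lower(): {str(v).lower() for v in vals} for k, vals in attrs.items()}

    def ev(n):
        if n[0] == "=":
            return n[2] in norm.get(n[1], set())
        if n[0] == "&":
            return all(ev(s) for s in n[1])
        if n[0] == "|":
            return any(ev(s) for s in n[1])
        return not ev(n[1][0])  # "!"
    return ev(node)


def dna_applies(entry_dn, attrs, config):
    """The DNA plugin assigns values only to entries inside dnaScope that
    also match dnaFilter; both conditions must hold."""
    return in_scope(entry_dn, config["dnaScope"]) and match_filter(config["dnaFilter"], attrs)


if __name__ == "__main__":
    print(classify_no_such_object(JOURNAL_RESULT, ASSUMED_DN))
    print("DNA applies with posted scope:", dna_applies(ASSUMED_DN, ENTRY_ATTRS, DNA_CONFIG))
    print("DNA applies with scope dc=ldap,dc=test:",
          dna_applies(ASSUMED_DN, ENTRY_ATTRS, dict(DNA_CONFIG, dnaScope="dc=ldap,dc=test")))
```

Run it as-is and the first line reports `missing: ['uid=testldapuser1']` with `entry_missing_only: True`; the second line is `False` because the posted `dnaScope` (`dc=example,dc=com`) does not contain the instance suffix `dc=ldap,dc=test`, while the third line, with the scope pointed at the suffix, is `True`. Whether the object classes in the issue's Keycloak setting are what actually ends up on the entry is not visible from the journal, so treat `ENTRY_ATTRS` as the assumption it is and check the real entry with ldapsearch.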