Alejandro T

Keycloak minimal privileges to bind to LDAP

Our goal is to manage FreeIPA users' passwords from Keycloak. This works when we use the admin user from FreeIPA to bind from Keycloak, e.g. in Keycloak > User Federation > LDAP > Bind DN: uid=admin,cn=users,cn=accounts,dc=example,dc=com

When using a non-privileged user with only the permissions to manage passwords, we can synchronize the users, but listing the users from Keycloak returns an error: 'an unexpected server error has occurred'.

If we add the non-privileged user to the admin group in LDAP, it also works.

These are the commands that we used to add the permission to manage passwords:

ipa role-add "Self Password Reset"
ipa role-add-member "Self Password Reset" --users="ldap-passwd-reset"
ipa role-add-privilege "Self Password Reset" --privileges="Modify Users and Reset passwords"
ipa role-add-privilege "Self Password Reset" --privileges="Password Policy Readers"
ipa role-add-privilege "Self Password Reset" --privileges="Kerberos Ticket Policy Readers"
ipa permission-mod "System: Change User password" --includedattrs="krbloginfailedcount"

My question is: what are the minimum privileges that a user needs to be able to manage LDAP passwords from Keycloak without being a member of the admin groups?

Answers (0)