Hey Flo,

First of all, thanks for your answer. Unfortunately, trying ldapsearch for
the user created from Keycloak doesn't return any result at all. Trying
from the command line *id user.user* doesn't return a result either. Do you
have any suggestions on how I can achieve the desired result? I suppose it
should be something related to the connection, but I really don't know what
I could do in order to have a proper flow for creating the user from within
Keycloak.

Again thanks in advance ;)


On Wed, Aug 10, 2022 at 11:21 AM Florence Blanc-Renaud <[email protected]>
wrote:

> Hi,
>
> On Tue, Aug 9, 2022 at 6:51 PM Yavor Marinov via FreeIPA-users <
> [email protected]> wrote:
>
>> Hello all,
>>
>> I have an issue configuring both systems Keycloak and FreeIPA to work
>> with User Federation. Configuration on Keycloak side for the ldap (FreeIPA
>> server) is as follows:
>>
>>    - LDAPs configuration
>>    - Keytab from FreeIPA generated with admin user
>>
>> The below screenshot is from the Keycloak User Federation:
>>
>> Importing users works flawlessly, but the problem comes when I try to
>> create a user in Keycloak and expect it to be created on the FreeIPA side -
>> WRITABLE is on, and the Keycloak machine is enrolled into FreeIPA as a client
>> (both OSes are Alma). There is no error, and Keycloak indicates that a new
>> user is created.
>>
>> However, in FreeIPA's web interface the user is missing, and the most
>> frustrating thing is that if I try to create the very same username, FreeIPA
>> returns that it can't add the user because it already *exists*. I guess
>> the issue would be somewhere either in Username/RDN LDAP attribute or UUID
>> or even Custom User LDAP filter, but I'm a bit lost.
>>
>
> IPA webui is showing IPA users, and it considers that an LDAP entry is an
> IPA user if it has the posixaccount objectclass. I guess you are able to
> find the users using ldapsearch but they don't contain this objectclass and
> that explains why they are not displayed in IPA Web UI.
>
> flo
>
>>
>> In case someone wants to help, here is what I've tried to play with:
>>
>>    - Setting the UUID LDAP attribute to ipaUniqueID, but using it returns 0
>>    users when trying to sync, and creating a user from Keycloak returns an error
>>    - Setting a custom LDAP filter to match a group from the LDAP - no
>>    binding with the admin user could be achieved, thus no user could be synced
>>
>>
>> Any help on this will be much appreciated :")
>>
>> Thank you in advance
>> _______________________________________________
>> FreeIPA-users mailing list -- [email protected]
>> To unsubscribe send an email to
>> [email protected]
>> Fedora Code of Conduct:
>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
>> https://lists.fedorahosted.org/archives/list/[email protected]
>> Do not reply to spam, report it:
>> https://pagure.io/fedora-infrastructure/new_issue
>>
>
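As an added example (not code from either poster), here is the check Flo's reply suggests: export the IPA user container with ldapsearch and list every entry that has no posixAccount objectClass, which is exactly the kind of entry that clashes on re-add yet never appears in the IPA Web UI. The base DN and the sample LDIF are constructed placeholders.

```shell
# Added example: find user entries that lack the posixAccount objectClass.
# The IPA Web UI only lists entries carrying that objectClass, so an entry
# written by Keycloak without it "exists" in LDAP but stays invisible.
# BASE_DN is an assumed placeholder; replace it with the real IPA suffix.
BASE_DN="cn=users,cn=accounts,dc=example,dc=test"

# Export dn + objectClass for every uid under the user container as LDIF.
# Needs a Kerberos ticket (kinit) on the enrolled client; uses ldap.conf URI.
dump_users() {
  ldapsearch -LLL -Y GSSAPI -b "$BASE_DN" "(uid=*)" dn objectClass
}

# Read LDIF on stdin and print the DN of each entry with no posixAccount.
# Folded continuation lines (leading space) are joined; base64 ("dn::")
# values are not decoded.
find_non_posix() {
  awk '
    BEGIN { RS = ""; FS = "\n" }        # blank line separates entries
    {
      dn = ""; posix = 0
      for (i = 1; i <= NF; i++) {
        line = $i
        while (i < NF && substr($(i + 1), 1, 1) == " ") {
          i++; line = line substr($i, 2)   # unfold LDIF continuation
        }
        if (line ~ /^dn: /) dn = substr(line, 5)
        if (tolower(line) == "objectclass: posixaccount") posix = 1
      }
      if (dn != "" && !posix) print dn
    }'
}

# Constructed sample: alice is a full IPA user, bob was written without
# posixAccount (the shape Flo describes).
SAMPLE_LDIF='dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: posixAccount
uid: alice

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
objectClass: top
objectClass: person
objectClass: inetOrgPerson
uid: bob
'

# Offline run over the sample; against a live server use: dump_users | find_non_posix
check_sample() { printf '%s' "$SAMPLE_LDIF" | find_non_posix; }
```

Any DN printed is an entry the Web UI will hide; the fix on the Keycloak side is to make the federation write the posixAccount objectClass (and its required attributes) when creating users.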