Hello again Florence,

You were right, once the user is created in Keycloak it appears in the LDAP
tree, but it's missing a lot of objectclasses. Which attributes should I
map into the connection in order to have a proper creation of users?
I've tried adding *posixaccount* to the user object classes, but creating
a new user produces an error that the *homeDirectory* attribute is missing.

On Wed, Aug 10, 2022 at 3:12 PM Yavor Marinov <[email protected]> wrote:

> Hey Flo,
>
> First of all, thanks for your answer. Unfortunately, trying ldapsearch for
> the user created from Keycloak doesn't return any result at all. Trying
> *id user.user* from the command line doesn't return a result either. Do
> you have any suggestions on how I can achieve the desired result? I suppose
> it should be something related to the connection, but I really don't know
> what I could do in order to have a proper flow for creating the user from
> within Keycloak.
>
> Again thanks in advance ;)
>
>
> On Wed, Aug 10, 2022 at 11:21 AM Florence Blanc-Renaud <[email protected]>
> wrote:
>
>> Hi,
>>
>> On Tue, Aug 9, 2022 at 6:51 PM Yavor Marinov via FreeIPA-users <
>> [email protected]> wrote:
>>
>>> Hello all,
>>>
>>> I have an issue configuring both systems, Keycloak and FreeIPA, to work
>>> with User Federation. The configuration on the Keycloak side for the LDAP
>>> (FreeIPA server) is as follows:
>>>
>>>    - LDAPs configuration
>>>    - Keytab from FreeIPA generated with admin user
>>>
>>> The below screenshot is from the Keycloak User Federation:
>>> [image: image.png]
>>>
>>> [image: image.png]
>>>
>>> Importing users works flawlessly, but the problem comes when I try to
>>> create a user in Keycloak and expect it to be created on the FreeIPA side -
>>> WRITABLE is on, and the Keycloak machine is enrolled into FreeIPA as a client
>>> (both OSes are Alma). There is no error, and Keycloak indicates that a new
>>> user is created.
>>>
>>> However, in FreeIPA's web interface the user is missing, and the most
>>> frustrating thing is that if I try to create the very same username, FreeIPA
>>> returns that it can't add the user because it already *exists*. I
>>> guess the issue would be somewhere in either the Username/RDN LDAP attribute,
>>> the UUID or even the Custom User LDAP filter, but I'm a bit lost.
>>>
>>
>> IPA webui is showing IPA users, and it considers that an LDAP entry is an
>> IPA user if it has the posixaccount objectclass. I guess you are able to
>> find the users using ldapsearch but they don't contain this objectclass and
>> that explains why they are not displayed in IPA Web UI.
>>
>> flo
>>
>>>
>>> In case someone wants to help here what i've tried to play with:
>>>
>>>    - Setting the UUID LDAP attribute to ipaUniqueID, but using it returns
>>>    0 users when trying to sync, and creating a user from Keycloak returns an error
>>>    - Setting a custom LDAP filter to match a group from the LDAP - no
>>>    binding with the admin user could be achieved, thus no user could be synced
>>>
>>>
>>> Any help on this will be much appreciated :")
>>>
>>> Thank you in advance
>>>
>>
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
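An added example, not code from the thread, from Keycloak or from FreeIPA: a small local checker for the two symptoms discussed above. Florence's point is that the IPA Web UI only treats an LDAP entry as a user when it carries the posixaccount objectclass; the follow-up shows the flip side, that adding posixaccount to the Keycloak user object classes fails unless every mandatory posixAccount attribute (homeDirectory among them) is written too. The script parses one entry as `ldapsearch -LLL` prints it and reports the posixAccount MUST attributes from RFC 2307 that are absent. The two sample entries, their DNs and all values are constructed for the example.

```python
"""Local check for the two symptoms in the thread above: an LDAP entry that
exists but lacks the posixaccount objectclass (so the IPA Web UI ignores it),
and one that carries posixaccount but is missing a mandatory attribute such as
homeDirectory (so the directory rejects it).  Added example; not Keycloak or
FreeIPA code.  Sample entries below are constructed."""
from __future__ import annotations

import base64

# MUST attributes of the posixAccount object class as defined in RFC 2307.
POSIX_ACCOUNT_MUST = ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory")

# Constructed sample: a user written with only the generic inetOrgPerson
# classes.  DN and values are made up for the example.
SAMPLE_NO_POSIX = """
dn: uid=jdoe,cn=users,cn=accounts,dc=example,dc=test
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: jdoe
cn: John Doe
sn: Doe
givenName: John
mail: jdoe@example.test
description: Created through user federation (constructed sample ent
 ry that also exercises LDIF line continuation)
"""

# Constructed sample: posixAccount added, but no homeDirectory mapped.
SAMPLE_POSIX_NO_HOME = """
dn: uid=asmith,cn=users,cn=accounts,dc=example,dc=test
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
uid: asmith
cn: Alice Smith
sn: Smith
uidNumber: 1000001
gidNumber: 1000001
"""


def parse_ldif_entry(ldif: str) -> dict[str, list[str]]:
    """Parse one LDIF entry (as printed by ``ldapsearch -LLL``) into a dict of
    lower-cased attribute name -> list of values.  A line starting with a
    single space continues the previous value; ``attr:: <b64>`` values are
    decoded; ``attr:< <url>`` values are kept as the literal text, not fetched.
    """
    logical: list[str] = []
    for raw in ldif.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]  # LDIF continuation line
        else:
            logical.append(raw)

    entry: dict[str, list[str]] = {}
    for line in logical:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not an attribute line
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry.setdefault(name.strip().lower(), []).append(value)
    return entry


def check_posix_account(entry: dict[str, list[str]]) -> dict:
    """Report whether the entry carries posixaccount and which of its MUST
    attributes are absent.  ``schema_ok`` is False exactly when the entry
    claims posixaccount without all mandatory attributes, which a
    schema-checking directory server (389 DS under FreeIPA) refuses to store."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    has_posix = "posixaccount" in classes
    missing = [a for a in POSIX_ACCOUNT_MUST if a.lower() not in entry]
    return {
        "dn": entry.get("dn", [""])[0],
        "has_posixaccount": has_posix,
        "missing_must": missing,
        "schema_ok": not has_posix or not missing,
    }


if __name__ == "__main__":
    for sample in (SAMPLE_NO_POSIX, SAMPLE_POSIX_NO_HOME):
        print(check_posix_account(parse_ldif_entry(sample)))
```

Against a live server, feed the output of `ldapsearch -LLL -b "cn=users,cn=accounts,<base DN>" uid=<name>` to `parse_ldif_entry`. The first sample loads fine into LDAP but is invisible to the IPA Web UI (no posixaccount); the second is what the directory rejects when posixaccount is added without a homeDirectory value, so the federation has to supply uidNumber, gidNumber and homeDirectory for every user it writes.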