Hi, On Thu, Aug 11, 2022 at 8:06 AM Yavor Marinov <[email protected]> wrote:
> Hello again Florence,
>
> You were right, once the user is created in Keycloak it appears in the
> LDAP tree, but it's missing a lot of objectclasses. Which attributes should
> I map into connection in order to have a proper creation of users?
> I've tried adding the *posixaccount* into user object classes but
> creating a new user produces an error that *homeDirectory* attribute is
> missing.
>
The LDAP schema defines a set of mandatory attributes for the posixaccount
objectclass (the list following the MUST keyword):

# ldapsearch -x -b cn=schema -s base -LLL -o ldif-wrap=no objectclasses | grep -i posixaccount
objectclasses: ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' DESC 'Abstraction of an account with POSIX attributes' SUP top AUXILIARY *MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory )* MAY ( userPassword $ loginShell $ gecos $ description ) )

This means that if you want to add the posixaccount objectclass, you also
need to add the attributes. Keycloak allows you to configure LDAP mappers
<https://www.keycloak.org/docs/latest/server_admin/#_ldap_mappers>, I
believe it's the functionality you should try to explore.

flo

> On Wed, Aug 10, 2022 at 3:12 PM Yavor Marinov <[email protected]> wrote:
>
>> Hey Flo,
>>
>> First of all, thanks for your answer. Unfortunately trying ldapsearch for
>> the created user from Keycloak doesn't return any result at all. Trying
>> from the command line *id user.user* doesn't return a result either. Do
>> you have any suggestions on how I can achieve the desired result? I suppose
>> it should be something related to the connection, but I really don't know
>> what I could do in order to have a proper flow for creating the user from
>> within Keycloak.
>>
>> Again thanks in advance ;)
>>
>>
>> On Wed, Aug 10, 2022 at 11:21 AM Florence Blanc-Renaud <[email protected]>
>> wrote:
>>
>>> Hi,
>>>
>>> On Tue, Aug 9, 2022 at 6:51 PM Yavor Marinov via FreeIPA-users <
>>> [email protected]> wrote:
>>>
>>>> Hello all,
>>>>
>>>> I have an issue configuring both systems Keycloak and FreeIPA to work
>>>> with User Federation. Configuration on Keycloak side for the ldap (FreeIPA
>>>> server) is as follows:
>>>>
>>>> - LDAPs configuration
>>>> - Keytab from FreeIPA generated with admin user
>>>>
>>>> The below screenshot is from the Keycloak User Federation:
>>>> [image: image.png]
>>>>
>>>> [image: image.png]
>>>>
>>>> Importing users works flawlessly but the problem comes when I try to
>>>> create a user in Keycloak and expect it to be created on FreeIPA side -
>>>> WRITABLE is on, and the keycloak machine is enrolled into FreeIPA as a client
>>>> (both OSes are Alma). There is no error, and Keycloak indicates that a new
>>>> user is created.
>>>>
>>>> However, in FreeIPA's web interface the user is missing and the most
>>>> frustrating thing is if I try to create the very same username, FreeIPA
>>>> returns that it can't add the user, because it already *exists*. I
>>>> guess the issue would be somewhere either in Username/RDN LDAP attribute or
>>>> UUID or even Custom User LDAP filter, but I'm lost a bit.
>>>>
>>>
>>> IPA webui is showing IPA users, and it considers that an LDAP entry is
>>> an IPA user if it has the posixaccount objectclass. I guess you are able to
>>> find the users using ldapsearch but they don't contain this objectclass and
>>> that explains why they are not displayed in IPA Web UI.
>>>
>>> flo
>>>
>>>>
>>>> In case someone wants to help, here is what I've tried to play with:
>>>>
>>>> - Setting UUID LDAP attribute to ipaUniqueID, but using it returns
>>>> 0 users when trying to sync, and creating a user from Keycloak returns
>>>> an error
>>>> - Setting a custom LDAP filter to match a group from the LDAP - no
>>>> binding with admin user could be achieved, thus no user could be synced
>>>>
>>>>
>>>> Any help on this will be much appreciated :")
>>>>
>>>> Thank you in advance
>>>> _______________________________________________
>>>> FreeIPA-users mailing list -- [email protected]
>>>> To unsubscribe send an email to
>>>> [email protected]
>>>> Fedora Code of Conduct:
>>>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>> List Archives:
>>>> https://lists.fedorahosted.org/archives/list/[email protected]
>>>> Do not reply to spam, report it:
>>>> https://pagure.io/fedora-infrastructure/new_issue
>>>>
>>>
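An added example, not code from this thread or from FreeIPA or Keycloak: it parses the objectClasses value quoted above (RFC 4512 syntax; only the single-quoted NAME form is handled) and reports which MUST attributes a would-be entry still lacks, which is the kind of schema check behind the homeDirectory error. The schema excerpt, the `SCHEMA` dict and the sample entry are constructed for the example.

```python
import re

# Constructed sample: the posixAccount definition as returned by the
# ldapsearch in the thread (the emphasis asterisks removed).
POSIX_ACCOUNT_DEF = (
    "( 1.3.6.1.1.1.2.0 NAME 'posixAccount' "
    "DESC 'Abstraction of an account with POSIX attributes' "
    "SUP top AUXILIARY "
    "MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory ) "
    "MAY ( userPassword $ loginShell $ gecos $ description ) )"
)

def _attr_list(definition, keyword):
    """Attribute names after MUST or MAY: a single name or a '$'-separated
    list in parentheses (RFC 4512 'oids' production)."""
    m = re.search(r"\b%s\s+(\(([^)]*)\)|([\w-]+))" % keyword, definition)
    if not m:
        return []
    body = m.group(2) if m.group(2) is not None else m.group(3)
    return [a.strip() for a in body.split("$") if a.strip()]

def parse_objectclass(definition):
    """Parse one objectClasses schema value into name, MUST and MAY lists."""
    name = re.search(r"\bNAME\s+'([^']+)'", definition).group(1)
    return {"name": name,
            "must": _attr_list(definition, "MUST"),
            "may": _attr_list(definition, "MAY")}

# Constructed schema lookup keyed by lower-cased class name
# (LDAP names are case-insensitive, hence posixaccount == posixAccount).
SCHEMA = {oc["name"].lower(): oc
          for oc in map(parse_objectclass, [POSIX_ACCOUNT_DEF])}

def missing_required(entry, objectclass):
    """MUST attributes absent or empty in entry, compared case-insensitively."""
    present = {k.lower() for k, v in entry.items() if v not in (None, "", [])}
    return [a for a in objectclass["must"] if a.lower() not in present]

def check_entry(entry, schema=SCHEMA):
    """Map each objectClass the entry claims to the MUST attributes it lacks;
    classes outside the schema excerpt are skipped."""
    result = {}
    for oc_name in entry.get("objectClass", []):
        oc = schema.get(oc_name.lower())
        if oc is not None and missing_required(entry, oc):
            result[oc["name"]] = missing_required(entry, oc)
    return result
```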
