[Freeipa-users] Re: Use IPA AD users in keycloak

2019-08-29 Thread Ronald Wimmer via FreeIPA-users
On 29.08.19 08:59, Jakub Hrozek via FreeIPA-users wrote: [...] Apparently they are not defined on the server side. btw is ronald.wim...@mydomain.at a user in the trusted domain or the IPA domain? The user comes from a trusted domain where all four attributes exist and have values. When

[Freeipa-users] Re: Use IPA AD users in keycloak

2019-08-29 Thread Jakub Hrozek via FreeIPA-users
On Wed, Aug 28, 2019 at 12:29:14PM +0200, Ronald Wimmer via FreeIPA-users wrote: > On 28.08.19 08:39, Jakub Hrozek via FreeIPA-users wrote: > > [...] > > OK, this is what I would have expected. Is it possible to enable > > debugging and run the KC operation to see exactly what is being looked > >

[Freeipa-users] Re: Use IPA AD users in keycloak

2019-08-28 Thread Ronald Wimmer via FreeIPA-users
On 28.08.19 08:39, Jakub Hrozek via FreeIPA-users wrote: [...] OK, this is what I would have expected. Is it possible to enable debugging and run the KC operation to see exactly what is being looked up and what fails? (Tue Aug 20 14:09:37 2019) [sssd[ifp]] [ifp_add_ldb_el_to_dict] (0x0400):

[Freeipa-users] Re: Use IPA AD users in keycloak

2019-08-28 Thread Jakub Hrozek via FreeIPA-users
On Mon, Aug 26, 2019 at 02:17:29PM +0200, Ronald Wimmer via FreeIPA-users wrote: > On 26.08.19 09:26, Jakub Hrozek via FreeIPA-users wrote: > > [...] > > Sorry, it's not totally clear to me if all the attributes were mapped to > > mail by the KC installer or by your snippet? > > The original

[Freeipa-users] Re: Use IPA AD users in keycloak

2019-08-26 Thread Ronald Wimmer via FreeIPA-users
On 26.08.19 09:26, Jakub Hrozek via FreeIPA-users wrote: [...] Sorry, it's not totally clear to me if all the attributes were mapped to mail by the KC installer or by your snippet? The original config looked like it should after executing keycloak's federation-sssd-setup.sh: [domain

[Freeipa-users] Re: Use IPA AD users in keycloak

2019-08-26 Thread Jakub Hrozek via FreeIPA-users
On Mon, Aug 26, 2019 at 09:19:36AM +0200, Ronald Wimmer via FreeIPA-users wrote: > On 23.08.19 20:18, Jakub Hrozek via FreeIPA-users wrote: > > [...] > > Wait, do they really map all these attributes to mail? This seems wrong, > > the format is externalname:ldapname and IIRC the last one wins, so

[Freeipa-users] Re: Use IPA AD users in keycloak

2019-08-26 Thread Ronald Wimmer via FreeIPA-users
On 23.08.19 20:18, Jakub Hrozek via FreeIPA-users wrote: [...] Wait, do they really map all these attributes to mail? This seems wrong, the format is externalname:ldapname and IIRC the last one wins, so the last one is applied and stores mail as telephoneNumber. Sorry. I pasted a config

[Freeipa-users] Re: Use IPA AD users in keycloak

2019-08-23 Thread Jakub Hrozek via FreeIPA-users
On Fri, Aug 23, 2019 at 05:48:18PM +0200, Ronald Wimmer via FreeIPA-users wrote: > On 23.08.19 15:53, Jakub Hrozek via FreeIPA-users wrote: > > [...] > > Hmm, I don't remember from the top of my head which attributes KC > > tries to fetch, but e-mail sounds like what it would need, at least

[Freeipa-users] Re: Use IPA AD users in keycloak

2019-08-23 Thread Alexander Bokovoy via FreeIPA-users
On Fri, 23 Aug 2019, Ronald Wimmer wrote: On 23.08.19 18:03, Alexander Bokovoy wrote: [...] Is this Keycloak installation done separate from IPA master? If yes, then you need to have ldap_user_extra_attrs on both the IPA client where Keycloak runs and on the IPA masters that SSSD would talk to to

[Freeipa-users] Re: Use IPA AD users in keycloak

2019-08-23 Thread Ronald Wimmer via FreeIPA-users
On 23.08.19 18:03, Alexander Bokovoy wrote: [...] Is this Keycloak installation done separate from IPA master? If yes, then you need to have ldap_user_extra_attrs on both the IPA client where Keycloak runs and on the IPA masters that SSSD would talk to to obtain information about AD users. Keycloak

[Freeipa-users] Re: Use IPA AD users in keycloak

2019-08-23 Thread Alexander Bokovoy via FreeIPA-users
On Fri, 23 Aug 2019, Ronald Wimmer via FreeIPA-users wrote: On 23.08.19 15:53, Jakub Hrozek via FreeIPA-users wrote: [...] Hmm, I don't remember from the top of my head which attributes KC tries to fetch, but e-mail sounds like what it would need, at least that's what's most commonly used for

[Freeipa-users] Re: Use IPA AD users in keycloak

2019-08-23 Thread Ronald Wimmer via FreeIPA-users
On 23.08.19 15:53, Jakub Hrozek via FreeIPA-users wrote: [...] Hmm, I don't remember from the top of my head which attributes KC tries to fetch, but e-mail sounds like what it would need, at least that's what's most commonly used for claims and such. If you correlate the KC lookup errors

[Freeipa-users] Re: Use IPA AD users in keycloak

2019-08-23 Thread Jakub Hrozek via FreeIPA-users
On Fri, Aug 23, 2019 at 01:07:23PM +0200, Ronald Wimmer via FreeIPA-users wrote: > On 22.08.19 15:57, Jakub Hrozek via FreeIPA-users wrote: > > [...] > > As far as I remember, Keycloak uses the D-Bus interface of SSSD to > > retrieve the user's attribute. Can you check if the ifp service is up > >

[Freeipa-users] Re: Use IPA AD users in keycloak

2019-08-23 Thread Ronald Wimmer via FreeIPA-users
On 22.08.19 15:57, Jakub Hrozek via FreeIPA-users wrote: [...] As far as I remember, Keycloak uses the D-Bus interface of SSSD to retrieve the user's attribute. Can you check if the ifp service is up and running and if there are any helpful logs in the sssd_ifp.log file? I do not get AD

[Freeipa-users] Re: Use IPA AD users in keycloak

2019-08-22 Thread Jakub Hrozek via FreeIPA-users
On Tue, Aug 20, 2019 at 01:13:09PM +0200, Ronald Wimmer via FreeIPA-users wrote: > SSSD seems to work now and I can log in to Keycloak with an IPA user. > Unfortunately, when trying to use an AD user I get an exception: > > Aug 20 13:10:46 keycloak-test.linux.mydomain.at standalone.sh[16537]: >

[Freeipa-users] Re: Use IPA AD users in keycloak

2019-08-20 Thread Ronald Wimmer via FreeIPA-users
SSSD seems to work now and I can log in to Keycloak with an IPA user. Unfortunately, when trying to use an AD user I get an exception: Aug 20 13:10:46 keycloak-test.linux.mydomain.at standalone.sh[16537]: 13:10:46,967 WARN  [org.keycloak.services] (default task-52) KC-SERVICES0013: Failed

[Freeipa-users] Re: Use IPA AD users in keycloak

2019-08-20 Thread Ronald Wimmer via FreeIPA-users
SSSD might be the right way to go. I followed this guide https://github.com/keycloak/keycloak-documentation/blob/master/server_admin/topics/user-federation/sssd.adoc but I am not sure what the output of "sssctl user-checks admin -s keycloak" should be. sssctl user-checks admin -s keycloak