Hi,On Tue, Aug 9, 2022 at 6:51 PM Yavor Marinov via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:Hello all,I have an issue configuring both systems Keycloak and FreeIPA to work with User Federation. Configuration on Keycloak side for the ldap (FreeIPA server) is as follows:
- LDAPs configuration
- Keytab from FreeIPA generated with admin user
The below screenshot is from the Keycloak User Federation:Importing users works flawlessly but the problems comes when I try to create user in Keycloak and expect it to be created on FreeIPA side - WRITABLE is on, and keycloak machine is enrolled into FreeIPA as a client (both OSes are Alma). There is no error, and Keycloak indicates that a new user is created.However, in FreeIPA's web interface the user is missing and the most frustrating thing is if i try to create the very same username, FreeIPA returns that it can't add the user, because it already exists. I guess the issue would be somewhere either in Username/RDN LDAP attribute or UUID or even Custom User LDAP filter, but i'm lost a bit.IPA webui is showing IPA users, and it considers that an LDAP entry is an IPA user if it has the posixaccount objectclass. I guess you are able to find the users using ldapsearch but they don't contain this objectclass and that explains why they are not displayed in IPA Web UI.flo_______________________________________________In case someone wants to help here what i've tried to play with:
- Setting UUID Ldap attribute to ipaUniqueID, but using it, returns 0 user when trying to sync, and creating user from Keycloak returns error
- Setting custom ldap filter to match a group from the LDAP - no binding with admin user could be achieved, thus no user could be synced
Anyhelp on this will be much appreciated :")Thank you in advance
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue