Hi,
On Thu, Aug 11, 2022 at 8:06 AM Yavor Marinov <ymarinov(a)gmail.com> wrote:
> Hello again Florence,
> You were right, once the user is created in Keycloak it appears in the
> LDAP tree, but it's missing a lot of objectclasses. Which attributes should
> I map into connection in order to have a proper creation of users?
> I've tried adding the *posixaccount* into user object classes but
> creating a new user produces an error that *homeDirectory* attribute is
> missing.
The LDAP schema defines a set of mandatory attributes for the posixaccount
objectclass (the list following the MUST keyword):
# ldapsearch -x -b cn=schema -s base -LLL -o ldif-wrap=no objectclasses | grep -i posixaccount
objectclasses: ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' DESC 'Abstraction of an account with POSIX attributes' SUP top AUXILIARY *MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory )* MAY ( userPassword $ loginShell $ gecos $ description ) )
This means that if you want to add the posixaccount objectclass, you also
need to add the attributes. Keycloak allows you to configure LDAP mappers
<https://www.keycloak.org/docs/latest/server_admin/#_ldap_mappers>, I
believe it's the functionality you should try to explore.
flo
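As an added illustration (not part of the thread), the small Python check below parses the MUST and MAY lists out of the posixAccount definition quoted above and reports which mandatory attributes a candidate entry lacks, which is exactly the homeDirectory error described earlier. The sample entry, its uidNumber/gidNumber values and the IPA-user test on the objectClass list are constructed for the example.

```python
import re

# Constructed copy of the objectClass definition quoted in the thread (the
# ldapsearch output, unwrapped onto one line).
POSIXACCOUNT_SCHEMA = (
    "( 1.3.6.1.1.1.2.0 NAME 'posixAccount' DESC 'Abstraction of an account with "
    "POSIX attributes' SUP top AUXILIARY MUST ( cn $ uid $ uidNumber $ gidNumber $ "
    "homeDirectory ) MAY ( userPassword $ loginShell $ gecos $ description ) )"
)

# Constructed example of what a Keycloak-created entry might look like when the
# posixaccount objectclass is mapped but no mapper supplies homeDirectory.
KEYCLOAK_ENTRY = {
    "objectClass": ["top", "inetOrgPerson", "posixAccount"],
    "cn": ["user.user"],
    "uid": ["user.user"],
    "uidNumber": ["10001"],   # constructed value
    "gidNumber": ["10001"],   # constructed value
}


def parse_attr_list(definition, keyword):
    """Return the attribute names following MUST or MAY in an RFC 4512-style
    objectClass definition. Accepts '( a $ b )' as well as a single bare name."""
    m = re.search(r"\b%s\s+(?:\(\s*([^)]*?)\s*\)|(\S+))" % keyword, definition)
    if not m:
        return []
    names = m.group(1) if m.group(1) is not None else m.group(2)
    return [n.strip() for n in names.split("$") if n.strip()]


def missing_must_attrs(entry, definition=POSIXACCOUNT_SCHEMA):
    """List MUST attributes the entry lacks. LDAP attribute names are
    case-insensitive, so compare lower-cased names; empty value lists count as absent."""
    present = {k.lower() for k, v in entry.items() if v}
    return [a for a in parse_attr_list(definition, "MUST") if a.lower() not in present]


def is_ipa_user(entry):
    """Mirror the rule stated in the thread: IPA shows an entry as a user only if
    it carries the posixaccount objectclass (case-insensitive match)."""
    return any(oc.lower() == "posixaccount" for oc in entry.get("objectClass", []))


if __name__ == "__main__":
    print("MUST:", parse_attr_list(POSIXACCOUNT_SCHEMA, "MUST"))
    print("MAY: ", parse_attr_list(POSIXACCOUNT_SCHEMA, "MAY"))
    print("missing:", missing_must_attrs(KEYCLOAK_ENTRY))
    print("IPA user:", is_ipa_user(KEYCLOAK_ENTRY))
```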
On Wed, Aug 10, 2022 at 3:12 PM Yavor Marinov
<ymarinov(a)gmail.com> wrote:
> Hey Flo,
>
> First of all, thanks for your answer. Unfortunately trying ldapsearch for
> the created user from Keycloak doesn't return any result at all. Trying
> from the command line *id user.user* doesn't return a result either. Do
> you have any suggestions on how I can achieve the desired result? I suppose
> it should be something related to the connection, but I really don't know
> what I could do in order to have a proper flow for creating the user from
> within Keycloak.
>
> Again thanks in advance ;)
>
>
> On Wed, Aug 10, 2022 at 11:21 AM Florence Blanc-Renaud <flo(a)redhat.com>
> wrote:
>
>> Hi,
>>
>> On Tue, Aug 9, 2022 at 6:51 PM Yavor Marinov via FreeIPA-users <
>> freeipa-users(a)lists.fedorahosted.org> wrote:
>>
>>> Hello all,
>>>
>>> I have an issue configuring both systems Keycloak and FreeIPA to work
>>> with User Federation. Configuration on Keycloak side for the ldap (FreeIPA
>>> server) is as follows:
>>>
>>> - LDAPs configuration
>>> - Keytab from FreeIPA generated with admin user
>>>
>>> The below screenshot is from the Keycloak User Federation:
>>> [image: image.png]
>>>
>>> [image: image.png]
>>>
>>> Importing users works flawlessly but the problem comes when I try to
>>> create a user in Keycloak and expect it to be created on FreeIPA side -
>>> WRITABLE is on, and the Keycloak machine is enrolled into FreeIPA as a client
>>> (both OSes are Alma). There is no error, and Keycloak indicates that a new
>>> user is created.
>>>
>>> However, in FreeIPA's web interface the user is missing and the most
>>> frustrating thing is if I try to create the very same username, FreeIPA
>>> returns that it can't add the user, because it already *exists*. I
>>> guess the issue would be somewhere either in Username/RDN LDAP attribute or
>>> UUID or even Custom User LDAP filter, but I'm lost a bit.
>>>
>>
>> IPA webui is showing IPA users, and it considers that an LDAP entry is
>> an IPA user if it has the posixaccount objectclass. I guess you are able to
>> find the users using ldapsearch but they don't contain this objectclass and
>> that explains why they are not displayed in IPA Web UI.
>>
>> flo
>>
>>>
>>> In case someone wants to help here what i've tried to play with:
>>>
>>> - Setting UUID LDAP attribute to ipaUniqueID, but using it, returns
>>> 0 users when trying to sync, and creating a user from Keycloak returns an error
>>> - Setting custom ldap filter to match a group from the LDAP - no
>>> binding with admin user could be achieved, thus no user could be synced
>>>
>>>
>>> Any help on this will be much appreciated :")
>>>
>>> Thank you in advance