Hello again Florence,

You were right, once the user is created in Keycloak it appears in the LDAP tree, but it's missing a lot of objectclasses. Which attributes should I map into connection in order to have a proper creation of users?

I've tried adding the posixaccount into user object classes but creating a new user produces an error that homeDirectory attribute is missing.

On Wed, Aug 10, 2022 at 3:12 PM Yavor Marinov <ymarinov@gmail.com> wrote:

Hey Flo,

First of all, thanks for your answer. Unfortunately trying ldapsearch for the created user from Keycloak doesn't return any result at all. Trying from the command line id user.user doesn't return a result either. Do you have any suggestions on how I can achieve the desired result? I suppose it should be something related to the connection, but i really don't know what i could do in order to have a proper flow for creating the user from within Keycloak.

Again thanks in advance ;)

On Wed, Aug 10, 2022 at 11:21 AM Florence Blanc-Renaud <flo@redhat.com> wrote:

Hi,

On Tue, Aug 9, 2022 at 6:51 PM Yavor Marinov via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

Hello all,

I have an issue configuring both systems Keycloak and FreeIPA to work with User Federation. Configuration on Keycloak side for the ldap (FreeIPA server) is as follows:

• LDAPs configuration
• Keytab from FreeIPA generated with admin user

The below screenshot is from the Keycloak User Federation:

Importing users works flawlessly but the problems comes when I try to create user in Keycloak and expect it to be created on FreeIPA side - WRITABLE is on, and keycloak machine is enrolled into FreeIPA as a client (both OSes are Alma). There is no error, and Keycloak indicates that a new user is created.

However, in FreeIPA's web interface the user is missing and the most frustrating thing is if i try to create the very same username, FreeIPA returns that it can't add the user, because it already exists. I guess the issue would be somewhere either in Username/RDN LDAP attribute or UUID or even Custom User LDAP filter, but i'm lost a bit.

IPA webui is showing IPA users, and it considers that an LDAP entry is an IPA user if it has the posixaccount objectclass. I guess you are able to find the users using ldapsearch but they don't contain this objectclass and that explains why they are not displayed in IPA Web UI.

flo

In case someone wants to help here what i've tried to play with:

• Setting UUID Ldap attribute to ipaUniqueID, but using it, returns 0 user when trying to sync, and creating user from Keycloak returns error
• Setting custom ldap filter to match a group from the LDAP - no binding with admin user could be achieved, thus no user could be synced

Anyhelp on this will be much appreciated :") 

Thank you in advance

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue