dmitriys via FreeIPA-users wrote:
Hi!
I tried to connect FreeIPA to Keycloak, and have some questions about attributes and
filters.
I filled in this way:
* Username LDAP attribute uid
* RDN LDAP attribute uid
* UUID LDAP attribute uid
I'm not sure what they use the uuid for. uid is certainly going to be
unique but you may want ipaUniqueID to not carry any user-identifiable info.
* User Object Classes memberOf
* Connection URL ldap://ldap.example.com
* Users DN cn=users,cn=accounts,dc=example,dc=com
* Bind Type simple
* Enable StartTLS (when enabled, can't log in)
* Bind DN uid=test,cn=users,cn=compat,dc=example,dc=com
* Bind Credential **********
Don't bind using the compat user, use
uid=test,cn=users,cn=accounts,dc=example,dc=com
* Custom User LDAP Filter (memberOf=cn=users,cn=compat,dc=example,dc=com)
Do you have AD trust involved? If not then you probably don't need
cn=compat.
With these settings Keycloak can connect to FreeIPA but can't sync any
users:
2020-04-01 13:20:26,810 INFO [org.keycloak.storage.ldap.LDAPIdentityStoreRegistry]
(default task-29) Creating new LDAP Store for the LDAP storage provider:
'freeipa_dev', LDAP Configuration: {pagination=[true], fullSyncPeriod=[-1],
startTls=[false], connectionPooling=[true],
usersDn=[cn=users,cn=accounts,dc=example,dc=com], cachePolicy=[DEFAULT],
useKerberosForPasswordAuthentication=[false], importEnabled=[true], enabled=[true],
bindDn=[uid=admin,cn=users,cn=compat,dc=example,dc=com], changedSyncPeriod=[-1],
usernameLDAPAttribute=[uid], lastSync=[1585747226], vendor=[other],
uuidLDAPAttribute=[uid], allowKerberosAuthentication=[false],
connectionUrl=[ldap://ldap2.example.com], syncRegistrations=[true], authType=[simple],
customUserSearchFilter=[(memberOf=cn=users,cn=compat,dc=example,dc=com)], debug=[false],
searchScope=[1], useTruststoreSpi=[ldapsOnly], trustEmail=[false], priority=[0],
userObjectClasses=[memberOf], rdnLDAPAttribute=[uid], editMode=[READ_ONLY],
validatePasswordPolicy=[false], batchSizeForSync=[1000]}, binaryAttributes: []
2020-04-01 13:20:26,812 INFO [org.keycloak.storage.ldap.LDAPStorageProviderFactory]
(default task-29) Sync all users from LDAP to local store: realm: example, federation
provider: freeipa_dev
2020-04-01 13:20:26,894 INFO [org.keycloak.storage.ldap.LDAPStorageProviderFactory]
(default task-29) Sync all users finished: 0 imported users, 0 updated users
When I try to enable SSL/TLS I get this error on connection:
2020-04-01 13:23:26,179 ERROR [org.keycloak.services] (default task-40) KC-SERVICES0055:
Error when connecting to LDAP: null: java.lang.NullPointerException
You'll need to ask the keycloak people this. It is completely unrelated
to IPA if it cannot connect at all.
rob
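The points in the reply above (bind DN under cn=compat, a user filter that references cn=compat, uid used as the UUID attribute) can be checked mechanically from the "LDAP Configuration: {...}" map that Keycloak logs when it creates an LDAP store. The script below is an added example, not code from the thread, from Keycloak or from FreeIPA: it parses that map and reports those settings. It also flags two things the thread does not spell out, stated here as the editor's own observations: `userObjectClasses` must hold object class names (FreeIPA users carry `inetOrgPerson` and `posixAccount`; `memberOf` is an attribute, so a search for `(objectClass=memberOf)` matches nothing, which fits "0 imported users"), and a plain `ldap://` URL with `startTls=[false]` sends the bind password in cleartext. The sample log line is the thread's own, reflowed onto one line; the `KNOWN_ATTRIBUTES` list is a constructed set of names commonly mistaken for object classes.

```python
"""Lint a Keycloak LDAP federation configuration against FreeIPA conventions.

Added example: not part of the thread, not Keycloak's or FreeIPA's code.
"""
import re

# Constructed sample: the configuration map from the thread's log line,
# reflowed onto a single line (values are the ones shown in the thread).
SAMPLE_LOG = (
    "2020-04-01 13:20:26,810 INFO [org.keycloak.storage.ldap.LDAPIdentityStoreRegistry] "
    "(default task-29) Creating new LDAP Store for the LDAP storage provider: 'freeipa_dev', "
    "LDAP Configuration: {pagination=[true], fullSyncPeriod=[-1], startTls=[false], "
    "usersDn=[cn=users,cn=accounts,dc=example,dc=com], importEnabled=[true], "
    "bindDn=[uid=admin,cn=users,cn=compat,dc=example,dc=com], usernameLDAPAttribute=[uid], "
    "uuidLDAPAttribute=[uid], connectionUrl=[ldap://ldap2.example.com], authType=[simple], "
    "customUserSearchFilter=[(memberOf=cn=users,cn=compat,dc=example,dc=com)], "
    "userObjectClasses=[memberOf], rdnLDAPAttribute=[uid], editMode=[READ_ONLY]}, "
    "binaryAttributes: []"
)

# Every value sits between '[' and ']' and never contains ']', so this pattern
# survives filters and DNs that contain commas and '=' signs.
_KV = re.compile(r"(\w+)=\[([^\]]*)\]")
_COMPAT = re.compile(r"cn=compat", re.IGNORECASE)

# Constructed list: attribute names that are sometimes typed into the
# "User Object Classes" field by mistake. They are attributes, not classes.
KNOWN_ATTRIBUTES = {"memberof", "uid", "cn", "mail"}


def parse_ldap_config(log_line):
    """Extract the {key=[value], ...} map Keycloak prints into a dict."""
    m = re.search(r"LDAP Configuration: \{(.*)\}", log_line)
    if not m:
        raise ValueError("no 'LDAP Configuration: {...}' map in log line")
    return dict(_KV.findall(m.group(1)))


def review_config(cfg):
    """Return (setting, finding) pairs; an empty list means nothing to report."""
    findings = []

    bind_dn = cfg.get("bindDn", "")
    if _COMPAT.search(bind_dn):
        # The reply's advice: bind with the real account, not the compat view.
        findings.append(("bindDn", "bind account is under cn=compat; bind as "
                         + _COMPAT.sub("cn=accounts", bind_dn)))

    if _COMPAT.search(cfg.get("customUserSearchFilter", "")):
        findings.append(("customUserSearchFilter",
                         "filter references cn=compat, which is only needed with an AD trust"))

    if cfg.get("uuidLDAPAttribute", "").lower() == "uid":
        findings.append(("uuidLDAPAttribute",
                         "uid is unique but carries user-identifiable data; use ipaUniqueID"))

    classes = [c.strip().lower() for c in cfg.get("userObjectClasses", "").split(",") if c.strip()]
    wrong = sorted(set(classes) & KNOWN_ATTRIBUTES)
    if wrong:
        # Keycloak builds (objectClass=X) from this field; an attribute name matches nothing.
        findings.append(("userObjectClasses",
                         "%s is an attribute, not an object class; FreeIPA users are "
                         "inetOrgPerson/posixAccount" % ", ".join(wrong)))

    url = cfg.get("connectionUrl", "")
    if url.lower().startswith("ldap://") and cfg.get("startTls", "false").lower() != "true":
        findings.append(("connectionUrl",
                         "plain ldap:// without StartTLS sends the bind password in cleartext"))

    return findings


if __name__ == "__main__":
    for setting, finding in review_config(parse_ldap_config(SAMPLE_LOG)):
        print("%-24s %s" % (setting, finding))
```

Run it as-is to lint the thread's configuration; to lint your own, paste the "Creating new LDAP Store" line from the Keycloak server log into `SAMPLE_LOG`. An empty result means none of the checks fired, not that the sync will succeed: the filter must still match entries under `usersDn` on the server, which `ldapsearch` with the same bind DN and filter will confirm.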