8:24 a.m.
Hi!
I tried connect freeipa to Keycloak. And hove some questions about attribute and filters
I filled in this way:
* Username LDAP attribute uid
* RDN LDAP attribute uid
* UUID LDAP attribute uid
* User Object Classes memberOf
* Connection URL ldap://ldap.example.com
* Users DN cn=users,cn=accounts,dc=example,dc=com
* Bind Type simple
Enable StartTLS (when set enable cant login)
* Bind DN uid=test,cn=users,cn=compat,dc=example,dc=com
* Bind Credential **********
Custom User LDAP Filter (memberOf=cn=users,cn=compat,dc=example,dc=com)
With this settings keycloak can connect to freeipa but cant sync any users
2020-04-01 13:20:26,810 INFO [org.keycloak.storage.ldap.LDAPIdentityStoreRegistry]
(default task-29) Creating new LDAP Store for the LDAP storage provider:
'freeipa_dev', LDAP Configuration: {pagination=[true], fullSyncPeriod=[-1],
startTls=[false], connectionPooling=[true],
usersDn=[cn=users,cn=accounts,dc=example,dc=com], cachePolicy=[DEFAULT],
useKerberosForPasswordAuthentication=[false], importEnabled=[true], enabled=[true],
bindDn=[uid=admin,cn=users,cn=compat,dc=example,dc=com], changedSyncPeriod=[-1],
usernameLDAPAttribute=[uid], lastSync=[1585747226], vendor=[other],
uuidLDAPAttribute=[uid], allowKerberosAuthentication=[false],
connectionUrl=[ldap://ldap2.example.com], syncRegistrations=[true], authType=[simple],
customUserSearchFilter=[(memberOf=cn=users,cn=compat,dc=example,dc=com)], debug=[false],
searchScope=[1], useTruststoreSpi=[ldapsOnly], trustEmail=[false], priority=[0],
userObjectClasses=[memberOf], rdnLDAPAttribute=[uid], editMode=[READ_ONLY],
validatePasswordPoli
cy=[false], batchSizeForSync=[1000]}, binaryAttributes: []
2020-04-01 13:20:26,812 INFO [org.keycloak.storage.ldap.LDAPStorageProviderFactory]
(default task-29) Sync all users from LDAP to local store: realm: example, federation
provider: freeipa_dev
2020-04-01 13:20:26,894 INFO [org.keycloak.storage.ldap.LDAPStorageProviderFactory]
(default task-29) Sync all users finished: 0 imported users, 0 updated users
When try enable SSL/TLS get this error for connection
2020-04-01 13:23:26,179 ERROR [org.keycloak.services] (default task-40) KC-SERVICES0055:
Error when connecting to LDAP: null: java.lang.NullPointerException
How i can resolve this issue ?
thank you
10:10 a.m.
dmitriys via FreeIPA-users wrote:
Hi!
I tried connect freeipa to Keycloak. And hove some questions about attribute and
filters
I filled in this way:
* Username LDAP attribute uid
* RDN LDAP attribute uid
* UUID LDAP attribute uid
I'm not sure what they use the uuid for. uid is certainly going to be
unique but you may want ipaUniqueID to not carry any user-identifiable info.
* User Object Classes memberOf
* Connection URL ldap://ldap.example.com
* Users DN cn=users,cn=accounts,dc=example,dc=com
* Bind Type simple
Enable StartTLS (when set enable cant login)
* Bind DN uid=test,cn=users,cn=compat,dc=example,dc=com
* Bind Credential **********
Don't bind using the compat user, use
uid=test,cn=users,cn=accounts,dc=example,dc=com
Custom User LDAP Filter
(memberOf=cn=users,cn=compat,dc=example,dc=com)
Do you have AD trust involved? If not then you probably don't need
cn=compat.
With this settings keycloak can connect to freeipa but cant sync any
users
2020-04-01 13:20:26,810 INFO [org.keycloak.storage.ldap.LDAPIdentityStoreRegistry]
(default task-29) Creating new LDAP Store for the LDAP storage provider:
'freeipa_dev', LDAP Configuration: {pagination=[true], fullSyncPeriod=[-1],
startTls=[false], connectionPooling=[true],
usersDn=[cn=users,cn=accounts,dc=example,dc=com], cachePolicy=[DEFAULT],
useKerberosForPasswordAuthentication=[false], importEnabled=[true], enabled=[true],
bindDn=[uid=admin,cn=users,cn=compat,dc=example,dc=com], changedSyncPeriod=[-1],
usernameLDAPAttribute=[uid], lastSync=[1585747226], vendor=[other],
uuidLDAPAttribute=[uid], allowKerberosAuthentication=[false],
connectionUrl=[ldap://ldap2.example.com], syncRegistrations=[true], authType=[simple],
customUserSearchFilter=[(memberOf=cn=users,cn=compat,dc=example,dc=com)], debug=[false],
searchScope=[1], useTruststoreSpi=[ldapsOnly], trustEmail=[false], priority=[0],
userObjectClasses=[memberOf], rdnLDAPAttribute=[uid], editMode=[READ_ONLY],
validatePasswordPoli
cy=[false], batchSizeForSync=[1000]}, binaryAttributes: []
2020-04-01 13:20:26,812 INFO [org.keycloak.storage.ldap.LDAPStorageProviderFactory]
(default task-29) Sync all users from LDAP to local store: realm: example, federation
provider: freeipa_dev
2020-04-01 13:20:26,894 INFO [org.keycloak.storage.ldap.LDAPStorageProviderFactory]
(default task-29) Sync all users finished: 0 imported users, 0 updated users
When try enable SSL/TLS get this error for connection
2020-04-01 13:23:26,179 ERROR [org.keycloak.services] (default task-40) KC-SERVICES0055:
Error when connecting to LDAP: null: java.lang.NullPointerException
You'll need to ask the keycloak people this. It is completely unrelated
to IPA if it cannot connect at all.
rob
10:38 a.m.
Hi,
I never tried it myself, but this blog should provide you with the
correct attribute/filters:
https://blog.delouw.ch/2019/06/01/openid-and-saml-authentication-with-key...
HTH,
flo
On 4/1/20 3:24 PM, dmitriys via FreeIPA-users wrote:
Hi!
I tried connect freeipa to Keycloak. And hove some questions about attribute and
filters
I filled in this way:
* Username LDAP attribute uid
* RDN LDAP attribute uid
* UUID LDAP attribute uid
* User Object Classes memberOf
* Connection URL ldap://ldap.example.com
* Users DN cn=users,cn=accounts,dc=example,dc=com
* Bind Type simple
Enable StartTLS (when set enable cant login)
* Bind DN uid=test,cn=users,cn=compat,dc=example,dc=com
* Bind Credential **********
Custom User LDAP Filter (memberOf=cn=users,cn=compat,dc=example,dc=com)
With this settings keycloak can connect to freeipa but cant sync any users
2020-04-01 13:20:26,810 INFO [org.keycloak.storage.ldap.LDAPIdentityStoreRegistry]
(default task-29) Creating new LDAP Store for the LDAP storage provider:
'freeipa_dev', LDAP Configuration: {pagination=[true], fullSyncPeriod=[-1],
startTls=[false], connectionPooling=[true],
usersDn=[cn=users,cn=accounts,dc=example,dc=com], cachePolicy=[DEFAULT],
useKerberosForPasswordAuthentication=[false], importEnabled=[true], enabled=[true],
bindDn=[uid=admin,cn=users,cn=compat,dc=example,dc=com], changedSyncPeriod=[-1],
usernameLDAPAttribute=[uid], lastSync=[1585747226], vendor=[other],
uuidLDAPAttribute=[uid], allowKerberosAuthentication=[false],
connectionUrl=[ldap://ldap2.example.com], syncRegistrations=[true], authType=[simple],
customUserSearchFilter=[(memberOf=cn=users,cn=compat,dc=example,dc=com)], debug=[false],
searchScope=[1], useTruststoreSpi=[ldapsOnly], trustEmail=[false], priority=[0],
userObjectClasses=[memberOf], rdnLDAPAttribute=[uid], editMode=[READ_ONLY],
validatePasswordPoli
cy=[false], batchSizeForSync=[1000]}, binaryAttributes: []
2020-04-01 13:20:26,812 INFO [org.keycloak.storage.ldap.LDAPStorageProviderFactory]
(default task-29) Sync all users from LDAP to local store: realm: example, federation
provider: freeipa_dev
2020-04-01 13:20:26,894 INFO [org.keycloak.storage.ldap.LDAPStorageProviderFactory]
(default task-29) Sync all users finished: 0 imported users, 0 updated users
When try enable SSL/TLS get this error for connection
2020-04-01 13:23:26,179 ERROR [org.keycloak.services] (default task-40) KC-SERVICES0055:
Error when connecting to LDAP: null: java.lang.NullPointerException
How i can resolve this issue ?
thank you
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
3:30 a.m.
New subject: Spacewalk and FreeIPA
Hi,
anyone here successfully configured Spacewalk authentication for FreeIPA
users?
I followed every step on
https://github.com/spacewalkproject/spacewalk/wiki/SpacewalkAndIPA and
can see that Kerberos auth seemed to have worked according to the
ssl_access.log of Spacewalk but after clicking on login Spacewalk gives
me an HTTP 403 error and I cannot find anything helpful in any log I am
aware of.
Cheers,
Ronald
3:44 a.m.
New subject: Spacewalk and FreeIPA
Sorry for unintentionally posting this new topic within this thread.
Cheers,
Ronald
1478
days inactive
1479
days old
freeipa-users@lists.fedorahosted.org
4 comments
4 participants
participants (4)
-
dmitriys -
Florence Blanc-Renaud -
Rob Crittenden -
Ronald Wimmer