[keycloak-user] Active Directory Realm question.

Patrick V. Madden pmadden at tomsawyer.com
Wed Nov 5 18:52:03 EST 2014


Thanks Marek, 

Much appreciated. One more note that is not critical but perhaps relevant. Even without those Object Classes defined, the Synchronize all users result showed success. Now perhaps that means there was no error. Not sure how you want to handle that, but perhaps it should check for at least one result? 

Thanks again. 

Patrick Madden 
Principal Design Engineer 
Tom Sawyer Software 
1997 El Dorado Avenue 
Berkeley, CA 94707 

Cell: +1 (845) 416-4629 
E-mail: pmadden@tomsawyer.com 




From: "Marek Posolda" <mposolda at redhat.com> 
To: "Patrick V. Madden" <pmadden at tomsawyer.com> 
Cc: "keycloack-users" <keycloak-user at lists.jboss.org> 
Sent: Wednesday, November 5, 2014 10:20:38 AM 
Subject: Re: [keycloak-user] Active Directory Realm question. 

Yes, it makes sense to have Object classes mandatory in the UI. I've fixed it (also changed the tooltip); it will be available in the next version. 

Thanks! 
Marek 

On 4.11.2014 22:38, Patrick V. Madden wrote: 

Hi Marek, 

Wow! I was about to give up and then I decided to try to enter information into the field for User Object Classes. I was leaving that blank as it shows "not required" and the tip seems to indicate it is for creating LDAP users via KeyCloak. I noticed in my LDAP Browser that, among many others, it had 4 rows named objectClass as follows: 

Attribute Name   Value 
objectClass      top 
objectClass      person 
objectClass      organizationalPerson 
objectClass      user 

Once I added these as "top,person,organizationalPerson,user" into the User Object Classes field in LDAP Provider Settings it worked!!!! 

I was literally writing a response to say "nope, can't get it to work." Divine intervention made me try one more thing. 

This may be helpful to others. 

Thanks for your help. 

Patrick 


From: "Marek Posolda" <mposolda at redhat.com> 
To: "Patrick V. Madden" <pmadden at tomsawyer.com> , "keycloack-users" <keycloak-user at lists.jboss.org> 
Sent: Tuesday, November 4, 2014 1:58:31 PM 
Subject: Re: [keycloak-user] Active Directory Realm question. 

Hi, 

After "Synchronize all users" you should be able to see all users from LDAP, not just those that have already authenticated in Keycloak. For your LDAP tree, I believe that Base DN should be "DC=acme,DC=com" and User DN should be "OU=acmeUsers,DC=acme,DC=com". Please let me know if it helps. 

Marek 

On 4.11.2014 14:58, Patrick V. Madden wrote: 

Hi, 

Hope this doesn't post twice.... 

I am running a local 1.0.4.Final build on my local machine to do some testing. 

I have a quick question regarding an Active Directory Realm that I am trying to configure. I am able to successfully test the connection and test authentication using Bind DN and Bind Credential and Connection URL. 

I can connect via an external LDAP browser using same credential and browse the directory. 

When I click the Synchronize all users button it says it is successful. However, when I go back to the search page I get nothing when I enter a username. When I click show all users it shows nothing. I was hoping it would show me a list of all users in the search tree based on my settings. 

Let's assume my company is acme.com. When I look at the browser it shows: 

RootDSE 
+---DC=acme,DC=com 
    +---OU=acmeUsers 
        +---CN=John Doe 
        +---CN=Jane Doe 
        +---CN=Joe Blow 

I want the users to be in OU=acmeUsers,DC=acme,DC=com. 

And yes OU=acmeUsers is what I need... 

So what would I put in for Base DN and User DN Suffix to get it to show a list of all users in the directory? 

Or does it only show users that have logged into the Realm via a web app? 

Hope this makes sense. 

Regards, 

Patrick Madden 
Principal Design Engineer 
Tom Sawyer Software 
1997 El Dorado Avenue 
Berkeley, CA 94707 

Cell: +1 (845) 416-4629 
E-mail: pmadden@tomsawyer.com 






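The thread turns on three settings of the LDAP provider: Base DN, User DN (here OU=acmeUsers,DC=acme,DC=com) and User Object Classes (here top,person,organizationalPerson,user), plus Patrick's observation that a sync which finds nobody is still reported as a success. The following Python is an added example written for this archive page; it is not Keycloak's code and was not posted by anyone in the thread. It models the flow with a constructed in-memory directory shaped like the acme.com tree from the original post, builds the RFC 4515 filter that the object-class setting implies, and treats "zero users imported" as a warning. The rule that an empty User Object Classes field selects nothing is modelled to match what the thread reports, not taken from Keycloak's source; the function names, the directory contents and the "sub"/"one" scope option are this example's own assumptions.

```python
"""Model of the "Synchronize all users" flow discussed in this thread.

Added example, not Keycloak's own code. It uses a constructed in-memory
directory shaped like the acme.com tree from the original post, builds the
LDAP filter implied by the "User Object Classes" setting, and reports a
sync that found zero users as a warning rather than a plain success.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample directory mirroring the tree in the original post.
# Real entries come from the AD server; these exist only so the example runs offline.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "DC=acme,DC=com": {"objectClass": ["top", "domain"]},
    "OU=acmeUsers,DC=acme,DC=com": {"objectClass": ["top", "organizationalUnit"]},
    "CN=John Doe,OU=acmeUsers,DC=acme,DC=com": {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": ["jdoe"],
    },
    "CN=Jane Doe,OU=acmeUsers,DC=acme,DC=com": {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": ["jadoe"],
    },
    "CN=Joe Blow,OU=acmeUsers,DC=acme,DC=com": {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": ["jblow"],
    },
    # A contact object in the same OU: it carries no "user" class, so it must not sync.
    "CN=Vendor Contact,OU=acmeUsers,DC=acme,DC=com": {
        "objectClass": ["top", "person", "organizationalPerson", "contact"],
    },
}


def normalize_dn(dn: str) -> str:
    """Canonical lower-case form for comparisons (AD DNs are case-insensitive).
    Simplification: RDN values containing escaped commas are not handled."""
    return ",".join(
        "=".join(part.strip() for part in rdn.split("=", 1)).lower()
        for rdn in dn.split(",")
    )


def parse_object_classes(setting: str) -> List[str]:
    """Split the comma-separated User Object Classes field, ignoring blanks."""
    return [c.strip() for c in setting.split(",") if c.strip()]


def build_user_filter(setting: str) -> Optional[str]:
    """RFC 4515 AND-filter requiring every listed class, or None when the field is empty."""
    classes = parse_object_classes(setting)
    if not classes:
        return None
    return "(&" + "".join(f"(objectClass={c})" for c in classes) + ")"


def search_users(users_dn: str, setting: str, scope: str = "one") -> List[str]:
    """Return DNs under users_dn whose objectClass values include every required class.
    scope "one" = direct children only, "sub" = whole subtree.
    Modelled to match the thread: an empty class list selects nothing."""
    if scope not in ("one", "sub"):
        raise ValueError(f"unknown scope {scope!r}")
    required = {c.lower() for c in parse_object_classes(setting)}
    if not required:
        return []
    base = normalize_dn(users_dn)
    found: List[str] = []
    for dn, attrs in DIRECTORY.items():
        ndn = normalize_dn(dn)
        if ndn == base:
            continue  # the search base itself is never a result
        parent = ndn.partition(",")[2]
        in_scope = parent == base if scope == "one" else ndn.endswith("," + base)
        have = {c.lower() for c in attrs.get("objectClass", [])}
        if in_scope and required <= have:
            found.append(dn)
    return found


@dataclass
class SyncResult:
    user_filter: Optional[str]
    imported: List[str]
    warnings: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        """Clean only when nothing looked wrong, including "no users found"."""
        return not self.warnings


def sync_all_users(base_dn: str, users_dn: str, object_classes: str, scope: str = "one") -> SyncResult:
    """Validate the three settings from the thread, run the search and report.
    The extra check Patrick asks for: zero results is a warning, not a success."""
    known = {normalize_dn(dn) for dn in DIRECTORY}
    nbase, nusers = normalize_dn(base_dn), normalize_dn(users_dn)
    warnings: List[str] = []
    if nbase not in known:
        warnings.append(f"Base DN {base_dn!r} does not exist in the directory")
    if nusers not in known:
        warnings.append(f"Users DN {users_dn!r} does not exist in the directory")
    elif not (nusers == nbase or nusers.endswith("," + nbase)):
        warnings.append(f"Users DN {users_dn!r} is not under Base DN {base_dn!r}")
    user_filter = build_user_filter(object_classes)
    if user_filter is None:
        warnings.append("User Object Classes is empty: the user filter can match nothing")
    imported = search_users(users_dn, object_classes, scope) if nusers in known else []
    if user_filter is not None and not imported:
        warnings.append(f"Filter {user_filter} under {users_dn!r} matched no entries")
    return SyncResult(user_filter, imported, warnings)


if __name__ == "__main__":
    for classes in ("top,person,organizationalPerson,user", ""):
        result = sync_all_users("DC=acme,DC=com", "OU=acmeUsers,DC=acme,DC=com", classes)
        print(f"classes={classes!r} ok={result.ok} imported={len(result.imported)}")
        for warning in result.warnings:
            print("  warning:", warning)
```

Run as a script, the first pass imports the three CN entries and stays quiet; the second pass, with the object-class field left blank as in Patrick's first attempt, imports nothing and says why, which is the behaviour he suggests the admin console should have instead of a bare "success". The contact entry shows why the full class list matters: it sits in the same OU and shares three of the four classes, but lacks `user`, so the AND-filter leaves it out.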