Maybe the admin console can display the count of inserted and updated users
during sync. So it will display some message like:
"Sync successful! 34 users imported from LDAP and 12 users updated from
LDAP during synchronization"
What do you think?
I've created JIRA for that.
Marek
On 6.11.2014 00:52, Patrick V. Madden wrote:
Thanks Marek,
Much appreciated. One more note that is not critical but perhaps
relevant. Even without those Object Classes defined, the synchronize
all users result showed success. Now perhaps that means there was no
error. Not sure how you want to handle that but perhaps should check
for at least one result?
Thanks again.
*Patrick Madden*
Principal Design Engineer
*Tom Sawyer Software <http://www.tomsawyer.com/>*
1997 El Dorado Avenue
Berkeley, CA 94707
Cell: +1 (845) 416-4629
E-mail: pmadden(a)tomsawyer.com
------------------------------------------------------------------------
*From: *"Marek Posolda" <mposolda(a)redhat.com>
*To: *"Patrick V. Madden" <pmadden(a)tomsawyer.com>
*Cc: *"keycloack-users" <keycloak-user(a)lists.jboss.org>
*Sent: *Wednesday, November 5, 2014 10:20:38 AM
*Subject: *Re: [keycloak-user] Active Directory Realm question.
Yes, it makes sense to have Object classes mandatory in UI. I've fixed
it (also changed the tooltip); it will be available in the next version.
Thanks!
Marek
On 4.11.2014 22:38, Patrick V. Madden wrote:
Hi Marek,
Wow! I was about to give up and then I decided to try to enter
information into the field for User Object Classes. I was leaving
that blank as it shows not required and tip seems to indicate it
is for creating LDAP users via KeyCloak. I noticed in my LDAP
Browser that among many others, it had 4 rows named objectClass as
follows:
Attribute Name    Value
objectClass       top
objectClass       person
objectClass       organizationalPerson
objectClass       user
Once I added these as "top,person,organizationalPerson,user" into
User Object Classes field in LDAP Provider Settings it worked!!!!
I was literally writing a response to say nope can't get it to
work. Divine intervention made me try one more thing.
This may be helpful to others.
Thanks for your help.
Patrick
------------------------------------------------------------------------
*From: *"Marek Posolda" <mposolda(a)redhat.com>
*To: *"Patrick V. Madden" <pmadden(a)tomsawyer.com>,
"keycloack-users" <keycloak-user(a)lists.jboss.org>
*Sent: *Tuesday, November 4, 2014 1:58:31 PM
*Subject: *Re: [keycloak-user] Active Directory Realm question.
Hi,
after "Synchronize all users" you should be able to see all users
from LDAP, not just those which already authenticated in Keycloak.
For your LDAP tree, I believe that Base DN should be
"DC=acme,DC=com" and User DN should be
"OU=acmeUsers,DC=acme,DC=com" . Please let me know if it helps.
Marek
On 4.11.2014 14:58, Patrick V. Madden wrote:
Hi,
Hope this doesn't post twice....
I am running a local 1.0.4.Final build on my local machine to
do some testing.
I have a quick question regarding an Active Directory Realm
that I am trying to configure. I am able to successfully test
the connection and test authentication using Bind DN and Bind
Credential and Connection URL.
I can connect via an external LDAP browser using same
credential and browse the directory.
When I click Synchronize all users button it says it is
successful. However, when I go back to search page I get
nothing when I enter a username. When I click show all users
it shows nothing. I was hoping it would show me a list of all
users in the search tree based on my settings.
Let's assume my company is acme.com. When I look at browser it shows:
RootDSE
+---DC=acme,DC=com
    +---OU=acmeUsers
        +---CN=John Doe
        ---CN=Jane Doe
        ---CN=Joe Blow
I want the users to be in OU=acmeUsers,DC=acme,DC=com
And yes OU=acmeUsers is what I need...
So what would I put in for Base DN and User DN Suffix to get
it to show a list of all users in the directory?
Or does it only show users that have logged into the Realm via
a web app?
Hope this makes sense.
Regards,
*Patrick Madden*
Principal Design Engineer
*Tom Sawyer Software <http://www.tomsawyer.com/>*
1997 El Dorado Avenue
Berkeley, CA 94707
Cell: +1 (845) 416-4629
E-mail: pmadden(a)tomsawyer.com