[keycloak-user] Active Directory Realm question.

Patrick V. Madden pmadden at tomsawyer.com
Tue Nov 4 16:38:40 EST 2014

Hi Marek, 

Wow! I was about to give up and then I decided to try to enter information into the field for User Object Classes. I was leaving that blank as it shows not required and the tip seems to indicate it is for creating LDAP users via Keycloak. I noticed in my LDAP browser that, among many others, it had 4 rows named objectClass as follows: 

Attribute Name   Value 
objectClass      top 
objectClass      person 
objectClass      organizationalPerson 
objectClass      user 

Once I added these as "top,person,organizationalPerson,user" into the User Object Classes field in LDAP Provider Settings it worked!!!! 

I was literally writing a response to say nope, can't get it to work. Divine intervention made me try one more thing. 

This may be helpful to others. 

Thanks for your help. 


From: "Marek Posolda" <mposolda at redhat.com> 
To: "Patrick V. Madden" <pmadden at tomsawyer.com>, "keycloack-users" <keycloak-user at lists.jboss.org> 
Sent: Tuesday, November 4, 2014 1:58:31 PM 
Subject: Re: [keycloak-user] Active Directory Realm question. 


After "Synchronize all users" you should be able to see all users from LDAP, not just those which have already authenticated in Keycloak. For your LDAP tree, I believe that Base DN should be "DC=acme,DC=com" and User DN should be "OU=acmeUsers,DC=acme,DC=com". Please let me know if it helps. 


On 4.11.2014 14:58, Patrick V. Madden wrote: 


Hope this doesn't post twice.... 

I am running a local 1.0.4.Final build on my local machine to do some testing. 

I have a quick question regarding an Active Directory Realm that I am trying to configure. I am able to successfully test the connection and test authentication using Bind DN and Bind Credential and Connection URL. 

I can connect via an external LDAP browser using same credential and browse the directory. 

When I click the Synchronize all users button it says it is successful. However, when I go back to the search page I get nothing when I enter a username. When I click show all users it shows nothing. I was hoping it would show me a list of all users in the search tree based on my settings. 

Let's assume my company is acme.com. When I look at the browser it shows: 

+---CN=John Doe 
---CN=Jane Doe 
---CN=Joe Blow 

I want the users to be in OU=acmeUsers,DC=acme,DC=com 

And yes OU=acmeUsers is what I need... 

So what would I put in for Base DN and User DN Suffix to get it to show a list of all users in the directory? 

Or does it only show users that have logged into the Realm via a web app? 

Hope this makes sense. 


Patrick Madden 
Principal Design Engineer 
Tom Sawyer Software 
1997 El Dorado Avenue 
Berkeley, CA 94707 

Cell: +1 (845) 416-4629 
E-mail: pmadden at tomsawyer.com 

keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user 
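Added example (not part of the thread and not Keycloak's own code): the fix above came from filling in User Object Classes, because the LDAP provider turns that comma-separated field into an objectClass search filter and runs it beneath the configured User DN. The script below models that step so the three settings from the thread (Base DN, User DN, User Object Classes) can be sanity-checked and reproduced with a plain ldapsearch before clicking "Synchronize all users". The exact filter shape Keycloak 1.0.4 builds is an assumption; value escaping follows RFC 4515 and DN splitting follows RFC 4514. The connection URL and bind DN are placeholders, as is acme.com from the post.

```python
"""Model of the LDAP user lookup Keycloak derives from its LDAP Provider Settings.

Added illustration, not Keycloak's implementation. Assumed: Keycloak ANDs one
(objectClass=...) clause per entry of "User Object Classes" and searches the
subtree under User DN with that filter.
"""
import re
import shlex

# RFC 4515 section 3: characters that must be escaped inside a filter value.
# Backslash is first so the escape sequences themselves are not re-escaped.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value for safe inclusion in an LDAP search filter."""
    out = value
    for ch, esc in _FILTER_ESCAPES.items():
        out = out.replace(ch, esc)
    return out


def parse_object_classes(field: str) -> list:
    """Split the 'User Object Classes' field exactly as typed in the admin console."""
    classes = [c.strip() for c in field.split(",") if c.strip()]
    if len({c.lower() for c in classes}) != len(classes):
        raise ValueError("duplicate object class in %r" % field)
    return classes


def build_user_filter(object_classes: list) -> str:
    """AND-filter selecting entries that carry every listed objectClass.

    An empty list is rejected: there would be nothing to search for, which is
    the symptom in the thread (sync reports success, no users appear).
    """
    if not object_classes:
        raise ValueError("User Object Classes must not be empty")
    clauses = "".join("(objectClass=%s)" % escape_filter_value(c) for c in object_classes)
    return "(&%s)" % clauses


def _split_dn(dn: str) -> list:
    """Split a DN into normalised RDNs, keeping commas escaped with a backslash."""
    return [rdn.strip().lower() for rdn in re.split(r"(?<!\\),", dn) if rdn.strip()]


def user_dn_under_base(base_dn: str, user_dn: str) -> bool:
    """True if user_dn equals base_dn or lies beneath it (case-insensitive)."""
    base, user = _split_dn(base_dn), _split_dn(user_dn)
    return len(user) >= len(base) and user[len(user) - len(base):] == base


def ldapsearch_command(url: str, bind_dn: str, user_dn: str, search_filter: str,
                       attrs=("sAMAccountName", "cn", "mail")) -> str:
    """OpenLDAP ldapsearch invocation that reproduces the sync query.

    -W prompts for the bind credential so it never lands in shell history.
    """
    argv = ["ldapsearch", "-LLL", "-H", url, "-D", bind_dn, "-W",
            "-b", user_dn, "-s", "sub", search_filter, *attrs]
    return shlex.join(argv)


def check_settings(base_dn: str, user_dn: str, object_classes_field: str,
                   url: str, bind_dn: str) -> dict:
    """Validate the settings from the thread and produce the verifying search."""
    problems = []
    if not user_dn_under_base(base_dn, user_dn):
        problems.append("User DN %r is not under Base DN %r" % (user_dn, base_dn))
    try:
        search_filter = build_user_filter(parse_object_classes(object_classes_field))
    except ValueError as exc:
        problems.append(str(exc))
        search_filter = None
    command = ldapsearch_command(url, bind_dn, user_dn, search_filter) if search_filter else None
    return {"filter": search_filter, "problems": problems, "command": command}


if __name__ == "__main__":
    # Constructed values: the DNs Marek suggested, the object classes Patrick found,
    # and a hypothetical AD host and service account for the bind.
    for field in ("", "top,person,organizationalPerson,user"):
        result = check_settings(
            base_dn="DC=acme,DC=com",
            user_dn="OU=acmeUsers,DC=acme,DC=com",
            object_classes_field=field,
            url="ldap://ad.acme.com:389",
            bind_dn="CN=keycloak-svc,OU=Service Accounts,DC=acme,DC=com",
        )
        print("User Object Classes = %r" % field)
        print("  problems:", result["problems"] or "none")
        print("  filter:  ", result["filter"])
        print("  command: ", result["command"])
```

Run it and paste the printed ldapsearch line into a shell with access to the domain controller: if it returns the entries under OU=acmeUsers, the same settings will populate Keycloak's user list; if it returns nothing, the filter or User DN is wrong, not the bind credentials.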
