On Wed, 28 Aug 2024, Francis Augusto Medeiros-Logeay via FreeIPA-users wrote:
> On 28 Aug 2024, at 15:02, Rob Crittenden <rcrit...@redhat.com> wrote:
>> Francis Augusto Medeiros-Logeay via FreeIPA-users wrote:
>>> Hi,
>>> I have configured Keycloak with FreeIPA for kerberos authentication.
>>> It has worked fine, but today I noticed something:
>>> Keycloak seems to look up krb5PrincipalName attribute to look for the
>>> user principal. However, I don't see that attribute when I perform an
>>> ldapsearch. Is it there at all?
>>> I also tried to remove this from keycloak, because it says that when
>>> this is empty it will just look for the username instead of user@domain.
>>> But somehow it adds krb5PrincipalName again.
>>> Is it keycloak that has a problem by not allowing me to remove
>>> krb5PrincipalName, or is it FreeIPA that somehow lost that attribute?
>>> Best,
>>> Francis
>> Looks like a Keycloak issue. Check out
>> https://github.com/keycloak/keycloak/issues/25294
> Thanks. But should I have this attribute in FreeIPA? I don't see it when
> performing an ldapsearch.

Keycloak allows you to configure what LDAP attributes correspond to what
properties. Use the proper LDAP attribute for FreeIPA; in this case it is
krbPrincipalName. This can be chosen by setting LDAP vendor to 'rhds'.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland