Error when syncing keycloak with freeIPA

Hi, I’m trying to set up keycloak to sync with freeIPA so I can manage user accounts using keycloak. I set up everything using this article here as an example (but enabled syncing):
https://blog.delouw.ch/2019/06/01/openid-and-saml-authentication-with-keycloak-and-freeipa/
Keycloak is v11.0 and freeIPA is v4.8.4.

When I try to add a user via keycloak, I get the message “Error! could not create the user”. Then when I check the keycloak logs, I see this:

LDAP: error code 65 - missing attribute “cn” required by object class “inetOrgPerson”
]; remaining name ‘uid=newuser1,cn=users,cn=accounts,dc=ipa,dc=mytestdomain,dc=org’

Am I doing something wrong here? Any ideas would be appreciated.

Thanks,
S

in case anyone is wondering, I managed to fix it. You have to add a mapper to user federation definitition and map the user’s full name to ‘cn’. Also, in order to create a user from keycloak into freeIPA, you have to set the UUID field to ‘uid’.

Either way, I found out the hard way that you MUST add users to Free IPA FIRST, then just sync to keycloak. There’s no way around it because keycloak can’t create the proper fields for the user to show up in FreeIPA.

1 Like

Things work as expected with OpenLDAP: Keycloak, Flowable and OpenLDAP