0 votes

I'm trying to automate the configuration setup for a realm in Keycloak using the kcadm.sh CLI tool. When I add our LDAP configuration for user federation using a command like the following:

    kcadm.sh create components -r API \
    -s name="Active Directory" \
    -s parentId=f19b715d-272d-4b29-8474-dc538fb5e5c8 \
    -s providerId=ldap \
    -s providerType=org.keycloak.storage.UserStorageProvider \
    -s 'config.priority=["1"]' \
    -s 'config.fullSyncPeriod=["-1"]' \
    -s 'config.changedSyncPeriod=["-1"]' \
    -s 'config.cachePolicy=["DEFAULT"]' \
    -s 'config.evictionDay=[]' \
    -s 'config.evictionHour=[]' \
    -s 'config.evictionMinute=[]' \
    -s 'config.maxLifespan=[]' \
    -s 'config.batchSizeForSync=["1000"]' \
    -s 'config.editMode=["READ_ONLY"]' \
    -s 'config.syncRegistrations=["false"]' \
    -s 'config.vendor=["ad"]' \
    -s 'config.usernameLDAPAttribute=["sAMAccountName"]' \
    -s 'config.rdnLDAPAttribute=["sAMAccountName"]' \
    -s 'config.uuidLDAPAttribute=["objectGUID"]' \
    -s 'config.userObjectClasses=["person, organizationalPerson, user"]' \
    -s 'config.connectionUrl=["LDAP://192.168.110.50"]' \
    -s 'config.usersDn=["OU=ST Users,DC=something,DC=com,DC=au"]' \
    -s 'config.authType=["simple"]' \
    -s 'config.bindDn=["CN=Webauth LDAP,OU=System Accounts,OU=AIH Users,DC=something,DC=com,DC=au"]' \
    -s 'config.bindCredential=["secret"]' \
    -s 'config.searchScope=["2"]' \
    -s 'config.useTruststoreSpi=["ldapsOnly"]' \
    -s 'config.connectionPooling=["true"]' \
    -s 'config.pagination=["true"]' \
    -s 'config.allowKerberosAuthentication=["true"]' \
    -s 'config.serverPrincipal=["HTTP/[email protected]"]' \
    -s 'config.keyTab=["/opt/keycloak/standalone/configuration/int-keycloak.keytab"]' \
    -s 'config.kerberosRealm=["SOMETHING.COM.AU"]' \
    -s 'config.debug=["true"]' \
    -s 'config.useKerberosForPasswordAuthentication=["true"]'

it is successfully added to the realm (as verified by inspecting the database component and component_config tables). BUT, when I sign in to the Keycloak Admin console to inspect that setup for the realm, I do not see any User Federation setup. It is not until I make some benign change to the realm (change the realm display name) or flush the realm caches that the configuration for the LDAP user federation becomes visible in the Admin console UI.

Is there something I should be doing to automate adding user federation with LDAP?

Note: I'm using Keycloak v8.0.1.

1
Sounds like a bug in Keycloak. You could look it up in the Keycloak code on GitHub. If you want to have a workaround, you could change something, as you did, but via a REST call, so that you can automate that: keycloak.org/docs-api/8.0/rest-api/index.html

– Julian Egner

1 Answer

0 votes

This might happen because you haven't passed the -s parentId correctly.

    PARENT_ID=$(/opt/jboss/keycloak/bin/kcadm.sh get /auth/admin/realms/$REALM_NAME --fields id --format csv --noquotes)
    /opt/jboss/keycloak/bin/kcadm.sh create components -r $REALM_NAME -s name="migration-provider" -s providerId="migration-provider" -s providerType="org.keycloak.storage.UserStorageProvider" -s parentId="$PARENT_ID" -s 'config.priority=["0"]' -s 'config.enabled=["true"]' -s 'config.cachePolicy=["NO_CACHE"]'

Try something like this; it worked for me :)
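The two points raised on this page, resolving parentId from the realm's own id (the answer) and flushing the realm cache so the console shows the component without a manual edit (the question's workaround), put together as one script. This is an added example, not code from the question, the answer or the Keycloak project. It assumes kcadm.sh is installed at the path in KCADM and already logged in, that the realm is named API as in the question, that the bind password is supplied through the LDAP_BIND_PASSWORD environment variable rather than written into the command line, and that the admin REST endpoint POST /admin/realms/{realm}/clear-realm-cache can be reached through kcadm.sh create (the endpoint exists in the 8.0 REST API; driving it through kcadm create is an assumption). The LDAP host and DNs are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the question, the answer, or Keycloak itself).
# Assumptions: kcadm.sh at $KCADM with a valid session, realm "API",
# LDAP_BIND_PASSWORD exported in the environment, placeholder LDAP host/DNs.
set -eu

KCADM="${KCADM:-/opt/jboss/keycloak/bin/kcadm.sh}"   # assumed install location
REALM="${REALM:-API}"                                 # realm name from the question

# Build one "-s" value of the form config.<key>=["<value>"]. Keycloak stores
# component config as a map of string lists, hence the JSON array. Values
# containing '"' or '\' would need JSON escaping; none of the ones below do.
config_arg() {
  printf 'config.%s=["%s"]' "$1" "$2"
}

# parentId must be the realm's internal UUID, not the realm name. Reject
# anything else before it reaches kcadm, so a failed lookup aborts instead of
# creating a component the console never lists.
is_uuid() {
  printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
}

# Look up the realm's id the same way the answer does (relative endpoint form).
realm_id() {
  "$KCADM" get "realms/$1" --fields id --format csv --noquotes
}

create_ldap_component() {
  realm="$1"; parent="$2"
  is_uuid "$parent" || { echo "parentId '$parent' is not a realm UUID" >&2; return 1; }
  : "${LDAP_BIND_PASSWORD:?export LDAP_BIND_PASSWORD before running}"
  # ldaps with the truststore enforced for all connections, so the bind
  # credential is never sent over a cleartext LDAP session.
  "$KCADM" create components -r "$realm" \
    -s name="Active Directory" \
    -s parentId="$parent" \
    -s providerId=ldap \
    -s providerType=org.keycloak.storage.UserStorageProvider \
    -s "$(config_arg priority 1)" \
    -s "$(config_arg enabled true)" \
    -s "$(config_arg editMode READ_ONLY)" \
    -s "$(config_arg vendor ad)" \
    -s "$(config_arg usernameLDAPAttribute sAMAccountName)" \
    -s "$(config_arg rdnLDAPAttribute sAMAccountName)" \
    -s "$(config_arg uuidLDAPAttribute objectGUID)" \
    -s "$(config_arg userObjectClasses 'person, organizationalPerson, user')" \
    -s "$(config_arg connectionUrl 'ldaps://ldap.example.test')" \
    -s "$(config_arg usersDn 'OU=Users,DC=example,DC=test')" \
    -s "$(config_arg authType simple)" \
    -s "$(config_arg bindDn 'CN=svc-keycloak,OU=Service Accounts,DC=example,DC=test')" \
    -s "$(config_arg bindCredential "$LDAP_BIND_PASSWORD")" \
    -s "$(config_arg searchScope 2)" \
    -s "$(config_arg useTruststoreSpi always)" \
    -s "$(config_arg pagination true)"
}

# Flush the realm cache so the Admin console reflects the new component right
# away: the question's manual workaround, driven from the CLI. Assumes kcadm
# create posts to /admin/realms/<realm>/clear-realm-cache.
clear_realm_cache() {
  "$KCADM" create clear-realm-cache -r "$1"
}

main() {
  parent="$(realm_id "$REALM")"
  create_ldap_component "$REALM" "$parent"
  clear_realm_cache "$REALM"
}

# Only act when invoked as "./ldap-federation.sh apply"; sourcing the file
# or running it without the argument has no side effects.
if [ "${1:-}" = "apply" ]; then
  main
fi
```

The UUID check is what catches the mistake the answer points at: if the realm lookup returns the realm name, an error message, or nothing, the script stops before kcadm is called with a bad parentId.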