I'm trying to automate the configuration setup for a Realm in Keycloak using the kcadm.sh
CLI tool. When I add our LDAP configuration for user federation using a command like the following
kcadm.sh create components -r API \
-s name="Active Directory" \
-s parentId=f19b715d-272d-4b29-8474-dc538fb5e5c8 \
-s providerId=ldap \
-s providerType=org.keycloak.storage.UserStorageProvider \
-s 'config.priority=["1"]' \
-s 'config.fullSyncPeriod=["-1"]' \
-s 'config.changedSyncPeriod=["-1"]' \
-s 'config.cachePolicy=["DEFAULT"]' \
-s config.evictionDay=[] \
-s config.evictionHour=[] \
-s config.evictionMinute=[] \
-s config.maxLifespan=[] \
-s 'config.batchSizeForSync=["1000"]' \
-s 'config.editMode=["READ_ONLY"]' \
-s 'config.syncRegistrations=["false"]' \
-s 'config.vendor=["ad"]' \
-s 'config.usernameLDAPAttribute=["sAMAccountName"]' \
-s 'config.rdnLDAPAttribute=["sAMAccountName"]' \
-s 'config.uuidLDAPAttribute=["objectGUID"]' \
-s 'config.userObjectClasses=["person, organizationalPerson, user"]' \
-s 'config.connectionUrl=["LDAP://192.168.110.50"]' \
-s 'config.usersDn=["OU=ST Users,DC=something,DC=com,DC=au"]' \
-s 'config.authType=["simple"]' \
-s 'config.bindDn=["CN=Webauth LDAP,OU=System Accounts,OU=AIH Users,DC=something,DC=com,DC=au"]' \
-s 'config.bindCredential=["secret"]' \
-s 'config.searchScope=["2"]' \
-s 'config.useTruststoreSpi=["ldapsOnly"]' \
-s 'config.connectionPooling=["true"]' \
-s 'config.pagination=["true"]' \
-s 'config.allowKerberosAuthentication=["true"]' \
-s 'config.serverPrincipal=["HTTP/[email protected]"]' \
-s 'config.keyTab=["/opt/keycloak/standalone/configuration/int-keycloak.keytab"]' \
-s 'config.kerberosRealm=["SOMETHING.COM.AU"]' \
-s 'config.debug=["true"]' \
-s 'config.useKerberosForPasswordAuthentication=["true"]'
it is successfully added to the realm (as verified by inspecting the database component
and component_config
tables). BUT, when I sign-in to the Keycloak Admin console to inspect that setup for the realm I do not see any User Federation setup. It is not until I made some benign change to the realm (change the realm display name) or flush the realm caches does the configuration for the LDAP user federation becomes visible in the Admin console UI.
Is there something I should be doing to automate adding user federation with LDAP?
Note: I'm using Keycloak v8.0.1.