Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

User import with credentials doesn't seem to work with a Realm that federates with LDAP Server #1129

Open
davidfrickert opened this issue Aug 26, 2024 · 4 comments
Open

User import with credentials doesn't seem to work with a Realm that federates with LDAP Server #1129

davidfrickert opened this issue Aug 26, 2024 · 4 comments
Labels
bug

Comments

@davidfrickert
Copy link

Current Behavior

It seems that user import with credentials doesn't work when your realm has User Federation set up with an LDAP server.
The user is created, but the credentials are not set, leaving the user with no credentials set up.

Minimal kcc config example:

{
  "groups": [
    {
      "clientRoles": {
        "realm-management": [
          "manage-users",
          "query-users",
          "query-groups"
        ]
      },
      "name": "Account manager"
    }
  ],
  "users": [
    {
      "credentials": [
        {
          "type": "password",
          "value": "actual-password"
        }
      ],
      "enabled": true,
      "groups": [
        "/Account manager"
      ],
      "username": "test-realm-account-manager"
    }
  ],
  "id": "test-realm",
  "realm": "test-realm"
}

Expected Behavior

User is created with credentials imported.

Steps To Reproduce

0. Create LDAP server (e.g. OpenLDAP)

1. Create realm
2. Set up user federation with LDAP server
3. Attempt to import user with credentials to the LDAP server

Environment

  • Keycloak Version: 24.0.5
  • keycloak-config-cli Version: 6.1.5
  • Java Version: 21

Anything else?

No response
@davidfrickert
Copy link
Author

I ran kcc with full debug logging and saw that the credentials are sent to the user creation API along with the user details.
I guess that when federating with LDAP this field is ignored by Keycloak?
Settings the credentials via the credentials API would work, as that is what the Keycloak Web UI uses when you reset a password in an LDAP-enabled realm

@davidfrickert
Copy link
Author

Okay, after some testing I did find out a way to bypass this issue, it is a bit annoying though.
I have to first import the user without credentials or with dummy credentials, then do another import where I add the credentials.
This forces kcc to use the User Update API which seems to accept adding credentials to the user on an LDAP-enabled realm.

In any case, it would be great if the user import with credentials on an LDAP-enabled realm use case could be supported.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@davidfrickert and others