adorsys / keycloak-config-cli

Import YAML/JSON-formatted configuration files into Keycloak - Configuration as Code for Keycloak.
Apache License 2.0

User import with credentials doesn't seem to work with a Realm that federates with LDAP Server #1129

Open davidfrickert opened 2 months ago

davidfrickert commented 2 months ago

Current Behavior

It seems that user import with credentials doesn't work when your realm has User Federation set up with an LDAP server. The user is created, but the credentials are not set, leaving the user with no credentials set up.

Minimal kcc config example:

{
  "groups": [
    {
      "clientRoles": {
        "realm-management": [
          "manage-users",
          "query-users",
          "query-groups"
        ]
      },
      "name": "Account manager"
    }
  ],
  "users": [
    {
      "credentials": [
        {
          "type": "password",
          "value": "actual-password"
        }
      ],
      "enabled": true,
      "groups": [
        "/Account manager"
      ],
      "username": "test-realm-account-manager"
    }
  ],
  "id": "test-realm",
  "realm": "test-realm"
}

Expected Behavior

User is created with credentials imported.

Steps To Reproduce

0. Create LDAP server (e.g. OpenLDAP)

1. Create realm
2. Set up user federation with LDAP server
3. Attempt to import a user with credentials to the LDAP server


davidfrickert commented 2 months ago

I ran kcc with full debug logging and saw that the credentials are sent to the user creation API along with the user details. I guess that when federating with LDAP this field is ignored by Keycloak? Setting the credentials via the credentials API would work, as that is what the Keycloak Web UI uses when you reset a password in an LDAP-enabled realm.

davidfrickert commented 2 months ago

Okay, after some testing I did find a way to bypass this issue, though it is a bit annoying. I have to first import the user without credentials or with dummy credentials, then do another import where I add the credentials. This forces kcc to use the User Update API, which seems to accept adding credentials to the user on an LDAP-enabled realm.

In any case, it would be great if the user import with credentials on an LDAP-enabled realm use case could be supported.
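The two-step path the comments above describe (create the user first, then set the password through the same reset-password endpoint the admin console uses, then verify a password credential actually exists) as an added Python example. This is not code from the issue or from keycloak-config-cli. The base URL, realm name, bearer token and the FakeLdapRealm transport are constructed for offline demonstration; the fake only reproduces the behaviour reported in this issue (a "credentials" field in the create payload is dropped, PUT .../reset-password is honoured). Replace the fake with http_transport and a real token from admin_token() to run it against a server.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# A transport is any callable (method, url, headers, body) -> (status, headers, body).
# http_transport talks real HTTP; FakeLdapRealm below is a constructed offline stand-in.

def http_transport(method, url, headers, body):
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read()


def admin_token(base_url, username, password, transport=http_transport):
    """Password grant against the master realm using the built-in admin-cli client."""
    form = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                   "username": username, "password": password}).encode()
    status, _, body = transport("POST", f"{base_url}/realms/master/protocol/openid-connect/token",
                                {"Content-Type": "application/x-www-form-urlencoded"}, form)
    if status != 200:
        raise RuntimeError(f"token request failed: {status} {body!r}")
    return json.loads(body)["access_token"]


class KeycloakAdmin:
    def __init__(self, base_url, token, transport=http_transport):
        self.base = f"{base_url}/admin/realms"
        self.headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
        self.transport = transport

    def _call(self, method, path, payload=None):
        body = None if payload is None else json.dumps(payload).encode()
        return self.transport(method, self.base + path, self.headers, body)

    def create_user(self, realm, username, groups=()):
        # Deliberately no "credentials" key: on an LDAP-federated realm the create
        # endpoint ignores it, which is exactly what the issue reports.
        status, hdrs, body = self._call("POST", f"/{realm}/users",
                                        {"username": username, "enabled": True, "groups": list(groups)})
        if status != 201:
            raise RuntimeError(f"user create failed: {status} {body!r}")
        return hdrs["Location"].rstrip("/").rsplit("/", 1)[-1]   # user id from Location header

    def set_password(self, realm, user_id, password, temporary=False):
        # Same endpoint the admin console calls for "Reset password".
        status, _, body = self._call("PUT", f"/{realm}/users/{user_id}/reset-password",
                                     {"type": "password", "value": password, "temporary": temporary})
        if status != 204:
            raise RuntimeError(f"reset-password failed: {status} {body!r}")

    def credentials(self, realm, user_id):
        status, _, body = self._call("GET", f"/{realm}/users/{user_id}/credentials")
        if status != 200:
            raise RuntimeError(f"credential lookup failed: {status} {body!r}")
        return json.loads(body)

    def provision(self, realm, username, password, groups=()):
        """Create, then set the password, then check that a password credential exists."""
        uid = self.create_user(realm, username, groups)
        self.set_password(realm, uid, password)
        if "password" not in {c["type"] for c in self.credentials(realm, uid)}:
            raise RuntimeError(f"{username}: no password credential after reset-password")
        return uid


class FakeLdapRealm:
    """Constructed transport mimicking the reported LDAP-federated realm behaviour."""
    def __init__(self):
        self.users, self.creds = {}, {}

    def __call__(self, method, url, headers, body):
        parts = url.split("/admin/realms", 1)[1].strip("/").split("/")  # [realm, users, id, sub]
        payload = json.loads(body) if body else None
        if method == "POST" and parts[1:] == ["users"]:
            uid = f"user-{len(self.users) + 1}"
            self.users[uid] = {k: v for k, v in payload.items() if k != "credentials"}
            self.creds[uid] = []            # credentials in the create payload are dropped
            return 201, {"Location": f"{url}/{uid}"}, b""
        if method == "PUT" and parts[3:] == ["reset-password"] and parts[2] in self.creds:
            self.creds[parts[2]] = [{"type": payload["type"]}]
            return 204, {}, b""
        if method == "GET" and parts[3:] == ["credentials"] and parts[2] in self.creds:
            return 200, {}, json.dumps(self.creds[parts[2]]).encode()
        return 404, {}, b"not found"


def demo():
    """Returns (credential count after one-shot create, credential types after two-step)."""
    kc = KeycloakAdmin("http://keycloak.example", "dummy-token", transport=FakeLdapRealm())
    # One-shot create with inline credentials, the way kcc currently does it.
    _, hdrs, _ = kc._call("POST", "/test-realm/users", {"username": "one-shot", "enabled": True,
                          "credentials": [{"type": "password", "value": "actual-password"}]})
    one_shot = kc.credentials("test-realm", hdrs["Location"].rsplit("/", 1)[-1])
    # Two-step create + reset-password.
    uid = kc.provision("test-realm", "test-realm-account-manager", "actual-password",
                       groups=["/Account manager"])
    return len(one_shot), {c["type"] for c in kc.credentials("test-realm", uid)}


if __name__ == "__main__":
    print(demo())
```

The final credentials lookup in provision() is the check worth keeping even outside this demo: a 204 from reset-password does not by itself prove the user is usable, and a provisioning run that ends with an enabled, group-assigned account and no credential is precisely the silent failure the issue describes.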