[keycloak-user] Unable to query currently set bindCredentials for LDAP

Dmitry Telegin dt at acutus.pro
Fri Dec 14 00:13:36 EST 2018 

Hello Trey,

The bindCredential property is internally marked as "secret", so yes, it will be returned as "**********" and this is by design. If you absolutely need to expose it via REST, you can create a custom REST endpoint for that, however this seems an overkill to me.

OTOH, the testLDAPConnection endpoint in fact works without supplying the actual credential. Open Admin Console, go to LDAP config, click "Test authentication" and examine the network traffic it would generate. In my case it's like this:

GET https://<host>/auth/admin/realms/<realm>/testLDAPConnection?action=testAuthentication&bindCredential=**********&bindDn=cn=Manager,dc=domain,dc=com&componentId=df317c1f-8f6a-4aad-8b8f-7b836d42fb8e&connectionTimeout=&connectionUrl=ldap://localhost&useTruststoreSpi=ldapsOnly

This endpoint returns HTTP 204 No Content if successful and HTTP 400 Bad Request otherwise.

Good luck,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Thu, 2018-12-13 at 16:44 +0000, Dockendorf, Trey wrote:
> I am using Puppet to automate the configuration of my Keycloak server and one thing I automate is the addition of LDAP authentication backends.  I have discovered that bindCredential comes back as "**********" [1] which prevents Puppet from knowing if the value is set correctly.  Is there a way to have Keycloak return the actual value that’s stored in the database?  I have found where in the database this is stored but I’d rather not have to resort to direct database queries with Puppet as that would severely limit the database backends I can support.
> 
> If there is no way to expose actual bindCredential value, is there a way to test that the currently set bind credentials actually work?  I have noticed that something like testLDAPConnection has to be provided the bind credentials rather than reading them from the realm’s configured LDAP.
> 
> Thanks,
> - Trey
> 
> [1]
> > $ /opt/keycloak/bin/kcadm.sh get components/OSC-LDAP-osc -r osc --no-config --server http://localhost:8080/auth --realm master --user admin --password <OMIT> | jq .config.bindCredential
> > Logging into http://localhost:8080/auth as user admin of realm master
> 
> [
>   "**********"
> ]
> 
> --
> Trey Dockendorf
> HPC Systems Engineer
> Ohio Supercomputer Center
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

More information about the keycloak-user mailing list