[keycloak-user] Unable to query currently set bindCredentials for LDAP

Dockendorf, Trey tdockendorf at osc.edu
Fri Dec 14 13:46:12 EST 2018 

So my goal is for Puppet code to be given bind credentials and know if the provided value is currently configured in Keycloak.  Since the plain-text value isn't easily accessed I was hoping to use testLDAPConnection API call to test if the provided credentials currently configured in Keycloak are still valid so that Puppet could know if it needs to update with Puppet provided credentials.  In order to do this I'd have to make a call to testLDAPConnection and have it use bindCredential from the database and not have to be specified.  Is that possible?  So far I'm not having much luck.  Also only getting useful response if I use POST (per API docs) and not GET.  Is bindCredential not read from the database if omitted as query parameter?

Get token:
export TKN=$(curl -X POST 'http://localhost:8080/auth/realms/master/protocol/openid-connect/token' \
 -H "Content-Type: application/x-www-form-urlencoded" \
 -d "username=admin" \
 -d 'password=OMIT' \
 -d 'grant_type=password' \
 -d 'client_id=admin-cli' | jq -r '.access_token')

$ curl -X POST 'http://localhost:8080/auth/admin/realms/osc/testLDAPConnection?action=testAuthentication&componentId=OSC-LDAP-osc' \
>   -H "Accept: application/json" \
>   -H "Authorization: Bearer $TKN"
{"errorMessage":"LDAP test error"}

$ curl -X GET 'http://localhost:8080/auth/admin/realms/osc/testLDAPConnection?action=testAuthentication&componentId=OSC-LDAP-osc' \
>  -H "Accept: application/json" \
>  -H "Authorization: Bearer $TKN" -v
* About to connect() to localhost port 8080 (#0)
*   Trying ::1...
* Connection refused
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 8080 (#0)
> GET /auth/admin/realms/osc/testLDAPConnection?action=testAuthentication&componentId=OSC-LDAP-osc HTTP/1.1
> User-Agent: curl/7.29.0
> Host: localhost:8080
> Accept: application/json
> Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIySXpfOGlmRGh6bVM0QksxYXE2X2NvcVl1UF96M2drazRxbkhTWm5PQ1Q4In0.eyJqdGkiOiI1ZjkyNGI1OC1kNzJjLTQyMzAtYmFiOS0yYjNjODNkZGE3MDEiLCJleHAiOjE1NDQ4MTMwMTEsIm5iZiI6MCwiaWF0IjoxNTQ0ODEyOTUxLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvYXV0aC9yZWFsbXMvbWFzdGVyIiwiYXVkIjoiYWRtaW4tY2xpIiwic3ViIjoiZGE4YTllOTItMzFhYS00MWU3LWExNjktMTc2Y2U5MWE2ZTcwIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiYWRtaW4tY2xpIiwiYXV0aF90aW1lIjowLCJzZXNzaW9uX3N0YXRlIjoiMTI4MjFjNjEtZWQ1ZC00Y2RjLWE4OTYtYjNkYjA4MDcwMmY1IiwiYWNyIjoiMSIsImFsbG93ZWQtb3JpZ2lucyI6W10sInJlc291cmNlX2FjY2VzcyI6e30sInNjb3BlIjoiIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiYWRtaW4ifQ.E_qAwNm7SCKK1fUJUIw8_u9KQRcRHFtFocyxnX8QmngdvepYqV-us0OAEKzU9zaDVgYAlmnk9vfaQfgZSK3XMGqsViM5NTdOo0X28wWfJg_PFsucWtYEH2nei_y9IZPu908sqz3eJCrPBaS2W44IhuX2ev6GFQrC2xP1GhveM69J7imLmYYPAKZsIVRR9YhfUlxMV9EQviYhY7zaEPcYyjuOWTTqqC7UsNx9kL8TQU6YsY_ZYBDqOqzV6e0bS90EQkVoWWoENeirJqriz-y9Mcj3ZwP2tMlUercYpe85DonnKDTal5scZVSNKOyl-E7B_DLF_EVQBDojGnDpu__QtQ
> 
< HTTP/1.1 405 Method Not Allowed
< Connection: keep-alive
< Content-Length: 0
< Date: Fri, 14 Dec 2018 18:43:20 GMT
< 
* Connection #0 to host localhost left intact

-- 
Trey Dockendorf

HPC Systems Engineer
Ohio Supercomputer Center

On 12/14/18, 12:13 AM, "Dmitry Telegin" <dt at acutus.pro> wrote:

    Hello Trey,
    
    The bindCredential property is internally marked as "secret", so yes, it will be returned as "**********" and this is by design. If you absolutely need to expose it via REST, you can create a custom REST endpoint for that, however this seems an overkill to me.
    
    OTOH, the testLDAPConnection endpoint in fact works without supplying the actual credential. Open Admin Console, go to LDAP config, click "Test authentication" and examine the network traffic it would generate. In my case it's like this:
    
    GET https://<host>/auth/admin/realms/<realm>/testLDAPConnection?action=testAuthentication&bindCredential=**********&bindDn=cn=Manager,dc=domain,dc=com&componentId=df317c1f-8f6a-4aad-8b8f-7b836d42fb8e&connectionTimeout=&connectionUrl=ldap://localhost&useTruststoreSpi=ldapsOnly
    
    This endpoint returns HTTP 204 No Content if successful and HTTP 400 Bad Request otherwise.
    
    Good luck,
    Dmitry Telegin
    CTO, Acutus s.r.o.
    Keycloak Consulting and Training
    
    Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
    +42 (022) 888-30-71
    E-mail: info at acutus.pro
    
    On Thu, 2018-12-13 at 16:44 +0000, Dockendorf, Trey wrote:
    > I am using Puppet to automate the configuration of my Keycloak server and one thing I automate is the addition of LDAP authentication backends.  I have discovered that bindCredential comes back as "**********" [1] which prevents Puppet from knowing if the value is set correctly.  Is there a way to have Keycloak return the actual value that’s stored in the database?  I have found where in the database this is stored but I’d rather not have to resort to direct database queries with Puppet as that would severely limit the database backends I can support.
    > 
    > If there is no way to expose actual bindCredential value, is there a way to test that the currently set bind credentials actually work?  I have noticed that something like testLDAPConnection has to be provided the bind credentials rather than reading them from the realm’s configured LDAP.
    > 
    > Thanks,
    > - Trey
    > 
    > [1]
    > > $ /opt/keycloak/bin/kcadm.sh get components/OSC-LDAP-osc -r osc --no-config --server http://localhost:8080/auth --realm master --user admin --password <OMIT> | jq .config.bindCredential
    > > Logging into http://localhost:8080/auth as user admin of realm master
    > 
    > [
    >   "**********"
    > ]
    > 
    > --
    > Trey Dockendorf
    > HPC Systems Engineer
    > Ohio Supercomputer Center
    > _______________________________________________
    > keycloak-user mailing list
    > keycloak-user at lists.jboss.org
    > https://lists.jboss.org/mailman/listinfo/keycloak-user

More information about the keycloak-user mailing list