[keycloak-user] Unable to query currently set bindCredentials for LDAP

Dmitry Telegin dt at acutus.pro
Sun Dec 16 21:41:21 EST 2018 

Hello Trey,

Please try the following link:

GET https://<host>/auth/admin/realms/<realm>/testLDAPConnection?action=testAuthentication&bindCredential=**********&bindDn=<bind-dn>&componentId=<component-id>&connectionTimeout=&connectionUrl=<connection-url>&useTruststoreSpi=ldapsOnly

You should substitute the values in angle brackets with your actual ones. You can look them up by firing Admin console, going to LDAP config, pressing F12, clicking "Test authentication" and examining the contents of the resulting GET request.
You should also leave bindCredential as is; this special value (10 asterisks) instructs Keycloak to perform testing with the saved credentials.

You will get HTTP 204 No Content if successful and HTTP 400 Bad Request otherwise.

Good luck,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Fri, 2018-12-14 at 18:46 +0000, Dockendorf, Trey wrote:
> So my goal is for Puppet code to be given bind credentials and know if the provided value is currently configured in Keycloak.  Since the plain-text value isn't easily accessed I was hoping to use testLDAPConnection API call to test if the provided credentials currently configured in Keycloak are still valid so that Puppet could know if it needs to update with Puppet provided credentials.  In order to do this I'd have to make a call to testLDAPConnection and have it use bindCredential from the database and not have to be specified.  Is that possible?  So far I'm not having much luck.  Also only getting useful response if I use POST (per API docs) and not GET.  Is bindCredential not read from the database if omitted as query parameter?
> 
> Get token:
> export TKN=$(curl -X POST 'http://localhost:8080/auth/realms/master/protocol/openid-connect/token' \
>  -H "Content-Type: application/x-www-form-urlencoded" \
>  -d "username=admin" \
>  -d 'password=OMIT' \
>  -d 'grant_type=password' \
>  -d 'client_id=admin-cli' | jq -r '.access_token')
> 
> $ curl -X POST 'http://localhost:8080/auth/admin/realms/osc/testLDAPConnection?action=testAuthentication&componentId=OSC-LDAP-osc' \
> >   -H "Accept: application/json" \
> >   -H "Authorization: Bearer $TKN"
> 
> {"errorMessage":"LDAP test error"}
> 
> $ curl -X GET 'http://localhost:8080/auth/admin/realms/osc/testLDAPConnection?action=testAuthentication&componentId=OSC-LDAP-osc' \
> >  -H "Accept: application/json" \
> >  -H "Authorization: Bearer $TKN" -v
> 
> * About to connect() to localhost port 8080 (#0)
> *   Trying ::1...
> * Connection refused
> *   Trying 127.0.0.1...
> * Connected to localhost (127.0.0.1) port 8080 (#0)
> > GET /auth/admin/realms/osc/testLDAPConnection?action=testAuthentication&componentId=OSC-LDAP-osc HTTP/1.1
> > User-Agent: curl/7.29.0
> > Host: localhost:8080
> > Accept: application/json
> > Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIySXpfOGlmRGh6bVM0QksxYXE2X2NvcVl1UF96M2drazRxbkhTWm5PQ1Q4In0.eyJqdGkiOiI1ZjkyNGI1OC1kNzJjLTQyMzAtYmFiOS0yYjNjODNkZGE3MDEiLCJleHAiOjE1NDQ4MTMwMTEsIm5iZiI6MCwiaWF0IjoxNTQ0ODEyOTUxLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvYXV0aC9yZWFsbXMvbWFzdGVyIiwiYXVkIjoiYWRtaW4tY2xpIiwic3ViIjoiZGE4YTllOTItMzFhYS00MWU3LWExNjktMTc2Y2U5MWE2ZTcwIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiYWRtaW4tY2xpIiwiYXV0aF90aW1lIjowLCJzZXNzaW9uX3N0YXRlIjoiMTI4MjFjNjEtZWQ1ZC00Y2RjLWE4OTYtYjNkYjA4MDcwMmY1IiwiYWNyIjoiMSIsImFsbG93ZWQtb3JpZ2lucyI6W10sInJlc291cmNlX2FjY2VzcyI6e30sInNjb3BlIjoiIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiYWRtaW4ifQ.E_qAwNm7SCKK1fUJUIw8_u9KQRcRHFtFocyxnX8QmngdvepYqV-us0OAEKzU9zaDVgYAlmnk9vfaQfgZSK3XMGqsViM5NTdOo0X28wWfJg_PFsucWtYEH2nei_y9IZPu908sqz3eJCrPBaS2W44IhuX2ev6GFQrC2xP1GhveM69J7imLmYYPAKZsIVRR9YhfUlxMV9EQviYhY7zaEPcYyjuOWTTqqC7UsNx9kL8TQU6YsY_ZYBDqOqzV6e0bS90EQkVoWWoENeirJqriz-y9Mcj3ZwP2tMlUercYpe85DonnKDTal5scZVSNKOyl-E7B_DLF_EVQBDojGnDpu__QtQ
> > 
> 
> < HTTP/1.1 405 Method Not Allowed
> < Connection: keep-alive
> < Content-Length: 0
> < Date: Fri, 14 Dec 2018 18:43:20 GMT
>> * Connection #0 to host localhost left intact
> 
> -- 
> Trey Dockendorf
> 
> HPC Systems Engineer
> Ohio Supercomputer Center
> 
> > On 12/14/18, 12:13 AM, "Dmitry Telegin" <dt at acutus.pro> wrote:
> 
>     Hello Trey,
>     
>     The bindCredential property is internally marked as "secret", so yes, it will be returned as "**********" and this is by design. If you absolutely need to expose it via REST, you can create a custom REST endpoint for that, however this seems an overkill to me.
>     
>     OTOH, the testLDAPConnection endpoint in fact works without supplying the actual credential. Open Admin Console, go to LDAP config, click "Test authentication" and examine the network traffic it would generate. In my case it's like this:
>     
>     GET https://<host>/auth/admin/realms/<realm>/testLDAPConnection?action=testAuthentication&bindCredential=**********&bindDn=cn=Manager,dc=domain,dc=com&componentId=df317c1f-8f6a-4aad-8b8f-7b836d42fb8e&connectionTimeout=&connectionUrl=ldap://localhost&useTruststoreSpi=ldapsOnly
>     
>     This endpoint returns HTTP 204 No Content if successful and HTTP 400 Bad Request otherwise.
>     
>     Good luck,
>     Dmitry Telegin
>     CTO, Acutus s.r.o.
>     Keycloak Consulting and Training
>     
>     Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
>     +42 (022) 888-30-71
>     E-mail: info at acutus.pro
>     
>     On Thu, 2018-12-13 at 16:44 +0000, Dockendorf, Trey wrote:
>     > I am using Puppet to automate the configuration of my Keycloak server and one thing I automate is the addition of LDAP authentication backends.  I have discovered that bindCredential comes back as "**********" [1] which prevents Puppet from knowing if the value is set correctly.  Is there a way to have Keycloak return the actual value that’s stored in the database?  I have found where in the database this is stored but I’d rather not have to resort to direct database queries with Puppet as that would severely limit the database backends I can support.
>     > 
>     > If there is no way to expose actual bindCredential value, is there a way to test that the currently set bind credentials actually work?  I have noticed that something like testLDAPConnection has to be provided the bind credentials rather than reading them from the realm’s configured LDAP.
>     > 
>     > Thanks,
>     > - Trey
>     > 
>     > [1]
> >     > > $ /opt/keycloak/bin/kcadm.sh get components/OSC-LDAP-osc -r osc --no-config --server http://localhost:8080/auth --realm master --user admin --password <OMIT> | jq .config.bindCredential
> >     > > Logging into http://localhost:8080/auth as user admin of realm master
>     > 
>     > [
>     >   "**********"
>     > ]
>     > 
>     > --
>     > Trey Dockendorf
>     > HPC Systems Engineer
>     > Ohio Supercomputer Center
>     > _______________________________________________
>     > keycloak-user mailing list
>     > keycloak-user at lists.jboss.org
>     > https://lists.jboss.org/mailman/listinfo/keycloak-user
>     
>     
>

More information about the keycloak-user mailing list