Using GET was giving me 405 Method Not Allowed [1], but if I change to POST I get 400 even
though I know the saved credentials are good. The buttons in the web interface are doing
nothing for me: I click "Test authentication" and nothing happens. This is
Keycloak 4.2.1.Final. Tried with both Firefox and Chrome. "Test
connection" does nothing either.
Thanks,
- Trey
TOKEN:
export TKN=$(curl -X POST \
  'http://localhost:8080/auth/realms/master/protocol/openid-connect/token' \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "username=admin" \
  -d 'password=<OMIT>' \
  -d 'grant_type=password' \
  -d 'client_id=admin-cli' | jq -r '.access_token')
[1]:
# curl -X GET \
  'http://localhost:8080/auth/admin/realms/osc/testLDAPConnection?action=testAuthentication&bindCredential=**********&bindDn=cn%3Dread%2Cou%3DAdmin%<OMIT>&componentId=OSC-LDAP-osc&connectionTimeout=&connectionUrl=ldaps%3A%2F%OMIT%3A636&useTruststoreSpi=never' \
  -H "Accept: application/json" \
  -H "Authorization: Bearer $TKN" -v
* About to connect() to localhost
port 8080 (#0)
* Trying ::1...
* Connection refused
* Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 8080 (#0)
> GET /auth/admin/realms/osc/testLDAPConnection?action=testAuthentication&bindCredential=**********&bindDn=cn%3Dread%2Cou%3DAdmin%OMIT&componentId=OSC-LDAP-osc&connectionTimeout=&connectionUrl=ldaps%3A%2F%OMIT%3A636&useTruststoreSpi=never HTTP/1.1
> User-Agent: curl/7.29.0
> Host: localhost:8080
> Accept: application/json
> Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIySXpfOGlmRGh6bVM0QksxYXE2X2NvcVl1UF96M2drazRxbkhTWm5PQ1Q4In0.<OMIT>.VRlEt0O_8_7YF2I8I7TggbItyh8Wn3FW0k3GTL9gH4buXaLAt8i8RbSrfn_THVtTagDREw4EyHgVSVPaUYnDlODouk7b4k9-bOWTfAQm9BsNncWLWhvbiZGfrVu6BDqGEtWY-JIUNhbg_ChDMPlcctBvTwgBmnQvh3JIQfsM7bxPhqO7k9b5NPT5yKiyL9RWQqgNHCJvRaQrzqT1JhzRxJiZB38FCd8_Hf25IpWtvfYQnaU0r3LRcMDaO-2rYMYkm_1IztdSOQFPB6vCdwup45HpSPvFB8J5WB0z7nNtsdaVrly0B8AHWV2bckS5n_-jI4LCxxh2H5ZHyNPrp_jOzA
>
< HTTP/1.1 405 Method Not Allowed
< Connection: keep-alive
< Content-Length: 0
< Date: Mon, 17 Dec 2018 18:25:07 GMT
<
* Connection #0 to host localhost left intact
--
Trey Dockendorf
HPC Systems Engineer
Ohio Supercomputer Center
On 12/16/18, 9:41 PM, "Dmitry Telegin" <dt(a)acutus.pro> wrote:
Hello Trey,
Please try the following link:
GET
https://<host>/auth/admin/realms/<realm>/testLDAPConnection?action=testAuthentication&bindCredential=**********&bindDn=<bind-dn>&componentId=<component-id>&connectionTimeout=&connectionUrl=<connection-url>&useTruststoreSpi=ldapsOnly
You should substitute the values in angle brackets with your actual ones. You can look
them up by firing Admin console, going to LDAP config, pressing F12, clicking "Test
authentication" and examining the contents of the resulting GET request.
You should also leave bindCredential as is; this special value (10 asterisks)
instructs Keycloak to perform testing with the saved credentials.
You will get HTTP 204 No Content if successful and HTTP 400 Bad Request otherwise.
Good luck,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
On Fri, 2018-12-14 at 18:46 +0000, Dockendorf, Trey wrote:
So my goal is for Puppet code to be given bind credentials and know
if the provided value is currently configured in Keycloak. Since the plain-text value
isn't easily accessed I was hoping to use testLDAPConnection API call to test if the
provided credentials currently configured in Keycloak are still valid so that Puppet could
know if it needs to update with Puppet provided credentials. In order to do this I'd
have to make a call to testLDAPConnection and have it use bindCredential from the database
and not have to be specified. Is that possible? So far I'm not having much luck.
Also, I'm only getting a useful response if I use POST (per the API docs) and not GET. Is
bindCredential not read from the database if it's omitted as a query parameter?
Get token:
export TKN=$(curl -X POST \
  'http://localhost:8080/auth/realms/master/protocol/openid-connect/token' \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "username=admin" \
  -d 'password=OMIT' \
  -d 'grant_type=password' \
  -d 'client_id=admin-cli' | jq -r '.access_token')
$ curl -X POST \
>   'http://localhost:8080/auth/admin/realms/osc/testLDAPConnection?action=testAuthentication&componentId=OSC-LDAP-osc' \
>   -H "Accept: application/json" \
>   -H "Authorization: Bearer $TKN"
{"errorMessage":"LDAP test error"}
$ curl -X GET \
>   'http://localhost:8080/auth/admin/realms/osc/testLDAPConnection?action=testAuthentication&componentId=OSC-LDAP-osc' \
>   -H "Accept: application/json" \
>   -H "Authorization: Bearer $TKN" -v
* About to connect() to localhost port 8080 (#0)
* Trying ::1...
* Connection refused
* Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 8080 (#0)
> GET /auth/admin/realms/osc/testLDAPConnection?action=testAuthentication&componentId=OSC-LDAP-osc HTTP/1.1
> User-Agent: curl/7.29.0
> Host: localhost:8080
> Accept: application/json
> Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIySXpfOGlmRGh6bVM0QksxYXE2X2NvcVl1UF96M2drazRxbkhTWm5PQ1Q4In0.<OMIT>.E_qAwNm7SCKK1fUJUIw8_u9KQRcRHFtFocyxnX8QmngdvepYqV-us0OAEKzU9zaDVgYAlmnk9vfaQfgZSK3XMGqsViM5NTdOo0X28wWfJg_PFsucWtYEH2nei_y9IZPu908sqz3eJCrPBaS2W44IhuX2ev6GFQrC2xP1GhveM69J7imLmYYPAKZsIVRR9YhfUlxMV9EQviYhY7zaEPcYyjuOWTTqqC7UsNx9kL8TQU6YsY_ZYBDqOqzV6e0bS90EQkVoWWoENeirJqriz-y9Mcj3ZwP2tMlUercYpe85DonnKDTal5scZVSNKOyl-E7B_DLF_EVQBDojGnDpu__QtQ
>
< HTTP/1.1 405 Method Not Allowed
< Connection: keep-alive
< Content-Length: 0
< Date: Fri, 14 Dec 2018 18:43:20 GMT
<
* Connection #0 to host localhost left intact
--
Trey Dockendorf
HPC Systems Engineer
Ohio Supercomputer Center
> On 12/14/18, 12:13 AM, "Dmitry Telegin" <dt(a)acutus.pro> wrote:
Hello Trey,
The bindCredential property is internally marked as "secret", so yes, it
will be returned as "**********" and this is by design. If you absolutely need
to expose it via REST, you can create a custom REST endpoint for that, however this seems
an overkill to me.
OTOH, the testLDAPConnection endpoint in fact works without supplying the actual
credential. Open Admin Console, go to LDAP config, click "Test authentication"
and examine the network traffic it would generate. In my case it's like this:
GET
https://<host>/auth/admin/realms/<realm>/testLDAPConnection?action=testAuthentication&bindCredential=**********&bindDn=cn=Manager,dc=domain,dc=com&componentId=df317c1f-8f6a-4aad-8b8f-7b836d42fb8e&connectionTimeout=&connectionUrl=ldap://localhost&useTruststoreSpi=ldapsOnly
This endpoint returns HTTP 204 No Content if successful and HTTP 400 Bad Request
otherwise.
Good luck,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
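Dmitry's two replies above describe one mechanism: issue the same GET the admin console's "Test authentication" button issues, with bindCredential set to the ten-asterisk sentinel, and let Keycloak bind with the secret it already has stored; 204 means the saved credential works, 400 means it does not. The POSIX shell helper below is an added example, not code from this thread or from Keycloak, that wraps that call so a configuration-management run (Trey's Puppet use case) can use it as an idempotency check without ever reading the secret back. The KC_* variable names, the function names and the sample realm, component, DN and LDAP URL values are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread or from Keycloak): check whether the LDAP
# bind credential Keycloak has STORED for a user-federation component still
# binds, via GET /admin/realms/<realm>/testLDAPConnection with
# bindCredential=********** (the "use the saved credential" sentinel).
# Assumed inputs: realm, component id, bind DN and connection URL come from the
# caller; the KC_* names are this example's own, not Keycloak's.

# Percent-encode one query value byte by byte in the C locale (RFC 3986
# unreserved characters pass through). The value is handed to awk through the
# environment so backslashes in a bind DN are not interpreted as escapes.
urlencode() {
    KC_RAW="$1" LC_ALL=C awk 'BEGIN {
        for (i = 1; i < 256; i++) hex[sprintf("%c", i)] = sprintf("%%%02X", i)
        s = ENVIRON["KC_RAW"]; out = ""
        for (i = 1; i <= length(s); i++) {
            c = substr(s, i, 1)
            out = out ((c ~ /[A-Za-z0-9._~-]/) ? c : hex[c])
        }
        printf "%s", out
    }'
}

# Build the request the admin console sends (parameter order as in Dmitry's
# capture). Only the sentinel crosses the wire, never the real secret.
build_test_url() {
    base="$1"; realm="$2"; component="$3"; bind_dn="$4"; conn_url="$5"
    truststore="${6:-ldapsOnly}"
    printf '%s/admin/realms/%s/testLDAPConnection?action=testAuthentication&bindCredential=**********&bindDn=%s&componentId=%s&connectionTimeout=&connectionUrl=%s&useTruststoreSpi=%s\n' \
        "$base" "$(urlencode "$realm")" "$(urlencode "$bind_dn")" \
        "$(urlencode "$component")" "$(urlencode "$conn_url")" "$truststore"
}

# Map the endpoint's HTTP status to an exit code a Puppet exec can act on:
# 0 = saved credential binds (204), 1 = Keycloak rejected it (400, the
# "LDAP test error" body), 2 = the test itself did not run (401 expired
# token, 405 wrong method, 5xx), which must not be mistaken for a bad secret.
status_to_rc() {
    case "$1" in
        204) return 0 ;;
        400) return 1 ;;
        *)   return 2 ;;
    esac
}

# Admin token via the password grant, as in the thread. --data-urlencode is
# used for the password so characters such as '+', '&' or '%' survive intact
# (plain -d sends them raw and the server decodes them).
admin_token() {
    curl -sS -X POST "$1/realms/master/protocol/openid-connect/token" \
        -d "username=$2" --data-urlencode "password=$3" \
        -d 'grant_type=password' -d 'client_id=admin-cli' | jq -r '.access_token'
}

# Run the check; the status is logged to stderr, the verdict is the exit code.
check_saved_bind_credential() {
    status=$(curl -sS -o /dev/null -w '%{http_code}' "$1" -H "Authorization: Bearer $2")
    echo "testLDAPConnection -> HTTP $status" >&2
    status_to_rc "$status"
}

# Only performs network calls when KC_RUN=1, so the functions above can be
# sourced or tested offline. Example invocation:
#   KC_RUN=1 KC_URL=http://localhost:8080/auth KC_REALM=osc KC_COMPONENT=OSC-LDAP-osc \
#   KC_BIND_DN='cn=read,ou=Admin,dc=example,dc=org' KC_LDAP_URL=ldaps://ldap.example.org:636 \
#   KC_ADMIN_PASS='...' sh check_bind.sh
if [ "${KC_RUN:-0}" = 1 ]; then
    url=$(build_test_url "$KC_URL" "$KC_REALM" "$KC_COMPONENT" "$KC_BIND_DN" "$KC_LDAP_URL")
    tkn=$(admin_token "$KC_URL" "${KC_ADMIN_USER:-admin}" "$KC_ADMIN_PASS")
    check_saved_bind_credential "$url" "$tkn"
    exit $?
fi
```

Two practical points. Because exit code 2 is reserved for "the test did not run", a 405 from the wrong HTTP method or a 401 from an expired token is reported as an error rather than as a wrong credential, which is the distinction an idempotent Puppet exec needs. And while the bind secret never leaves Keycloak, the admin password and bearer token do appear in this process's argument list on a shared host; on such hosts move them into a curl config file (-K) or an environment-fed stdin rather than command-line arguments, and run the check over TLS only.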
On Thu, 2018-12-13 at 16:44 +0000, Dockendorf, Trey wrote:
> I am using Puppet to automate the configuration of my Keycloak server, and one
> thing I automate is the addition of LDAP authentication backends. I have discovered that
> bindCredential comes back as "**********" [1], which prevents Puppet from knowing
> whether the value is set correctly. Is there a way to have Keycloak return the actual value
> that's stored in the database? I have found where in the database this is stored, but I'd
> rather not have to resort to direct database queries with Puppet, as that would severely
> limit the database backends I can support.
>
> If there is no way to expose the actual bindCredential value, is there a way to test
> that the currently set bind credentials actually work? I have noticed that something like
> testLDAPConnection has to be provided the bind credentials rather than reading them from
> the realm's configured LDAP.
>
> Thanks,
> - Trey
>
> [1]
> $ /opt/keycloak/bin/kcadm.sh get components/OSC-LDAP-osc -r osc --no-config \
>     --server http://localhost:8080/auth --realm master --user admin --password <OMIT> \
>     | jq .config.bindCredential
> Logging into http://localhost:8080/auth as user admin of realm master
>
> [
> "**********"
> ]
>
> --
> Trey Dockendorf
> HPC Systems Engineer
> Ohio Supercomputer Center
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
>
https://lists.jboss.org/mailman/listinfo/keycloak-user