So my goal is for Puppet code to be given bind credentials and know if the provided value
is currently configured in Keycloak. Since the plain-text value isn't easily accessed
I was hoping to use testLDAPConnection API call to test if the provided credentials
currently configured in Keycloak are still valid so that Puppet could know if it needs to
update with Puppet provided credentials. In order to do this I'd have to make a call
to testLDAPConnection and have it use bindCredential from the database and not have to be
specified. Is that possible? So far I'm not having much luck. Also only getting
useful response if I use POST (per API docs) and not GET. Is bindCredential not read from
the database if omitted as query parameter?
Get token:
export TKN=$(curl -X POST
'http://localhost:8080/auth/realms/master/protocol/openid-connect/token' \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "username=admin" \
-d 'password=OMIT' \
-d 'grant_type=password' \
-d 'client_id=admin-cli' | jq -r '.access_token')
$ curl -X POST
'http://localhost:8080/auth/admin/realms/osc/testLDAPConnection?action=testAuthentication&componentId=OSC-LDAP-osc'
\
-H "Accept: application/json" \
-H "Authorization: Bearer $TKN"
{"errorMessage":"LDAP
test error"}
$ curl -X GET
'http://localhost:8080/auth/admin/realms/osc/testLDAPConnection?action=testAuthentication&componentId=OSC-LDAP-osc'
\
-H "Accept: application/json" \
-H "Authorization: Bearer $TKN" -v
* About to connect() to localhost
port 8080 (#0)
* Trying ::1...
* Connection refused
* Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 8080 (#0)
GET
/auth/admin/realms/osc/testLDAPConnection?action=testAuthentication&componentId=OSC-LDAP-osc
HTTP/1.1
User-Agent: curl/7.29.0
Host: localhost:8080
Accept: application/json
Authorization: Bearer
eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIySXpfOGlmRGh6bVM0QksxYXE2X2NvcVl1UF96M2drazRxbkhTWm5PQ1Q4In0.eyJqdGkiOiI1ZjkyNGI1OC1kNzJjLTQyMzAtYmFiOS0yYjNjODNkZGE3MDEiLCJleHAiOjE1NDQ4MTMwMTEsIm5iZiI6MCwiaWF0IjoxNTQ0ODEyOTUxLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvYXV0aC9yZWFsbXMvbWFzdGVyIiwiYXVkIjoiYWRtaW4tY2xpIiwic3ViIjoiZGE4YTllOTItMzFhYS00MWU3LWExNjktMTc2Y2U5MWE2ZTcwIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiYWRtaW4tY2xpIiwiYXV0aF90aW1lIjowLCJzZXNzaW9uX3N0YXRlIjoiMTI4MjFjNjEtZWQ1ZC00Y2RjLWE4OTYtYjNkYjA4MDcwMmY1IiwiYWNyIjoiMSIsImFsbG93ZWQtb3JpZ2lucyI6W10sInJlc291cmNlX2FjY2VzcyI6e30sInNjb3BlIjoiIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiYWRtaW4ifQ.E_qAwNm7SCKK1fUJUIw8_u9KQRcRHFtFocyxnX8QmngdvepYqV-us0OAEKzU9zaDVgYAlmnk9vfaQfgZSK3XMGqsViM5NTdOo0X28wWfJg_PFsucWtYEH2nei_y9IZPu908sqz3eJCrPBaS2W44IhuX2ev6GFQrC2xP1GhveM69J7imLmYYPAKZsIVRR9YhfUlxMV9EQviYhY7zaEPcYyjuOWTTqqC7UsNx9kL8TQU6YsY_ZYBDqOqzV6e0bS90EQkVoWWoENeirJqriz-y9Mcj3ZwP2tMlUercYpe85DonnKDTal5scZVSNKOyl-E7B_DLF_EVQBDojGnDpu__QtQ
< HTTP/1.1 405 Method Not Allowed
< Connection: keep-alive
< Content-Length: 0
< Date: Fri, 14 Dec 2018 18:43:20 GMT
<
* Connection #0 to host localhost left intact
--
Trey Dockendorf
HPC Systems Engineer
Ohio Supercomputer Center
On 12/14/18, 12:13 AM, "Dmitry Telegin" <dt(a)acutus.pro> wrote:
Hello Trey,
The bindCredential property is internally marked as "secret", so yes, it
will be returned as "**********" and this is by design. If you absolutely need
to expose it via REST, you can create a custom REST endpoint for that, however this seems
an overkill to me.
OTOH, the testLDAPConnection endpoint in fact works without supplying the actual
credential. Open Admin Console, go to LDAP config, click "Test authentication"
and examine the network traffic it would generate. In my case it's like this:
GET
https://<host>/auth/admin/realms/<realm>/testLDAPConnection?action=testAuthentication&bindCredential=**********&bindDn=cn=Manager,dc=domain,dc=com&componentId=df317c1f-8f6a-4aad-8b8f-7b836d42fb8e&connectionTimeout=&connectionUrl=ldap://localhost&useTruststoreSpi=ldapsOnly
This endpoint returns HTTP 204 No Content if successful and HTTP 400 Bad Request
otherwise.
Good luck,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
On Thu, 2018-12-13 at 16:44 +0000, Dockendorf, Trey wrote:
I am using Puppet to automate the configuration of my Keycloak server
and one thing I automate is the addition of LDAP authentication backends. I have
discovered that bindCredential comes back as "**********" [1] which prevents
Puppet from knowing if the value is set correctly. Is there a way to have Keycloak return
the actual value that’s stored in the database? I have found where in the database this
is stored but I’d rather not have to resort to direct database queries with Puppet as that
would severely limit the database backends I can support.
If there is no way to expose actual bindCredential value, is there a way to test that the
currently set bind credentials actually work? I have noticed that something like
testLDAPConnection has to be provided the bind credentials rather than reading them from
the realm’s configured LDAP.
Thanks,
- Trey
[1]
> $ /opt/keycloak/bin/kcadm.sh get components/OSC-LDAP-osc -r osc --no-config --server
http://localhost:8080/auth --realm master --user admin --password <OMIT> | jq
.config.bindCredential
> Logging into
http://localhost:8080/auth as user admin of realm master
[
"**********"
]
--
Trey Dockendorf
HPC Systems Engineer
Ohio Supercomputer Center
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user