I figured out why the kerberos component wasn't showing up in the web console. I now
see that realm name and realm ID are not identical by default. It might make sense to
update the CLI docs to suggest that when creating a realm you explicitly set the ID to be
the same as the realm name as the web console automatically does. That is why I was
seeing the command line listing the component as part of the realm, but not visible when
browsing from the web console. The first part of my question still remains. It seems the
kcadm tool cannot be used to create or modify a user storage provider with all of the
fields. Some fields seem to cause parsing errors on the server. Including these fields
in the initial create command doesn't work. Neither does including them in an update
command:
kcadm.sh update components/my-kerberos-component-id -r demorealm -s
config.kerberosRealm=["my-kerberos-realm-name"]
Also results in:
Uncaught server error: com.fasterxml.jackson.databind.JsonMappingException: Can not
deserialize instance of java.util.ArrayList out of VALUE_STRING token
----- Original Message -----
From: "Ryan Slominski" <ryans(a)jlab.org>
To: "keycloak-user" <keycloak-user(a)lists.jboss.org>
Sent: Tuesday, February 6, 2018 2:16:32 PM
Subject: [keycloak-user] kcadm CLI for kerberos user storage API needs updating?
I'm following the latest CLI documentation
(
https://urldefense.proofpoint.com/v2/url?u=http-3A__www.keycloak.org_docs...
), but the section about managing Kerberos user storage providers seems to be out-of-date.
The related REST API documentation
(
https://urldefense.proofpoint.com/v2/url?u=http-3A__www.keycloak.org_docs...
) points out major changes occurred after version 2.4.0. In particular the following
command no longer works:
kcadm.sh create user-federation/instances -r demorealm ...
Instead it seems it should be something like the following:
kcadm.sh create components -r demorealm -s parentId=demorealm -s name="kerberos"
-s providerId="kerberos" -s
providerType="org.keycloak.storage.UserStorageProvider"\
-s config.enabled=["true"] -s
config.allowPasswordAuthentication=["true"] -s config.debug=["false"]
-s config.priority=["0"] -s config.updateProfileFirstLogin=["false"]
However, this "create components" command only seems to work if I don't
include the following otherwise desirable attributes:
-s config.keyTab=["path-to-keytab"]
-s config.kerberosRealm=["kerberos-realm-name"]
-s config.cachePolicy=["DEFAULT"]
-s config.editMode=["READ_ONLY"]
-s config.serverPrincipal=["http-principal-name"]
Including any one of them results in the server throwing the following exception:
Uncaught server error: com.fasterxml.jackson.databind.JsonMappingException: Can not
deserialize instance of java.util.ArrayList out of VALUE_STRING token
Further, even if I leave these attributes out and attempt to finish the job using the web
console I noticed the new user storage provider doesn't show up in the list on the
web. It DOES show up when queried from the command line with:
kcadm.sh get components -r demorealm
But oddly doesn't show up if you filter as the web does with:
kcadm.sh get components -r demorealm -q type=org.keycloak.storage.UserStorageProvider
Any help is appreciated. Thanks,
Ryan
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss.org_mail...