
User import with credentials doesn't seem to work with a Realm that federates with LDAP Server

Open davidfrickert opened this issue 1 year ago • 4 comments

Current Behavior

It seems that user import with credentials doesn't work when your realm has User Federation set up with an LDAP server. The user is created, but the credentials are not set, leaving the user with no credentials set up.

Minimal kcc config example:

{
  "groups": [
    {
      "clientRoles": {
        "realm-management": [
          "manage-users",
          "query-users",
          "query-groups"
        ]
      },
      "name": "Account manager"
    }
  ],
  "users": [
    {
      "credentials": [
        {
          "type": "password",
          "value": "actual-password"
        }
      ],
      "enabled": true,
      "groups": [
        "/Account manager"
      ],
      "username": "test-realm-account-manager"
    }
  ],
  "id": "test-realm",
  "realm": "test-realm"
}

Expected Behavior

User is created with credentials imported.

Steps To Reproduce

0. Create LDAP server (e.g. OpenLDAP)
1. Create realm
2. Set up user federation with LDAP server
3. Attempt to import user with credentials to the LDAP server

Environment

  • Keycloak Version: 24.0.5
  • keycloak-config-cli Version: 6.1.5
  • Java Version: 21

Anything else?

No response

davidfrickert avatar Aug 26 '24 10:08 davidfrickert

I ran kcc with full debug logging and saw that the credentials are sent to the user creation API along with the user details. I guess that when federating with LDAP this field is ignored by Keycloak? Setting the credentials via the credentials API would work, as that is what the Keycloak Web UI uses when you reset a password in an LDAP-enabled realm.

davidfrickert avatar Aug 26 '24 10:08 davidfrickert

Okay, after some testing I did find a way to bypass this issue, though it is a bit annoying. I have to first import the user without credentials or with dummy credentials, then do another import where I add the credentials. This forces kcc to use the User Update API, which seems to accept adding credentials to the user on an LDAP-enabled realm.

In any case, it would be great if the user import with credentials on an LDAP-enabled realm use case could be supported.

davidfrickert avatar Aug 26 '24 10:08 davidfrickert
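The two-pass workaround from the comment above, as an added example that is not part of keycloak-config-cli or of the issue: it splits one kcc realm file into a credential-less pass1.json (so kcc hits the user creation API) and the full pass2.json (so the second run hits the update API). The sample realm is constructed from the issue's config; the output file names and the helper function names are this example's own.

```python
"""Two-pass kcc import for an LDAP-federated realm (added example, not kcc code)."""
import copy
import json
import os
import tempfile
from pathlib import Path

# Constructed sample, trimmed to the parts the workaround touches.
SAMPLE_REALM = {
    "id": "test-realm",
    "realm": "test-realm",
    "users": [
        {
            "username": "test-realm-account-manager",
            "enabled": True,
            "groups": ["/Account manager"],
            "credentials": [{"type": "password", "value": "actual-password"}],
        }
    ],
}


def split_for_ldap_workaround(realm: dict) -> tuple[dict, dict]:
    """Return (pass1, pass2): pass1 is the config with every user's
    credentials removed, pass2 is the untouched config. Importing pass1
    first creates the users; importing pass2 afterwards updates them,
    which is the path that accepts credentials on an LDAP-enabled realm."""
    pass1 = copy.deepcopy(realm)
    for user in pass1.get("users", []):
        user.pop("credentials", None)
    return pass1, copy.deepcopy(realm)


def write_import_files(realm: dict, out_dir: str) -> list[str]:
    """Write pass1.json and pass2.json with owner-only permissions (pass2
    holds plaintext passwords) and return their paths in import order."""
    pass1, pass2 = split_for_ldap_workaround(realm)
    paths = []
    for name, doc in (("pass1.json", pass1), ("pass2.json", pass2)):
        path = Path(out_dir) / name
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as fh:
            json.dump(doc, fh, indent=2)
        paths.append(str(path))
    return paths  # run keycloak-config-cli on paths[0], then on paths[1]


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(write_import_files(SAMPLE_REALM, tmp))
```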