keycloak: repair ldap federation parentId

This commit is contained in:
Brad Stein 2026-01-02 14:12:20 -03:00
parent 8a2f3c733e
commit 1346ccd31b


@ -2,7 +2,7 @@
apiVersion: batch/v1
kind: Job
metadata:
name: keycloak-ldap-federation-2
name: keycloak-ldap-federation-3
namespace: sso
spec:
backoffLimit: 2
@ -127,6 +127,45 @@ spec:
raise SystemExit(f"Unable to resolve realm id for {realm} (status={status})")
realm_id = realm_rep["id"]
# Some historical LDAP federation components were created with parentId=<realm name>.
# That makes realm resolution null in Keycloak internals and breaks authentication.
status, all_components, _ = http_json(
"GET",
f"{base_url}/admin/realms/{realm}/components",
token,
)
if status != 200:
raise SystemExit(f"Unexpected components response: {status}")
all_components = all_components or []
for c in all_components:
if c.get("providerId") != "ldap":
continue
if c.get("providerType") != "org.keycloak.storage.UserStorageProvider":
continue
if c.get("parentId") == realm_id:
continue
cid = c.get("id")
if not cid:
continue
print(f"Fixing LDAP federation parentId for {cid} (was {c.get('parentId')})")
status, comp, _ = http_json(
"GET",
f"{base_url}/admin/realms/{realm}/components/{cid}",
token,
)
if status != 200 or not comp:
raise SystemExit(f"Unable to fetch component {cid} (status={status})")
comp["parentId"] = realm_id
status, _, _ = http_json(
"PUT",
f"{base_url}/admin/realms/{realm}/components/{cid}",
token,
comp,
)
if status not in (200, 204):
raise SystemExit(f"Unexpected parentId repair status for {cid}: {status}")
# Find existing LDAP user federation provider (if any)
status, components, _ = http_json(
"GET",