diff --git a/services/keycloak/ldap-federation-job.yaml b/services/keycloak/ldap-federation-job.yaml
index f25ff13..f993fef 100644
--- a/services/keycloak/ldap-federation-job.yaml
+++ b/services/keycloak/ldap-federation-job.yaml
@@ -2,7 +2,7 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
- name: keycloak-ldap-federation-2
+ name: keycloak-ldap-federation-3
 namespace: sso
 spec:
 backoffLimit: 2
@@ -127,6 +127,45 @@ spec:
 raise SystemExit(f"Unable to resolve realm id for {realm} (status={status})")
 realm_id = realm_rep["id"]
+ # Some historical LDAP federation components were created with parentId=.
+ # That makes realm resolution null in Keycloak internals and breaks authentication.
+ status, all_components, _ = http_json(
+ "GET",
+ f"{base_url}/admin/realms/{realm}/components",
+ token,
+ )
+ if status != 200:
+ raise SystemExit(f"Unexpected components response: {status}")
+ all_components = all_components or []
+
+ for c in all_components:
+ if c.get("providerId") != "ldap":
+ continue
+ if c.get("providerType") != "org.keycloak.storage.UserStorageProvider":
+ continue
+ if c.get("parentId") == realm_id:
+ continue
+ cid = c.get("id")
+ if not cid:
+ continue
+ print(f"Fixing LDAP federation parentId for {cid} (was {c.get('parentId')})")
+ status, comp, _ = http_json(
+ "GET",
+ f"{base_url}/admin/realms/{realm}/components/{cid}",
+ token,
+ )
+ if status != 200 or not comp:
+ raise SystemExit(f"Unable to fetch component {cid} (status={status})")
+ comp["parentId"] = realm_id
+ status, _, _ = http_json(
+ "PUT",
+ f"{base_url}/admin/realms/{realm}/components/{cid}",
+ token,
+ comp,
+ )
+ if status not in (200, 204):
+ raise SystemExit(f"Unexpected parentId repair status for {cid}: {status}")
+ # Find existing LDAP user federation provider (if any)
 status, components, _ = http_json(
 "GET",