From 1346ccd31b65a4219eae1a2913c055c969f9e6b9 Mon Sep 17 00:00:00 2001
From: Brad Stein
Date: Fri, 2 Jan 2026 14:12:20 -0300
Subject: [PATCH] keycloak: repair ldap federation parentId

---
 services/keycloak/ldap-federation-job.yaml | 41 +++++++++++++++++++++-
 1 file changed, 40 insertions(+), 1 deletion(-)

diff --git a/services/keycloak/ldap-federation-job.yaml b/services/keycloak/ldap-federation-job.yaml
index f25ff13..f993fef 100644
--- a/services/keycloak/ldap-federation-job.yaml
+++ b/services/keycloak/ldap-federation-job.yaml
@@ -2,7 +2,7 @@ apiVersion: batch/v1
 kind: Job
 metadata:
- name: keycloak-ldap-federation-2
+ name: keycloak-ldap-federation-3
 namespace: sso
 spec:
 backoffLimit: 2
@@ -127,6 +127,45 @@ spec:
 raise SystemExit(f"Unable to resolve realm id for {realm} (status={status})")
 realm_id = realm_rep["id"]

+ # Some historical LDAP federation components were created with parentId=.
+ # That makes realm resolution null in Keycloak internals and breaks authentication.
+ status, all_components, _ = http_json(
+ "GET",
+ f"{base_url}/admin/realms/{realm}/components",
+ token,
+ )
+ if status != 200:
+ raise SystemExit(f"Unexpected components response: {status}")
+ all_components = all_components or []
+
+ for c in all_components:
+ if c.get("providerId") != "ldap":
+ continue
+ if c.get("providerType") != "org.keycloak.storage.UserStorageProvider":
+ continue
+ if c.get("parentId") == realm_id:
+ continue
+ cid = c.get("id")
+ if not cid:
+ continue
+ print(f"Fixing LDAP federation parentId for {cid} (was {c.get('parentId')})")
+ status, comp, _ = http_json(
+ "GET",
+ f"{base_url}/admin/realms/{realm}/components/{cid}",
+ token,
+ )
+ if status != 200 or not comp:
+ raise SystemExit(f"Unable to fetch component {cid} (status={status})")
+ comp["parentId"] = realm_id
+ status, _, _ = http_json(
+ "PUT",
+ f"{base_url}/admin/realms/{realm}/components/{cid}",
+ token,
+ comp,
+ )
+ if status not in (200, 204):
+ raise SystemExit(f"Unexpected parentId repair status for {cid}: {status}")
+
 # Find existing LDAP user federation provider (if any)
 status, components, _ = http_json(
 "GET",
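Review bot: The PUT at the end of the repair loop writes back the entire component representation fetched by the preceding GET, `config` included, and the admin API returns secret-valued entries (the LDAP bind credential among them) in masked form; whether the server keeps the stored secret when a masked value is PUT back depends on the deployed Keycloak version, so this should be confirmed against it before the job runs on a realm that authenticates users through this provider. The only evidence the repair took effect is the 200/204 status, so I would read the component back and fail loudly if the field did not change: `status, check, _ = http_json("GET", f"{base_url}/admin/realms/{realm}/components/{cid}", token)` / `if status != 200 or not check or check.get("parentId") != realm_id:` / `raise SystemExit(f"parentId repair for {cid} did not take effect (status={status})")`. The comment `# Some historical LDAP federation components were created with parentId=.` appears to stop before the value; stating what the bad value was (or that it was empty) would tell the next reader which rows the `if c.get("parentId") == realm_id: continue` guard is meant to let through. The script body this hunk sits in begins and ends outside the hunk.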