keycloak: repair ldap federation parentId

2026-01-02 14:12:20 -03:00 · 2026-01-02 14:12:20 -03:00 · 1346ccd31b
commit 1346ccd31b
parent 8a2f3c733e
1 changed files with 40 additions and 1 deletions
--- a/services/keycloak/ldap-federation-job.yaml
+++ b/services/keycloak/ldap-federation-job.yaml
@ -2,7 +2,7 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: keycloak-ldap-federation-2
+  name: keycloak-ldap-federation-3
  namespace: sso
 spec:
  backoffLimit: 2
@ -127,6 +127,45 @@ spec:
                  raise SystemExit(f"Unable to resolve realm id for {realm} (status={status})")
              realm_id = realm_rep["id"]
              # Some historical LDAP federation components were created with parentId=<realm name>.
              # That makes realm resolution null in Keycloak internals and breaks authentication.
              status, all_components, _ = http_json(
                  "GET",
                  f"{base_url}/admin/realms/{realm}/components",
                  token,
              )
              if status != 200:
                  raise SystemExit(f"Unexpected components response: {status}")
              all_components = all_components or []
              for c in all_components:
                  if c.get("providerId") != "ldap":
                      continue
                  if c.get("providerType") != "org.keycloak.storage.UserStorageProvider":
                      continue
                  if c.get("parentId") == realm_id:
                      continue
                  cid = c.get("id")
                  if not cid:
                      continue
                  print(f"Fixing LDAP federation parentId for {cid} (was {c.get('parentId')})")
                  status, comp, _ = http_json(
                      "GET",
                      f"{base_url}/admin/realms/{realm}/components/{cid}",
                      token,
                  )
                  if status != 200 or not comp:
                      raise SystemExit(f"Unable to fetch component {cid} (status={status})")
                  comp["parentId"] = realm_id
                  status, _, _ = http_json(
                      "PUT",
                      f"{base_url}/admin/realms/{realm}/components/{cid}",
                      token,
                      comp,
                  )
                  if status not in (200, 204):
                      raise SystemExit(f"Unexpected parentId repair status for {cid}: {status}")
              # Find existing LDAP user federation provider (if any)
              status, components, _ = http_json(
                  "GET",