feature/sso-hardening #9
@ -2,7 +2,7 @@
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
metadata:
|
||||
name: keycloak-ldap-federation-2
|
||||
name: keycloak-ldap-federation-3
|
||||
namespace: sso
|
||||
spec:
|
||||
backoffLimit: 2
|
||||
@ -127,6 +127,45 @@ spec:
|
||||
raise SystemExit(f"Unable to resolve realm id for {realm} (status={status})")
|
||||
realm_id = realm_rep["id"]
|
||||
|
||||
# Some historical LDAP federation components were created with parentId=<realm name>.
|
||||
# That makes realm resolution null in Keycloak internals and breaks authentication.
|
||||
status, all_components, _ = http_json(
|
||||
"GET",
|
||||
f"{base_url}/admin/realms/{realm}/components",
|
||||
token,
|
||||
)
|
||||
if status != 200:
|
||||
raise SystemExit(f"Unexpected components response: {status}")
|
||||
all_components = all_components or []
|
||||
|
||||
for c in all_components:
|
||||
if c.get("providerId") != "ldap":
|
||||
continue
|
||||
if c.get("providerType") != "org.keycloak.storage.UserStorageProvider":
|
||||
continue
|
||||
if c.get("parentId") == realm_id:
|
||||
continue
|
||||
cid = c.get("id")
|
||||
if not cid:
|
||||
continue
|
||||
print(f"Fixing LDAP federation parentId for {cid} (was {c.get('parentId')})")
|
||||
status, comp, _ = http_json(
|
||||
"GET",
|
||||
f"{base_url}/admin/realms/{realm}/components/{cid}",
|
||||
token,
|
||||
)
|
||||
if status != 200 or not comp:
|
||||
raise SystemExit(f"Unable to fetch component {cid} (status={status})")
|
||||
comp["parentId"] = realm_id
|
||||
status, _, _ = http_json(
|
||||
"PUT",
|
||||
f"{base_url}/admin/realms/{realm}/components/{cid}",
|
||||
token,
|
||||
comp,
|
||||
)
|
||||
if status not in (200, 204):
|
||||
raise SystemExit(f"Unexpected parentId repair status for {cid}: {status}")
|
||||
|
||||
# Find existing LDAP user federation provider (if any)
|
||||
status, components, _ = http_json(
|
||||
"GET",
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user