Export/Import fails while using a vault

Hi,

I managed to set up a vault and have a User-Federation (ldap) make use of it, but I have a problem importing/exporting this configuration.

Keycloak Version: jboss/keycloak:10.0.1

Problem

The import/export fails when using a vault for “LDAP bind credential”.

Realm: company
Bind Credential Field: ${vault.ldap-password}
Password file: /run/secrets/company_ldap-password

INFO  [org.keycloak.storage.ldap.LDAPIdentityStoreRegistry] (ServerService Thread Pool -- 60) Creating new LDAP Store for the LDAP storage provider: 'ldap', LDAP Configuration: {pagination=[true], fullSyncPeriod=[86400], usersDn=[DC=intern,DC=company,DC=de], connectionPooling=[true], cachePolicy=[DEFAULT], useKerberosForPasswordAuthentication=[false], importEnabled=[true], enabled=[true], bindDn=[CN=Adm,OU=Test,DC=intern,DC=company,DC=de], changedSyncPeriod=[3600], usernameLDAPAttribute=[cn], lastSync=[1590407853], vendor=[ad], uuidLDAPAttribute=[objectGUID], connectionUrl=[ldaps://dc3.intern.company.de], allowKerberosAuthentication=[false], syncRegistrations=[false], authType=[simple], customUserSearchFilter=[(!(|(cn=Test ID 1)(cn=Server1)))], debug=[false], searchScope=[2], useTruststoreSpi=[ldapsOnly], trustEmail=[false], priority=[0], userObjectClasses=[person, organizationalPerson, user], rdnLDAPAttribute=[cn], editMode=[WRITABLE], validatePasswordPolicy=[false], batchSizeForSync=[1000]}, binaryAttributes: []
FATAL [org.keycloak.services] (ServerService Thread Pool -- 60) org.keycloak.models.ModelException: LDAP Query failed

Workaround

Disable (enabled => false) the User-Federation that makes use of the vault for the export/import.

Configuration:

Vault:

<spi name="vault">
    <default-provider>files-plaintext</default-provider>
    <provider name="files-plaintext" enabled="true">
        <properties>
            <property name="dir" value="/run/secrets"/>
        </properties>
    </provider>
</spi>

Export-Script

#!/bin/bash
# Run the export inside the running Keycloak container (looked up by name).
# The port offset keeps this second server instance off the live server's ports.
docker exec -it "$(docker ps -f name=jwt-security --format "{{.ID}}")" /opt/jboss/keycloak/bin/standalone.sh -c standalone-ha.xml \
    -Djboss.socket.binding.port-offset=100 \
    -Dkeycloak.migration.action=export \
    -Dkeycloak.migration.provider=dir \
    -Dkeycloak.migration.usersExportStrategy=DIFFERENT_FILES \
    -Dkeycloak.migration.dir=/tmp/config/data

Thank you in advance for any help you can offer.
Regards, Dennis Kronbügel
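An added example, not part of the post or of Keycloak: a script that applies the workaround to an exported realm JSON before import, switching every LDAP federation whose bind credential is a vault reference to enabled=false, and listing any federation whose bind password sits in the export in clear text. It assumes the export keeps the component under `org.keycloak.storage.UserStorageProvider` with the literal `${vault.…}` placeholder as `bindCredential`; the sample realm is constructed.

```python
import json
import re
import sys

USER_STORAGE = "org.keycloak.storage.UserStorageProvider"
VAULT_REF = re.compile(r"^\$\{vault\.[^}]+\}$")

# Constructed sample of the federation component in a realm export (id made up).
SAMPLE_REALM = {"realm": "company", "components": {USER_STORAGE: [{
    "id": "00000000-0000-0000-0000-000000000000",
    "name": "ldap",
    "providerId": "ldap",
    "config": {
        "enabled": ["true"],
        "bindDn": ["CN=Adm,OU=Test,DC=intern,DC=company,DC=de"],
        "bindCredential": ["${vault.ldap-password}"],
        "connectionUrl": ["ldaps://dc3.intern.company.de"],
    },
}]}}

def fresh_sample():
    """Deep copy of SAMPLE_REALM so callers can mutate it freely."""
    return json.loads(json.dumps(SAMPLE_REALM))

def ldap_components(realm):
    """(component, bind credential) for every LDAP federation in the export."""
    return [(c, c.get("config", {}).get("bindCredential", [""])[0])
            for c in realm.get("components", {}).get(USER_STORAGE, [])
            if c.get("providerId") == "ldap"]

def disable_vault_backed_ldap(realm):
    """The post's workaround applied to the export file: enabled=false on every
    LDAP federation whose bind credential is a vault reference. Returns names."""
    disabled = []
    for comp, cred in ldap_components(realm):
        if VAULT_REF.match(cred):
            comp.setdefault("config", {})["enabled"] = ["false"]
            disabled.append(comp.get("name", comp.get("id")))
    return disabled

def plaintext_bind_credentials(realm):
    """Names of LDAP federations whose bind password is exported in clear text."""
    return [comp.get("name", comp.get("id")) for comp, cred in ldap_components(realm)
            if not VAULT_REF.match(cred)]

if __name__ == "__main__":
    realm = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else fresh_sample()
    print("disabled:", disable_vault_backed_ldap(realm), file=sys.stderr)
    print("clear text:", plaintext_bind_credentials(realm), file=sys.stderr)
    json.dump(realm, sys.stdout, indent=2)
```

Run it as `python3 script.py company-realm.json > company-realm.import.json`; the rewritten realm goes to stdout and the summary to stderr.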


I have the same problem. Found any solution?