Hi,
I managed to set up a vault and have a User Federation (LDAP) make use of it, but I have a problem importing/exporting this configuration.
Keycloak Version: jboss/keycloak:10.0.1
Problem
The import/export fails when using a vault for “LDAP bind credential”.
Realm: company
Bind Credential Field: ${vault.ldap-password}
Password file: /run/secrets/company_ldap-password
INFO [org.keycloak.storage.ldap.LDAPIdentityStoreRegistry] (ServerService Thread Pool -- 60) Creating new LDAP Store for the LDAP storage provider: 'ldap', LDAP Configuration: {pagination=[true], fullSyncPeriod=[86400], usersDn=[DC=intern,DC=company,DC=de], connectionPooling=[true], cachePolicy=[DEFAULT], useKerberosForPasswordAuthentication=[false], importEnabled=[true], enabled=[true], bindDn=[CN=Adm,OU=Test,DC=intern,DC=company,DC=de], changedSyncPeriod=[3600], usernameLDAPAttribute=[cn], lastSync=[1590407853], vendor=[ad], uuidLDAPAttribute=[objectGUID], connectionUrl=[ldaps://dc3.intern.company.de], allowKerberosAuthentication=[false], syncRegistrations=[false], authType=[simple], customUserSearchFilter=[(!(|(cn=Test ID 1)(cn=Server1)))], debug=[false], searchScope=[2], useTruststoreSpi=[ldapsOnly], trustEmail=[false], priority=[0], userObjectClasses=[person, organizationalPerson, user], rdnLDAPAttribute=[cn], editMode=[WRITABLE], validatePasswordPolicy=[false], batchSizeForSync=[1000]}, binaryAttributes: []
FATAL [org.keycloak.services] (ServerService Thread Pool -- 60) org.keycloak.models.ModelException: LDAP Query failed
Workaround
Disable (enabled => false) the User Federation that makes use of the vault before running the export/import.
Configuration:
Vault:
<spi name="vault">
    <default-provider>files-plaintext</default-provider>
    <provider name="files-plaintext" enabled="true">
        <properties>
            <property name="dir" value="/run/secrets"/>
        </properties>
    </provider>
</spi>
Export-Script
#!/bin/bash
# Runs a second Keycloak instance inside the running container (port offset 100
# so it does not clash with the live server) in export mode, writing the realm
# to /tmp/config/data with users in separate files.
docker exec -it $(docker ps -f name=jwt-security --format "{{.ID}}") /opt/jboss/keycloak/bin/standalone.sh -c standalone-ha.xml \
    -Djboss.socket.binding.port-offset=100 \
    -Dkeycloak.migration.action=export \
    -Dkeycloak.migration.provider=dir \
    -Dkeycloak.migration.usersExportStrategy=DIFFERENT_FILES \
    -Dkeycloak.migration.dir=/tmp/config/data
Thank you in advance for any help you can offer.
Regards, Dennis Kronbügel
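For whoever works with this export later, an added example (not Keycloak code and not from the post above): a small Python check over a realm export of the kind the script writes. It assumes the Keycloak 10 export layout, where user federations sit under `components["org.keycloak.storage.UserStorageProvider"]` and every config value is a list of strings, and it flags any LDAP bind credential that is not a `${vault.…}` reference (a sign the real password landed in the file); it also applies the workaround from the post to a file before import by switching the LDAP federations to enabled=false. The sample realm and the `ldap-legacy` federation are constructed.

```python
import copy
import re

STORAGE_KEY = "org.keycloak.storage.UserStorageProvider"
VAULT_REF = re.compile(r"^\$\{vault\.[^}]+\}$")  # e.g. ${vault.ldap-password}

# Constructed sample export: the 'company' realm from the post, plus a second
# made-up federation whose bind credential ended up in the file as plaintext.
SAMPLE_REALM = {
    "realm": "company",
    "components": {STORAGE_KEY: [
        {"name": "ldap", "providerId": "ldap",
         "config": {"enabled": ["true"],
                    "bindDn": ["CN=Adm,OU=Test,DC=intern,DC=company,DC=de"],
                    "bindCredential": ["${vault.ldap-password}"]}},
        {"name": "ldap-legacy", "providerId": "ldap",
         "config": {"enabled": ["true"], "bindCredential": ["hunter2"]}},
    ]},
}

def ldap_providers(realm):
    """LDAP user federation components of a parsed realm export."""
    comps = realm.get("components", {}).get(STORAGE_KEY, [])
    return [c for c in comps if c.get("providerId") == "ldap"]

def bind_credential_status(realm):
    """Map federation name -> 'vault' | 'plaintext' | 'missing'; 'plaintext'
    means the export carries the real bind password and must not be shared."""
    status = {}
    for comp in ldap_providers(realm):
        values = comp.get("config", {}).get("bindCredential", [])
        if not values or not values[0]:
            status[comp["name"]] = "missing"
        elif VAULT_REF.match(values[0]):
            status[comp["name"]] = "vault"
        else:
            status[comp["name"]] = "plaintext"
    return status

def with_ldap_disabled(realm):
    """Copy of the export with every LDAP federation set to enabled=false:
    the workaround from the post, applied to the file before import."""
    out = copy.deepcopy(realm)
    for comp in ldap_providers(out):
        comp.setdefault("config", {})["enabled"] = ["false"]
    return out

if __name__ == "__main__":
    print(bind_credential_status(SAMPLE_REALM))  # {'ldap': 'vault', 'ldap-legacy': 'plaintext'}
```

After importing the disabled copy, re-enable the federation in the admin console once the vault directory is mounted on the target instance.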