Testing ldap connection should not process or bind the credentials #31081

Merged
merged 1 commit into from
Jul 8, 2024

@pedroigor pedroigor commented Jul 5, 2024

Closes #30821
Closes #31001

Closes keycloak#30821

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>

@rmartinc rmartinc left a comment

Thanks @pedroigor! LGTM!

@stianst stianst left a comment

Approving based on previous reviews

@stianst stianst merged commit ead1b4a into keycloak:main Jul 8, 2024
68 checks passed
pedroigor added a commit to pedroigor/keycloak that referenced this pull request Jul 8, 2024

puggimer commented Jul 10, 2024

I tested this by running from quay.io/keycloak/keycloak:nightly today (July 9th, 2024). It still failed.
To make a better test case (I hope), I created a new realm. Then I added an Active Directory LDAP. I tested connection, it passed. I tested authentication, it passed (though the message it gave was "Successfully connected to LDAP"). Then I saved it. Clicked test connection and it now fails. Clicked test authentication, it now fails. Reset the BindCredentials to the original value and both tests succeed until I save it, then they fail again (see #31001).

This now seems to be happening consistently - I cannot save and use an AD federation on the nightly build because the bindCredentials is always reset (since it is masked I don't know what it is set to).

I am attaching the new realm, and the trace log (though there is nothing in the log when the errors occur).

One note - this only happens when using ACTIVE DIRECTORY as the vendor. Using OTHER it works as expected. (I don't have Red Hat, Tivoli or Novell to test against)

realm-export.zip
keycloak.zip

@rmartinc

Argggh! It's because you are using email format for the bind DN and not a proper DN. If you use a DN instead of the email of the admin proxy user in LDAP it will work. I'm going to file a new issue. It's incredible the mess I made with such a simple change. Sorry.

@puggimer

Hmmm - when I was given the credentials it was the email address and password which worked before.
Took me a while to find the DN for the account, but using that the issue goes away (well, the mask still changes size, which is a bit weird to me, but inconsequential).
Thanks!!!


rmartinc commented Jul 10, 2024

I created #31196 for the samaccountname@domain format.

@puggimer

Thanks - but I think you meant to reference #31196

ahus1 pushed a commit that referenced this pull request Jul 10, 2024
…31081)

Closes #30821

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Captain-P-Goldfish pushed a commit to Captain-P-Goldfish/keycloak that referenced this pull request Jul 17, 2024
@stianst stianst mentioned this pull request Sep 11, 2024