From eb781dbf8b034eca73417de22d8ed200310c7148 Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach
Date: Sat, 23 Aug 2025 22:05:26 +0200
Subject: [PATCH] fix(keycloak/ldap): make userObjectClasses JSON-safe and exclude posixAccount
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Render userObjectClasses via `tojson` (and trim) to avoid invalid control characters and ensure valid realm import parsing.
- Introduce KEYCLOAK_LDAP_USER_OBJECT_CLASSES in vars; exclude `posixAccount` for Keycloak’s LDAP config while keeping it for Ansible-managed UNIX users.
- Update UserStorageProvider template to use the new variable.
Rationale: Keycloak must not require `posixAccount` on every LDAP user. We keep `posixAccount` structural for Ansible provisioning, but filter it out for Keycloak to prevent sync/import errors on entries without POSIX attributes.
Touched:
- roles/web-app-keycloak/templates/import/components/org.keycloak.storage.UserStorageProvider.json.j2
- roles/web-app-keycloak/vars/main.yml
Refs: conversation https://chatgpt.com/share/68aa1ef0-3658-800f-bdf4-5b57131d03b4
---
.../org.keycloak.storage.UserStorageProvider.json.j2 | 2 +-
roles/web-app-keycloak/vars/main.yml | 9 +++++++++
2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/roles/web-app-keycloak/templates/import/components/org.keycloak.storage.UserStorageProvider.json.j2 b/roles/web-app-keycloak/templates/import/components/org.keycloak.storage.UserStorageProvider.json.j2
index 882b16e8..73b2715c 100644
--- a/roles/web-app-keycloak/templates/import/components/org.keycloak.storage.UserStorageProvider.json.j2
+++ b/roles/web-app-keycloak/templates/import/components/org.keycloak.storage.UserStorageProvider.json.j2
@@ -245,7 +245,7 @@
 {# Build objectClasses from structural + auxiliary definitions #}
 "userObjectClasses": [
- "{{ (ldap.user.objects.structural + (ldap.user.objects.auxiliary | dict2items | map(attribute='value') | list)) | join(', ') }}"
+ {{ KEYCLOAK_LDAP_USER_OBJECT_CLASSES | trim | tojson }}
 ],
 "rdnLDAPAttribute": [
 "{{ ldap.user.attributes.id }}"
 ],
diff --git a/roles/web-app-keycloak/vars/main.yml b/roles/web-app-keycloak/vars/main.yml
index 0680f04d..1ce46f1a 100644
--- a/roles/web-app-keycloak/vars/main.yml
+++ b/roles/web-app-keycloak/vars/main.yml
@@ -60,6 +60,15 @@
 KEYCLOAK_LDAP_BIND_DN: "{{ ldap.dn.administrator.data }}"
 KEYCLOAK_LDAP_BIND_PW: "{{ ldap.bind_credential }}"
 KEYCLOAK_LDAP_URL: "{{ ldap.server.uri }}"
+# It's important to filter the posixAccount class out, because it is just used by ansible
+KEYCLOAK_LDAP_USER_OBJECT_CLASSES: >
+ {{
+ (
+ (ldap.user.objects.structural | reject('equalto','posixAccount') | list)
+ + (ldap.user.objects.auxiliary | dict2items | map(attribute='value') | list)
+ ) | join(', ')
+ }}
+
 ## API
 KEYCLOAK_MASTER_API_USER: "{{ applications | get_app_conf(application_id, 'users.administrator') }}" # Master Administrator
 KEYCLOAK_MASTER_API_USER_NAME: "{{ KEYCLOAK_MASTER_API_USER.username }}" # Master Administrator Username
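Review bot: The `| trim` on the new userObjectClasses line is a workaround for the `>` folded scalar that defines KEYCLOAK_LDAP_USER_OBJECT_CLASSES in the vars/main.yml hunk, since `>` keeps one trailing newline (presumably the "invalid control character" the commit message refers to); declaring it as `KEYCLOAK_LDAP_USER_OBJECT_CLASSES: >-` strips the newline at the source, so every consumer of the variable gets a clean value and `trim` becomes a harmless guard rather than a requirement. The Jinja comment on the first context line, `{# Build objectClasses from structural + auxiliary definitions #}`, is now stale because the list is assembled in vars/main.yml with posixAccount removed; suggest `{# Rendered from KEYCLOAK_LDAP_USER_OBJECT_CLASSES (vars/main.yml); posixAccount is intentionally excluded #}`. Dropping the surrounding double quotes on the new line is correct, because `tojson` itself emits a quoted and escaped JSON string, which also closes the old line's breakage on class names containing `"` or `\`. The JSON object that contains this array starts and ends outside the hunk.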
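Review bot: Removing posixAccount from the object-class list changes which LDAP entries Keycloak treats as users, not only which attributes it requires: as far as I know Keycloak derives its user search filter from userObjectClasses, so any inetOrgPerson entry without POSIX attributes — technical or service accounts included — now becomes eligible for import and login, and the added comment should record that consequence rather than only that Ansible uses the class. Suggest replacing `# It's important to filter the posixAccount class out, because it is just used by ansible` with `# posixAccount stays structural for Ansible-managed UNIX users but is filtered out here: Keycloak must not require it, so LDAP entries without POSIX attributes are synced too — confirm this admits only intended accounts.` `reject('equalto','posixAccount')` is an exact, case-sensitive comparison, which is fine as long as ldap.user.objects.structural spells the class exactly that way, whereas LDAP itself matches object-class names case-insensitively; a short note to that effect would save a future maintainer from a silent non-match.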