Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[PR #8785/ac302eb7 backport][stable-9] keycloak_user_federation: set krbPrincipalAttribute to '' if unset in kc responses #8892

Merged
merged 1 commit into from
Sep 21, 2024
Merged

[PR #8785/ac302eb7 backport][stable-9] keycloak_user_federation: set krbPrincipalAttribute to '' if unset in kc responses #8892

merged 1 commit into from
Sep 21, 2024

Conversation

patchback[bot]
Copy link

@patchback patchback bot commented Sep 21, 2024

This is a backport of PR #8785 as merged into main (ac302eb).

SUMMARY

Issue:
The keycloak_user_federation module always detects a change in check mode if the parameter krbPrincipalAttribute is set to ''. The empty string is a valid value:

community.general/plugins/modules/keycloak_user_federation.py

Line 354 in 96d5e6e

When this is empty, the LDAP user will be looked based on LDAP username corresponding

Keycloak completely removes the parameter krbPrincipalAttribute if it is set to ''. So subsequent check runs always detect a change. In a normal run the module would always make an update (its the same change check), but compare the before and after responses afterwards, in both of which the parameter is not present. In the check diff this is already fixed by setting '' in the sanitize function if the parameter is not present (see 8320).

Proposed solution:
Normalize the keycloak responses (before and after) by setting krbPrincipalAttribute = '' if the parameter is not present in the response.

ISSUE TYPE
  • Bugfix Pull Request
COMPONENT NAME

keycloak_user_federation

ADDITIONAL INFORMATION
  1. set krbPrincipalAttribute = '' for the module
  2. do a normal module run to set the parameter
  3. subsequent check runs always detect a change

@fgruenbauer @patchback
keycloak_user_federation: set krbPrincipalAttribute to '' if unse…
c8dfc92 
…t in kc responses (#8785)

* set `krbPrincipalAttribute` to `''` if unset in kc before and after responses

* add changelog fragment

* Update changelogs/fragments/8785-keycloak_user_federation-set-krbPrincipalAttribute-to-empty-string-if-missing.yaml

Co-authored-by: Felix Fontein <[email protected]>

---------

Co-authored-by: Felix Fontein <[email protected]>
(cherry picked from commit ac302eb)
@patchback patchback bot mentioned this pull request Sep 21, 2024
Merged
@ansibullbot
Copy link
Collaborator

cc @eikef @laurpaum @mattock @ndclt @thomasbach-dev
click here for bot help

@ansibullbot ansibullbot added backport bug This issue/PR relates to a bug module module new_contributor Help guide this first time contributor plugins plugin (any type) labels Sep 21, 2024
@felixfontein felixfontein merged commit 8152cb3 into stable-9 Sep 21, 2024
146 checks passed
@felixfontein felixfontein deleted the patchback/backports/stable-9/ac302eb77d82f5ed87cf8b037297c3482622247d/pr-8785 branch September 21, 2024 07:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
backport bug This issue/PR relates to a bug module module new_contributor Help guide this first time contributor plugins plugin (any type)
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@ansibullbot @felixfontein @fgruenbauer