pulumi-keycloak-kotlin/com.pulumi.keycloak.ldap.kotlin/UserFederationArgs

UserFederationArgs

data class UserFederationArgs(val batchSizeForSync: Output<Int>? = null, val bindCredential: Output<String>? = null, val bindDn: Output<String>? = null, val cache: Output<UserFederationCacheArgs>? = null, val changedSyncPeriod: Output<Int>? = null, val connectionTimeout: Output<String>? = null, val connectionUrl: Output<String>? = null, val customUserSearchFilter: Output<String>? = null, val deleteDefaultMappers: Output<Boolean>? = null, val editMode: Output<String>? = null, val enabled: Output<Boolean>? = null, val fullSyncPeriod: Output<Int>? = null, val importEnabled: Output<Boolean>? = null, val kerberos: Output<UserFederationKerberosArgs>? = null, val name: Output<String>? = null, val pagination: Output<Boolean>? = null, val priority: Output<Int>? = null, val rdnLdapAttribute: Output<String>? = null, val readTimeout: Output<String>? = null, val realmId: Output<String>? = null, val searchScope: Output<String>? = null, val startTls: Output<Boolean>? = null, val syncRegistrations: Output<Boolean>? = null, val trustEmail: Output<Boolean>? = null, val usePasswordModifyExtendedOp: Output<Boolean>? = null, val useTruststoreSpi: Output<String>? = null, val userObjectClasses: Output<List<String>>? = null, val usernameLdapAttribute: Output<String>? = null, val usersDn: Output<String>? = null, val uuidLdapAttribute: Output<String>? = null, val validatePasswordPolicy: Output<Boolean>? = null, val vendor: Output<String>? = null) : ConvertibleToJava<UserFederationArgs>

# keycloak.ldap.UserFederation

Allows for creating and managing LDAP user federation providers within Keycloak. Keycloak can use an LDAP user federation provider to federate users to Keycloak from a directory system such as LDAP or Active Directory. Federated users will exist within the realm and will be able to log in to clients. Federated users can have their attributes defined using mappers.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";
const realm = new keycloak.Realm("realm", {
    realm: "test",
    enabled: true,
});
const ldapUserFederation = new keycloak.ldap.UserFederation("ldap_user_federation", {
    name: "openldap",
    realmId: realm.id,
    enabled: true,
    usernameLdapAttribute: "cn",
    rdnLdapAttribute: "cn",
    uuidLdapAttribute: "entryDN",
    userObjectClasses: [
        "simpleSecurityObject",
        "organizationalRole",
    ],
    connectionUrl: "ldap://openldap",
    usersDn: "dc=example,dc=org",
    bindDn: "cn=admin,dc=example,dc=org",
    bindCredential: "admin",
    connectionTimeout: "5s",
    readTimeout: "10s",
});

import pulumi
import pulumi_keycloak as keycloak
realm = keycloak.Realm("realm",
    realm="test",
    enabled=True)
ldap_user_federation = keycloak.ldap.UserFederation("ldap_user_federation",
    name="openldap",
    realm_id=realm.id,
    enabled=True,
    username_ldap_attribute="cn",
    rdn_ldap_attribute="cn",
    uuid_ldap_attribute="entryDN",
    user_object_classes=[
        "simpleSecurityObject",
        "organizationalRole",
    ],
    connection_url="ldap://openldap",
    users_dn="dc=example,dc=org",
    bind_dn="cn=admin,dc=example,dc=org",
    bind_credential="admin",
    connection_timeout="5s",
    read_timeout="10s")

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Keycloak = Pulumi.Keycloak;
return await Deployment.RunAsync(() =>
{
    var realm = new Keycloak.Realm("realm", new()
    {
        RealmName = "test",
        Enabled = true,
    });
    var ldapUserFederation = new Keycloak.Ldap.UserFederation("ldap_user_federation", new()
    {
        Name = "openldap",
        RealmId = realm.Id,
        Enabled = true,
        UsernameLdapAttribute = "cn",
        RdnLdapAttribute = "cn",
        UuidLdapAttribute = "entryDN",
        UserObjectClasses = new[]
        {
            "simpleSecurityObject",
            "organizationalRole",
        },
        ConnectionUrl = "ldap://openldap",
        UsersDn = "dc=example,dc=org",
        BindDn = "cn=admin,dc=example,dc=org",
        BindCredential = "admin",
        ConnectionTimeout = "5s",
        ReadTimeout = "10s",
    });
});

package main
import (
	"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak"
	"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/ldap"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
			Realm:   pulumi.String("test"),
			Enabled: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		_, err = ldap.NewUserFederation(ctx, "ldap_user_federation", &ldap.UserFederationArgs{
			Name:                  pulumi.String("openldap"),
			RealmId:               realm.ID(),
			Enabled:               pulumi.Bool(true),
			UsernameLdapAttribute: pulumi.String("cn"),
			RdnLdapAttribute:      pulumi.String("cn"),
			UuidLdapAttribute:     pulumi.String("entryDN"),
			UserObjectClasses: pulumi.StringArray{
				pulumi.String("simpleSecurityObject"),
				pulumi.String("organizationalRole"),
			},
			ConnectionUrl:     pulumi.String("ldap://openldap"),
			UsersDn:           pulumi.String("dc=example,dc=org"),
			BindDn:            pulumi.String("cn=admin,dc=example,dc=org"),
			BindCredential:    pulumi.String("admin"),
			ConnectionTimeout: pulumi.String("5s"),
			ReadTimeout:       pulumi.String("10s"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.Realm;
import com.pulumi.keycloak.RealmArgs;
import com.pulumi.keycloak.ldap.UserFederation;
import com.pulumi.keycloak.ldap.UserFederationArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var realm = new Realm("realm", RealmArgs.builder()
            .realm("test")
            .enabled(true)
            .build());
        var ldapUserFederation = new UserFederation("ldapUserFederation", UserFederationArgs.builder()
            .name("openldap")
            .realmId(realm.id())
            .enabled(true)
            .usernameLdapAttribute("cn")
            .rdnLdapAttribute("cn")
            .uuidLdapAttribute("entryDN")
            .userObjectClasses(
                "simpleSecurityObject",
                "organizationalRole")
            .connectionUrl("ldap://openldap")
            .usersDn("dc=example,dc=org")
            .bindDn("cn=admin,dc=example,dc=org")
            .bindCredential("admin")
            .connectionTimeout("5s")
            .readTimeout("10s")
            .build());
    }
}

resources:
  realm:
    type: keycloak:Realm
    properties:
      realm: test
      enabled: true
  ldapUserFederation:
    type: keycloak:ldap:UserFederation
    name: ldap_user_federation
    properties:
      name: openldap
      realmId: ${realm.id}
      enabled: true
      usernameLdapAttribute: cn
      rdnLdapAttribute: cn
      uuidLdapAttribute: entryDN
      userObjectClasses:
        - simpleSecurityObject
        - organizationalRole
      connectionUrl: ldap://openldap
      usersDn: dc=example,dc=org
      bindDn: cn=admin,dc=example,dc=org
      bindCredential: admin
      connectionTimeout: 5s
      readTimeout: 10s

Argument Reference

The following arguments are supported:

realm_id - (Required) The realm that this provider will provide user federation for.
name - (Required) Display name of the provider when displayed in the console.
enabled - (Optional) When false, this provider will not be used when performing queries for users. Defaults to true.
priority - (Optional) Priority of this provider when looking up users. Lower values are first. Defaults to 0.
import_enabled - (Optional) When true, LDAP users will be imported into the Keycloak database. Defaults to true.
edit_mode - (Optional) Can be one of READ_ONLY, WRITABLE, or UNSYNCED. UNSYNCED allows user data to be imported but not synced back to LDAP. Defaults to READ_ONLY.
sync_registrations - (Optional) When true, newly created users will be synced back to LDAP. Defaults to false.
vendor - (Optional) Can be one of OTHER, EDIRECTORY, AD, RHDS, or TIVOLI. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to OPTIONAL.
username_ldap_attribute - (Required) Name of the LDAP attribute to use as the Keycloak username.
rdn_ldap_attribute - (Required) Name of the LDAP attribute to use as the relative distinguished name.
uuid_ldap_attribute - (Required) Name of the LDAP attribute to use as a unique object identifier for objects in LDAP.
user_object_classes - (Required) Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one.
connection_url - (Required) Connection URL to the LDAP server.
users_dn - (Required) Full DN of LDAP tree where your users are.
bind_dn - (Optional) DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if bind_credential is set.
bind_credential - (Optional) Password of LDAP admin. This attribute must be set if bind_dn is set.
custom_user_search_filter - (Optional) Additional LDAP filter for filtering searched users. Must begin with ( and end with ).
search_scope - (Optional) Can be one of ONE_LEVEL or SUBTREE:

ONE_LEVEL: Only search for users in the DN specified by user_dn.
SUBTREE: Search entire LDAP subtree.

validate_password_policy - (Optional) When true, Keycloak will validate passwords using the realm policy before updating it.
use_truststore_spi - (Optional) Can be one of ALWAYS, ONLY_FOR_LDAPS, or NEVER:

ALWAYS - Always use the truststore SPI for LDAP connections.
NEVER - Never use the truststore SPI for LDAP connections.
ONLY_FOR_LDAPS - Only use the truststore SPI if your LDAP connection uses the ldaps protocol.

connection_timeout - (Optional) LDAP connection timeout in the format of a Go duration string.
read_timeout - (Optional) LDAP read timeout in the format of a Go duration string.
pagination - (Optional) When true, Keycloak assumes the LDAP server supports pagination. Defaults to true.
batch_size_for_sync - (Optional) The number of users to sync within a single transaction. Defaults to 1000.
full_sync_period - (Optional) How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync.
changed_sync_period - (Optional) How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.
cache_policy - (Optional) Can be one of DEFAULT, EVICT_DAILY, EVICT_WEEKLY, MAX_LIFESPAN, or NO_CACHE. Defaults to DEFAULT.

Import

LDAP user federation providers can be imported using the format {{realm_id}}/{{ldap_user_federation_id}}. The ID of the LDAP user federation provider can be found within the Keycloak GUI and is typically a GUID:

$ terraform import keycloak_ldap_user_federation.ldap_user_federation my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860

Constructors

UserFederationArgs

constructor(batchSizeForSync: Output<Int>? = null, bindCredential: Output<String>? = null, bindDn: Output<String>? = null, cache: Output<UserFederationCacheArgs>? = null, changedSyncPeriod: Output<Int>? = null, connectionTimeout: Output<String>? = null, connectionUrl: Output<String>? = null, customUserSearchFilter: Output<String>? = null, deleteDefaultMappers: Output<Boolean>? = null, editMode: Output<String>? = null, enabled: Output<Boolean>? = null, fullSyncPeriod: Output<Int>? = null, importEnabled: Output<Boolean>? = null, kerberos: Output<UserFederationKerberosArgs>? = null, name: Output<String>? = null, pagination: Output<Boolean>? = null, priority: Output<Int>? = null, rdnLdapAttribute: Output<String>? = null, readTimeout: Output<String>? = null, realmId: Output<String>? = null, searchScope: Output<String>? = null, startTls: Output<Boolean>? = null, syncRegistrations: Output<Boolean>? = null, trustEmail: Output<Boolean>? = null, usePasswordModifyExtendedOp: Output<Boolean>? = null, useTruststoreSpi: Output<String>? = null, userObjectClasses: Output<List<String>>? = null, usernameLdapAttribute: Output<String>? = null, usersDn: Output<String>? = null, uuidLdapAttribute: Output<String>? = null, validatePasswordPolicy: Output<Boolean>? = null, vendor: Output<String>? = null)

Properties

batchSizeForSync

val batchSizeForSync: Output<Int>? = null

The number of users to sync within a single transaction.

bindCredential

val bindCredential: Output<String>? = null

Password of LDAP admin.

bindDn

val bindDn: Output<String>? = null

DN of LDAP admin, which will be used by Keycloak to access LDAP server.

cache

val cache: Output<UserFederationCacheArgs>? = null

Settings regarding cache policy for this realm.

changedSyncPeriod

val changedSyncPeriod: Output<Int>? = null

How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.

connectionTimeout

val connectionTimeout: Output<String>? = null

LDAP connection timeout (duration string)

connectionUrl

val connectionUrl: Output<String>? = null

Connection URL to the LDAP server.

customUserSearchFilter

val customUserSearchFilter: Output<String>? = null

Additional LDAP filter for filtering searched users. Must begin with '(' and end with ')'.

deleteDefaultMappers

val deleteDefaultMappers: Output<Boolean>? = null

When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP user federation provider.

editMode

val editMode: Output<String>? = null

READ_ONLY and WRITABLE are self-explanatory. UNSYNCED allows user data to be imported but not synced back to LDAP.

enabled

val enabled: Output<Boolean>? = null

When false, this provider will not be used when performing queries for users.

fullSyncPeriod

val fullSyncPeriod: Output<Int>? = null

How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync.

importEnabled

val importEnabled: Output<Boolean>? = null

When true, LDAP users will be imported into the Keycloak database.

kerberos

val kerberos: Output<UserFederationKerberosArgs>? = null

Settings regarding kerberos authentication for this realm.

name

val name: Output<String>? = null

Display name of the provider when displayed in the console.

pagination

val pagination: Output<Boolean>? = null

When true, Keycloak assumes the LDAP server supports pagination.

priority

val priority: Output<Int>? = null

Priority of this provider when looking up users. Lower values are first.

rdnLdapAttribute

val rdnLdapAttribute: Output<String>? = null

Name of the LDAP attribute to use as the relative distinguished name.

readTimeout

val readTimeout: Output<String>? = null

LDAP read timeout (duration string)

realmId

val realmId: Output<String>? = null

The realm this provider will provide user federation for.

searchScope

val searchScope: Output<String>? = null

ONE_LEVEL: only search for users in the DN specified by user_dn. SUBTREE: search entire LDAP subtree.

startTls

val startTls: Output<Boolean>? = null

When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling.

syncRegistrations

val syncRegistrations: Output<Boolean>? = null

When true, newly created users will be synced back to LDAP.

trustEmail

val trustEmail: Output<Boolean>? = null

If enabled, email provided by this provider is not verified even if verification is enabled for the realm.

usePasswordModifyExtendedOp

val usePasswordModifyExtendedOp: Output<Boolean>? = null

When true, use the LDAPv3 Password Modify Extended Operation (RFC-3062).

usernameLdapAttribute

val usernameLdapAttribute: Output<String>? = null

Name of the LDAP attribute to use as the Keycloak username.

userObjectClasses

val userObjectClasses: Output<List<String>>? = null

All values of LDAP objectClass attribute for users in LDAP.

usersDn

val usersDn: Output<String>? = null

Full DN of LDAP tree where your users are.

useTruststoreSpi

val useTruststoreSpi: Output<String>? = null

uuidLdapAttribute

val uuidLdapAttribute: Output<String>? = null

Name of the LDAP attribute to use as a unique object identifier for objects in LDAP.

validatePasswordPolicy

val validatePasswordPolicy: Output<Boolean>? = null

When true, Keycloak will validate passwords using the realm policy before updating it.

vendor

val vendor: Output<String>? = null

LDAP vendor. I am almost certain this field does nothing, but the UI indicates that it is required.

Functions

toJava

open override fun toJava(): UserFederationArgs