pulumi-keycloak-kotlin/com.pulumi.keycloak.ldap.kotlin/UserFederation

UserFederation

class UserFederation : KotlinCustomResource

# keycloak.ldap.UserFederation

Allows for creating and managing LDAP user federation providers within Keycloak. Keycloak can use an LDAP user federation provider to federate users to Keycloak from a directory system such as LDAP or Active Directory. Federated users will exist within the realm and will be able to log in to clients. Federated users can have their attributes defined using mappers.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";
const realm = new keycloak.Realm("realm", {
    realm: "test",
    enabled: true,
});
const ldapUserFederation = new keycloak.ldap.UserFederation("ldap_user_federation", {
    name: "openldap",
    realmId: realm.id,
    enabled: true,
    usernameLdapAttribute: "cn",
    rdnLdapAttribute: "cn",
    uuidLdapAttribute: "entryDN",
    userObjectClasses: [
        "simpleSecurityObject",
        "organizationalRole",
    ],
    connectionUrl: "ldap://openldap",
    usersDn: "dc=example,dc=org",
    bindDn: "cn=admin,dc=example,dc=org",
    bindCredential: "admin",
    connectionTimeout: "5s",
    readTimeout: "10s",
});

import pulumi
import pulumi_keycloak as keycloak
realm = keycloak.Realm("realm",
    realm="test",
    enabled=True)
ldap_user_federation = keycloak.ldap.UserFederation("ldap_user_federation",
    name="openldap",
    realm_id=realm.id,
    enabled=True,
    username_ldap_attribute="cn",
    rdn_ldap_attribute="cn",
    uuid_ldap_attribute="entryDN",
    user_object_classes=[
        "simpleSecurityObject",
        "organizationalRole",
    ],
    connection_url="ldap://openldap",
    users_dn="dc=example,dc=org",
    bind_dn="cn=admin,dc=example,dc=org",
    bind_credential="admin",
    connection_timeout="5s",
    read_timeout="10s")

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Keycloak = Pulumi.Keycloak;
return await Deployment.RunAsync(() =>
{
    var realm = new Keycloak.Realm("realm", new()
    {
        RealmName = "test",
        Enabled = true,
    });
    var ldapUserFederation = new Keycloak.Ldap.UserFederation("ldap_user_federation", new()
    {
        Name = "openldap",
        RealmId = realm.Id,
        Enabled = true,
        UsernameLdapAttribute = "cn",
        RdnLdapAttribute = "cn",
        UuidLdapAttribute = "entryDN",
        UserObjectClasses = new[]
        {
            "simpleSecurityObject",
            "organizationalRole",
        },
        ConnectionUrl = "ldap://openldap",
        UsersDn = "dc=example,dc=org",
        BindDn = "cn=admin,dc=example,dc=org",
        BindCredential = "admin",
        ConnectionTimeout = "5s",
        ReadTimeout = "10s",
    });
});

package main
import (
	"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak"
	"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/ldap"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
			Realm:   pulumi.String("test"),
			Enabled: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		_, err = ldap.NewUserFederation(ctx, "ldap_user_federation", &ldap.UserFederationArgs{
			Name:                  pulumi.String("openldap"),
			RealmId:               realm.ID(),
			Enabled:               pulumi.Bool(true),
			UsernameLdapAttribute: pulumi.String("cn"),
			RdnLdapAttribute:      pulumi.String("cn"),
			UuidLdapAttribute:     pulumi.String("entryDN"),
			UserObjectClasses: pulumi.StringArray{
				pulumi.String("simpleSecurityObject"),
				pulumi.String("organizationalRole"),
			},
			ConnectionUrl:     pulumi.String("ldap://openldap"),
			UsersDn:           pulumi.String("dc=example,dc=org"),
			BindDn:            pulumi.String("cn=admin,dc=example,dc=org"),
			BindCredential:    pulumi.String("admin"),
			ConnectionTimeout: pulumi.String("5s"),
			ReadTimeout:       pulumi.String("10s"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.Realm;
import com.pulumi.keycloak.RealmArgs;
import com.pulumi.keycloak.ldap.UserFederation;
import com.pulumi.keycloak.ldap.UserFederationArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var realm = new Realm("realm", RealmArgs.builder()
            .realm("test")
            .enabled(true)
            .build());
        var ldapUserFederation = new UserFederation("ldapUserFederation", UserFederationArgs.builder()
            .name("openldap")
            .realmId(realm.id())
            .enabled(true)
            .usernameLdapAttribute("cn")
            .rdnLdapAttribute("cn")
            .uuidLdapAttribute("entryDN")
            .userObjectClasses(
                "simpleSecurityObject",
                "organizationalRole")
            .connectionUrl("ldap://openldap")
            .usersDn("dc=example,dc=org")
            .bindDn("cn=admin,dc=example,dc=org")
            .bindCredential("admin")
            .connectionTimeout("5s")
            .readTimeout("10s")
            .build());
    }
}

resources:
  realm:
    type: keycloak:Realm
    properties:
      realm: test
      enabled: true
  ldapUserFederation:
    type: keycloak:ldap:UserFederation
    name: ldap_user_federation
    properties:
      name: openldap
      realmId: ${realm.id}
      enabled: true
      usernameLdapAttribute: cn
      rdnLdapAttribute: cn
      uuidLdapAttribute: entryDN
      userObjectClasses:
        - simpleSecurityObject
        - organizationalRole
      connectionUrl: ldap://openldap
      usersDn: dc=example,dc=org
      bindDn: cn=admin,dc=example,dc=org
      bindCredential: admin
      connectionTimeout: 5s
      readTimeout: 10s

Argument Reference

The following arguments are supported:

realm_id - (Required) The realm that this provider will provide user federation for.
name - (Required) Display name of the provider when displayed in the console.
enabled - (Optional) When false, this provider will not be used when performing queries for users. Defaults to true.
priority - (Optional) Priority of this provider when looking up users. Lower values are first. Defaults to 0.
import_enabled - (Optional) When true, LDAP users will be imported into the Keycloak database. Defaults to true.
edit_mode - (Optional) Can be one of READ_ONLY, WRITABLE, or UNSYNCED. UNSYNCED allows user data to be imported but not synced back to LDAP. Defaults to READ_ONLY.
sync_registrations - (Optional) When true, newly created users will be synced back to LDAP. Defaults to false.
vendor - (Optional) Can be one of OTHER, EDIRECTORY, AD, RHDS, or TIVOLI. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to OPTIONAL.
username_ldap_attribute - (Required) Name of the LDAP attribute to use as the Keycloak username.
rdn_ldap_attribute - (Required) Name of the LDAP attribute to use as the relative distinguished name.
uuid_ldap_attribute - (Required) Name of the LDAP attribute to use as a unique object identifier for objects in LDAP.
user_object_classes - (Required) Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one.
connection_url - (Required) Connection URL to the LDAP server.
users_dn - (Required) Full DN of LDAP tree where your users are.
bind_dn - (Optional) DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if bind_credential is set.
bind_credential - (Optional) Password of LDAP admin. This attribute must be set if bind_dn is set.
custom_user_search_filter - (Optional) Additional LDAP filter for filtering searched users. Must begin with ( and end with ).
search_scope - (Optional) Can be one of ONE_LEVEL or SUBTREE:

ONE_LEVEL: Only search for users in the DN specified by user_dn.
SUBTREE: Search entire LDAP subtree.

validate_password_policy - (Optional) When true, Keycloak will validate passwords using the realm policy before updating it.
use_truststore_spi - (Optional) Can be one of ALWAYS, ONLY_FOR_LDAPS, or NEVER:

ALWAYS - Always use the truststore SPI for LDAP connections.
NEVER - Never use the truststore SPI for LDAP connections.
ONLY_FOR_LDAPS - Only use the truststore SPI if your LDAP connection uses the ldaps protocol.

connection_timeout - (Optional) LDAP connection timeout in the format of a Go duration string.
read_timeout - (Optional) LDAP read timeout in the format of a Go duration string.
pagination - (Optional) When true, Keycloak assumes the LDAP server supports pagination. Defaults to true.
batch_size_for_sync - (Optional) The number of users to sync within a single transaction. Defaults to 1000.
full_sync_period - (Optional) How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync.
changed_sync_period - (Optional) How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.
cache_policy - (Optional) Can be one of DEFAULT, EVICT_DAILY, EVICT_WEEKLY, MAX_LIFESPAN, or NO_CACHE. Defaults to DEFAULT.

Import

LDAP user federation providers can be imported using the format {{realm_id}}/{{ldap_user_federation_id}}. The ID of the LDAP user federation provider can be found within the Keycloak GUI and is typically a GUID:

$ terraform import keycloak_ldap_user_federation.ldap_user_federation my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860

Properties

batchSizeForSync

val batchSizeForSync: Output<Int>?

The number of users to sync within a single transaction.

bindCredential

val bindCredential: Output<String>?

Password of LDAP admin.

bindDn

val bindDn: Output<String>?

DN of LDAP admin, which will be used by Keycloak to access LDAP server.

cache

val cache: Output<UserFederationCache>?

Settings regarding cache policy for this realm.

changedSyncPeriod

val changedSyncPeriod: Output<Int>?

How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.

connectionTimeout

val connectionTimeout: Output<String>?

LDAP connection timeout (duration string)

connectionUrl

val connectionUrl: Output<String>

Connection URL to the LDAP server.

customUserSearchFilter

val customUserSearchFilter: Output<String>?

Additional LDAP filter for filtering searched users. Must begin with '(' and end with ')'.

deleteDefaultMappers

val deleteDefaultMappers: Output<Boolean>?

When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP user federation provider.

editMode

val editMode: Output<String>?

READ_ONLY and WRITABLE are self-explanatory. UNSYNCED allows user data to be imported but not synced back to LDAP.

enabled

val enabled: Output<Boolean>?

When false, this provider will not be used when performing queries for users.

fullSyncPeriod

val fullSyncPeriod: Output<Int>?

How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync.

val id: Output<String>

importEnabled

val importEnabled: Output<Boolean>?

When true, LDAP users will be imported into the Keycloak database.

kerberos

val kerberos: Output<UserFederationKerberos>?

Settings regarding kerberos authentication for this realm.

name

val name: Output<String>

Display name of the provider when displayed in the console.

pagination

val pagination: Output<Boolean>?

When true, Keycloak assumes the LDAP server supports pagination.

priority

val priority: Output<Int>?

Priority of this provider when looking up users. Lower values are first.

pulumiChildResources

val pulumiChildResources: Set<KotlinResource>

pulumiResourceName

val pulumiResourceName: String

pulumiResourceType

val pulumiResourceType: String

rdnLdapAttribute

val rdnLdapAttribute: Output<String>

Name of the LDAP attribute to use as the relative distinguished name.

readTimeout

val readTimeout: Output<String>?

LDAP read timeout (duration string)

realmId

val realmId: Output<String>

The realm this provider will provide user federation for.

searchScope

val searchScope: Output<String>?

ONE_LEVEL: only search for users in the DN specified by user_dn. SUBTREE: search entire LDAP subtree.

startTls

val startTls: Output<Boolean>?

When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling.

syncRegistrations

val syncRegistrations: Output<Boolean>?

When true, newly created users will be synced back to LDAP.

trustEmail

val trustEmail: Output<Boolean>?

If enabled, email provided by this provider is not verified even if verification is enabled for the realm.

urn

val urn: Output<String>

usePasswordModifyExtendedOp

val usePasswordModifyExtendedOp: Output<Boolean>?

When true, use the LDAPv3 Password Modify Extended Operation (RFC-3062).

usernameLdapAttribute

val usernameLdapAttribute: Output<String>

Name of the LDAP attribute to use as the Keycloak username.

userObjectClasses

val userObjectClasses: Output<List<String>>

All values of LDAP objectClass attribute for users in LDAP.

usersDn

val usersDn: Output<String>

Full DN of LDAP tree where your users are.

useTruststoreSpi

val useTruststoreSpi: Output<String>?

uuidLdapAttribute

val uuidLdapAttribute: Output<String>

Name of the LDAP attribute to use as a unique object identifier for objects in LDAP.

validatePasswordPolicy

val validatePasswordPolicy: Output<Boolean>?

When true, Keycloak will validate passwords using the realm policy before updating it.

vendor

val vendor: Output<String>?

LDAP vendor. I am almost certain this field does nothing, but the UI indicates that it is required.