Msad
Allows for creating and managing MSAD user account control mappers for Keycloak users federated via LDAP. The MSAD (Microsoft Active Directory) user account control mapper is specific to LDAP user federation providers that are pulling from AD, and it can propagate AD user state to Keycloak in order to enforce settings like expired passwords or disabled accounts.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";
const realm = new keycloak.Realm("realm", {
realm: "my-realm",
enabled: true,
});
const ldapUserFederation = new keycloak.ldap.UserFederation("ldap_user_federation", {
name: "ad",
realmId: realm.id,
usernameLdapAttribute: "cn",
rdnLdapAttribute: "cn",
uuidLdapAttribute: "objectGUID",
userObjectClasses: [
"person",
"organizationalPerson",
"user",
],
connectionUrl: "ldap://my-ad-server",
usersDn: "dc=example,dc=org",
bindDn: "cn=admin,dc=example,dc=org",
bindCredential: "admin",
});
const msadUserAccountControlMapper = new keycloak.ldap.MsadUserAccountControlMapper("msad_user_account_control_mapper", {
realmId: realm.id,
ldapUserFederationId: ldapUserFederation.id,
name: "msad-user-account-control-mapper",
});Content copied to clipboard
import pulumi
import pulumi_keycloak as keycloak
realm = keycloak.Realm("realm",
realm="my-realm",
enabled=True)
ldap_user_federation = keycloak.ldap.UserFederation("ldap_user_federation",
name="ad",
realm_id=realm.id,
username_ldap_attribute="cn",
rdn_ldap_attribute="cn",
uuid_ldap_attribute="objectGUID",
user_object_classes=[
"person",
"organizationalPerson",
"user",
],
connection_url="ldap://my-ad-server",
users_dn="dc=example,dc=org",
bind_dn="cn=admin,dc=example,dc=org",
bind_credential="admin")
msad_user_account_control_mapper = keycloak.ldap.MsadUserAccountControlMapper("msad_user_account_control_mapper",
realm_id=realm.id,
ldap_user_federation_id=ldap_user_federation.id,
name="msad-user-account-control-mapper")Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Keycloak = Pulumi.Keycloak;
return await Deployment.RunAsync(() =>
{
var realm = new Keycloak.Realm("realm", new()
{
RealmName = "my-realm",
Enabled = true,
});
var ldapUserFederation = new Keycloak.Ldap.UserFederation("ldap_user_federation", new()
{
Name = "ad",
RealmId = realm.Id,
UsernameLdapAttribute = "cn",
RdnLdapAttribute = "cn",
UuidLdapAttribute = "objectGUID",
UserObjectClasses = new[]
{
"person",
"organizationalPerson",
"user",
},
ConnectionUrl = "ldap://my-ad-server",
UsersDn = "dc=example,dc=org",
BindDn = "cn=admin,dc=example,dc=org",
BindCredential = "admin",
});
var msadUserAccountControlMapper = new Keycloak.Ldap.MsadUserAccountControlMapper("msad_user_account_control_mapper", new()
{
RealmId = realm.Id,
LdapUserFederationId = ldapUserFederation.Id,
Name = "msad-user-account-control-mapper",
});
});Content copied to clipboard
package main
import (
"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak"
"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/ldap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
Realm: pulumi.String("my-realm"),
Enabled: pulumi.Bool(true),
})
if err != nil {
return err
}
ldapUserFederation, err := ldap.NewUserFederation(ctx, "ldap_user_federation", &ldap.UserFederationArgs{
Name: pulumi.String("ad"),
RealmId: realm.ID(),
UsernameLdapAttribute: pulumi.String("cn"),
RdnLdapAttribute: pulumi.String("cn"),
UuidLdapAttribute: pulumi.String("objectGUID"),
UserObjectClasses: pulumi.StringArray{
pulumi.String("person"),
pulumi.String("organizationalPerson"),
pulumi.String("user"),
},
ConnectionUrl: pulumi.String("ldap://my-ad-server"),
UsersDn: pulumi.String("dc=example,dc=org"),
BindDn: pulumi.String("cn=admin,dc=example,dc=org"),
BindCredential: pulumi.String("admin"),
})
if err != nil {
return err
}
_, err = ldap.NewMsadUserAccountControlMapper(ctx, "msad_user_account_control_mapper", &ldap.MsadUserAccountControlMapperArgs{
RealmId: realm.ID(),
LdapUserFederationId: ldapUserFederation.ID(),
Name: pulumi.String("msad-user-account-control-mapper"),
})
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.Realm;
import com.pulumi.keycloak.RealmArgs;
import com.pulumi.keycloak.ldap.UserFederation;
import com.pulumi.keycloak.ldap.UserFederationArgs;
import com.pulumi.keycloak.ldap.MsadUserAccountControlMapper;
import com.pulumi.keycloak.ldap.MsadUserAccountControlMapperArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var realm = new Realm("realm", RealmArgs.builder()
.realm("my-realm")
.enabled(true)
.build());
var ldapUserFederation = new UserFederation("ldapUserFederation", UserFederationArgs.builder()
.name("ad")
.realmId(realm.id())
.usernameLdapAttribute("cn")
.rdnLdapAttribute("cn")
.uuidLdapAttribute("objectGUID")
.userObjectClasses(
"person",
"organizationalPerson",
"user")
.connectionUrl("ldap://my-ad-server")
.usersDn("dc=example,dc=org")
.bindDn("cn=admin,dc=example,dc=org")
.bindCredential("admin")
.build());
var msadUserAccountControlMapper = new MsadUserAccountControlMapper("msadUserAccountControlMapper", MsadUserAccountControlMapperArgs.builder()
.realmId(realm.id())
.ldapUserFederationId(ldapUserFederation.id())
.name("msad-user-account-control-mapper")
.build());
}
}Content copied to clipboard
resources:
realm:
type: keycloak:Realm
properties:
realm: my-realm
enabled: true
ldapUserFederation:
type: keycloak:ldap:UserFederation
name: ldap_user_federation
properties:
name: ad
realmId: ${realm.id}
usernameLdapAttribute: cn
rdnLdapAttribute: cn
uuidLdapAttribute: objectGUID
userObjectClasses:
- person
- organizationalPerson
- user
connectionUrl: ldap://my-ad-server
usersDn: dc=example,dc=org
bindDn: cn=admin,dc=example,dc=org
bindCredential: admin
msadUserAccountControlMapper:
type: keycloak:ldap:MsadUserAccountControlMapper
name: msad_user_account_control_mapper
properties:
realmId: ${realm.id}
ldapUserFederationId: ${ldapUserFederation.id}
name: msad-user-account-control-mapperContent copied to clipboard
Import
LDAP mappers can be imported using the format {{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}. The ID of the LDAP user federation provider and the mapper can be found within the Keycloak GUI, and they are typically GUIDs. Example: bash
$ pulumi import keycloak:ldap/msadUserAccountControlMapper:MsadUserAccountControlMapper msad_user_account_control_mapper my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67Content copied to clipboard
Properties
Link copied to clipboard
When true, advanced password policies, such as password hints and previous password history will be used when writing new passwords to AD. Defaults to false.
Link copied to clipboard
The ID of the LDAP user federation provider to attach this mapper to.
Link copied to clipboard
Link copied to clipboard
Link copied to clipboard