Role Mapper
Allows for creating and managing role mappers for Keycloak users federated via LDAP. The LDAP role mapper can be used to map an LDAP user's roles from some DN to Keycloak roles.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";
// Realm that owns the LDAP federation provider and the role mapper declared below.
const realmArgs: keycloak.RealmArgs = {
  realm: "my-realm",
  enabled: true,
};
const realm = new keycloak.Realm("realm", realmArgs);
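// LDAP user federation provider for the realm.
// The bind credential is read from Pulumi config as a secret instead of being
// written into the program (and the state file) in clear text:
//   pulumi config set --secret bindCredential <value>
const config = new pulumi.Config();
const ldapUserFederation = new keycloak.ldap.UserFederation("ldap_user_federation", {
  name: "openldap",
  realmId: realm.id,
  usernameLdapAttribute: "cn",
  rdnLdapAttribute: "cn",
  uuidLdapAttribute: "entryDN",
  userObjectClasses: [
    "simpleSecurityObject",
    "organizationalRole",
  ],
  // Plain ldap:// sends the bind credential unencrypted; prefer ldaps://
  // (or the provider's TLS options) outside of a local demo.
  connectionUrl: "ldap://openldap",
  usersDn: "dc=example,dc=org",
  bindDn: "cn=admin,dc=example,dc=org",
  bindCredential: config.requireSecret("bindCredential"),
});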
// Maps LDAP role objects (groupOfNames entries under ldapRolesDn) onto Keycloak
// roles. With the MEMBEROF retrieve strategy, a user's roles are read from the
// attribute named by memberofLdapAttribute.
const roleMapperArgs: keycloak.ldap.RoleMapperArgs = {
  realmId: realm.id,
  ldapUserFederationId: ldapUserFederation.id,
  name: "role-mapper",
  ldapRolesDn: "dc=example,dc=org",
  roleNameLdapAttribute: "cn",
  roleObjectClasses: ["groupOfNames"],
  // Membership values in the role's "member" attribute are full DNs.
  membershipAttributeType: "DN",
  membershipLdapAttribute: "member",
  membershipUserLdapAttribute: "cn",
  userRolesRetrieveStrategy: "GET_ROLES_FROM_USER_MEMBEROF_ATTRIBUTE",
  memberofLdapAttribute: "memberOf",
};
const ldapRoleMapper = new keycloak.ldap.RoleMapper("ldap_role_mapper", roleMapperArgs);
import pulumi
import pulumi_keycloak as keycloak
# Realm that owns the LDAP federation provider and the role mapper declared below.
realm_args = {"realm": "my-realm", "enabled": True}
realm = keycloak.Realm("realm", **realm_args)
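# LDAP user federation provider for the realm.
# The bind credential is read from Pulumi config as a secret instead of being
# written into the program (and the state file) in clear text:
#   pulumi config set --secret bind_credential <value>
config = pulumi.Config()
ldap_user_federation = keycloak.ldap.UserFederation(
    "ldap_user_federation",
    name="openldap",
    realm_id=realm.id,
    username_ldap_attribute="cn",
    rdn_ldap_attribute="cn",
    uuid_ldap_attribute="entryDN",
    user_object_classes=[
        "simpleSecurityObject",
        "organizationalRole",
    ],
    # Plain ldap:// sends the bind credential unencrypted; prefer ldaps://
    # (or the provider's TLS options) outside of a local demo.
    connection_url="ldap://openldap",
    users_dn="dc=example,dc=org",
    bind_dn="cn=admin,dc=example,dc=org",
    bind_credential=config.require_secret("bind_credential"),
)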
# Maps LDAP role objects (groupOfNames entries under ldap_roles_dn) onto Keycloak
# roles. With the MEMBEROF retrieve strategy, a user's roles are read from the
# attribute named by memberof_ldap_attribute.
role_mapper_args = {
    "realm_id": realm.id,
    "ldap_user_federation_id": ldap_user_federation.id,
    "name": "role-mapper",
    "ldap_roles_dn": "dc=example,dc=org",
    "role_name_ldap_attribute": "cn",
    "role_object_classes": ["groupOfNames"],
    # Membership values in the role's "member" attribute are full DNs.
    "membership_attribute_type": "DN",
    "membership_ldap_attribute": "member",
    "membership_user_ldap_attribute": "cn",
    "user_roles_retrieve_strategy": "GET_ROLES_FROM_USER_MEMBEROF_ATTRIBUTE",
    "memberof_ldap_attribute": "memberOf",
}
ldap_role_mapper = keycloak.ldap.RoleMapper("ldap_role_mapper", **role_mapper_args)
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Keycloak = Pulumi.Keycloak;
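return await Deployment.RunAsync(() =>
{
    // Realm that owns the LDAP federation provider and the role mapper declared below.
    var realm = new Keycloak.Realm("realm", new()
    {
        RealmName = "my-realm",
        Enabled = true,
    });

    // LDAP user federation provider for the realm.
    // The bind credential is read from Pulumi config as a secret instead of being
    // written into the program (and the state file) in clear text:
    //   pulumi config set --secret bindCredential <value>
    var config = new Config();
    var ldapUserFederation = new Keycloak.Ldap.UserFederation("ldap_user_federation", new()
    {
        Name = "openldap",
        RealmId = realm.Id,
        UsernameLdapAttribute = "cn",
        RdnLdapAttribute = "cn",
        UuidLdapAttribute = "entryDN",
        UserObjectClasses = new[]
        {
            "simpleSecurityObject",
            "organizationalRole",
        },
        // Plain ldap:// sends the bind credential unencrypted; prefer ldaps://
        // (or the provider's TLS options) outside of a local demo.
        ConnectionUrl = "ldap://openldap",
        UsersDn = "dc=example,dc=org",
        BindDn = "cn=admin,dc=example,dc=org",
        BindCredential = config.RequireSecret("bindCredential"),
    });

    // Maps LDAP role objects (groupOfNames entries under LdapRolesDn) onto Keycloak
    // roles. With the MEMBEROF retrieve strategy, a user's roles are read from the
    // attribute named by MemberofLdapAttribute.
    var ldapRoleMapper = new Keycloak.Ldap.RoleMapper("ldap_role_mapper", new()
    {
        RealmId = realm.Id,
        LdapUserFederationId = ldapUserFederation.Id,
        Name = "role-mapper",
        LdapRolesDn = "dc=example,dc=org",
        RoleNameLdapAttribute = "cn",
        RoleObjectClasses = new[]
        {
            "groupOfNames",
        },
        // Membership values in the role's "member" attribute are full DNs.
        MembershipAttributeType = "DN",
        MembershipLdapAttribute = "member",
        MembershipUserLdapAttribute = "cn",
        UserRolesRetrieveStrategy = "GET_ROLES_FROM_USER_MEMBEROF_ATTRIBUTE",
        MemberofLdapAttribute = "memberOf",
    });
});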
package main
import (
	"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak"
	"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak/ldap"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi/config"
)
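// main declares a realm, an LDAP user federation provider and a role mapper
// that maps LDAP role objects onto Keycloak roles.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Realm that owns the LDAP federation provider and the role mapper declared below.
		realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
			Realm:   pulumi.String("my-realm"),
			Enabled: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}

		// The LDAP bind credential is read from Pulumi config as a secret instead
		// of being written into the program (and the state file) in clear text:
		//   pulumi config set --secret bindCredential <value>
		cfg := config.New(ctx, "")
		ldapUserFederation, err := ldap.NewUserFederation(ctx, "ldap_user_federation", &ldap.UserFederationArgs{
			Name:                  pulumi.String("openldap"),
			RealmId:               realm.ID(),
			UsernameLdapAttribute: pulumi.String("cn"),
			RdnLdapAttribute:      pulumi.String("cn"),
			UuidLdapAttribute:     pulumi.String("entryDN"),
			UserObjectClasses: pulumi.StringArray{
				pulumi.String("simpleSecurityObject"),
				pulumi.String("organizationalRole"),
			},
			// Plain ldap:// sends the bind credential unencrypted; prefer ldaps://
			// (or the provider's TLS options) outside of a local demo.
			ConnectionUrl:  pulumi.String("ldap://openldap"),
			UsersDn:        pulumi.String("dc=example,dc=org"),
			BindDn:         pulumi.String("cn=admin,dc=example,dc=org"),
			BindCredential: cfg.RequireSecret("bindCredential"),
		})
		if err != nil {
			return err
		}

		// Maps LDAP role objects (groupOfNames entries under LdapRolesDn) onto
		// Keycloak roles. With the MEMBEROF retrieve strategy, a user's roles are
		// read from the attribute named by MemberofLdapAttribute.
		_, err = ldap.NewRoleMapper(ctx, "ldap_role_mapper", &ldap.RoleMapperArgs{
			RealmId:               realm.ID(),
			LdapUserFederationId:  ldapUserFederation.ID(),
			Name:                  pulumi.String("role-mapper"),
			LdapRolesDn:           pulumi.String("dc=example,dc=org"),
			RoleNameLdapAttribute: pulumi.String("cn"),
			RoleObjectClasses: pulumi.StringArray{
				pulumi.String("groupOfNames"),
			},
			// Membership values in the role's "member" attribute are full DNs.
			MembershipAttributeType:     pulumi.String("DN"),
			MembershipLdapAttribute:     pulumi.String("member"),
			MembershipUserLdapAttribute: pulumi.String("cn"),
			UserRolesRetrieveStrategy:   pulumi.String("GET_ROLES_FROM_USER_MEMBEROF_ATTRIBUTE"),
			MemberofLdapAttribute:       pulumi.String("memberOf"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}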
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.Realm;
import com.pulumi.keycloak.RealmArgs;
import com.pulumi.keycloak.ldap.UserFederation;
import com.pulumi.keycloak.ldap.UserFederationArgs;
import com.pulumi.keycloak.ldap.RoleMapper;
import com.pulumi.keycloak.ldap.RoleMapperArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
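/**
 * Pulumi program declaring a realm, an LDAP user federation provider and a
 * role mapper that maps LDAP role objects onto Keycloak roles.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the resources of the stack.
     *
     * @param ctx the Pulumi context; its config must provide the
     *            {@code bindCredential} secret
     *            ({@code pulumi config set --secret bindCredential <value>})
     */
    public static void stack(Context ctx) {
        // Realm that owns the LDAP federation provider and the role mapper declared below.
        var realm = new Realm("realm", RealmArgs.builder()
            .realm("my-realm")
            .enabled(true)
            .build());

        // The LDAP bind credential is read from Pulumi config as a secret instead
        // of being written into the program (and the state file) in clear text.
        var bindCredential = ctx.config().requireSecret("bindCredential");
        var ldapUserFederation = new UserFederation("ldapUserFederation", UserFederationArgs.builder()
            .name("openldap")
            .realmId(realm.id())
            .usernameLdapAttribute("cn")
            .rdnLdapAttribute("cn")
            .uuidLdapAttribute("entryDN")
            .userObjectClasses(
                "simpleSecurityObject",
                "organizationalRole")
            // Plain ldap:// sends the bind credential unencrypted; prefer ldaps://
            // (or the provider's TLS options) outside of a local demo.
            .connectionUrl("ldap://openldap")
            .usersDn("dc=example,dc=org")
            .bindDn("cn=admin,dc=example,dc=org")
            .bindCredential(bindCredential)
            .build());

        // Maps LDAP role objects (groupOfNames entries under ldapRolesDn) onto
        // Keycloak roles. With the MEMBEROF retrieve strategy, a user's roles are
        // read from the attribute named by memberofLdapAttribute.
        var ldapRoleMapper = new RoleMapper("ldapRoleMapper", RoleMapperArgs.builder()
            .realmId(realm.id())
            .ldapUserFederationId(ldapUserFederation.id())
            .name("role-mapper")
            .ldapRolesDn("dc=example,dc=org")
            .roleNameLdapAttribute("cn")
            .roleObjectClasses("groupOfNames")
            // Membership values in the role's "member" attribute are full DNs.
            .membershipAttributeType("DN")
            .membershipLdapAttribute("member")
            .membershipUserLdapAttribute("cn")
            .userRolesRetrieveStrategy("GET_ROLES_FROM_USER_MEMBEROF_ATTRIBUTE")
            .memberofLdapAttribute("memberOf")
            .build());
    }
}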
resources:
  # Realm that owns the LDAP federation provider and the role mapper declared below.
  realm:
    type: keycloak:Realm
    properties:
      realm: my-realm
      enabled: true
  # LDAP user federation provider for the realm.
  ldapUserFederation:
    type: keycloak:ldap:UserFederation
    name: ldap_user_federation
    properties:
      name: openldap
      realmId: ${realm.id}
      usernameLdapAttribute: cn
      rdnLdapAttribute: cn
      uuidLdapAttribute: entryDN
      userObjectClasses:
        - simpleSecurityObject
        - organizationalRole
      # Plain ldap:// sends the bind credential unencrypted; prefer ldaps://
      # (or the provider's TLS options) outside of a local demo.
      connectionUrl: ldap://openldap
      usersDn: dc=example,dc=org
      bindDn: cn=admin,dc=example,dc=org
      # Demo-only literal: outside a local demo, supply the bind credential as a
      # secret config value rather than committing it to the program.
      bindCredential: admin
  # Maps LDAP role objects (groupOfNames entries under ldapRolesDn) onto
  # Keycloak roles. With the MEMBEROF retrieve strategy, a user's roles are
  # read from the attribute named by memberofLdapAttribute.
  ldapRoleMapper:
    type: keycloak:ldap:RoleMapper
    name: ldap_role_mapper
    properties:
      realmId: ${realm.id}
      ldapUserFederationId: ${ldapUserFederation.id}
      name: role-mapper
      ldapRolesDn: dc=example,dc=org
      roleNameLdapAttribute: cn
      roleObjectClasses:
        - groupOfNames
      # Membership values in the role's "member" attribute are full DNs.
      membershipAttributeType: DN
      membershipLdapAttribute: member
      membershipUserLdapAttribute: cn
      userRolesRetrieveStrategy: GET_ROLES_FROM_USER_MEMBEROF_ATTRIBUTE
      memberofLdapAttribute: memberOf
Import
LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`. The ID of the LDAP user federation provider and the mapper can be found within the Keycloak GUI; they are typically GUIDs. Example:
$ pulumi import keycloak:ldap/roleMapper:RoleMapper ldap_role_mapper my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67
Properties
The LDAP DN where roles can be found.
The ID of the LDAP user federation provider to attach this mapper to.
Specifies the name of the LDAP attribute on the LDAP user that contains the roles the user has. Defaults to `memberOf`. This is only used when `userRolesRetrieveStrategy` is `GET_ROLES_FROM_USER_MEMBEROF_ATTRIBUTE`.
Can be one of `DN` or `UID`. Defaults to `DN`.
The name of the LDAP attribute that is used for membership mappings.
The name of the LDAP attribute on a user that is used for membership mappings.
The name of the LDAP attribute that is used in role objects for the name and RDN of the role. Typically `cn`.
List of strings representing the object classes for the role. Must contain at least one.
When specified, adds a custom filter to be used when querying for roles. Must start with `(` and end with `)`.
When `true`, LDAP role mappings will be mapped to realm roles within Keycloak. Defaults to `true`.
Can be one of `LOAD_ROLES_BY_MEMBER_ATTRIBUTE`, `GET_ROLES_FROM_USER_MEMBEROF_ATTRIBUTE`, or `LOAD_ROLES_BY_MEMBER_ATTRIBUTE_RECURSIVELY`. Defaults to `LOAD_ROLES_BY_MEMBER_ATTRIBUTE`.