UserFederationArgs

/**
 * Arguments for creating and managing an LDAP user federation provider within a Keycloak realm.
 *
 * Keycloak uses such a provider to federate users from a directory system (LDAP or Active Directory)
 * into the realm; federated users can log in to clients and have their attributes defined by mappers.
 * Every property is an optional Pulumi [Output]: `null` leaves the argument unset so the provider
 * default documented per property applies. The Java-SDK conversion required by [ConvertibleToJava]
 * is [toJava].
 *
 * @property batchSizeForSync Number of users to sync within a single transaction. Defaults to 1000.
 * @property bindCredential Password of the LDAP admin (bind) account; must be set if [bindDn] is set.
 *   NOTE(review): this is a secret — source it from encrypted configuration, never a plain literal.
 * @property bindDn DN of the LDAP admin account Keycloak uses to access the LDAP server; must be set
 *   if [bindCredential] is set.
 * @property cache Block containing the cache settings.
 * @property changedSyncPeriod Seconds between syncs of changed LDAP users; omit to disable periodic
 *   changed-user sync.
 * @property connectionTimeout LDAP connection timeout as a Go duration string (e.g. `"5s"`).
 * @property connectionUrl Connection URL of the LDAP server. A plain `ldap://` URL is unencrypted
 *   unless [startTls] is enabled (or an `ldaps://` URL is used).
 * @property customUserSearchFilter Additional LDAP filter applied to searched users; must begin with
 *   `(` and end with `)`.
 * @property deleteDefaultMappers When true, the default mappers Keycloak normally creates for a new
 *   LDAP provider are deleted. Defaults to false.
 * @property editMode One of `READ_ONLY`, `WRITABLE` or `UNSYNCED`; `UNSYNCED` imports user data but
 *   never syncs it back to LDAP. Defaults to `READ_ONLY`.
 * @property enabled When false, the provider is not used when querying for users. Defaults to true.
 * @property fullSyncPeriod Seconds between full syncs of all LDAP users; omit to disable periodic
 *   full sync.
 * @property importEnabled When true, LDAP users are imported into the Keycloak database. Defaults to true.
 * @property kerberos Block containing the Kerberos settings.
 * @property name Display name of the provider in the console.
 * @property pagination When true, Keycloak assumes the LDAP server supports pagination. Defaults to true.
 * @property priority Provider priority when looking up users; lower values are consulted first.
 *   Defaults to 0.
 * @property rdnLdapAttribute LDAP attribute used as the relative distinguished name.
 * @property readTimeout LDAP read timeout as a Go duration string.
 * @property realmId Realm this provider federates users for.
 * @property searchScope One of `ONE_LEVEL` or `SUBTREE`.
 * @property startTls When true, the connection to LDAP is encrypted with STARTTLS, which disables
 *   connection pooling.
 * @property syncRegistrations When true, newly created users are synced back to LDAP. Defaults to false.
 * @property trustEmail When true, email addresses supplied by this provider are not verified even
 *   if verification is enabled for the realm.
 * @property usePasswordModifyExtendedOp When true, the LDAPv3 Password Modify Extended Operation
 *   (RFC 3062) is used.
 * @property useTruststoreSpi One of `ALWAYS`, `ONLY_FOR_LDAPS` or `NEVER`.
 * @property userObjectClasses All values of the LDAP `objectClass` attribute for users; must contain
 *   at least one.
 * @property usernameLdapAttribute LDAP attribute used as the Keycloak username.
 * @property usersDn Full DN of the LDAP subtree where the users are.
 * @property uuidLdapAttribute LDAP attribute used as the unique object identifier.
 * @property validatePasswordPolicy When true, passwords are validated against the realm policy before
 *   being updated.
 * @property vendor One of `OTHER`, `EDIRECTORY`, `AD`, `RHDS` or `TIVOLI`; selecting it in the GUI
 *   fills reasonable defaults for other fields, while via the API it does nothing but is still
 *   required. Defaults to `OTHER`.
 */
data class UserFederationArgs(
    val batchSizeForSync: Output<Int>? = null,
    val bindCredential: Output<String>? = null,
    val bindDn: Output<String>? = null,
    val cache: Output<UserFederationCacheArgs>? = null,
    val changedSyncPeriod: Output<Int>? = null,
    val connectionTimeout: Output<String>? = null,
    val connectionUrl: Output<String>? = null,
    val customUserSearchFilter: Output<String>? = null,
    val deleteDefaultMappers: Output<Boolean>? = null,
    val editMode: Output<String>? = null,
    val enabled: Output<Boolean>? = null,
    val fullSyncPeriod: Output<Int>? = null,
    val importEnabled: Output<Boolean>? = null,
    val kerberos: Output<UserFederationKerberosArgs>? = null,
    val name: Output<String>? = null,
    val pagination: Output<Boolean>? = null,
    val priority: Output<Int>? = null,
    val rdnLdapAttribute: Output<String>? = null,
    val readTimeout: Output<String>? = null,
    val realmId: Output<String>? = null,
    val searchScope: Output<String>? = null,
    val startTls: Output<Boolean>? = null,
    val syncRegistrations: Output<Boolean>? = null,
    val trustEmail: Output<Boolean>? = null,
    val usePasswordModifyExtendedOp: Output<Boolean>? = null,
    val useTruststoreSpi: Output<String>? = null,
    val userObjectClasses: Output<List<String>>? = null,
    val usernameLdapAttribute: Output<String>? = null,
    val usersDn: Output<String>? = null,
    val uuidLdapAttribute: Output<String>? = null,
    val validatePasswordPolicy: Output<Boolean>? = null,
    val vendor: Output<String>? = null
) : ConvertibleToJava<UserFederationArgs>

Allows for creating and managing LDAP user federation providers within Keycloak. Keycloak can use an LDAP user federation provider to federate users to Keycloak from a directory system such as LDAP or Active Directory. Federated users will exist within the realm and will be able to log in to clients. Federated users can have their attributes defined using mappers.

Example Usage

// Example: create a realm and attach one LDAP user federation provider to it.
import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";
const realm = new keycloak.Realm("realm", {
    realm: "my-realm",
    enabled: true,
});
const ldapUserFederation = new keycloak.ldap.UserFederation("ldap_user_federation", {
    name: "openldap",
    realmId: realm.id,
    enabled: true,
    // LDAP attributes used as the Keycloak username, the RDN and the stable object identifier.
    usernameLdapAttribute: "cn",
    rdnLdapAttribute: "cn",
    uuidLdapAttribute: "entryDN",
    userObjectClasses: [
        "simpleSecurityObject",
        "organizationalRole",
    ],
    // A plain ldap:// URL is unencrypted unless startTls is enabled (or an ldaps:// URL is used).
    connectionUrl: "ldap://openldap",
    usersDn: "dc=example,dc=org",
    bindDn: "cn=admin,dc=example,dc=org",
    // The bind password is a secret: in a real program read it from secret config, not a literal.
    bindCredential: "admin",
    connectionTimeout: "5s",
    readTimeout: "10s",
    kerberos: {
        kerberosRealm: "FOO.LOCAL",
        serverPrincipal: "HTTP/host.foo.com@FOO.LOCAL",
        // Path of a keytab on the Keycloak host; it holds key material, so restrict its read access.
        keyTab: "/etc/host.keytab",
    },
});
# Example: create a realm and attach one LDAP user federation provider to it.
import pulumi
import pulumi_keycloak as keycloak
realm = keycloak.Realm("realm",
    realm="my-realm",
    enabled=True)
ldap_user_federation = keycloak.ldap.UserFederation("ldap_user_federation",
    name="openldap",
    realm_id=realm.id,
    enabled=True,
    # LDAP attributes used as the Keycloak username, the RDN and the stable object identifier.
    username_ldap_attribute="cn",
    rdn_ldap_attribute="cn",
    uuid_ldap_attribute="entryDN",
    user_object_classes=[
        "simpleSecurityObject",
        "organizationalRole",
    ],
    # A plain ldap:// URL is unencrypted unless start_tls is enabled (or an ldaps:// URL is used).
    connection_url="ldap://openldap",
    users_dn="dc=example,dc=org",
    bind_dn="cn=admin,dc=example,dc=org",
    # The bind password is a secret: in a real program read it from secret config, not a literal.
    bind_credential="admin",
    connection_timeout="5s",
    read_timeout="10s",
    kerberos={
        "kerberos_realm": "FOO.LOCAL",
        "server_principal": "HTTP/host.foo.com@FOO.LOCAL",
        # Path of a keytab on the Keycloak host; it holds key material, so restrict its read access.
        "key_tab": "/etc/host.keytab",
    })
// Example: create a realm and attach one LDAP user federation provider to it.
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Keycloak = Pulumi.Keycloak;
return await Deployment.RunAsync(() =>
{
    var realm = new Keycloak.Realm("realm", new()
    {
        RealmName = "my-realm",
        Enabled = true,
    });
    var ldapUserFederation = new Keycloak.Ldap.UserFederation("ldap_user_federation", new()
    {
        Name = "openldap",
        RealmId = realm.Id,
        Enabled = true,
        // LDAP attributes used as the Keycloak username, the RDN and the stable object identifier.
        UsernameLdapAttribute = "cn",
        RdnLdapAttribute = "cn",
        UuidLdapAttribute = "entryDN",
        UserObjectClasses = new[]
        {
            "simpleSecurityObject",
            "organizationalRole",
        },
        // A plain ldap:// URL is unencrypted unless StartTls is enabled (or an ldaps:// URL is used).
        ConnectionUrl = "ldap://openldap",
        UsersDn = "dc=example,dc=org",
        BindDn = "cn=admin,dc=example,dc=org",
        // The bind password is a secret: in a real program read it from secret config, not a literal.
        BindCredential = "admin",
        ConnectionTimeout = "5s",
        ReadTimeout = "10s",
        Kerberos = new Keycloak.Ldap.Inputs.UserFederationKerberosArgs
        {
            KerberosRealm = "FOO.LOCAL",
            ServerPrincipal = "HTTP/host.foo.com@FOO.LOCAL",
            // Path of a keytab on the Keycloak host; it holds key material, so restrict its read access.
            KeyTab = "/etc/host.keytab",
        },
    });
});
// Example: create a realm and attach one LDAP user federation provider to it.
package main

import (
	"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak"
	"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak/ldap"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
			Realm:   pulumi.String("my-realm"),
			Enabled: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		_, err = ldap.NewUserFederation(ctx, "ldap_user_federation", &ldap.UserFederationArgs{
			Name:    pulumi.String("openldap"),
			RealmId: realm.ID(),
			Enabled: pulumi.Bool(true),
			// LDAP attributes used as the Keycloak username, the RDN and the stable object identifier.
			UsernameLdapAttribute: pulumi.String("cn"),
			RdnLdapAttribute:      pulumi.String("cn"),
			UuidLdapAttribute:     pulumi.String("entryDN"),
			UserObjectClasses: pulumi.StringArray{
				pulumi.String("simpleSecurityObject"),
				pulumi.String("organizationalRole"),
			},
			// A plain ldap:// URL is unencrypted unless StartTls is enabled (or an ldaps:// URL is used).
			ConnectionUrl: pulumi.String("ldap://openldap"),
			UsersDn:       pulumi.String("dc=example,dc=org"),
			BindDn:        pulumi.String("cn=admin,dc=example,dc=org"),
			// The bind password is a secret: in a real program read it from secret config, not a literal.
			BindCredential:    pulumi.String("admin"),
			ConnectionTimeout: pulumi.String("5s"),
			ReadTimeout:       pulumi.String("10s"),
			Kerberos: &ldap.UserFederationKerberosArgs{
				KerberosRealm:   pulumi.String("FOO.LOCAL"),
				ServerPrincipal: pulumi.String("HTTP/host.foo.com@FOO.LOCAL"),
				// Path of a keytab on the Keycloak host; it holds key material, so restrict its read access.
				KeyTab: pulumi.String("/etc/host.keytab"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
// Example: create a realm and attach one LDAP user federation provider to it.
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.Realm;
import com.pulumi.keycloak.RealmArgs;
import com.pulumi.keycloak.ldap.UserFederation;
import com.pulumi.keycloak.ldap.UserFederationArgs;
import com.pulumi.keycloak.ldap.inputs.UserFederationKerberosArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /** Declares the realm and the LDAP provider bound to it. */
    public static void stack(Context ctx) {
        var realm = new Realm("realm", RealmArgs.builder()
            .realm("my-realm")
            .enabled(true)
            .build());
        var ldapUserFederation = new UserFederation("ldapUserFederation", UserFederationArgs.builder()
            .name("openldap")
            .realmId(realm.id())
            .enabled(true)
            // LDAP attributes used as the Keycloak username, the RDN and the stable object identifier.
            .usernameLdapAttribute("cn")
            .rdnLdapAttribute("cn")
            .uuidLdapAttribute("entryDN")
            .userObjectClasses(
                "simpleSecurityObject",
                "organizationalRole")
            // A plain ldap:// URL is unencrypted unless startTls is enabled (or an ldaps:// URL is used).
            .connectionUrl("ldap://openldap")
            .usersDn("dc=example,dc=org")
            .bindDn("cn=admin,dc=example,dc=org")
            // The bind password is a secret: in a real program read it from secret config, not a literal.
            .bindCredential("admin")
            .connectionTimeout("5s")
            .readTimeout("10s")
            .kerberos(UserFederationKerberosArgs.builder()
                .kerberosRealm("FOO.LOCAL")
                .serverPrincipal("HTTP/host.foo.com@FOO.LOCAL")
                // Path of a keytab on the Keycloak host; it holds key material, so restrict its read access.
                .keyTab("/etc/host.keytab")
                .build())
            .build());
    }
}
# Example: create a realm and attach one LDAP user federation provider to it.
resources:
  realm:
    type: keycloak:Realm
    properties:
      realm: my-realm
      enabled: true
  ldapUserFederation:
    type: keycloak:ldap:UserFederation
    name: ldap_user_federation
    properties:
      name: openldap
      realmId: ${realm.id}
      enabled: true
      # LDAP attributes used as the Keycloak username, the RDN and the stable object identifier.
      usernameLdapAttribute: cn
      rdnLdapAttribute: cn
      uuidLdapAttribute: entryDN
      userObjectClasses:
        - simpleSecurityObject
        - organizationalRole
      # A plain ldap:// URL is unencrypted unless startTls is enabled (or an ldaps:// URL is used).
      connectionUrl: ldap://openldap
      usersDn: dc=example,dc=org
      bindDn: cn=admin,dc=example,dc=org
      # The bind password is a secret: in a real program read it from secret config, not a literal.
      bindCredential: admin
      connectionTimeout: 5s
      readTimeout: 10s
      kerberos:
        kerberosRealm: FOO.LOCAL
        serverPrincipal: HTTP/host.foo.com@FOO.LOCAL
        # Path of a keytab on the Keycloak host; it holds key material, so restrict its read access.
        keyTab: /etc/host.keytab

Import

LDAP user federation providers can be imported using the format {{realm_id}}/{{ldap_user_federation_id}}. The ID of the LDAP user federation provider can be found within the Keycloak GUI and is typically a GUID:

$ pulumi import keycloak:ldap/userFederation:UserFederation ldap_user_federation my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860

Constructors

constructor(batchSizeForSync: Output<Int>? = null, bindCredential: Output<String>? = null, bindDn: Output<String>? = null, cache: Output<UserFederationCacheArgs>? = null, changedSyncPeriod: Output<Int>? = null, connectionTimeout: Output<String>? = null, connectionUrl: Output<String>? = null, customUserSearchFilter: Output<String>? = null, deleteDefaultMappers: Output<Boolean>? = null, editMode: Output<String>? = null, enabled: Output<Boolean>? = null, fullSyncPeriod: Output<Int>? = null, importEnabled: Output<Boolean>? = null, kerberos: Output<UserFederationKerberosArgs>? = null, name: Output<String>? = null, pagination: Output<Boolean>? = null, priority: Output<Int>? = null, rdnLdapAttribute: Output<String>? = null, readTimeout: Output<String>? = null, realmId: Output<String>? = null, searchScope: Output<String>? = null, startTls: Output<Boolean>? = null, syncRegistrations: Output<Boolean>? = null, trustEmail: Output<Boolean>? = null, usePasswordModifyExtendedOp: Output<Boolean>? = null, useTruststoreSpi: Output<String>? = null, userObjectClasses: Output<List<String>>? = null, usernameLdapAttribute: Output<String>? = null, usersDn: Output<String>? = null, uuidLdapAttribute: Output<String>? = null, validatePasswordPolicy: Output<Boolean>? = null, vendor: Output<String>? = null)

Properties

val batchSizeForSync: Output<Int>? = null

The number of users to sync within a single transaction. Defaults to 1000.

val bindCredential: Output<String>? = null

Password of the LDAP admin (bind) account. This attribute must be set if bind_dn is set. It is a secret and should be supplied from encrypted configuration rather than a plain-text literal.

val bindDn: Output<String>? = null

DN of the LDAP admin account that Keycloak uses to access the LDAP server. This attribute must be set if bind_credential is set.

val cache: Output<UserFederationCacheArgs>? = null

A block containing the cache settings.

val changedSyncPeriod: Output<Int>? = null

How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.

val connectionTimeout: Output<String>? = null

LDAP connection timeout in the format of a Go duration string.

val connectionUrl: Output<String>? = null

Connection URL to the LDAP server.

val customUserSearchFilter: Output<String>? = null

Additional LDAP filter for filtering searched users. Must begin with ( and end with ).

val deleteDefaultMappers: Output<Boolean>? = null

When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP user federation provider. Defaults to false.

val editMode: Output<String>? = null

Can be one of READ_ONLY, WRITABLE, or UNSYNCED. UNSYNCED allows user data to be imported but not synced back to LDAP. Defaults to READ_ONLY.

val enabled: Output<Boolean>? = null

When false, this provider will not be used when performing queries for users. Defaults to true.

val fullSyncPeriod: Output<Int>? = null

How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync.

val importEnabled: Output<Boolean>? = null

When true, LDAP users will be imported into the Keycloak database. Defaults to true.


A block containing the Kerberos settings (the kerberos property).

val name: Output<String>? = null

Display name of the provider when displayed in the console.

val pagination: Output<Boolean>? = null

When true, Keycloak assumes the LDAP server supports pagination. Defaults to true.

val priority: Output<Int>? = null

Priority of this provider when looking up users. Lower values are first. Defaults to 0.

val rdnLdapAttribute: Output<String>? = null

Name of the LDAP attribute to use as the relative distinguished name.

val readTimeout: Output<String>? = null

LDAP read timeout in the format of a Go duration string.

val realmId: Output<String>? = null

The realm that this provider will provide user federation for.

val searchScope: Output<String>? = null

Can be one of ONE_LEVEL or SUBTREE.

val startTls: Output<Boolean>? = null

When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling.

val syncRegistrations: Output<Boolean>? = null

When true, newly created users will be synced back to LDAP. Defaults to false.

val trustEmail: Output<Boolean>? = null

If enabled, email addresses provided by this provider are not subjected to verification even when email verification is enabled for the realm.


When true, Keycloak uses the LDAPv3 Password Modify Extended Operation (RFC 3062) to change passwords (the usePasswordModifyExtendedOp property).

val usernameLdapAttribute: Output<String>? = null

Name of the LDAP attribute to use as the Keycloak username.

val userObjectClasses: Output<List<String>>? = null

Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one.

val usersDn: Output<String>? = null

Full DN of LDAP tree where your users are.

val useTruststoreSpi: Output<String>? = null

Can be one of ALWAYS, ONLY_FOR_LDAPS, or NEVER.

val uuidLdapAttribute: Output<String>? = null

Name of the LDAP attribute to use as a unique object identifier for objects in LDAP.

val validatePasswordPolicy: Output<Boolean>? = null

When true, Keycloak will validate passwords against the realm password policy before updating them.

val vendor: Output<String>? = null

Can be one of OTHER, EDIRECTORY, AD, RHDS, or TIVOLI. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to OTHER.

Functions

open override fun toJava(): UserFederationArgs