User
Allows for creating and managing LDAP user federation providers within Keycloak. Keycloak can use an LDAP user federation provider to federate users to Keycloak from a directory system such as LDAP or Active Directory. Federated users will exist within the realm and will be able to log in to clients. Federated users can have their attributes defined using mappers.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";
const realm = new keycloak.Realm("realm", {
realm: "my-realm",
enabled: true,
});
const ldapUserFederation = new keycloak.ldap.UserFederation("ldap_user_federation", {
name: "openldap",
realmId: realm.id,
enabled: true,
usernameLdapAttribute: "cn",
rdnLdapAttribute: "cn",
uuidLdapAttribute: "entryDN",
userObjectClasses: [
"simpleSecurityObject",
"organizationalRole",
],
connectionUrl: "ldap://openldap",
usersDn: "dc=example,dc=org",
bindDn: "cn=admin,dc=example,dc=org",
bindCredential: "admin",
connectionTimeout: "5s",
readTimeout: "10s",
kerberos: {
kerberosRealm: "FOO.LOCAL",
serverPrincipal: "HTTP/host.foo.com@FOO.LOCAL",
keyTab: "/etc/host.keytab",
},
});import pulumi
import pulumi_keycloak as keycloak
realm = keycloak.Realm("realm",
realm="my-realm",
enabled=True)
ldap_user_federation = keycloak.ldap.UserFederation("ldap_user_federation",
name="openldap",
realm_id=realm.id,
enabled=True,
username_ldap_attribute="cn",
rdn_ldap_attribute="cn",
uuid_ldap_attribute="entryDN",
user_object_classes=[
"simpleSecurityObject",
"organizationalRole",
],
connection_url="ldap://openldap",
users_dn="dc=example,dc=org",
bind_dn="cn=admin,dc=example,dc=org",
bind_credential="admin",
connection_timeout="5s",
read_timeout="10s",
kerberos={
"kerberos_realm": "FOO.LOCAL",
"server_principal": "HTTP/host.foo.com@FOO.LOCAL",
"key_tab": "/etc/host.keytab",
})using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Keycloak = Pulumi.Keycloak;
return await Deployment.RunAsync(() =>
{
var realm = new Keycloak.Realm("realm", new()
{
RealmName = "my-realm",
Enabled = true,
});
var ldapUserFederation = new Keycloak.Ldap.UserFederation("ldap_user_federation", new()
{
Name = "openldap",
RealmId = realm.Id,
Enabled = true,
UsernameLdapAttribute = "cn",
RdnLdapAttribute = "cn",
UuidLdapAttribute = "entryDN",
UserObjectClasses = new[]
{
"simpleSecurityObject",
"organizationalRole",
},
ConnectionUrl = "ldap://openldap",
UsersDn = "dc=example,dc=org",
BindDn = "cn=admin,dc=example,dc=org",
BindCredential = "admin",
ConnectionTimeout = "5s",
ReadTimeout = "10s",
Kerberos = new Keycloak.Ldap.Inputs.UserFederationKerberosArgs
{
KerberosRealm = "FOO.LOCAL",
ServerPrincipal = "HTTP/host.foo.com@FOO.LOCAL",
KeyTab = "/etc/host.keytab",
},
});
});package main
import (
"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak"
"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak/ldap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
Realm: pulumi.String("my-realm"),
Enabled: pulumi.Bool(true),
})
if err != nil {
return err
}
_, err = ldap.NewUserFederation(ctx, "ldap_user_federation", &ldap.UserFederationArgs{
Name: pulumi.String("openldap"),
RealmId: realm.ID(),
Enabled: pulumi.Bool(true),
UsernameLdapAttribute: pulumi.String("cn"),
RdnLdapAttribute: pulumi.String("cn"),
UuidLdapAttribute: pulumi.String("entryDN"),
UserObjectClasses: pulumi.StringArray{
pulumi.String("simpleSecurityObject"),
pulumi.String("organizationalRole"),
},
ConnectionUrl: pulumi.String("ldap://openldap"),
UsersDn: pulumi.String("dc=example,dc=org"),
BindDn: pulumi.String("cn=admin,dc=example,dc=org"),
BindCredential: pulumi.String("admin"),
ConnectionTimeout: pulumi.String("5s"),
ReadTimeout: pulumi.String("10s"),
Kerberos: &ldap.UserFederationKerberosArgs{
KerberosRealm: pulumi.String("FOO.LOCAL"),
ServerPrincipal: pulumi.String("HTTP/host.foo.com@FOO.LOCAL"),
KeyTab: pulumi.String("/etc/host.keytab"),
},
})
if err != nil {
return err
}
return nil
})
}package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.Realm;
import com.pulumi.keycloak.RealmArgs;
import com.pulumi.keycloak.ldap.UserFederation;
import com.pulumi.keycloak.ldap.UserFederationArgs;
import com.pulumi.keycloak.ldap.inputs.UserFederationKerberosArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var realm = new Realm("realm", RealmArgs.builder()
.realm("my-realm")
.enabled(true)
.build());
var ldapUserFederation = new UserFederation("ldapUserFederation", UserFederationArgs.builder()
.name("openldap")
.realmId(realm.id())
.enabled(true)
.usernameLdapAttribute("cn")
.rdnLdapAttribute("cn")
.uuidLdapAttribute("entryDN")
.userObjectClasses(
"simpleSecurityObject",
"organizationalRole")
.connectionUrl("ldap://openldap")
.usersDn("dc=example,dc=org")
.bindDn("cn=admin,dc=example,dc=org")
.bindCredential("admin")
.connectionTimeout("5s")
.readTimeout("10s")
.kerberos(UserFederationKerberosArgs.builder()
.kerberosRealm("FOO.LOCAL")
.serverPrincipal("HTTP/host.foo.com@FOO.LOCAL")
.keyTab("/etc/host.keytab")
.build())
.build());
}
}resources:
realm:
type: keycloak:Realm
properties:
realm: my-realm
enabled: true
ldapUserFederation:
type: keycloak:ldap:UserFederation
name: ldap_user_federation
properties:
name: openldap
realmId: ${realm.id}
enabled: true
usernameLdapAttribute: cn
rdnLdapAttribute: cn
uuidLdapAttribute: entryDN
userObjectClasses:
- simpleSecurityObject
- organizationalRole
connectionUrl: ldap://openldap
usersDn: dc=example,dc=org
bindDn: cn=admin,dc=example,dc=org
bindCredential: admin
connectionTimeout: 5s
readTimeout: 10s
kerberos:
kerberosRealm: FOO.LOCAL
serverPrincipal: HTTP/host.foo.com@FOO.LOCAL
keyTab: /etc/host.keytabImport
LDAP user federation providers can be imported using the format {{realm_id}}/{{ldap_user_federation_id}}. The ID of the LDAP user federation provider can be found within the Keycloak GUI and is typically a GUID: bash
$ pulumi import keycloak:ldap/userFederation:UserFederation ldap_user_federation my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860Properties
The number of users to sync within a single transaction. Defaults to 1000.
Password of LDAP admin. This attribute must be set if bind_dn is set.
A block containing the cache settings.
How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.
LDAP connection timeout in the format of a Go duration string.
Connection URL to the LDAP server.
Additional LDAP filter for filtering searched users. Must begin with ( and end with ).
When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP user federation provider. Defaults to false.
How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync.
When true, LDAP users will be imported into the Keycloak database. Defaults to true.
A block containing the kerberos settings.
When true, Keycloak assumes the LDAP server supports pagination. Defaults to true.
Name of the LDAP attribute to use as the relative distinguished name.
LDAP read timeout in the format of a Go duration string.
Can be one of ONE_LEVEL or SUBTREE:
When true, newly created users will be synced back to LDAP. Defaults to false.
If enabled, email provided by this provider is not verified even if verification is enabled for the realm.
When true, use the LDAPv3 Password Modify Extended Operation (RFC-3062).
Name of the LDAP attribute to use as the Keycloak username.
Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one.
Can be one of ALWAYS, ONLY_FOR_LDAPS, or NEVER:
Name of the LDAP attribute to use as a unique object identifier for objects in LDAP.
When true, Keycloak will validate passwords using the realm policy before updating it.