Hardcoded
Allows for creating and managing hardcoded role mappers for Keycloak users federated via LDAP. The LDAP hardcoded role mapper will grant a specified Keycloak role to each Keycloak user linked with LDAP.
Example Usage
Realm Role)
import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";
const realm = new keycloak.Realm("realm", {
realm: "my-realm",
enabled: true,
});
const ldapUserFederation = new keycloak.ldap.UserFederation("ldap_user_federation", {
name: "openldap",
realmId: realm.id,
usernameLdapAttribute: "cn",
rdnLdapAttribute: "cn",
uuidLdapAttribute: "entryDN",
userObjectClasses: [
"simpleSecurityObject",
"organizationalRole",
],
connectionUrl: "ldap://openldap",
usersDn: "dc=example,dc=org",
bindDn: "cn=admin,dc=example,dc=org",
bindCredential: "admin",
});
const realmAdminRole = new keycloak.Role("realm_admin_role", {
realmId: realm.id,
name: "my-admin-role",
description: "My Realm Role",
});
const assignAdminRoleToAllUsers = new keycloak.ldap.HardcodedRoleMapper("assign_admin_role_to_all_users", {
realmId: realm.id,
ldapUserFederationId: ldapUserFederation.id,
name: "assign-admin-role-to-all-users",
role: realmAdminRole.name,
});Content copied to clipboard
import pulumi
import pulumi_keycloak as keycloak
realm = keycloak.Realm("realm",
realm="my-realm",
enabled=True)
ldap_user_federation = keycloak.ldap.UserFederation("ldap_user_federation",
name="openldap",
realm_id=realm.id,
username_ldap_attribute="cn",
rdn_ldap_attribute="cn",
uuid_ldap_attribute="entryDN",
user_object_classes=[
"simpleSecurityObject",
"organizationalRole",
],
connection_url="ldap://openldap",
users_dn="dc=example,dc=org",
bind_dn="cn=admin,dc=example,dc=org",
bind_credential="admin")
realm_admin_role = keycloak.Role("realm_admin_role",
realm_id=realm.id,
name="my-admin-role",
description="My Realm Role")
assign_admin_role_to_all_users = keycloak.ldap.HardcodedRoleMapper("assign_admin_role_to_all_users",
realm_id=realm.id,
ldap_user_federation_id=ldap_user_federation.id,
name="assign-admin-role-to-all-users",
role=realm_admin_role.name)Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Keycloak = Pulumi.Keycloak;
return await Deployment.RunAsync(() =>
{
var realm = new Keycloak.Realm("realm", new()
{
RealmName = "my-realm",
Enabled = true,
});
var ldapUserFederation = new Keycloak.Ldap.UserFederation("ldap_user_federation", new()
{
Name = "openldap",
RealmId = realm.Id,
UsernameLdapAttribute = "cn",
RdnLdapAttribute = "cn",
UuidLdapAttribute = "entryDN",
UserObjectClasses = new[]
{
"simpleSecurityObject",
"organizationalRole",
},
ConnectionUrl = "ldap://openldap",
UsersDn = "dc=example,dc=org",
BindDn = "cn=admin,dc=example,dc=org",
BindCredential = "admin",
});
var realmAdminRole = new Keycloak.Role("realm_admin_role", new()
{
RealmId = realm.Id,
Name = "my-admin-role",
Description = "My Realm Role",
});
var assignAdminRoleToAllUsers = new Keycloak.Ldap.HardcodedRoleMapper("assign_admin_role_to_all_users", new()
{
RealmId = realm.Id,
LdapUserFederationId = ldapUserFederation.Id,
Name = "assign-admin-role-to-all-users",
Role = realmAdminRole.Name,
});
});Content copied to clipboard
package main
import (
"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak"
"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak/ldap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
Realm: pulumi.String("my-realm"),
Enabled: pulumi.Bool(true),
})
if err != nil {
return err
}
ldapUserFederation, err := ldap.NewUserFederation(ctx, "ldap_user_federation", &ldap.UserFederationArgs{
Name: pulumi.String("openldap"),
RealmId: realm.ID(),
UsernameLdapAttribute: pulumi.String("cn"),
RdnLdapAttribute: pulumi.String("cn"),
UuidLdapAttribute: pulumi.String("entryDN"),
UserObjectClasses: pulumi.StringArray{
pulumi.String("simpleSecurityObject"),
pulumi.String("organizationalRole"),
},
ConnectionUrl: pulumi.String("ldap://openldap"),
UsersDn: pulumi.String("dc=example,dc=org"),
BindDn: pulumi.String("cn=admin,dc=example,dc=org"),
BindCredential: pulumi.String("admin"),
})
if err != nil {
return err
}
realmAdminRole, err := keycloak.NewRole(ctx, "realm_admin_role", &keycloak.RoleArgs{
RealmId: realm.ID(),
Name: pulumi.String("my-admin-role"),
Description: pulumi.String("My Realm Role"),
})
if err != nil {
return err
}
_, err = ldap.NewHardcodedRoleMapper(ctx, "assign_admin_role_to_all_users", &ldap.HardcodedRoleMapperArgs{
RealmId: realm.ID(),
LdapUserFederationId: ldapUserFederation.ID(),
Name: pulumi.String("assign-admin-role-to-all-users"),
Role: realmAdminRole.Name,
})
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.Realm;
import com.pulumi.keycloak.RealmArgs;
import com.pulumi.keycloak.ldap.UserFederation;
import com.pulumi.keycloak.ldap.UserFederationArgs;
import com.pulumi.keycloak.Role;
import com.pulumi.keycloak.RoleArgs;
import com.pulumi.keycloak.ldap.HardcodedRoleMapper;
import com.pulumi.keycloak.ldap.HardcodedRoleMapperArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var realm = new Realm("realm", RealmArgs.builder()
.realm("my-realm")
.enabled(true)
.build());
var ldapUserFederation = new UserFederation("ldapUserFederation", UserFederationArgs.builder()
.name("openldap")
.realmId(realm.id())
.usernameLdapAttribute("cn")
.rdnLdapAttribute("cn")
.uuidLdapAttribute("entryDN")
.userObjectClasses(
"simpleSecurityObject",
"organizationalRole")
.connectionUrl("ldap://openldap")
.usersDn("dc=example,dc=org")
.bindDn("cn=admin,dc=example,dc=org")
.bindCredential("admin")
.build());
var realmAdminRole = new Role("realmAdminRole", RoleArgs.builder()
.realmId(realm.id())
.name("my-admin-role")
.description("My Realm Role")
.build());
var assignAdminRoleToAllUsers = new HardcodedRoleMapper("assignAdminRoleToAllUsers", HardcodedRoleMapperArgs.builder()
.realmId(realm.id())
.ldapUserFederationId(ldapUserFederation.id())
.name("assign-admin-role-to-all-users")
.role(realmAdminRole.name())
.build());
}
}Content copied to clipboard
resources:
realm:
type: keycloak:Realm
properties:
realm: my-realm
enabled: true
ldapUserFederation:
type: keycloak:ldap:UserFederation
name: ldap_user_federation
properties:
name: openldap
realmId: ${realm.id}
usernameLdapAttribute: cn
rdnLdapAttribute: cn
uuidLdapAttribute: entryDN
userObjectClasses:
- simpleSecurityObject
- organizationalRole
connectionUrl: ldap://openldap
usersDn: dc=example,dc=org
bindDn: cn=admin,dc=example,dc=org
bindCredential: admin
realmAdminRole:
type: keycloak:Role
name: realm_admin_role
properties:
realmId: ${realm.id}
name: my-admin-role
description: My Realm Role
assignAdminRoleToAllUsers:
type: keycloak:ldap:HardcodedRoleMapper
name: assign_admin_role_to_all_users
properties:
realmId: ${realm.id}
ldapUserFederationId: ${ldapUserFederation.id}
name: assign-admin-role-to-all-users
role: ${realmAdminRole.name}Content copied to clipboard
Client Role)
import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";
const realm = new keycloak.Realm("realm", {
realm: "my-realm",
enabled: true,
});
const ldapUserFederation = new keycloak.ldap.UserFederation("ldap_user_federation", {
name: "openldap",
realmId: realm.id,
usernameLdapAttribute: "cn",
rdnLdapAttribute: "cn",
uuidLdapAttribute: "entryDN",
userObjectClasses: [
"simpleSecurityObject",
"organizationalRole",
],
connectionUrl: "ldap://openldap",
usersDn: "dc=example,dc=org",
bindDn: "cn=admin,dc=example,dc=org",
bindCredential: "admin",
});
// data sources aren't technically necessary here, but they are helpful for demonstration purposes
const realmManagement = keycloak.openid.getClientOutput({
realmId: realm.id,
clientId: "realm-management",
});
const createClient = pulumi.all([realm.id, realmManagement]).apply(([id, realmManagement]) => keycloak.getRoleOutput({
realmId: id,
clientId: realmManagement.id,
name: "create-client",
}));
const assignAdminRoleToAllUsers = new keycloak.ldap.HardcodedRoleMapper("assign_admin_role_to_all_users", {
realmId: realm.id,
ldapUserFederationId: ldapUserFederation.id,
name: "assign-admin-role-to-all-users",
role: pulumi.all([realmManagement, createClient]).apply(([realmManagement, createClient]) => `${realmManagement.clientId}.${createClient.name}`),
});Content copied to clipboard
import pulumi
import pulumi_keycloak as keycloak
realm = keycloak.Realm("realm",
realm="my-realm",
enabled=True)
ldap_user_federation = keycloak.ldap.UserFederation("ldap_user_federation",
name="openldap",
realm_id=realm.id,
username_ldap_attribute="cn",
rdn_ldap_attribute="cn",
uuid_ldap_attribute="entryDN",
user_object_classes=[
"simpleSecurityObject",
"organizationalRole",
],
connection_url="ldap://openldap",
users_dn="dc=example,dc=org",
bind_dn="cn=admin,dc=example,dc=org",
bind_credential="admin")
# data sources aren't technically necessary here, but they are helpful for demonstration purposes
realm_management = keycloak.openid.get_client_output(realm_id=realm.id,
client_id="realm-management")
create_client = pulumi.Output.all(
id=realm.id,
realm_management=realm_management
).apply(lambda resolved_outputs: keycloak.get_role_output(realm_id=resolved_outputs['id'],
client_id=resolved_outputs['realm_management'],
name="create-client"))
assign_admin_role_to_all_users = keycloak.ldap.HardcodedRoleMapper("assign_admin_role_to_all_users",
realm_id=realm.id,
ldap_user_federation_id=ldap_user_federation.id,
name="assign-admin-role-to-all-users",
role=pulumi.Output.all(
realm_management=realm_management,
create_client=create_client
).apply(lambda resolved_outputs: f"{resolved_outputs['realm_management']}.{resolved_outputs['create_client']}")
)Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Keycloak = Pulumi.Keycloak;
return await Deployment.RunAsync(() =>
{
var realm = new Keycloak.Realm("realm", new()
{
RealmName = "my-realm",
Enabled = true,
});
var ldapUserFederation = new Keycloak.Ldap.UserFederation("ldap_user_federation", new()
{
Name = "openldap",
RealmId = realm.Id,
UsernameLdapAttribute = "cn",
RdnLdapAttribute = "cn",
UuidLdapAttribute = "entryDN",
UserObjectClasses = new[]
{
"simpleSecurityObject",
"organizationalRole",
},
ConnectionUrl = "ldap://openldap",
UsersDn = "dc=example,dc=org",
BindDn = "cn=admin,dc=example,dc=org",
BindCredential = "admin",
});
// data sources aren't technically necessary here, but they are helpful for demonstration purposes
var realmManagement = Keycloak.OpenId.GetClient.Invoke(new()
{
RealmId = realm.Id,
ClientId = "realm-management",
});
var createClient = Keycloak.GetRole.Invoke(new()
{
RealmId = realm.Id,
ClientId = realmManagement.Apply(getClientResult => getClientResult.Id),
Name = "create-client",
});
var assignAdminRoleToAllUsers = new Keycloak.Ldap.HardcodedRoleMapper("assign_admin_role_to_all_users", new()
{
RealmId = realm.Id,
LdapUserFederationId = ldapUserFederation.Id,
Name = "assign-admin-role-to-all-users",
Role = Output.Tuple(realmManagement, createClient).Apply(values =>
{
var realmManagement = values.Item1;
var createClient = values.Item2;
return $"{realmManagement.Apply(getClientResult => getClientResult.ClientId)}.{createClient.Apply(getRoleResult => getRoleResult.Name)}";
}),
});
});Content copied to clipboard
package main
import (
"fmt"
"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak"
"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak/ldap"
"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak/openid"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
Realm: pulumi.String("my-realm"),
Enabled: pulumi.Bool(true),
})
if err != nil {
return err
}
ldapUserFederation, err := ldap.NewUserFederation(ctx, "ldap_user_federation", &ldap.UserFederationArgs{
Name: pulumi.String("openldap"),
RealmId: realm.ID(),
UsernameLdapAttribute: pulumi.String("cn"),
RdnLdapAttribute: pulumi.String("cn"),
UuidLdapAttribute: pulumi.String("entryDN"),
UserObjectClasses: pulumi.StringArray{
pulumi.String("simpleSecurityObject"),
pulumi.String("organizationalRole"),
},
ConnectionUrl: pulumi.String("ldap://openldap"),
UsersDn: pulumi.String("dc=example,dc=org"),
BindDn: pulumi.String("cn=admin,dc=example,dc=org"),
BindCredential: pulumi.String("admin"),
})
if err != nil {
return err
}
// data sources aren't technically necessary here, but they are helpful for demonstration purposes
realmManagement := openid.LookupClientOutput(ctx, openid.GetClientOutputArgs{
RealmId: realm.ID(),
ClientId: pulumi.String("realm-management"),
}, nil)
createClient := pulumi.All(realm.ID(), realmManagement).ApplyT(func(_args []interface{}) (keycloak.GetRoleResult, error) {
id := _args[0].(string)
realmManagement := _args[1].(openid.GetClientResult)
return keycloak.GetRoleResult(interface{}(keycloak.LookupRoleOutput(ctx, keycloak.GetRoleOutputArgs{
RealmId: id,
ClientId: realmManagement.Id,
Name: "create-client",
}, nil))), nil
}).(keycloak.GetRoleResultOutput)
_, err = ldap.NewHardcodedRoleMapper(ctx, "assign_admin_role_to_all_users", &ldap.HardcodedRoleMapperArgs{
RealmId: realm.ID(),
LdapUserFederationId: ldapUserFederation.ID(),
Name: pulumi.String("assign-admin-role-to-all-users"),
Role: pulumi.All(realmManagement, createClient).ApplyT(func(_args []interface{}) (string, error) {
realmManagement := _args[0].(openid.GetClientResult)
createClient := _args[1].(keycloak.GetRoleResult)
return fmt.Sprintf("%v.%v", realmManagement.ClientId, createClient.Name), nil
}).(pulumi.StringOutput),
})
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.Realm;
import com.pulumi.keycloak.RealmArgs;
import com.pulumi.keycloak.ldap.UserFederation;
import com.pulumi.keycloak.ldap.UserFederationArgs;
import com.pulumi.keycloak.openid.OpenidFunctions;
import com.pulumi.keycloak.openid.inputs.GetClientArgs;
import com.pulumi.keycloak.KeycloakFunctions;
import com.pulumi.keycloak.inputs.GetRoleArgs;
import com.pulumi.keycloak.ldap.HardcodedRoleMapper;
import com.pulumi.keycloak.ldap.HardcodedRoleMapperArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var realm = new Realm("realm", RealmArgs.builder()
.realm("my-realm")
.enabled(true)
.build());
var ldapUserFederation = new UserFederation("ldapUserFederation", UserFederationArgs.builder()
.name("openldap")
.realmId(realm.id())
.usernameLdapAttribute("cn")
.rdnLdapAttribute("cn")
.uuidLdapAttribute("entryDN")
.userObjectClasses(
"simpleSecurityObject",
"organizationalRole")
.connectionUrl("ldap://openldap")
.usersDn("dc=example,dc=org")
.bindDn("cn=admin,dc=example,dc=org")
.bindCredential("admin")
.build());
// data sources aren't technically necessary here, but they are helpful for demonstration purposes
final var realmManagement = OpenidFunctions.getClient(GetClientArgs.builder()
.realmId(realm.id())
.clientId("realm-management")
.build());
final var createClient = Output.tuple(realm.id(), realmManagement).applyValue(values -> {
var id = values.t1;
var realmManagement = values.t2;
return KeycloakFunctions.getRole(GetRoleArgs.builder()
.realmId(id)
.clientId(realmManagement.id())
.name("create-client")
.build());
});
var assignAdminRoleToAllUsers = new HardcodedRoleMapper("assignAdminRoleToAllUsers", HardcodedRoleMapperArgs.builder()
.realmId(realm.id())
.ldapUserFederationId(ldapUserFederation.id())
.name("assign-admin-role-to-all-users")
.role(Output.tuple(realmManagement, createClient).applyValue(values -> {
var realmManagement = values.t1;
var createClient = values.t2;
return String.format("%s.%s", realmManagement.clientId(),createClient.name());
}))
.build());
}
}Content copied to clipboard
resources:
realm:
type: keycloak:Realm
properties:
realm: my-realm
enabled: true
ldapUserFederation:
type: keycloak:ldap:UserFederation
name: ldap_user_federation
properties:
name: openldap
realmId: ${realm.id}
usernameLdapAttribute: cn
rdnLdapAttribute: cn
uuidLdapAttribute: entryDN
userObjectClasses:
- simpleSecurityObject
- organizationalRole
connectionUrl: ldap://openldap
usersDn: dc=example,dc=org
bindDn: cn=admin,dc=example,dc=org
bindCredential: admin
assignAdminRoleToAllUsers:
type: keycloak:ldap:HardcodedRoleMapper
name: assign_admin_role_to_all_users
properties:
realmId: ${realm.id}
ldapUserFederationId: ${ldapUserFederation.id}
name: assign-admin-role-to-all-users
role: ${realmManagement.clientId}.${createClient.name}
variables:
# data sources aren't technically necessary here, but they are helpful for demonstration purposes
realmManagement:
fn::invoke:
function: keycloak:openid:getClient
arguments:
realmId: ${realm.id}
clientId: realm-management
createClient:
fn::invoke:
function: keycloak:getRole
arguments:
realmId: ${realm.id}
clientId: ${realmManagement.id}
name: create-clientContent copied to clipboard
Import
LDAP mappers can be imported using the format {{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}. The ID of the LDAP user federation provider and the mapper can be found within the Keycloak GUI, and they are typically GUIDs. Example: bash
$ pulumi import keycloak:ldap/hardcodedRoleMapper:HardcodedRoleMapper assign_admin_role_to_all_users my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67Content copied to clipboard