
Class UserFederation

# keycloak.ldap.UserFederation

Allows for creating and managing LDAP user federation providers within Keycloak.

Keycloak can use an LDAP user federation provider to federate users to Keycloak from a directory system such as LDAP or Active Directory. Federated users will exist within the realm and will be able to log in to clients. Federated users can have their attributes defined using mappers.

Example Usage

using Pulumi;
using Keycloak = Pulumi.Keycloak;

class MyStack : Stack
{
    public MyStack()
    {
        var realm = new Keycloak.Realm("realm", new Keycloak.RealmArgs
        {
            Enabled = true,
            Realm = "test",
        });
        var ldapUserFederation = new Keycloak.Ldap.UserFederation("ldapUserFederation", new Keycloak.Ldap.UserFederationArgs
        {
            // Bind account Keycloak uses to query the directory. A literal password is shown
            // for brevity; outside a test setup pass a secret (Config.RequireSecret) so it is
            // encrypted in state rather than stored in plaintext.
            BindCredential = "admin",
            BindDn = "cn=admin,dc=example,dc=org",
            ConnectionTimeout = "5s",
            // Plain ldap:// sends the bind credential and user passwords unencrypted;
            // use ldaps:// for anything but a local test directory.
            ConnectionUrl = "ldap://openldap",
            Enabled = true,
            RdnLdapAttribute = "cn",
            ReadTimeout = "10s",
            RealmId = realm.Id,
            UserObjectClasses =
            {
                "simpleSecurityObject",
                "organizationalRole",
            },
            UsernameLdapAttribute = "cn",
            UsersDn = "dc=example,dc=org",
            UuidLdapAttribute = "entryDN",
        });
    }
}

Argument Reference

The following arguments are supported:

  • realm_id - (Required) The realm that this provider will provide user federation for.
  • name - (Required) Display name of the provider when displayed in the console.
  • enabled - (Optional) When false, this provider will not be used when performing queries for users. Defaults to true.
  • priority - (Optional) Priority of this provider when looking up users. Lower values are first. Defaults to 0.
  • import_enabled - (Optional) When true, LDAP users will be imported into the Keycloak database. Defaults to true.
  • edit_mode - (Optional) Can be one of READ_ONLY, WRITABLE, or UNSYNCED. READ_ONLY never writes to LDAP; WRITABLE writes changes made in Keycloak back to LDAP (the bind account then needs write access to the users subtree); UNSYNCED allows user data to be imported but not synced back to LDAP. Defaults to READ_ONLY.
  • sync_registrations - (Optional) When true, newly created users will be synced back to LDAP. Defaults to false.
  • vendor - (Optional) Can be one of OTHER, EDIRECTORY, AD, RHDS, or TIVOLI. When selected in the admin console it pre-fills reasonable defaults for other fields; when used through the Keycloak API it does nothing, although the console still treats it as required. Defaults to OTHER.
  • username_ldap_attribute - (Required) Name of the LDAP attribute to use as the Keycloak username.
  • rdn_ldap_attribute - (Required) Name of the LDAP attribute to use as the relative distinguished name.
  • uuid_ldap_attribute - (Required) Name of the LDAP attribute to use as a unique object identifier for objects in LDAP.
  • user_object_classes - (Required) Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one.
  • connection_url - (Required) Connection URL to the LDAP server, e.g. ldaps://ldap.example.org:636. With a plain ldap:// URL the bind credential and every federated user's password cross the network unencrypted, so use ldaps:// outside of local test setups.
  • users_dn - (Required) Full DN of LDAP tree where your users are.
  • bind_dn - (Optional) DN of the LDAP account Keycloak uses to bind to the LDAP server. This attribute must be set if bind_credential is set. Prefer a dedicated service account with read access to the users subtree over a directory administrator.
  • bind_credential - (Optional) Password of the bind account. This attribute must be set if bind_dn is set. The value is recorded in Pulumi state, so supply it as a secret (for example via Config.RequireSecret) rather than as a literal in source.
  • custom_user_search_filter - (Optional) Additional LDAP filter for filtering searched users. Must begin with ( and end with ).
  • search_scope - (Optional) Can be one of ONE_LEVEL or SUBTREE:
      • ONE_LEVEL: Only search for users directly under the DN specified by users_dn.
      • SUBTREE: Search the entire LDAP subtree below users_dn.
  • validate_password_policy - (Optional) When true, Keycloak will validate a new password against the realm password policy before updating it in LDAP. Only takes effect when Keycloak can write passwords to LDAP (edit_mode WRITABLE).
  • use_truststore_spi - (Optional) Can be one of ALWAYS, ONLY_FOR_LDAPS, or NEVER:
      • ALWAYS - Always use the truststore SPI for LDAP connections.
      • NEVER - Never use the truststore SPI for LDAP connections.
      • ONLY_FOR_LDAPS - Only use the truststore SPI if your LDAP connection uses the ldaps protocol.
    With ALWAYS or ONLY_FOR_LDAPS the LDAPS server certificate is validated against the truststore configured through Keycloak's truststore SPI; NEVER bypasses that truststore.
  • connection_timeout - (Optional) LDAP connection timeout in the format of a Go duration string.
  • read_timeout - (Optional) LDAP read timeout in the format of a Go duration string.
  • pagination - (Optional) When true, Keycloak assumes the LDAP server supports pagination. Defaults to true.
  • batch_size_for_sync - (Optional) The number of users to sync within a single transaction. Defaults to 1000.
  • full_sync_period - (Optional) How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync.
  • changed_sync_period - (Optional) How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.
  • cache_policy - (Optional) Can be one of DEFAULT, EVICT_DAILY, EVICT_WEEKLY, MAX_LIFESPAN, or NO_CACHE. Defaults to DEFAULT.
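The arguments above are easiest to read as a complete hardened definition. The following stack is an added example, not code from the original page or from the Pulumi Keycloak provider; it assumes two config keys (ldapUrl and the secret ldapBindPassword), placeholder DNs and filter for a fictitious dc=example,dc=org directory, and two illustrative helpers (RequireLdaps, CheckedFilter) that are not part of the provider. It pairs a TLS-only connection and truststore validation with a read-only, non-admin bind account, a secret-backed bind credential, and periodic sync.

```csharp
using System;
using Pulumi;
using Keycloak = Pulumi.Keycloak;

class HardenedLdapStack : Stack
{
    public HardenedLdapStack()
    {
        var config = new Config();
        // Assumed config keys (not from the original page):
        //   pulumi config set ldapUrl ldaps://ldap.example.org:636
        //   pulumi config set --secret ldapBindPassword '...'
        // RequireSecret keeps the value encrypted in state and masked in CLI output.
        var ldapUrl = RequireLdaps(config.Require("ldapUrl"));
        var bindPassword = config.RequireSecret("ldapBindPassword");

        var realm = new Keycloak.Realm("realm", new Keycloak.RealmArgs
        {
            Enabled = true,
            Realm = "corp",
        });

        var ldap = new Keycloak.Ldap.UserFederation("corp-ldap", new Keycloak.Ldap.UserFederationArgs
        {
            RealmId = realm.Id,
            Name = "corp-ldap",
            Enabled = true,
            Priority = 0,
            Vendor = "OTHER",

            // Transport: TLS from the first byte, server certificate checked via the truststore SPI.
            ConnectionUrl = ldapUrl,
            UseTruststoreSpi = "ALWAYS",
            ConnectionTimeout = "5s",
            ReadTimeout = "10s",

            // Bind account: a dedicated read-only service account (placeholder DN), never a directory admin.
            BindDn = "cn=keycloak-svc,ou=service-accounts,dc=example,dc=org",
            BindCredential = bindPassword,

            // Keycloak never writes to the directory; nothing created in Keycloak flows back.
            EditMode = "READ_ONLY",
            ImportEnabled = true,
            SyncRegistrations = false,

            // Which entries count as users (placeholder DNs, object class and filter).
            UsersDn = "ou=people,dc=example,dc=org",
            SearchScope = "SUBTREE",
            UserObjectClasses = { "inetOrgPerson" },
            UsernameLdapAttribute = "uid",
            RdnLdapAttribute = "uid",
            UuidLdapAttribute = "entryUUID",
            CustomUserSearchFilter = CheckedFilter("(memberOf=cn=keycloak-users,ou=groups,dc=example,dc=org)"),

            // Periodic sync so entries removed from the directory stop resolving in Keycloak.
            Pagination = true,
            BatchSizeForSync = 1000,
            FullSyncPeriod = 86400,   // full sync daily
            ChangedSyncPeriod = 900,  // changed users every 15 minutes
            CachePolicy = "DEFAULT",
        });
    }

    // Illustrative helper: refuse plain ldap:// so a misconfigured stack fails at preview
    // instead of sending the bind password and every user's password in clear.
    public static string RequireLdaps(string url)
    {
        if (!url.StartsWith("ldaps://", StringComparison.OrdinalIgnoreCase))
            throw new ArgumentException($"connection URL must use ldaps://, got '{url}'");
        return url;
    }

    // Illustrative helper: the provider requires the filter to start with '(' and end with ')';
    // also reject unbalanced parentheses, which would otherwise surface only as an LDAP error at sync time.
    public static string CheckedFilter(string filter)
    {
        if (!filter.StartsWith("(") || !filter.EndsWith(")"))
            throw new ArgumentException("custom_user_search_filter must begin with '(' and end with ')'");
        var depth = 0;
        foreach (var c in filter)
        {
            if (c == '(') depth++;
            else if (c == ')' && --depth < 0)
                throw new ArgumentException("custom_user_search_filter has unbalanced parentheses");
        }
        if (depth != 0)
            throw new ArgumentException("custom_user_search_filter has unbalanced parentheses");
        return filter;
    }
}
```

Both helpers run in the stack constructor, so a bad URL or filter aborts `pulumi preview` before any API call reaches Keycloak. The memberOf filter assumes the directory exposes group membership on user entries; substitute whatever attribute your directory populates.
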

Inheritance
System.Object
Resource
CustomResource
UserFederation
Inherited Members
CustomResource.Id
Resource.GetResourceType()
Resource.GetResourceName()
Resource.Urn
System.Object.Equals(System.Object)
System.Object.Equals(System.Object, System.Object)
System.Object.GetHashCode()
System.Object.GetType()
System.Object.MemberwiseClone()
System.Object.ReferenceEquals(System.Object, System.Object)
System.Object.ToString()
Namespace: Pulumi.Keycloak.Ldap
Assembly: Pulumi.Keycloak.dll
Syntax
public class UserFederation : CustomResource

Constructors


UserFederation(String, UserFederationArgs, CustomResourceOptions)

Create a UserFederation resource with the given unique name, arguments, and options.

Declaration
public UserFederation(string name, UserFederationArgs args, CustomResourceOptions options = null)
Parameters

Type                    Name     Description
System.String           name     The unique name of the resource
UserFederationArgs      args     The arguments used to populate this resource's properties
CustomResourceOptions   options  A bag of options that control this resource's behavior

Properties


BatchSizeForSync

The number of users to sync within a single transaction.

Declaration
public Output<int?> BatchSizeForSync { get; }
Property Value
Type Description
Output<System.Nullable<System.Int32>>

BindCredential

Password of LDAP admin.

Declaration
public Output<string> BindCredential { get; }
Property Value
Type Description
Output<System.String>

BindDn

DN of LDAP admin, which will be used by Keycloak to access LDAP server.

Declaration
public Output<string> BindDn { get; }
Property Value
Type Description
Output<System.String>

CachePolicy

Can be one of DEFAULT, EVICT_DAILY, EVICT_WEEKLY, MAX_LIFESPAN, or NO_CACHE. Defaults to DEFAULT.

Declaration
public Output<string> CachePolicy { get; }
Property Value
Type Description
Output<System.String>

ChangedSyncPeriod

How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.

Declaration
public Output<int?> ChangedSyncPeriod { get; }
Property Value
Type Description
Output<System.Nullable<System.Int32>>

ConnectionTimeout

LDAP connection timeout (duration string)

Declaration
public Output<string> ConnectionTimeout { get; }
Property Value
Type Description
Output<System.String>

ConnectionUrl

Connection URL to the LDAP server.

Declaration
public Output<string> ConnectionUrl { get; }
Property Value
Type Description
Output<System.String>

CustomUserSearchFilter

Additional LDAP filter for filtering searched users. Must begin with '(' and end with ')'.

Declaration
public Output<string> CustomUserSearchFilter { get; }
Property Value
Type Description
Output<System.String>

EditMode

READ_ONLY never writes to LDAP. WRITABLE writes changes made in Keycloak back to LDAP. UNSYNCED allows user data to be imported but not synced back to LDAP.

Declaration
public Output<string> EditMode { get; }
Property Value
Type Description
Output<System.String>

Enabled

When false, this provider will not be used when performing queries for users.

Declaration
public Output<bool?> Enabled { get; }
Property Value
Type Description
Output<System.Nullable<System.Boolean>>

FullSyncPeriod

How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync.

Declaration
public Output<int?> FullSyncPeriod { get; }
Property Value
Type Description
Output<System.Nullable<System.Int32>>

ImportEnabled

When true, LDAP users will be imported into the Keycloak database.

Declaration
public Output<bool?> ImportEnabled { get; }
Property Value
Type Description
Output<System.Nullable<System.Boolean>>

Name

Display name of the provider when displayed in the console.

Declaration
public Output<string> Name { get; }
Property Value
Type Description
Output<System.String>

Pagination

When true, Keycloak assumes the LDAP server supports pagination.

Declaration
public Output<bool?> Pagination { get; }
Property Value
Type Description
Output<System.Nullable<System.Boolean>>

Priority

Priority of this provider when looking up users. Lower values are first.

Declaration
public Output<int?> Priority { get; }
Property Value
Type Description
Output<System.Nullable<System.Int32>>

RdnLdapAttribute

Name of the LDAP attribute to use as the relative distinguished name.

Declaration
public Output<string> RdnLdapAttribute { get; }
Property Value
Type Description
Output<System.String>

ReadTimeout

LDAP read timeout (duration string)

Declaration
public Output<string> ReadTimeout { get; }
Property Value
Type Description
Output<System.String>

RealmId

The realm this provider will provide user federation for.

Declaration
public Output<string> RealmId { get; }
Property Value
Type Description
Output<System.String>

SearchScope

ONE_LEVEL: only search for users directly under the DN specified by users_dn. SUBTREE: search the entire LDAP subtree below users_dn.

Declaration
public Output<string> SearchScope { get; }
Property Value
Type Description
Output<System.String>

SyncRegistrations

When true, newly created users will be synced back to LDAP.

Declaration
public Output<bool?> SyncRegistrations { get; }
Property Value
Type Description
Output<System.Nullable<System.Boolean>>

UsernameLdapAttribute

Name of the LDAP attribute to use as the Keycloak username.

Declaration
public Output<string> UsernameLdapAttribute { get; }
Property Value
Type Description
Output<System.String>

UserObjectClasses

All values of LDAP objectClass attribute for users in LDAP.

Declaration
public Output<ImmutableArray<string>> UserObjectClasses { get; }
Property Value
Type Description
Output<System.Collections.Immutable.ImmutableArray<System.String>>

UsersDn

Full DN of LDAP tree where your users are.

Declaration
public Output<string> UsersDn { get; }
Property Value
Type Description
Output<System.String>

UseTruststoreSpi

Can be one of ALWAYS, ONLY_FOR_LDAPS, or NEVER. ALWAYS and ONLY_FOR_LDAPS validate the LDAPS server certificate against the truststore configured through Keycloak's truststore SPI; NEVER bypasses that truststore.

Declaration
public Output<string> UseTruststoreSpi { get; }
Property Value
Type Description
Output<System.String>

UuidLdapAttribute

Name of the LDAP attribute to use as a unique object identifier for objects in LDAP.

Declaration
public Output<string> UuidLdapAttribute { get; }
Property Value
Type Description
Output<System.String>

ValidatePasswordPolicy

When true, Keycloak will validate a new password against the realm password policy before updating it in LDAP.

Declaration
public Output<bool?> ValidatePasswordPolicy { get; }
Property Value
Type Description
Output<System.Nullable<System.Boolean>>

Vendor

LDAP vendor. I am almost certain this field does nothing, but the UI indicates that it is required.

Declaration
public Output<string> Vendor { get; }
Property Value
Type Description
Output<System.String>

Methods


Get(String, Input<String>, UserFederationState, CustomResourceOptions)

Get an existing UserFederation resource's state with the given name, ID, and optional extra properties used to qualify the lookup.

Declaration
public static UserFederation Get(string name, Input<string> id, UserFederationState state = null, CustomResourceOptions options = null)
Parameters

Type                    Name     Description
System.String           name     The unique name of the resulting resource.
Input<System.String>    id       The unique provider ID of the resource to lookup.
UserFederationState     state    Any extra arguments used during the lookup.
CustomResourceOptions   options  A bag of options that control this resource's behavior

Returns
Type Description
UserFederation
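Get is the right entry point for auditing a federation provider that was created outside the program (for example by hand in the admin console and then adopted with `pulumi import`). The stack below is an added example, not code from the original page or from the provider; it assumes a config key ldapFederationId holding the provider's resource ID as the Pulumi provider records it, and it reads the adopted resource's outputs without creating or changing anything. The Audit function is a pure policy check over the resolved ConnectionUrl, UseTruststoreSpi and EditMode values, so it can be unit-tested without a Pulumi engine; a violation throws inside Apply, which fails the update.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.Immutable;
using Pulumi;
using Keycloak = Pulumi.Keycloak;

class AuditLdapStack : Stack
{
    public AuditLdapStack()
    {
        var config = new Config();
        // Assumed config key (not from the original page) holding the resource ID of a
        // provider created outside this program, e.g. as recorded by `pulumi import`.
        var federationId = config.Require("ldapFederationId");

        // Get() reads the existing provider's state; it neither creates nor updates it.
        var existing = Keycloak.Ldap.UserFederation.Get("existing-ldap", federationId);

        // Outputs resolve asynchronously: combine the three settings we care about and audit them together.
        Status = Output.Tuple(existing.ConnectionUrl, existing.UseTruststoreSpi, existing.EditMode)
            .Apply(t =>
            {
                var findings = Audit(t.Item1, t.Item2, t.Item3);
                if (findings.Length > 0)
                    throw new InvalidOperationException(
                        "LDAP federation policy violations: " + string.Join("; ", findings));
                return "ok";
            });
    }

    [Output("status")]
    public Output<string> Status { get; set; }

    // Pure policy check. Values may be null when the adopted resource never set them.
    public static ImmutableArray<string> Audit(string? connectionUrl, string? useTruststoreSpi, string? editMode)
    {
        var findings = new List<string>();
        var url = connectionUrl ?? "";

        if (!url.StartsWith("ldaps://", StringComparison.OrdinalIgnoreCase))
            findings.Add($"connection_url '{url}' is not ldaps://; the bind credential and user passwords cross the network in clear");

        // ALWAYS and ONLY_FOR_LDAPS validate the server certificate through the truststore SPI; NEVER does not.
        if (useTruststoreSpi == "NEVER")
            findings.Add("use_truststore_spi is NEVER; the LDAPS server certificate is not validated through the truststore SPI");

        // WRITABLE lets anyone who controls Keycloak modify directory entries through the bind account.
        if (editMode == "WRITABLE")
            findings.Add("edit_mode is WRITABLE; prefer READ_ONLY unless Keycloak must write to the directory");

        return findings.ToImmutableArray();
    }
}
```

Because the check lives in Apply, it runs on every `pulumi up` and `pulumi preview`, so a later out-of-band change in the admin console that downgrades the connection to ldap:// or turns off truststore validation is caught the next time the stack is deployed.
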
Copyright 2016-2020, Pulumi Corporation.