Namespace Pulumi.Keycloak.Ldap

Classes

# keycloak.ldap.FullNameMapper

Allows for creating and managing full name mappers for Keycloak users federated via LDAP.

The LDAP full name mapper can map a user's full name from an LDAP attribute to the first and last name attributes of a Keycloak user.

Example Usage

using Pulumi;
using Keycloak = Pulumi.Keycloak;

class MyStack : Stack
{
public MyStack()
{
    var realm = new Keycloak.Realm(&quot;realm&quot;, new Keycloak.RealmArgs
    {
        Enabled = true,
        Realm = &quot;test&quot;,
    });
    var ldapUserFederation = new Keycloak.Ldap.UserFederation(&quot;ldapUserFederation&quot;, new Keycloak.Ldap.UserFederationArgs
    {
        BindCredential = &quot;admin&quot;,
        BindDn = &quot;cn=admin,dc=example,dc=org&quot;,
        ConnectionUrl = &quot;ldap://openldap&quot;,
        RdnLdapAttribute = &quot;cn&quot;,
        RealmId = realm.Id,
        UserObjectClasses = 
        {
            &quot;simpleSecurityObject&quot;,
            &quot;organizationalRole&quot;,
        },
        UsernameLdapAttribute = &quot;cn&quot;,
        UsersDn = &quot;dc=example,dc=org&quot;,
        UuidLdapAttribute = &quot;entryDN&quot;,
    });
    var ldapFullNameMapper = new Keycloak.Ldap.FullNameMapper(&quot;ldapFullNameMapper&quot;, new Keycloak.Ldap.FullNameMapperArgs
    {
        LdapFullNameAttribute = &quot;cn&quot;,
        LdapUserFederationId = ldapUserFederation.Id,
        RealmId = realm.Id,
    });
}

}

Argument Reference

The following arguments are supported:

realm_id - (Required) The realm that this LDAP mapper will exist in.
ldap_user_federation_id - (Required) The ID of the LDAP user federation provider to attach this mapper to.
name - (Required) Display name of this mapper when displayed in the console.
ldap_full_name_attribute - (Required) The name of the LDAP attribute containing the user's full name.
read_only - (Optional) When true, updates to a user within Keycloak will not be written back to LDAP. Defaults to false.
write_only - (Optional) When true, this mapper will only be used to write updates to LDAP. Defaults to false.

# keycloak.ldap.GroupMapper

Allows for creating and managing group mappers for Keycloak users federated via LDAP.

The LDAP group mapper can be used to map an LDAP user's groups from some DN to Keycloak groups. This group mapper will also create the groups within Keycloak if they do not already exist.

Example Usage

using Pulumi;
using Keycloak = Pulumi.Keycloak;

class MyStack : Stack
{
public MyStack()
{
    var realm = new Keycloak.Realm(&quot;realm&quot;, new Keycloak.RealmArgs
    {
        Enabled = true,
        Realm = &quot;test&quot;,
    });
    var ldapUserFederation = new Keycloak.Ldap.UserFederation(&quot;ldapUserFederation&quot;, new Keycloak.Ldap.UserFederationArgs
    {
        BindCredential = &quot;admin&quot;,
        BindDn = &quot;cn=admin,dc=example,dc=org&quot;,
        ConnectionUrl = &quot;ldap://openldap&quot;,
        RdnLdapAttribute = &quot;cn&quot;,
        RealmId = realm.Id,
        UserObjectClasses = 
        {
            &quot;simpleSecurityObject&quot;,
            &quot;organizationalRole&quot;,
        },
        UsernameLdapAttribute = &quot;cn&quot;,
        UsersDn = &quot;dc=example,dc=org&quot;,
        UuidLdapAttribute = &quot;entryDN&quot;,
    });
    var ldapGroupMapper = new Keycloak.Ldap.GroupMapper(&quot;ldapGroupMapper&quot;, new Keycloak.Ldap.GroupMapperArgs
    {
        GroupNameLdapAttribute = &quot;cn&quot;,
        GroupObjectClasses = 
        {
            &quot;groupOfNames&quot;,
        },
        LdapGroupsDn = &quot;dc=example,dc=org&quot;,
        LdapUserFederationId = ldapUserFederation.Id,
        MemberofLdapAttribute = &quot;memberOf&quot;,
        MembershipAttributeType = &quot;DN&quot;,
        MembershipLdapAttribute = &quot;member&quot;,
        MembershipUserLdapAttribute = &quot;cn&quot;,
        RealmId = realm.Id,
    });
}

}

Argument Reference

The following arguments are supported:

realm_id - (Required) The realm that this LDAP mapper will exist in.
ldap_user_federation_id - (Required) The ID of the LDAP user federation provider to attach this mapper to.
name - (Required) Display name of this mapper when displayed in the console.
ldap_groups_dn - (Required) The LDAP DN where groups can be found.
group_name_ldap_attribute - (Required) The name of the LDAP attribute that is used in group objects for the name and RDN of the group. Typically cn.
group_object_classes - (Required) Array of strings representing the object classes for the group. Must contain at least one.
preserve_group_inheritance - (Optional) When true, group inheritance will be propagated from LDAP to Keycloak. When false, all LDAP groups will be propagated as top level groups within Keycloak.
ignore_missing_groups - (Optional) When true, missing groups in the hierarchy will be ignored.
membership_ldap_attribute - (Required) The name of the LDAP attribute that is used for membership mappings.
membership_attribute_type - (Optional) Can be one of DN or UID. Defaults to DN.
membership_user_ldap_attribute - (Required) The name of the LDAP attribute on a user that is used for membership mappings.
groups_ldap_filter - (Optional) When specified, adds an additional custom filter to be used when querying for groups. Must start with ( and end with ).
mode - (Optional) Can be one of READ_ONLY or LDAP_ONLY. Defaults to READ_ONLY.
user_roles_retrieve_strategy - (Optional) Can be one of LOAD_GROUPS_BY_MEMBER_ATTRIBUTE, GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE, or LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY. Defaults to LOAD_GROUPS_BY_MEMBER_ATTRIBUTE.
memberof_ldap_attribute - (Optional) Specifies the name of the LDAP attribute on the LDAP user that contains the groups the user is a member of. Defaults to memberOf.
mapped_group_attributes - (Optional) Array of strings representing attributes on the LDAP group which will be mapped to attributes on the Keycloak group.
drop_non_existing_groups_during_sync - (Optional) When true, groups that no longer exist within LDAP will be dropped in Keycloak during sync. Defaults to false.

# keycloak.ldap.HardcodedRoleMapper

This mapper will grant a specified Keycloak role to each Keycloak user linked with LDAP.

Example Usage

using Pulumi;
using Keycloak = Pulumi.Keycloak;

class MyStack : Stack
{
public MyStack()
{
    var realm = new Keycloak.Realm(&quot;realm&quot;, new Keycloak.RealmArgs
    {
        Realm = &quot;test&quot;,
        Enabled = true,
    });
    var ldapUserFederation = new Keycloak.Ldap.UserFederation(&quot;ldapUserFederation&quot;, new Keycloak.Ldap.UserFederationArgs
    {
        RealmId = realm.Id,
        UsernameLdapAttribute = &quot;cn&quot;,
        RdnLdapAttribute = &quot;cn&quot;,
        UuidLdapAttribute = &quot;entryDN&quot;,
        UserObjectClasses = 
        {
            &quot;simpleSecurityObject&quot;,
            &quot;organizationalRole&quot;,
        },
        ConnectionUrl = &quot;ldap://openldap&quot;,
        UsersDn = &quot;dc=example,dc=org&quot;,
        BindDn = &quot;cn=admin,dc=example,dc=org&quot;,
        BindCredential = &quot;admin&quot;,
    });
    var assignAdminRoleToAllUsers = new Keycloak.Ldap.HardcodedRoleMapper(&quot;assignAdminRoleToAllUsers&quot;, new Keycloak.Ldap.HardcodedRoleMapperArgs
    {
        RealmId = realm.Id,
        LdapUserFederationId = ldapUserFederation.Id,
        Role = &quot;admin&quot;,
    });
}

}

Argument Reference

The following arguments are supported:

realm_id - (Required) The realm that this LDAP mapper will exist in.
ldap_user_federation_id - (Required) The ID of the LDAP user federation provider to attach this mapper to.
name - (Required) Display name of this mapper when displayed in the console.
role - (Required) The role which should be assigned to the users.

MsadLdsUserAccountControlMapper

MsadLdsUserAccountControlMapperArgs

MsadLdsUserAccountControlMapperState

# keycloak.ldap.MsadUserAccountControlMapper

Allows for creating and managing MSAD user account control mappers for Keycloak users federated via LDAP.

The MSAD (Microsoft Active Directory) user account control mapper is specific to LDAP user federation providers that are pulling from AD, and it can propagate AD user state to Keycloak in order to enforce settings like expired passwords or disabled accounts.

Example Usage

using Pulumi;
using Keycloak = Pulumi.Keycloak;

class MyStack : Stack
{
public MyStack()
{
    var realm = new Keycloak.Realm(&quot;realm&quot;, new Keycloak.RealmArgs
    {
        Enabled = true,
        Realm = &quot;test&quot;,
    });
    var ldapUserFederation = new Keycloak.Ldap.UserFederation(&quot;ldapUserFederation&quot;, new Keycloak.Ldap.UserFederationArgs
    {
        BindCredential = &quot;admin&quot;,
        BindDn = &quot;cn=admin,dc=example,dc=org&quot;,
        ConnectionUrl = &quot;ldap://my-ad-server&quot;,
        RdnLdapAttribute = &quot;cn&quot;,
        RealmId = realm.Id,
        UserObjectClasses = 
        {
            &quot;person&quot;,
            &quot;organizationalPerson&quot;,
            &quot;user&quot;,
        },
        UsernameLdapAttribute = &quot;cn&quot;,
        UsersDn = &quot;dc=example,dc=org&quot;,
        UuidLdapAttribute = &quot;objectGUID&quot;,
    });
    var msadUserAccountControlMapper = new Keycloak.Ldap.MsadUserAccountControlMapper(&quot;msadUserAccountControlMapper&quot;, new Keycloak.Ldap.MsadUserAccountControlMapperArgs
    {
        LdapUserFederationId = ldapUserFederation.Id,
        RealmId = realm.Id,
    });
}

}

Argument Reference

The following arguments are supported:

realm_id - (Required) The realm that this LDAP mapper will exist in.
ldap_user_federation_id - (Required) The ID of the LDAP user federation provider to attach this mapper to.
name - (Required) Display name of this mapper when displayed in the console.
ldap_password_policy_hints_enabled - (Optional) When true, advanced password policies, such as password hints and previous password history will be used when writing new passwords to AD. Defaults to false.

MsadUserAccountControlMapperArgs

MsadUserAccountControlMapperState

RoleMapper

RoleMapperArgs

RoleMapperState

UserAttributeMapper

# keycloak.ldap.UserAttributeMapper

Allows for creating and managing user attribute mappers for Keycloak users federated via LDAP.

The LDAP user attribute mapper can be used to map a single LDAP attribute to an attribute on the Keycloak user model.

Example Usage

using Pulumi;
using Keycloak = Pulumi.Keycloak;

class MyStack : Stack
{
public MyStack()
{
    var realm = new Keycloak.Realm(&quot;realm&quot;, new Keycloak.RealmArgs
    {
        Enabled = true,
        Realm = &quot;test&quot;,
    });
    var ldapUserFederation = new Keycloak.Ldap.UserFederation(&quot;ldapUserFederation&quot;, new Keycloak.Ldap.UserFederationArgs
    {
        BindCredential = &quot;admin&quot;,
        BindDn = &quot;cn=admin,dc=example,dc=org&quot;,
        ConnectionUrl = &quot;ldap://openldap&quot;,
        RdnLdapAttribute = &quot;cn&quot;,
        RealmId = realm.Id,
        UserObjectClasses = 
        {
            &quot;simpleSecurityObject&quot;,
            &quot;organizationalRole&quot;,
        },
        UsernameLdapAttribute = &quot;cn&quot;,
        UsersDn = &quot;dc=example,dc=org&quot;,
        UuidLdapAttribute = &quot;entryDN&quot;,
    });
    var ldapUserAttributeMapper = new Keycloak.Ldap.UserAttributeMapper(&quot;ldapUserAttributeMapper&quot;, new Keycloak.Ldap.UserAttributeMapperArgs
    {
        LdapAttribute = &quot;bar&quot;,
        LdapUserFederationId = ldapUserFederation.Id,
        RealmId = realm.Id,
        UserModelAttribute = &quot;foo&quot;,
    });
}

}

Argument Reference

The following arguments are supported:

realm_id - (Required) The realm that this LDAP mapper will exist in.
ldap_user_federation_id - (Required) The ID of the LDAP user federation provider to attach this mapper to.
name - (Required) Display name of this mapper when displayed in the console.
user_model_attribute - (Required) Name of the user property or attribute you want to map the LDAP attribute into.
ldap_attribute - (Required) Name of the mapped attribute on the LDAP object.
read_only - (Optional) When true, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak. Defaults to false.
always_read_value_from_ldap - (Optional) When true, the value fetched from LDAP will override the value stored in Keycloak. Defaults to false.
is_mandatory_in_ldap - (Optional) When true, this attribute must exist in LDAP. Defaults to false.

UserAttributeMapperArgs

UserAttributeMapperState

UserFederation

# keycloak.ldap.UserFederation

Allows for creating and managing LDAP user federation providers within Keycloak.

Keycloak can use an LDAP user federation provider to federate users to Keycloak from a directory system such as LDAP or Active Directory. Federated users will exist within the realm and will be able to log in to clients. Federated users can have their attributes defined using mappers.

Example Usage

using Pulumi;
using Keycloak = Pulumi.Keycloak;

class MyStack : Stack
{
public MyStack()
{
    var realm = new Keycloak.Realm(&quot;realm&quot;, new Keycloak.RealmArgs
    {
        Enabled = true,
        Realm = &quot;test&quot;,
    });
    var ldapUserFederation = new Keycloak.Ldap.UserFederation(&quot;ldapUserFederation&quot;, new Keycloak.Ldap.UserFederationArgs
    {
        BindCredential = &quot;admin&quot;,
        BindDn = &quot;cn=admin,dc=example,dc=org&quot;,
        ConnectionTimeout = &quot;5s&quot;,
        ConnectionUrl = &quot;ldap://openldap&quot;,
        Enabled = true,
        RdnLdapAttribute = &quot;cn&quot;,
        ReadTimeout = &quot;10s&quot;,
        RealmId = realm.Id,
        UserObjectClasses = 
        {
            &quot;simpleSecurityObject&quot;,
            &quot;organizationalRole&quot;,
        },
        UsernameLdapAttribute = &quot;cn&quot;,
        UsersDn = &quot;dc=example,dc=org&quot;,
        UuidLdapAttribute = &quot;entryDN&quot;,
    });
}

}

Argument Reference

The following arguments are supported:

realm_id - (Required) The realm that this provider will provide user federation for.
name - (Required) Display name of the provider when displayed in the console.
enabled - (Optional) When false, this provider will not be used when performing queries for users. Defaults to true.
priority - (Optional) Priority of this provider when looking up users. Lower values are first. Defaults to 0.
import_enabled - (Optional) When true, LDAP users will be imported into the Keycloak database. Defaults to true.
edit_mode - (Optional) Can be one of READ_ONLY, WRITABLE, or UNSYNCED. UNSYNCED allows user data to be imported but not synced back to LDAP. Defaults to READ_ONLY.
sync_registrations - (Optional) When true, newly created users will be synced back to LDAP. Defaults to false.
vendor - (Optional) Can be one of OTHER, EDIRECTORY, AD, RHDS, or TIVOLI. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to OPTIONAL.
username_ldap_attribute - (Required) Name of the LDAP attribute to use as the Keycloak username.
rdn_ldap_attribute - (Required) Name of the LDAP attribute to use as the relative distinguished name.
uuid_ldap_attribute - (Required) Name of the LDAP attribute to use as a unique object identifier for objects in LDAP.
user_object_classes - (Required) Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one.
connection_url - (Required) Connection URL to the LDAP server.
users_dn - (Required) Full DN of LDAP tree where your users are.
bind_dn - (Optional) DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if bind_credential is set.
bind_credential - (Optional) Password of LDAP admin. This attribute must be set if bind_dn is set.
custom_user_search_filter - (Optional) Additional LDAP filter for filtering searched users. Must begin with ( and end with ).
search_scope - (Optional) Can be one of ONE_LEVEL or SUBTREE:
ONE_LEVEL: Only search for users in the DN specified by user_dn.
SUBTREE: Search entire LDAP subtree.
validate_password_policy - (Optional) When true, Keycloak will validate passwords using the realm policy before updating it.
use_truststore_spi - (Optional) Can be one of ALWAYS, ONLY_FOR_LDAPS, or NEVER:
ALWAYS - Always use the truststore SPI for LDAP connections.
NEVER - Never use the truststore SPI for LDAP connections.
ONLY_FOR_LDAPS - Only use the truststore SPI if your LDAP connection uses the ldaps protocol.
connection_timeout - (Optional) LDAP connection timeout in the format of a Go duration string.
read_timeout - (Optional) LDAP read timeout in the format of a Go duration string.
pagination - (Optional) When true, Keycloak assumes the LDAP server supports pagination. Defaults to true.
batch_size_for_sync - (Optional) The number of users to sync within a single transaction. Defaults to 1000.
full_sync_period - (Optional) How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync.
changed_sync_period - (Optional) How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.
cache_policy - (Optional) Can be one of DEFAULT, EVICT_DAILY, EVICT_WEEKLY, MAX_LIFESPAN, or NO_CACHE. Defaults to DEFAULT.