UserFederation

# keycloak.ldap.UserFederation

Allows for creating and managing LDAP user federation providers within Keycloak.

Keycloak can use an LDAP user federation provider to federate users to Keycloak from a directory system such as LDAP or Active Directory. Federated users will exist within the realm and will be able to log in to clients. Federated users can have their attributes defined using mappers.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";

const realm = new keycloak.Realm("realm", {
    enabled: true,
    realm: "test",
});
const ldapUserFederation = new keycloak.ldap.UserFederation("ldap_user_federation", {
    bindCredential: "admin",
    bindDn: "cn=admin,dc=example,dc=org",
    connectionTimeout: "5s",
    connectionUrl: "ldap://openldap",
    enabled: true,
    rdnLdapAttribute: "cn",
    readTimeout: "10s",
    realmId: realm.id,
    userObjectClasses: [
        "simpleSecurityObject",
        "organizationalRole",
    ],
    usernameLdapAttribute: "cn",
    usersDn: "dc=example,dc=org",
    uuidLdapAttribute: "entryDN",
});

import pulumi
import pulumi_keycloak as keycloak

realm = keycloak.Realm("realm",
    enabled=True,
    realm="test")
ldap_user_federation = keycloak.ldap.UserFederation("ldapUserFederation",
    bind_credential="admin",
    bind_dn="cn=admin,dc=example,dc=org",
    connection_timeout="5s",
    connection_url="ldap://openldap",
    enabled=True,
    rdn_ldap_attribute="cn",
    read_timeout="10s",
    realm_id=realm.id,
    user_object_classes=[
        "simpleSecurityObject",
        "organizationalRole",
    ],
    username_ldap_attribute="cn",
    users_dn="dc=example,dc=org",
    uuid_ldap_attribute="entryDN")

using Pulumi;
using Keycloak = Pulumi.Keycloak;

class MyStack : Stack
{
    public MyStack()
    {
        var realm = new Keycloak.Realm("realm", new Keycloak.RealmArgs
        {
            Enabled = true,
            Realm = "test",
        });
        var ldapUserFederation = new Keycloak.Ldap.UserFederation("ldapUserFederation", new Keycloak.Ldap.UserFederationArgs
        {
            BindCredential = "admin",
            BindDn = "cn=admin,dc=example,dc=org",
            ConnectionTimeout = "5s",
            ConnectionUrl = "ldap://openldap",
            Enabled = true,
            RdnLdapAttribute = "cn",
            ReadTimeout = "10s",
            RealmId = realm.Id,
            UserObjectClasses = 
            {
                "simpleSecurityObject",
                "organizationalRole",
            },
            UsernameLdapAttribute = "cn",
            UsersDn = "dc=example,dc=org",
            UuidLdapAttribute = "entryDN",
        });
    }

}

Argument Reference

The following arguments are supported:

realm_id - (Required) The realm that this provider will provide user federation for.
name - (Required) Display name of the provider when displayed in the console.
enabled - (Optional) When false, this provider will not be used when performing queries for users. Defaults to true.
priority - (Optional) Priority of this provider when looking up users. Lower values are first. Defaults to 0.
import_enabled - (Optional) When true, LDAP users will be imported into the Keycloak database. Defaults to true.
edit_mode - (Optional) Can be one of READ_ONLY, WRITABLE, or UNSYNCED. UNSYNCED allows user data to be imported but not synced back to LDAP. Defaults to READ_ONLY.
sync_registrations - (Optional) When true, newly created users will be synced back to LDAP. Defaults to false.
vendor - (Optional) Can be one of OTHER, EDIRECTORY, AD, RHDS, or TIVOLI. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to OPTIONAL.
username_ldap_attribute - (Required) Name of the LDAP attribute to use as the Keycloak username.
rdn_ldap_attribute - (Required) Name of the LDAP attribute to use as the relative distinguished name.
uuid_ldap_attribute - (Required) Name of the LDAP attribute to use as a unique object identifier for objects in LDAP.
user_object_classes - (Required) Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one.
connection_url - (Required) Connection URL to the LDAP server.
users_dn - (Required) Full DN of LDAP tree where your users are.
bind_dn - (Optional) DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if bind_credential is set.
bind_credential - (Optional) Password of LDAP admin. This attribute must be set if bind_dn is set.
custom_user_search_filter - (Optional) Additional LDAP filter for filtering searched users. Must begin with ( and end with ).
search_scope - (Optional) Can be one of ONE_LEVEL or SUBTREE:
- ONE_LEVEL: Only search for users in the DN specified by user_dn.
- SUBTREE: Search entire LDAP subtree.
validate_password_policy - (Optional) When true, Keycloak will validate passwords using the realm policy before updating it.
use_truststore_spi - (Optional) Can be one of ALWAYS, ONLY_FOR_LDAPS, or NEVER:
- ALWAYS - Always use the truststore SPI for LDAP connections.
- NEVER - Never use the truststore SPI for LDAP connections.
- ONLY_FOR_LDAPS - Only use the truststore SPI if your LDAP connection uses the ldaps protocol.
connection_timeout - (Optional) LDAP connection timeout in the format of a Go duration string.
read_timeout - (Optional) LDAP read timeout in the format of a Go duration string.
pagination - (Optional) When true, Keycloak assumes the LDAP server supports pagination. Defaults to true.
batch_size_for_sync - (Optional) The number of users to sync within a single transaction. Defaults to 1000.
full_sync_period - (Optional) How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync.
changed_sync_period - (Optional) How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.
cache_policy - (Optional) Can be one of DEFAULT, EVICT_DAILY, EVICT_WEEKLY, MAX_LIFESPAN, or NO_CACHE. Defaults to DEFAULT.

Create a UserFederation Resource

new UserFederation(name: string, args: UserFederationArgs, opts?: CustomResourceOptions);

def UserFederation(resource_name, opts=None, batch_size_for_sync=None, bind_credential=None, bind_dn=None, cache_policy=None, changed_sync_period=None, connection_timeout=None, connection_url=None, custom_user_search_filter=None, edit_mode=None, enabled=None, full_sync_period=None, import_enabled=None, kerberos=None, name=None, pagination=None, priority=None, rdn_ldap_attribute=None, read_timeout=None, realm_id=None, search_scope=None, sync_registrations=None, use_truststore_spi=None, user_object_classes=None, username_ldap_attribute=None, users_dn=None, uuid_ldap_attribute=None, validate_password_policy=None, vendor=None, __props__=None);

func NewUserFederation(ctx *Context, name string, args UserFederationArgs, opts ...ResourceOption) (*UserFederation, error)

public UserFederation(string name, UserFederationArgs args, CustomResourceOptions? opts = null)

name string: The unique name of the resource.
args UserFederationArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
opts ResourceOptions: A bag of options that control this resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args UserFederationArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args UserFederationArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

UserFederation Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Programming Model docs.

Inputs

The UserFederation resource accepts the following input properties:

ConnectionUrl string: Connection URL to the LDAP server.
RdnLdapAttribute string: Name of the LDAP attribute to use as the relative distinguished name.
RealmId string: The realm this provider will provide user federation for.
UserObjectClasses List<string>: All values of LDAP objectClass attribute for users in LDAP.
UsernameLdapAttribute string: Name of the LDAP attribute to use as the Keycloak username.
UsersDn string: Full DN of LDAP tree where your users are.
UuidLdapAttribute string: Name of the LDAP attribute to use as a unique object identifier for objects in LDAP.
BatchSizeForSync int: The number of users to sync within a single transaction.
BindCredential string: Password of LDAP admin.
BindDn string: DN of LDAP admin, which will be used by Keycloak to access LDAP server.
CachePolicy string
ChangedSyncPeriod int: How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.
ConnectionTimeout string: LDAP connection timeout (duration string)
CustomUserSearchFilter string: Additional LDAP filter for filtering searched users. Must begin with ‘(’ and end with ‘)’.
EditMode string: READ_ONLY and WRITABLE are self-explanatory. UNSYNCED allows user data to be imported but not synced back to LDAP.
Enabled bool: When false, this provider will not be used when performing queries for users.
FullSyncPeriod int: How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync.
ImportEnabled bool: When true, LDAP users will be imported into the Keycloak database.
Kerberos UserFederationKerberosArgs: Settings regarding kerberos authentication for this realm.
Name string: Display name of the provider when displayed in the console.
Pagination bool: When true, Keycloak assumes the LDAP server supports pagination.
Priority int: Priority of this provider when looking up users. Lower values are first.
ReadTimeout string: LDAP read timeout (duration string)
SearchScope string: ONE_LEVEL: only search for users in the DN specified by user_dn. SUBTREE: search entire LDAP subtree.
SyncRegistrations bool: When true, newly created users will be synced back to LDAP.
UseTruststoreSpi string
ValidatePasswordPolicy bool: When true, Keycloak will validate passwords using the realm policy before updating it.
Vendor string: LDAP vendor. I am almost certain this field does nothing, but the UI indicates that it is required.

ConnectionUrl string: Connection URL to the LDAP server.
RdnLdapAttribute string: Name of the LDAP attribute to use as the relative distinguished name.
RealmId string: The realm this provider will provide user federation for.
UserObjectClasses []string: All values of LDAP objectClass attribute for users in LDAP.
UsernameLdapAttribute string: Name of the LDAP attribute to use as the Keycloak username.
UsersDn string: Full DN of LDAP tree where your users are.
UuidLdapAttribute string: Name of the LDAP attribute to use as a unique object identifier for objects in LDAP.
BatchSizeForSync int: The number of users to sync within a single transaction.
BindCredential string: Password of LDAP admin.
BindDn string: DN of LDAP admin, which will be used by Keycloak to access LDAP server.
CachePolicy string
ChangedSyncPeriod int: How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.
ConnectionTimeout string: LDAP connection timeout (duration string)
CustomUserSearchFilter string: Additional LDAP filter for filtering searched users. Must begin with ‘(’ and end with ‘)’.
EditMode string: READ_ONLY and WRITABLE are self-explanatory. UNSYNCED allows user data to be imported but not synced back to LDAP.
Enabled bool: When false, this provider will not be used when performing queries for users.
FullSyncPeriod int: How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync.
ImportEnabled bool: When true, LDAP users will be imported into the Keycloak database.
Kerberos UserFederationKerberos: Settings regarding kerberos authentication for this realm.
Name string: Display name of the provider when displayed in the console.
Pagination bool: When true, Keycloak assumes the LDAP server supports pagination.
Priority int: Priority of this provider when looking up users. Lower values are first.
ReadTimeout string: LDAP read timeout (duration string)
SearchScope string: ONE_LEVEL: only search for users in the DN specified by user_dn. SUBTREE: search entire LDAP subtree.
SyncRegistrations bool: When true, newly created users will be synced back to LDAP.
UseTruststoreSpi string
ValidatePasswordPolicy bool: When true, Keycloak will validate passwords using the realm policy before updating it.
Vendor string: LDAP vendor. I am almost certain this field does nothing, but the UI indicates that it is required.

connectionUrl string: Connection URL to the LDAP server.
rdnLdapAttribute string: Name of the LDAP attribute to use as the relative distinguished name.
realmId string: The realm this provider will provide user federation for.
userObjectClasses string[]: All values of LDAP objectClass attribute for users in LDAP.
usernameLdapAttribute string: Name of the LDAP attribute to use as the Keycloak username.
usersDn string: Full DN of LDAP tree where your users are.
uuidLdapAttribute string: Name of the LDAP attribute to use as a unique object identifier for objects in LDAP.
batchSizeForSync number: The number of users to sync within a single transaction.
bindCredential string: Password of LDAP admin.
bindDn string: DN of LDAP admin, which will be used by Keycloak to access LDAP server.
cachePolicy string
changedSyncPeriod number: How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.
connectionTimeout string: LDAP connection timeout (duration string)
customUserSearchFilter string: Additional LDAP filter for filtering searched users. Must begin with ‘(’ and end with ‘)’.
editMode string: READ_ONLY and WRITABLE are self-explanatory. UNSYNCED allows user data to be imported but not synced back to LDAP.
enabled boolean: When false, this provider will not be used when performing queries for users.
fullSyncPeriod number: How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync.
importEnabled boolean: When true, LDAP users will be imported into the Keycloak database.
kerberos UserFederationKerberos: Settings regarding kerberos authentication for this realm.
name string: Display name of the provider when displayed in the console.
pagination boolean: When true, Keycloak assumes the LDAP server supports pagination.
priority number: Priority of this provider when looking up users. Lower values are first.
readTimeout string: LDAP read timeout (duration string)
searchScope string: ONE_LEVEL: only search for users in the DN specified by user_dn. SUBTREE: search entire LDAP subtree.
syncRegistrations boolean: When true, newly created users will be synced back to LDAP.
useTruststoreSpi string
validatePasswordPolicy boolean: When true, Keycloak will validate passwords using the realm policy before updating it.
vendor string: LDAP vendor. I am almost certain this field does nothing, but the UI indicates that it is required.

connection_url str: Connection URL to the LDAP server.
rdn_ldap_attribute str: Name of the LDAP attribute to use as the relative distinguished name.
realm_id str: The realm this provider will provide user federation for.
user_object_classes List[str]: All values of LDAP objectClass attribute for users in LDAP.
username_ldap_attribute str: Name of the LDAP attribute to use as the Keycloak username.
users_dn str: Full DN of LDAP tree where your users are.
uuid_ldap_attribute str: Name of the LDAP attribute to use as a unique object identifier for objects in LDAP.
batch_size_for_sync float: The number of users to sync within a single transaction.
bind_credential str: Password of LDAP admin.
bind_dn str: DN of LDAP admin, which will be used by Keycloak to access LDAP server.
cache_policy str
changed_sync_period float: How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.
connection_timeout str: LDAP connection timeout (duration string)
custom_user_search_filter str: Additional LDAP filter for filtering searched users. Must begin with ‘(’ and end with ‘)’.
edit_mode str: READ_ONLY and WRITABLE are self-explanatory. UNSYNCED allows user data to be imported but not synced back to LDAP.
enabled bool: When false, this provider will not be used when performing queries for users.
full_sync_period float: How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync.
import_enabled bool: When true, LDAP users will be imported into the Keycloak database.
kerberos Dict[UserFederationKerberos]: Settings regarding kerberos authentication for this realm.
name str: Display name of the provider when displayed in the console.
pagination bool: When true, Keycloak assumes the LDAP server supports pagination.
priority float: Priority of this provider when looking up users. Lower values are first.
read_timeout str: LDAP read timeout (duration string)
search_scope str: ONE_LEVEL: only search for users in the DN specified by user_dn. SUBTREE: search entire LDAP subtree.
sync_registrations bool: When true, newly created users will be synced back to LDAP.
use_truststore_spi str
validate_password_policy bool: When true, Keycloak will validate passwords using the realm policy before updating it.
vendor str: LDAP vendor. I am almost certain this field does nothing, but the UI indicates that it is required.

Outputs

All input properties are implicitly available as output properties. Additionally, the UserFederation resource produces the following output properties:

Id string: The provider-assigned unique ID for this managed resource.

Id string: The provider-assigned unique ID for this managed resource.

id string: The provider-assigned unique ID for this managed resource.

id str: The provider-assigned unique ID for this managed resource.

Look up an Existing UserFederation Resource

Get an existing UserFederation resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: UserFederationState, opts?: CustomResourceOptions): UserFederation

static get(resource_name, id, opts=None, batch_size_for_sync=None, bind_credential=None, bind_dn=None, cache_policy=None, changed_sync_period=None, connection_timeout=None, connection_url=None, custom_user_search_filter=None, edit_mode=None, enabled=None, full_sync_period=None, import_enabled=None, kerberos=None, name=None, pagination=None, priority=None, rdn_ldap_attribute=None, read_timeout=None, realm_id=None, search_scope=None, sync_registrations=None, use_truststore_spi=None, user_object_classes=None, username_ldap_attribute=None, users_dn=None, uuid_ldap_attribute=None, validate_password_policy=None, vendor=None, __props__=None);

func GetUserFederation(ctx *Context, name string, id IDInput, state *UserFederationState, opts ...ResourceOption) (*UserFederation, error)

public static UserFederation Get(string name, Input<string> id, UserFederationState? state, CustomResourceOptions? opts = null)

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

BatchSizeForSync int: The number of users to sync within a single transaction.
BindCredential string: Password of LDAP admin.
BindDn string: DN of LDAP admin, which will be used by Keycloak to access LDAP server.
CachePolicy string
ChangedSyncPeriod int: How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.
ConnectionTimeout string: LDAP connection timeout (duration string)
ConnectionUrl string: Connection URL to the LDAP server.
CustomUserSearchFilter string: Additional LDAP filter for filtering searched users. Must begin with ‘(’ and end with ‘)’.
EditMode string: READ_ONLY and WRITABLE are self-explanatory. UNSYNCED allows user data to be imported but not synced back to LDAP.
Enabled bool: When false, this provider will not be used when performing queries for users.
FullSyncPeriod int: How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync.
ImportEnabled bool: When true, LDAP users will be imported into the Keycloak database.
Kerberos UserFederationKerberosArgs: Settings regarding kerberos authentication for this realm.
Name string: Display name of the provider when displayed in the console.
Pagination bool: When true, Keycloak assumes the LDAP server supports pagination.
Priority int: Priority of this provider when looking up users. Lower values are first.
RdnLdapAttribute string: Name of the LDAP attribute to use as the relative distinguished name.
ReadTimeout string: LDAP read timeout (duration string)
RealmId string: The realm this provider will provide user federation for.
SearchScope string: ONE_LEVEL: only search for users in the DN specified by user_dn. SUBTREE: search entire LDAP subtree.
SyncRegistrations bool: When true, newly created users will be synced back to LDAP.
UseTruststoreSpi string
UserObjectClasses List<string>: All values of LDAP objectClass attribute for users in LDAP.
UsernameLdapAttribute string: Name of the LDAP attribute to use as the Keycloak username.
UsersDn string: Full DN of LDAP tree where your users are.
UuidLdapAttribute string: Name of the LDAP attribute to use as a unique object identifier for objects in LDAP.
ValidatePasswordPolicy bool: When true, Keycloak will validate passwords using the realm policy before updating it.
Vendor string: LDAP vendor. I am almost certain this field does nothing, but the UI indicates that it is required.

BatchSizeForSync int: The number of users to sync within a single transaction.
BindCredential string: Password of LDAP admin.
BindDn string: DN of LDAP admin, which will be used by Keycloak to access LDAP server.
CachePolicy string
ChangedSyncPeriod int: How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.
ConnectionTimeout string: LDAP connection timeout (duration string)
ConnectionUrl string: Connection URL to the LDAP server.
CustomUserSearchFilter string: Additional LDAP filter for filtering searched users. Must begin with ‘(’ and end with ‘)’.
EditMode string: READ_ONLY and WRITABLE are self-explanatory. UNSYNCED allows user data to be imported but not synced back to LDAP.
Enabled bool: When false, this provider will not be used when performing queries for users.
FullSyncPeriod int: How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync.
ImportEnabled bool: When true, LDAP users will be imported into the Keycloak database.
Kerberos UserFederationKerberos: Settings regarding kerberos authentication for this realm.
Name string: Display name of the provider when displayed in the console.
Pagination bool: When true, Keycloak assumes the LDAP server supports pagination.
Priority int: Priority of this provider when looking up users. Lower values are first.
RdnLdapAttribute string: Name of the LDAP attribute to use as the relative distinguished name.
ReadTimeout string: LDAP read timeout (duration string)
RealmId string: The realm this provider will provide user federation for.
SearchScope string: ONE_LEVEL: only search for users in the DN specified by user_dn. SUBTREE: search entire LDAP subtree.
SyncRegistrations bool: When true, newly created users will be synced back to LDAP.
UseTruststoreSpi string
UserObjectClasses []string: All values of LDAP objectClass attribute for users in LDAP.
UsernameLdapAttribute string: Name of the LDAP attribute to use as the Keycloak username.
UsersDn string: Full DN of LDAP tree where your users are.
UuidLdapAttribute string: Name of the LDAP attribute to use as a unique object identifier for objects in LDAP.
ValidatePasswordPolicy bool: When true, Keycloak will validate passwords using the realm policy before updating it.
Vendor string: LDAP vendor. I am almost certain this field does nothing, but the UI indicates that it is required.

batchSizeForSync number: The number of users to sync within a single transaction.
bindCredential string: Password of LDAP admin.
bindDn string: DN of LDAP admin, which will be used by Keycloak to access LDAP server.
cachePolicy string
changedSyncPeriod number: How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.
connectionTimeout string: LDAP connection timeout (duration string)
connectionUrl string: Connection URL to the LDAP server.
customUserSearchFilter string: Additional LDAP filter for filtering searched users. Must begin with ‘(’ and end with ‘)’.
editMode string: READ_ONLY and WRITABLE are self-explanatory. UNSYNCED allows user data to be imported but not synced back to LDAP.
enabled boolean: When false, this provider will not be used when performing queries for users.
fullSyncPeriod number: How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync.
importEnabled boolean: When true, LDAP users will be imported into the Keycloak database.
kerberos UserFederationKerberos: Settings regarding kerberos authentication for this realm.
name string: Display name of the provider when displayed in the console.
pagination boolean: When true, Keycloak assumes the LDAP server supports pagination.
priority number: Priority of this provider when looking up users. Lower values are first.
rdnLdapAttribute string: Name of the LDAP attribute to use as the relative distinguished name.
readTimeout string: LDAP read timeout (duration string)
realmId string: The realm this provider will provide user federation for.
searchScope string: ONE_LEVEL: only search for users in the DN specified by user_dn. SUBTREE: search entire LDAP subtree.
syncRegistrations boolean: When true, newly created users will be synced back to LDAP.
useTruststoreSpi string
userObjectClasses string[]: All values of LDAP objectClass attribute for users in LDAP.
usernameLdapAttribute string: Name of the LDAP attribute to use as the Keycloak username.
usersDn string: Full DN of LDAP tree where your users are.
uuidLdapAttribute string: Name of the LDAP attribute to use as a unique object identifier for objects in LDAP.
validatePasswordPolicy boolean: When true, Keycloak will validate passwords using the realm policy before updating it.
vendor string: LDAP vendor. I am almost certain this field does nothing, but the UI indicates that it is required.

batch_size_for_sync float: The number of users to sync within a single transaction.
bind_credential str: Password of LDAP admin.
bind_dn str: DN of LDAP admin, which will be used by Keycloak to access LDAP server.
cache_policy str
changed_sync_period float: How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.
connection_timeout str: LDAP connection timeout (duration string)
connection_url str: Connection URL to the LDAP server.
custom_user_search_filter str: Additional LDAP filter for filtering searched users. Must begin with ‘(’ and end with ‘)’.
edit_mode str: READ_ONLY and WRITABLE are self-explanatory. UNSYNCED allows user data to be imported but not synced back to LDAP.
enabled bool: When false, this provider will not be used when performing queries for users.
full_sync_period float: How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync.
import_enabled bool: When true, LDAP users will be imported into the Keycloak database.
kerberos Dict[UserFederationKerberos]: Settings regarding kerberos authentication for this realm.
name str: Display name of the provider when displayed in the console.
pagination bool: When true, Keycloak assumes the LDAP server supports pagination.
priority float: Priority of this provider when looking up users. Lower values are first.
rdn_ldap_attribute str: Name of the LDAP attribute to use as the relative distinguished name.
read_timeout str: LDAP read timeout (duration string)
realm_id str: The realm this provider will provide user federation for.
search_scope str: ONE_LEVEL: only search for users in the DN specified by user_dn. SUBTREE: search entire LDAP subtree.
sync_registrations bool: When true, newly created users will be synced back to LDAP.
use_truststore_spi str
user_object_classes List[str]: All values of LDAP objectClass attribute for users in LDAP.
username_ldap_attribute str: Name of the LDAP attribute to use as the Keycloak username.
users_dn str: Full DN of LDAP tree where your users are.
uuid_ldap_attribute str: Name of the LDAP attribute to use as a unique object identifier for objects in LDAP.
validate_password_policy bool: When true, Keycloak will validate passwords using the realm policy before updating it.
vendor str: LDAP vendor. I am almost certain this field does nothing, but the UI indicates that it is required.

Supporting Types

UserFederationKerberos

See the input and output API doc for this type.

KerberosRealm string
KeyTab string
ServerPrincipal string
UseKerberosForPasswordAuthentication bool

KerberosRealm string
KeyTab string
ServerPrincipal string
UseKerberosForPasswordAuthentication bool

kerberosRealm string
keyTab string
serverPrincipal string
useKerberosForPasswordAuthentication boolean

kerberosRealm str
keyTab str
serverPrincipal str
useKerberosForPasswordAuthentication bool

Package Details

Repository: https://github.com/pulumi/pulumi-keycloak
License: Apache-2.0
Notes: This Pulumi package is based on the keycloak Terraform Provider.

The Pulumi Platform

Get Started

Migrate to Pulumi

Solutions for All Teams and Engineers

Any Code

Any Cloud