This page documents the language specification for the keycloak package. If you're looking for help working with the inputs, outputs, or functions of keycloak resources in a Pulumi program, please see the resource documentation for examples and API reference.

ldap

class pulumi_keycloak.ldap.FullNameMapper(resource_name, opts=None, ldap_full_name_attribute=None, ldap_user_federation_id=None, name=None, read_only=None, realm_id=None, write_only=None, __props__=None, __name__=None, __opts__=None)

Allows for creating and managing full name mappers for Keycloak users federated via LDAP.

The LDAP full name mapper can map a user’s full name from an LDAP attribute to the first and last name attributes of a Keycloak user.

import pulumi
import pulumi_keycloak as keycloak

realm = keycloak.Realm("realm",
    enabled=True,
    realm="test")
ldap_user_federation = keycloak.ldap.UserFederation("ldapUserFederation",
    bind_credential="admin",
    bind_dn="cn=admin,dc=example,dc=org",
    connection_url="ldap://openldap",
    rdn_ldap_attribute="cn",
    realm_id=realm.id,
    user_object_classes=[
        "simpleSecurityObject",
        "organizationalRole",
    ],
    username_ldap_attribute="cn",
    users_dn="dc=example,dc=org",
    uuid_ldap_attribute="entryDN")
ldap_full_name_mapper = keycloak.ldap.FullNameMapper("ldapFullNameMapper",
    ldap_full_name_attribute="cn",
    ldap_user_federation_id=ldap_user_federation.id,
    realm_id=realm.id)

The following arguments are supported:

  • realm_id - (Required) The realm that this LDAP mapper will exist in.

  • ldap_user_federation_id - (Required) The ID of the LDAP user federation provider to attach this mapper to.

  • name - (Required) Display name of this mapper when displayed in the console.

  • ldap_full_name_attribute - (Required) The name of the LDAP attribute containing the user’s full name.

  • read_only - (Optional) When true, updates to a user within Keycloak will not be written back to LDAP. Defaults to false.

  • write_only - (Optional) When true, this mapper will only be used to write updates to LDAP. Defaults to false.

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • ldap_user_federation_id (pulumi.Input[str]) – The ldap user federation provider to attach this mapper to.

  • name (pulumi.Input[str]) – Display name of the mapper when displayed in the console.

  • realm_id (pulumi.Input[str]) – The realm in which the ldap user federation provider exists.

ldap_user_federation_id: pulumi.Output[str] = None

The ldap user federation provider to attach this mapper to.

name: pulumi.Output[str] = None

Display name of the mapper when displayed in the console.

realm_id: pulumi.Output[str] = None

The realm in which the ldap user federation provider exists.

static get(resource_name, id, opts=None, ldap_full_name_attribute=None, ldap_user_federation_id=None, name=None, read_only=None, realm_id=None, write_only=None)

Get an existing FullNameMapper resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • ldap_user_federation_id (pulumi.Input[str]) – The ldap user federation provider to attach this mapper to.

  • name (pulumi.Input[str]) – Display name of the mapper when displayed in the console.

  • realm_id (pulumi.Input[str]) – The realm in which the ldap user federation provider exists.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_keycloak.ldap.GroupMapper(resource_name, opts=None, drop_non_existing_groups_during_sync=None, group_name_ldap_attribute=None, group_object_classes=None, groups_ldap_filter=None, ignore_missing_groups=None, ldap_groups_dn=None, ldap_user_federation_id=None, mapped_group_attributes=None, memberof_ldap_attribute=None, membership_attribute_type=None, membership_ldap_attribute=None, membership_user_ldap_attribute=None, mode=None, name=None, preserve_group_inheritance=None, realm_id=None, user_roles_retrieve_strategy=None, __props__=None, __name__=None, __opts__=None)

Allows for creating and managing group mappers for Keycloak users federated via LDAP.

The LDAP group mapper can be used to map an LDAP user’s groups from some DN to Keycloak groups. This group mapper will also create the groups within Keycloak if they do not already exist.

import pulumi
import pulumi_keycloak as keycloak

realm = keycloak.Realm("realm",
    enabled=True,
    realm="test")
ldap_user_federation = keycloak.ldap.UserFederation("ldapUserFederation",
    bind_credential="admin",
    bind_dn="cn=admin,dc=example,dc=org",
    connection_url="ldap://openldap",
    rdn_ldap_attribute="cn",
    realm_id=realm.id,
    user_object_classes=[
        "simpleSecurityObject",
        "organizationalRole",
    ],
    username_ldap_attribute="cn",
    users_dn="dc=example,dc=org",
    uuid_ldap_attribute="entryDN")
ldap_group_mapper = keycloak.ldap.GroupMapper("ldapGroupMapper",
    group_name_ldap_attribute="cn",
    group_object_classes=["groupOfNames"],
    ldap_groups_dn="dc=example,dc=org",
    ldap_user_federation_id=ldap_user_federation.id,
    memberof_ldap_attribute="memberOf",
    membership_attribute_type="DN",
    membership_ldap_attribute="member",
    membership_user_ldap_attribute="cn",
    realm_id=realm.id)

The following arguments are supported:

  • realm_id - (Required) The realm that this LDAP mapper will exist in.

  • ldap_user_federation_id - (Required) The ID of the LDAP user federation provider to attach this mapper to.

  • name - (Required) Display name of this mapper when displayed in the console.

  • ldap_groups_dn - (Required) The LDAP DN where groups can be found.

  • group_name_ldap_attribute - (Required) The name of the LDAP attribute that is used in group objects for the name and RDN of the group. Typically cn.

  • group_object_classes - (Required) Array of strings representing the object classes for the group. Must contain at least one.

  • preserve_group_inheritance - (Optional) When true, group inheritance will be propagated from LDAP to Keycloak. When false, all LDAP groups will be propagated as top level groups within Keycloak.

  • ignore_missing_groups - (Optional) When true, missing groups in the hierarchy will be ignored.

  • membership_ldap_attribute - (Required) The name of the LDAP attribute that is used for membership mappings.

  • membership_attribute_type - (Optional) Can be one of DN or UID. Defaults to DN.

  • membership_user_ldap_attribute - (Required) The name of the LDAP attribute on a user that is used for membership mappings.

  • groups_ldap_filter - (Optional) When specified, adds an additional custom filter to be used when querying for groups. Must start with ( and end with ).

  • mode - (Optional) Can be one of READ_ONLY or LDAP_ONLY. Defaults to READ_ONLY.

  • user_roles_retrieve_strategy - (Optional) Can be one of LOAD_GROUPS_BY_MEMBER_ATTRIBUTE, GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE, or LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY. Defaults to LOAD_GROUPS_BY_MEMBER_ATTRIBUTE.

  • memberof_ldap_attribute - (Optional) Specifies the name of the LDAP attribute on the LDAP user that contains the groups the user is a member of. Defaults to memberOf.

  • mapped_group_attributes - (Optional) Array of strings representing attributes on the LDAP group which will be mapped to attributes on the Keycloak group.

  • drop_non_existing_groups_during_sync - (Optional) When true, groups that no longer exist within LDAP will be dropped in Keycloak during sync. Defaults to false.

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • ldap_user_federation_id (pulumi.Input[str]) – The ldap user federation provider to attach this mapper to.

  • name (pulumi.Input[str]) – Display name of the mapper when displayed in the console.

  • realm_id (pulumi.Input[str]) – The realm in which the ldap user federation provider exists.

ldap_user_federation_id: pulumi.Output[str] = None

The ldap user federation provider to attach this mapper to.

name: pulumi.Output[str] = None

Display name of the mapper when displayed in the console.

realm_id: pulumi.Output[str] = None

The realm in which the ldap user federation provider exists.

static get(resource_name, id, opts=None, drop_non_existing_groups_during_sync=None, group_name_ldap_attribute=None, group_object_classes=None, groups_ldap_filter=None, ignore_missing_groups=None, ldap_groups_dn=None, ldap_user_federation_id=None, mapped_group_attributes=None, memberof_ldap_attribute=None, membership_attribute_type=None, membership_ldap_attribute=None, membership_user_ldap_attribute=None, mode=None, name=None, preserve_group_inheritance=None, realm_id=None, user_roles_retrieve_strategy=None)

Get an existing GroupMapper resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • ldap_user_federation_id (pulumi.Input[str]) – The ldap user federation provider to attach this mapper to.

  • name (pulumi.Input[str]) – Display name of the mapper when displayed in the console.

  • realm_id (pulumi.Input[str]) – The realm in which the ldap user federation provider exists.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_keycloak.ldap.HardcodedGroupMapper(resource_name, opts=None, group=None, ldap_user_federation_id=None, name=None, realm_id=None, __props__=None, __name__=None, __opts__=None)

Create a HardcodedGroupMapper resource with the given unique name, props, and options.

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • group (pulumi.Input[str]) – Group to grant to user.

  • ldap_user_federation_id (pulumi.Input[str]) – The ldap user federation provider to attach this mapper to.

  • name (pulumi.Input[str]) – Display name of the mapper when displayed in the console.

  • realm_id (pulumi.Input[str]) – The realm in which the ldap user federation provider exists.

group: pulumi.Output[str] = None

Group to grant to user.

ldap_user_federation_id: pulumi.Output[str] = None

The ldap user federation provider to attach this mapper to.

name: pulumi.Output[str] = None

Display name of the mapper when displayed in the console.

realm_id: pulumi.Output[str] = None

The realm in which the ldap user federation provider exists.

static get(resource_name, id, opts=None, group=None, ldap_user_federation_id=None, name=None, realm_id=None)

Get an existing HardcodedGroupMapper resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • group (pulumi.Input[str]) – Group to grant to user.

  • ldap_user_federation_id (pulumi.Input[str]) – The ldap user federation provider to attach this mapper to.

  • name (pulumi.Input[str]) – Display name of the mapper when displayed in the console.

  • realm_id (pulumi.Input[str]) – The realm in which the ldap user federation provider exists.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_keycloak.ldap.HardcodedRoleMapper(resource_name, opts=None, ldap_user_federation_id=None, name=None, realm_id=None, role=None, __props__=None, __name__=None, __opts__=None)

This mapper will grant a specified Keycloak role to each Keycloak user linked with LDAP.

import pulumi
import pulumi_keycloak as keycloak

realm = keycloak.Realm("realm",
    realm="test",
    enabled=True)
ldap_user_federation = keycloak.ldap.UserFederation("ldapUserFederation",
    realm_id=realm.id,
    username_ldap_attribute="cn",
    rdn_ldap_attribute="cn",
    uuid_ldap_attribute="entryDN",
    user_object_classes=[
        "simpleSecurityObject",
        "organizationalRole",
    ],
    connection_url="ldap://openldap",
    users_dn="dc=example,dc=org",
    bind_dn="cn=admin,dc=example,dc=org",
    bind_credential="admin")
assign_admin_role_to_all_users = keycloak.ldap.HardcodedRoleMapper("assignAdminRoleToAllUsers",
    realm_id=realm.id,
    ldap_user_federation_id=ldap_user_federation.id,
    role="admin")

The following arguments are supported:

  • realm_id - (Required) The realm that this LDAP mapper will exist in.

  • ldap_user_federation_id - (Required) The ID of the LDAP user federation provider to attach this mapper to.

  • name - (Required) Display name of this mapper when displayed in the console.

  • role - (Required) The role which should be assigned to the users.
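The UserFederation examples on this page bind with a literal bind_credential over a plain ldap:// URL, and the HardcodedRoleMapper example above grants the admin role to every federated user. The following is an added pre-deployment review helper, not provider code: it inspects the keyword arguments before they reach the resource constructors and flags those settings beside a corrected variant. PRIVILEGED_ROLES, SecretRef, the resource-type label strings and the HARDENED sample are constructed for this example.

```python
from urllib.parse import urlsplit


class SecretRef:
    """Marker standing in for a Pulumi secret Output (constructed for this example)."""

    def __init__(self, config_key):
        self.config_key = config_key


# Realm roles that should not be granted wholesale by a HardcodedRoleMapper.
# Constructed list; extend it with the realm's own privileged roles.
PRIVILEGED_ROLES = {"admin", "realm-admin", "create-realm"}


def check_user_federation(name, args):
    """Findings for one keycloak.ldap.UserFederation keyword-argument set."""
    findings = []
    scheme = urlsplit(args.get("connection_url", "")).scheme.lower()
    if scheme == "ldap":
        findings.append((name, "connection_url",
                         "plain ldap:// sends the simple bind password in cleartext; "
                         "use ldaps:// (or StartTLS) together with use_truststore_spi"))
    elif scheme != "ldaps":
        findings.append((name, "connection_url", f"unexpected scheme {scheme!r}"))
    # A plain str here is a password committed to source; a Pulumi secret Output is not a str.
    if isinstance(args.get("bind_credential"), str):
        findings.append((name, "bind_credential",
                         "literal bind password in source; pass a secret from "
                         "pulumi.Config().require_secret(...) instead"))
    return findings


def check_hardcoded_role_mapper(name, args):
    """Findings for one keycloak.ldap.HardcodedRoleMapper keyword-argument set."""
    role = args.get("role")
    if role in PRIVILEGED_ROLES:
        return [(name, "role",
                 f"grants realm role {role!r} to every user of the federation provider")]
    return []


CHECKS = {
    "keycloak.ldap.UserFederation": check_user_federation,
    "keycloak.ldap.HardcodedRoleMapper": check_hardcoded_role_mapper,
}


def review(resources):
    """resources: iterable of (resource type, Pulumi name, kwargs). Returns all findings."""
    findings = []
    for rtype, name, args in resources:
        check = CHECKS.get(rtype)
        if check is not None:
            findings.extend(check(name, args))
    return findings


# Constructed sample mirroring the page's examples.
AS_ON_PAGE = [
    ("keycloak.ldap.UserFederation", "ldapUserFederation", {
        "bind_credential": "admin",
        "bind_dn": "cn=admin,dc=example,dc=org",
        "connection_url": "ldap://openldap",
        "users_dn": "dc=example,dc=org",
    }),
    ("keycloak.ldap.HardcodedRoleMapper", "assignAdminRoleToAllUsers", {"role": "admin"}),
]

# The same resources with the weak settings corrected (constructed sample).
HARDENED = [
    ("keycloak.ldap.UserFederation", "ldapUserFederation", {
        "bind_credential": SecretRef("ldapBindPassword"),
        "bind_dn": "cn=admin,dc=example,dc=org",
        "connection_url": "ldaps://openldap",
        "use_truststore_spi": "ALWAYS",  # assumed provider value
        "users_dn": "dc=example,dc=org",
    }),
    ("keycloak.ldap.HardcodedRoleMapper", "assignViewerRole", {"role": "viewer"}),
]

if __name__ == "__main__":
    for name, arg, msg in review(AS_ON_PAGE):
        print(f"{name}.{arg}: {msg}")
```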

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • ldap_user_federation_id (pulumi.Input[str]) – The ldap user federation provider to attach this mapper to.

  • name (pulumi.Input[str]) – Display name of the mapper when displayed in the console.

  • realm_id (pulumi.Input[str]) – The realm in which the ldap user federation provider exists.

  • role (pulumi.Input[str]) – Role to grant to user.

ldap_user_federation_id: pulumi.Output[str] = None

The ldap user federation provider to attach this mapper to.

name: pulumi.Output[str] = None

Display name of the mapper when displayed in the console.

realm_id: pulumi.Output[str] = None

The realm in which the ldap user federation provider exists.

role: pulumi.Output[str] = None

Role to grant to user.

static get(resource_name, id, opts=None, ldap_user_federation_id=None, name=None, realm_id=None, role=None)

Get an existing HardcodedRoleMapper resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • ldap_user_federation_id (pulumi.Input[str]) – The ldap user federation provider to attach this mapper to.

  • name (pulumi.Input[str]) – Display name of the mapper when displayed in the console.

  • realm_id (pulumi.Input[str]) – The realm in which the ldap user federation provider exists.

  • role (pulumi.Input[str]) – Role to grant to user.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_keycloak.ldap.MsadLdsUserAccountControlMapper(resource_name, opts=None, ldap_user_federation_id=None, name=None, realm_id=None, __props__=None, __name__=None, __opts__=None)

Create a MsadLdsUserAccountControlMapper resource with the given unique name, props, and options.

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • ldap_user_federation_id (pulumi.Input[str]) – The ldap user federation provider to attach this mapper to.

  • name (pulumi.Input[str]) – Display name of the mapper when displayed in the console.

  • realm_id (pulumi.Input[str]) – The realm in which the ldap user federation provider exists.

ldap_user_federation_id: pulumi.Output[str] = None

The ldap user federation provider to attach this mapper to.

name: pulumi.Output[str] = None

Display name of the mapper when displayed in the console.

realm_id: pulumi.Output[str] = None

The realm in which the ldap user federation provider exists.

static get(resource_name, id, opts=None, ldap_user_federation_id=None, name=None, realm_id=None)

Get an existing MsadLdsUserAccountControlMapper resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • ldap_user_federation_id (pulumi.Input[str]) – The ldap user federation provider to attach this mapper to.

  • name (pulumi.Input[str]) – Display name of the mapper when displayed in the console.

  • realm_id (pulumi.Input[str]) – The realm in which the ldap user federation provider exists.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_keycloak.ldap.MsadUserAccountControlMapper(resource_name, opts=None, ldap_password_policy_hints_enabled=None, ldap_user_federation_id=None, name=None, realm_id=None, __props__=None, __name__=None, __opts__=None)

Allows for creating and managing MSAD user account control mappers for Keycloak users federated via LDAP.

The MSAD (Microsoft Active Directory) user account control mapper is specific to LDAP user federation providers that are pulling from AD, and it can propagate AD user state to Keycloak in order to enforce settings like expired passwords or disabled accounts.

import pulumi
import pulumi_keycloak as keycloak

realm = keycloak.Realm("realm",
    enabled=True,
    realm="test")
ldap_user_federation = keycloak.ldap.UserFederation("ldapUserFederation",
    bind_credential="admin",
    bind_dn="cn=admin,dc=example,dc=org",
    connection_url="ldap://my-ad-server",
    rdn_ldap_attribute="cn",
    realm_id=realm.id,
    user_object_classes=[
        "person",
        "organizationalPerson",
        "user",
    ],
    username_ldap_attribute="cn",
    users_dn="dc=example,dc=org",
    uuid_ldap_attribute="objectGUID")
msad_user_account_control_mapper = keycloak.ldap.MsadUserAccountControlMapper("msadUserAccountControlMapper",
    ldap_user_federation_id=ldap_user_federation.id,
    realm_id=realm.id)

The following arguments are supported:

  • realm_id - (Required) The realm that this LDAP mapper will exist in.

  • ldap_user_federation_id - (Required) The ID of the LDAP user federation provider to attach this mapper to.

  • name - (Required) Display name of this mapper when displayed in the console.

  • ldap_password_policy_hints_enabled - (Optional) When true, advanced password policies, such as password hints and previous password history will be used when writing new passwords to AD. Defaults to false.
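The account state this mapper propagates lives in two AD attributes: the userAccountControl bit field and pwdLastSet (the Keycloak mapper reads both; that is Keycloak behaviour, not something this page states). The following added example, not provider code, decodes them over a constructed LDIF sample so a reviewer can see which users will arrive in Keycloak disabled or with a forced password change; the flag values are Microsoft's documented userAccountControl constants.

```python
# AD userAccountControl bit flags (Microsoft-documented constants).
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000
PASSWORD_EXPIRED = 0x800000


def account_state(user_account_control, pwd_last_set):
    """Derive the account state propagated to Keycloak from the two AD attributes."""
    uac = int(user_account_control)
    return {
        "enabled": not uac & ACCOUNTDISABLE,
        "password_expired": bool(uac & PASSWORD_EXPIRED),
        "password_never_expires": bool(uac & DONT_EXPIRE_PASSWORD),
        # AD stores pwdLastSet = 0 when the user must change the password at next logon.
        "must_change_password": int(pwd_last_set) == 0,
    }


def parse_entries(ldif_text):
    """Minimal parser for the constructed sample: one dict per blank-line-separated entry."""
    entries, current = [], {}
    for line in ldif_text.splitlines():
        line = line.strip()
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        entries.append(current)
    return entries


def states_from_ldif(ldif_text):
    """Map each entry's DN to the state the MSAD mapper would propagate for it."""
    return {
        entry["dn"]: account_state(entry["userAccountControl"], entry["pwdLastSet"])
        for entry in parse_entries(ldif_text)
    }


# Constructed sample entries (not real directory data).
SAMPLE_LDIF = """\
dn: CN=alice,OU=Users,DC=example,DC=org
userAccountControl: 512
pwdLastSet: 133000000000000000

dn: CN=bob,OU=Users,DC=example,DC=org
userAccountControl: 514
pwdLastSet: 133000000000000000

dn: CN=carol,OU=Users,DC=example,DC=org
userAccountControl: 8389120
pwdLastSet: 0
"""

if __name__ == "__main__":
    for dn, state in states_from_ldif(SAMPLE_LDIF).items():
        print(dn, state)
```

512 is a normal enabled account, 514 adds ACCOUNTDISABLE, and 8389120 adds PASSWORD_EXPIRED; only the last two would be blocked or forced to reset when logging in through Keycloak.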

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • ldap_user_federation_id (pulumi.Input[str]) – The ldap user federation provider to attach this mapper to.

  • name (pulumi.Input[str]) – Display name of the mapper when displayed in the console.

  • realm_id (pulumi.Input[str]) – The realm in which the ldap user federation provider exists.

ldap_user_federation_id: pulumi.Output[str] = None

The ldap user federation provider to attach this mapper to.

name: pulumi.Output[str] = None

Display name of the mapper when displayed in the console.

realm_id: pulumi.Output[str] = None

The realm in which the ldap user federation provider exists.

static get(resource_name, id, opts=None, ldap_password_policy_hints_enabled=None, ldap_user_federation_id=None, name=None, realm_id=None)

Get an existing MsadUserAccountControlMapper resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • ldap_user_federation_id (pulumi.Input[str]) – The ldap user federation provider to attach this mapper to.

  • name (pulumi.Input[str]) – Display name of the mapper when displayed in the console.

  • realm_id (pulumi.Input[str]) – The realm in which the ldap user federation provider exists.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_keycloak.ldap.RoleMapper(resource_name, opts=None, client_id=None, ldap_roles_dn=None, ldap_user_federation_id=None, memberof_ldap_attribute=None, membership_attribute_type=None, membership_ldap_attribute=None, membership_user_ldap_attribute=None, mode=None, name=None, realm_id=None, role_name_ldap_attribute=None, role_object_classes=None, roles_ldap_filter=None, use_realm_roles_mapping=None, user_roles_retrieve_strategy=None, __props__=None, __name__=None, __opts__=None)

Create a RoleMapper resource with the given unique name, props, and options.

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • ldap_user_federation_id (pulumi.Input[str]) – The ldap user federation provider to attach this mapper to.

  • name (pulumi.Input[str]) – Display name of the mapper when displayed in the console.

  • realm_id (pulumi.Input[str]) – The realm in which the ldap user federation provider exists.

ldap_user_federation_id: pulumi.Output[str] = None

The ldap user federation provider to attach this mapper to.

name: pulumi.Output[str] = None

Display name of the mapper when displayed in the console.

realm_id: pulumi.Output[str] = None

The realm in which the ldap user federation provider exists.

static get(resource_name, id, opts=None, client_id=None, ldap_roles_dn=None, ldap_user_federation_id=None, memberof_ldap_attribute=None, membership_attribute_type=None, membership_ldap_attribute=None, membership_user_ldap_attribute=None, mode=None, name=None, realm_id=None, role_name_ldap_attribute=None, role_object_classes=None, roles_ldap_filter=None, use_realm_roles_mapping=None, user_roles_retrieve_strategy=None)

Get an existing RoleMapper resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • ldap_user_federation_id (pulumi.Input[str]) – The ldap user federation provider to attach this mapper to.

  • name (pulumi.Input[str]) – Display name of the mapper when displayed in the console.

  • realm_id (pulumi.Input[str]) – The realm in which the ldap user federation provider exists.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_keycloak.ldap.UserAttributeMapper(resource_name, opts=None, always_read_value_from_ldap=None, is_mandatory_in_ldap=None, ldap_attribute=None, ldap_user_federation_id=None, name=None, read_only=None, realm_id=None, user_model_attribute=None, __props__=None, __name__=None, __opts__=None)

Allows for creating and managing user attribute mappers for Keycloak users federated via LDAP.

The LDAP user attribute mapper can be used to map a single LDAP attribute to an attribute on the Keycloak user model.

import pulumi
import pulumi_keycloak as keycloak

realm = keycloak.Realm("realm",
    enabled=True,
    realm="test")
ldap_user_federation = keycloak.ldap.UserFederation("ldapUserFederation",
    bind_credential="admin",
    bind_dn="cn=admin,dc=example,dc=org",
    connection_url="ldap://openldap",
    rdn_ldap_attribute="cn",
    realm_id=realm.id,
    user_object_classes=[
        "simpleSecurityObject",
        "organizationalRole",
    ],
    username_ldap_attribute="cn",
    users_dn="dc=example,dc=org",
    uuid_ldap_attribute="entryDN")
ldap_user_attribute_mapper = keycloak.ldap.UserAttributeMapper("ldapUserAttributeMapper",
    ldap_attribute="bar",
    ldap_user_federation_id=ldap_user_federation.id,
    realm_id=realm.id,
    user_model_attribute="foo")

The following arguments are supported:

  • realm_id - (Required) The realm that this LDAP mapper will exist in.

  • ldap_user_federation_id - (Required) The ID of the LDAP user federation provider to attach this mapper to.

  • name - (Required) Display name of this mapper when displayed in the console.

  • user_model_attribute - (Required) Name of the user property or attribute you want to map the LDAP attribute into.

  • ldap_attribute - (Required) Name of the mapped attribute on the LDAP object.

  • read_only - (Optional) When true, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak. Defaults to false.

  • always_read_value_from_ldap - (Optional) When true, the value fetched from LDAP will override the value stored in Keycloak. Defaults to false.

  • is_mandatory_in_ldap - (Optional) When true, this attribute must exist in LDAP. Defaults to false.

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • always_read_value_from_ldap (pulumi.Input[bool]) – When true, the value fetched from LDAP will override the value stored in Keycloak.

  • is_mandatory_in_ldap (pulumi.Input[bool]) – When true, this attribute must exist in LDAP.

  • ldap_attribute (pulumi.Input[str]) – Name of the mapped attribute on LDAP object.

  • ldap_user_federation_id (pulumi.Input[str]) – The ldap user federation provider to attach this mapper to.

  • name (pulumi.Input[str]) – Display name of the mapper when displayed in the console.

  • read_only (pulumi.Input[bool]) – When true, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak.

  • realm_id (pulumi.Input[str]) – The realm in which the ldap user federation provider exists.

  • user_model_attribute (pulumi.Input[str]) – Name of the UserModel property or attribute you want to map the LDAP attribute into.

always_read_value_from_ldap: pulumi.Output[bool] = None

When true, the value fetched from LDAP will override the value stored in Keycloak.

is_mandatory_in_ldap: pulumi.Output[bool] = None

When true, this attribute must exist in LDAP.

ldap_attribute: pulumi.Output[str] = None

Name of the mapped attribute on LDAP object.

ldap_user_federation_id: pulumi.Output[str] = None

The ldap user federation provider to attach this mapper to.

name: pulumi.Output[str] = None

Display name of the mapper when displayed in the console.

read_only: pulumi.Output[bool] = None

When true, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak.

realm_id: pulumi.Output[str] = None

The realm in which the ldap user federation provider exists.

user_model_attribute: pulumi.Output[str] = None

Name of the UserModel property or attribute you want to map the LDAP attribute into.

static get(resource_name, id, opts=None, always_read_value_from_ldap=None, is_mandatory_in_ldap=None, ldap_attribute=None, ldap_user_federation_id=None, name=None, read_only=None, realm_id=None, user_model_attribute=None)

Get an existing UserAttributeMapper resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • always_read_value_from_ldap (pulumi.Input[bool]) – When true, the value fetched from LDAP will override the value stored in Keycloak.

  • is_mandatory_in_ldap (pulumi.Input[bool]) – When true, this attribute must exist in LDAP.

  • ldap_attribute (pulumi.Input[str]) – Name of the mapped attribute on LDAP object.

  • ldap_user_federation_id (pulumi.Input[str]) – The ldap user federation provider to attach this mapper to.

  • name (pulumi.Input[str]) – Display name of the mapper when displayed in the console.

  • read_only (pulumi.Input[bool]) – When true, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak.

  • realm_id (pulumi.Input[str]) – The realm in which the ldap user federation provider exists.

  • user_model_attribute (pulumi.Input[str]) – Name of the UserModel property or attribute you want to map the LDAP attribute into.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_keycloak.ldap.UserFederation(resource_name, opts=None, batch_size_for_sync=None, bind_credential=None, bind_dn=None, cache_policy=None, changed_sync_period=None, connection_timeout=None, connection_url=None, custom_user_search_filter=None, edit_mode=None, enabled=None, full_sync_period=None, import_enabled=None, kerberos=None, name=None, pagination=None, priority=None, rdn_ldap_attribute=None, read_timeout=None, realm_id=None, search_scope=None, sync_registrations=None, use_truststore_spi=None, user_object_classes=None, username_ldap_attribute=None, users_dn=None, uuid_ldap_attribute=None, validate_password_policy=None, vendor=None, __props__=None, __name__=None, __opts__=None)

Allows for creating and managing LDAP user federation providers within Keycloak.

Keycloak can use an LDAP user federation provider to federate users to Keycloak from a directory system such as LDAP or Active Directory. Federated users will exist within the realm and will be able to log in to clients. Federated users can have their attributes defined using mappers.

import pulumi
import pulumi_keycloak as keycloak

realm = keycloak.Realm("realm",
    enabled=True,
    realm="test")
ldap_user_federation = keycloak.ldap.UserFederation("ldapUserFederation",
    bind_credential="admin",
    bind_dn="cn=admin,dc=example,dc=org",
    connection_timeout="5s",
    connection_url="ldap://openldap",
    enabled=True,
    rdn_ldap_attribute="cn",
    read_timeout="10s",
    realm_id=realm.id,
    user_object_classes=[
        "simpleSecurityObject",
        "organizationalRole",
    ],
    username_ldap_attribute="cn",
    users_dn="dc=example,dc=org",
    uuid_ldap_attribute="entryDN")

The following arguments are supported:

  • realm_id - (Required) The realm that this provider will provide user federation for.

  • name - (Required) Display name of the provider when displayed in the console.

  • enabled - (Optional) When false, this provider will not be used when performing queries for users. Defaults to true.

  • priority - (Optional) Priority of this provider when looking up users. Lower values are first. Defaults to 0.

  • import_enabled - (Optional) When true, LDAP users will be imported into the Keycloak database. Defaults to true.

  • edit_mode - (Optional) Can be one of READ_ONLY, WRITABLE, or UNSYNCED. UNSYNCED allows user data to be imported but not synced back to LDAP. Defaults to READ_ONLY.

  • sync_registrations - (Optional) When true, newly created users will be synced back to LDAP. Defaults to false.

  • vendor - (Optional) Can be one of OTHER, EDIRECTORY, AD, RHDS, or TIVOLI. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to OPTIONAL.

  • username_ldap_attribute - (Required) Name of the LDAP attribute to use as the Keycloak username.

  • rdn_ldap_attribute - (Required) Name of the LDAP attribute to use as the relative distinguished name.

  • uuid_ldap_attribute - (Required) Name of the LDAP attribute to use as a unique object identifier for objects in LDAP.

  • user_object_classes - (Required) Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one.

  • connection_url - (Required) Connection URL to the LDAP server.

  • users_dn - (Required) Full DN of LDAP tree where your users are.

  • bind_dn - (Optional) DN of the LDAP admin account that Keycloak will use to access the LDAP server. This attribute must be set if bind_credential is set.

  • bind_credential - (Optional) Password of the LDAP admin account. This attribute must be set if bind_dn is set.

  • custom_user_search_filter - (Optional) Additional LDAP filter for filtering searched users. Must begin with ( and end with ).

  • search_scope - (Optional) Can be one of ONE_LEVEL or SUBTREE:

    • ONE_LEVEL: Only search for users in the DN specified by users_dn.

    • SUBTREE: Search entire LDAP subtree.

  • validate_password_policy - (Optional) When true, Keycloak will validate passwords using the realm policy before updating them.

  • use_truststore_spi - (Optional) Can be one of ALWAYS, ONLY_FOR_LDAPS, or NEVER:

    • ALWAYS - Always use the truststore SPI for LDAP connections.

    • NEVER - Never use the truststore SPI for LDAP connections.

    • ONLY_FOR_LDAPS - Only use the truststore SPI if your LDAP connection uses the ldaps protocol.

  • connection_timeout - (Optional) LDAP connection timeout in the format of a Go duration string.

  • read_timeout - (Optional) LDAP read timeout in the format of a Go duration string.

  • pagination - (Optional) When true, Keycloak assumes the LDAP server supports pagination. Defaults to true.

  • batch_size_for_sync - (Optional) The number of users to sync within a single transaction. Defaults to 1000.

  • full_sync_period - (Optional) How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync.

  • changed_sync_period - (Optional) How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.

  • cache_policy - (Optional) Can be one of DEFAULT, EVICT_DAILY, EVICT_WEEKLY, MAX_LIFESPAN, or NO_CACHE. Defaults to DEFAULT.
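As an added example (not part of the pulumi_keycloak package or this page), a plain-Python pre-flight check that encodes the constraints the argument list above states (required fields, bind_dn/bind_credential pairing, filter parentheses, enumerated values, Go duration strings) and flags transport settings that the provider accepts but that expose the bind credential. The function and sample dict names are hypothetical, and it runs without a Pulumi runtime.

```python
import re

# Allowed values as listed in the argument reference above.
EDIT_MODES = {"READ_ONLY", "WRITABLE", "UNSYNCED"}
VENDORS = {"OTHER", "EDIRECTORY", "AD", "RHDS", "TIVOLI"}
SEARCH_SCOPES = {"ONE_LEVEL", "SUBTREE"}
TRUSTSTORE_MODES = {"ALWAYS", "ONLY_FOR_LDAPS", "NEVER"}
CACHE_POLICIES = {"DEFAULT", "EVICT_DAILY", "EVICT_WEEKLY", "MAX_LIFESPAN", "NO_CACHE"}
# Required arguments that the program above also sets (name is documented as required
# but the example omits it, so it is deliberately not enforced here).
REQUIRED = ("realm_id", "username_ldap_attribute", "rdn_ldap_attribute",
            "uuid_ldap_attribute", "user_object_classes", "connection_url", "users_dn")
# Go duration string in its usual form: one or more <number><unit> groups, e.g. "5s", "1m30s".
GO_DURATION = re.compile(r"^(\d+(\.\d+)?(ns|us|ms|s|m|h))+$")


def check_user_federation(args):
    """Return (errors, warnings) for a keycloak.ldap.UserFederation argument dict.

    Errors are violations of constraints stated in the argument reference; warnings are
    transport-security findings that the provider itself will accept without complaint.
    """
    errors, warnings = [], []
    for key in REQUIRED:
        if not args.get(key):  # missing, empty string or empty user_object_classes list
            errors.append(f"{key} is required")
    # bind_dn and bind_credential must be set together.
    if bool(args.get("bind_dn")) != bool(args.get("bind_credential")):
        errors.append("bind_dn and bind_credential must both be set or both be omitted")
    flt = args.get("custom_user_search_filter")
    if flt is not None and not (flt.startswith("(") and flt.endswith(")")):
        errors.append("custom_user_search_filter must begin with '(' and end with ')'")
    enums = (("edit_mode", EDIT_MODES), ("vendor", VENDORS), ("search_scope", SEARCH_SCOPES),
             ("use_truststore_spi", TRUSTSTORE_MODES), ("cache_policy", CACHE_POLICIES))
    for key, allowed in enums:
        if key in args and args[key] not in allowed:
            errors.append(f"{key} must be one of {sorted(allowed)}, got {args[key]!r}")
    for key in ("connection_timeout", "read_timeout"):
        if key in args and not GO_DURATION.match(args[key]):
            errors.append(f"{key} must be a Go duration string such as '5s', got {args[key]!r}")
    url = args.get("connection_url", "")
    if url.startswith("ldap://"):
        warnings.append("connection_url is plain ldap://: the bind credential and user passwords "
                        "cross the network in cleartext; prefer ldaps:// with use_truststore_spi")
    if url.startswith("ldaps://") and args.get("use_truststore_spi") == "NEVER":
        warnings.append("use_truststore_spi=NEVER bypasses the Keycloak truststore SPI; the LDAP "
                        "server certificate must then be trusted by the JVM default truststore")
    return errors, warnings


# Constructed sample mirroring the program above: valid, but bound over plain ldap://.
PAGE_EXAMPLE = {
    "realm_id": "realm-id-placeholder", "bind_credential": "admin",
    "bind_dn": "cn=admin,dc=example,dc=org", "connection_timeout": "5s",
    "connection_url": "ldap://openldap", "enabled": True, "rdn_ldap_attribute": "cn",
    "read_timeout": "10s", "user_object_classes": ["simpleSecurityObject", "organizationalRole"],
    "username_ldap_attribute": "cn", "users_dn": "dc=example,dc=org", "uuid_ldap_attribute": "entryDN",
}

if __name__ == "__main__":
    for problem in (p for group in check_user_federation(PAGE_EXAMPLE) for p in group):
        print(problem)
```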

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • batch_size_for_sync (pulumi.Input[float]) – The number of users to sync within a single transaction.

  • bind_credential (pulumi.Input[str]) – Password of LDAP admin.

  • bind_dn (pulumi.Input[str]) – DN of the LDAP admin account that Keycloak will use to access the LDAP server.

  • changed_sync_period (pulumi.Input[float]) – How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.

  • connection_timeout (pulumi.Input[str]) – LDAP connection timeout (duration string)

  • connection_url (pulumi.Input[str]) – Connection URL to the LDAP server.

  • custom_user_search_filter (pulumi.Input[str]) – Additional LDAP filter for filtering searched users. Must begin with ‘(’ and end with ‘)’.

  • edit_mode (pulumi.Input[str]) – READ_ONLY and WRITABLE are self-explanatory. UNSYNCED allows user data to be imported but not synced back to LDAP.

  • enabled (pulumi.Input[bool]) – When false, this provider will not be used when performing queries for users.

  • full_sync_period (pulumi.Input[float]) – How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync.

  • import_enabled (pulumi.Input[bool]) – When true, LDAP users will be imported into the Keycloak database.

  • kerberos (pulumi.Input[dict]) – Settings for Kerberos authentication for this realm.

  • name (pulumi.Input[str]) – Display name of the provider when displayed in the console.

  • pagination (pulumi.Input[bool]) – When true, Keycloak assumes the LDAP server supports pagination.

  • priority (pulumi.Input[float]) – Priority of this provider when looking up users. Lower values are first.

  • rdn_ldap_attribute (pulumi.Input[str]) – Name of the LDAP attribute to use as the relative distinguished name.

  • read_timeout (pulumi.Input[str]) – LDAP read timeout (duration string)

  • realm_id (pulumi.Input[str]) – The realm this provider will provide user federation for.

  • search_scope (pulumi.Input[str]) – ONE_LEVEL: only search for users in the DN specified by users_dn. SUBTREE: search entire LDAP subtree.

  • sync_registrations (pulumi.Input[bool]) – When true, newly created users will be synced back to LDAP.

  • user_object_classes (pulumi.Input[list]) – All values of LDAP objectClass attribute for users in LDAP.

  • username_ldap_attribute (pulumi.Input[str]) – Name of the LDAP attribute to use as the Keycloak username.

  • users_dn (pulumi.Input[str]) – Full DN of LDAP tree where your users are.

  • uuid_ldap_attribute (pulumi.Input[str]) – Name of the LDAP attribute to use as a unique object identifier for objects in LDAP.

  • validate_password_policy (pulumi.Input[bool]) – When true, Keycloak will validate passwords using the realm policy before updating them.

  • vendor (pulumi.Input[str]) – LDAP vendor. I am almost certain this field does nothing, but the UI indicates that it is required.

The kerberos object supports the following:

  • kerberosRealm (pulumi.Input[str])

  • keyTab (pulumi.Input[str])

  • serverPrincipal (pulumi.Input[str])

  • useKerberosForPasswordAuthentication (pulumi.Input[bool])

batch_size_for_sync: pulumi.Output[float] = None

The number of users to sync within a single transaction.

bind_credential: pulumi.Output[str] = None

Password of LDAP admin.

bind_dn: pulumi.Output[str] = None

DN of the LDAP admin account that Keycloak will use to access the LDAP server.

changed_sync_period: pulumi.Output[float] = None

How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.

connection_timeout: pulumi.Output[str] = None

LDAP connection timeout (duration string)

connection_url: pulumi.Output[str] = None

Connection URL to the LDAP server.

custom_user_search_filter: pulumi.Output[str] = None

Additional LDAP filter for filtering searched users. Must begin with ‘(’ and end with ‘)’.

edit_mode: pulumi.Output[str] = None

READ_ONLY and WRITABLE are self-explanatory. UNSYNCED allows user data to be imported but not synced back to LDAP.

enabled: pulumi.Output[bool] = None

When false, this provider will not be used when performing queries for users.

full_sync_period: pulumi.Output[float] = None

How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync.

import_enabled: pulumi.Output[bool] = None

When true, LDAP users will be imported into the Keycloak database.

kerberos: pulumi.Output[dict] = None

Settings for Kerberos authentication for this realm.

  • kerberosRealm (str)

  • keyTab (str)

  • serverPrincipal (str)

  • useKerberosForPasswordAuthentication (bool)

name: pulumi.Output[str] = None

Display name of the provider when displayed in the console.

pagination: pulumi.Output[bool] = None

When true, Keycloak assumes the LDAP server supports pagination.

priority: pulumi.Output[float] = None

Priority of this provider when looking up users. Lower values are first.

rdn_ldap_attribute: pulumi.Output[str] = None

Name of the LDAP attribute to use as the relative distinguished name.

read_timeout: pulumi.Output[str] = None

LDAP read timeout (duration string)

realm_id: pulumi.Output[str] = None

The realm this provider will provide user federation for.

search_scope: pulumi.Output[str] = None

ONE_LEVEL: only search for users in the DN specified by users_dn. SUBTREE: search entire LDAP subtree.

sync_registrations: pulumi.Output[bool] = None

When true, newly created users will be synced back to LDAP.

user_object_classes: pulumi.Output[list] = None

All values of LDAP objectClass attribute for users in LDAP.

username_ldap_attribute: pulumi.Output[str] = None

Name of the LDAP attribute to use as the Keycloak username.

users_dn: pulumi.Output[str] = None

Full DN of LDAP tree where your users are.

uuid_ldap_attribute: pulumi.Output[str] = None

Name of the LDAP attribute to use as a unique object identifier for objects in LDAP.

validate_password_policy: pulumi.Output[bool] = None

When true, Keycloak will validate passwords using the realm policy before updating them.

vendor: pulumi.Output[str] = None

LDAP vendor. I am almost certain this field does nothing, but the UI indicates that it is required.

static get(resource_name, id, opts=None, batch_size_for_sync=None, bind_credential=None, bind_dn=None, cache_policy=None, changed_sync_period=None, connection_timeout=None, connection_url=None, custom_user_search_filter=None, edit_mode=None, enabled=None, full_sync_period=None, import_enabled=None, kerberos=None, name=None, pagination=None, priority=None, rdn_ldap_attribute=None, read_timeout=None, realm_id=None, search_scope=None, sync_registrations=None, use_truststore_spi=None, user_object_classes=None, username_ldap_attribute=None, users_dn=None, uuid_ldap_attribute=None, validate_password_policy=None, vendor=None)

Get an existing UserFederation resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • batch_size_for_sync (pulumi.Input[float]) – The number of users to sync within a single transaction.

  • bind_credential (pulumi.Input[str]) – Password of LDAP admin.

  • bind_dn (pulumi.Input[str]) – DN of the LDAP admin account that Keycloak will use to access the LDAP server.

  • changed_sync_period (pulumi.Input[float]) – How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.

  • connection_timeout (pulumi.Input[str]) – LDAP connection timeout (duration string)

  • connection_url (pulumi.Input[str]) – Connection URL to the LDAP server.

  • custom_user_search_filter (pulumi.Input[str]) – Additional LDAP filter for filtering searched users. Must begin with ‘(’ and end with ‘)’.

  • edit_mode (pulumi.Input[str]) – READ_ONLY and WRITABLE are self-explanatory. UNSYNCED allows user data to be imported but not synced back to LDAP.

  • enabled (pulumi.Input[bool]) – When false, this provider will not be used when performing queries for users.

  • full_sync_period (pulumi.Input[float]) – How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync.

  • import_enabled (pulumi.Input[bool]) – When true, LDAP users will be imported into the Keycloak database.

  • kerberos (pulumi.Input[dict]) – Settings for Kerberos authentication for this realm.

  • name (pulumi.Input[str]) – Display name of the provider when displayed in the console.

  • pagination (pulumi.Input[bool]) – When true, Keycloak assumes the LDAP server supports pagination.

  • priority (pulumi.Input[float]) – Priority of this provider when looking up users. Lower values are first.

  • rdn_ldap_attribute (pulumi.Input[str]) – Name of the LDAP attribute to use as the relative distinguished name.

  • read_timeout (pulumi.Input[str]) – LDAP read timeout (duration string)

  • realm_id (pulumi.Input[str]) – The realm this provider will provide user federation for.

  • search_scope (pulumi.Input[str]) – ONE_LEVEL: only search for users in the DN specified by users_dn. SUBTREE: search entire LDAP subtree.

  • sync_registrations (pulumi.Input[bool]) – When true, newly created users will be synced back to LDAP.

  • user_object_classes (pulumi.Input[list]) – All values of LDAP objectClass attribute for users in LDAP.

  • username_ldap_attribute (pulumi.Input[str]) – Name of the LDAP attribute to use as the Keycloak username.

  • users_dn (pulumi.Input[str]) – Full DN of LDAP tree where your users are.

  • uuid_ldap_attribute (pulumi.Input[str]) – Name of the LDAP attribute to use as a unique object identifier for objects in LDAP.

  • validate_password_policy (pulumi.Input[bool]) – When true, Keycloak will validate passwords using the realm policy before updating them.

  • vendor (pulumi.Input[str]) – LDAP vendor. I am almost certain this field does nothing, but the UI indicates that it is required.

The kerberos object supports the following:

  • kerberosRealm (pulumi.Input[str])

  • keyTab (pulumi.Input[str])

  • serverPrincipal (pulumi.Input[str])

  • useKerberosForPasswordAuthentication (pulumi.Input[bool])

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str