Docs
PackagesKeycloak v5.3.2 published on Friday, May 10, 2024 by Pulumi
keycloak.ldap.UserFederation
Explore with Pulumi AI
# keycloak.ldap.UserFederation
Allows for creating and managing LDAP user federation providers within Keycloak.
Keycloak can use an LDAP user federation provider to federate users to Keycloak from a directory system such as LDAP or Active Directory. Federated users will exist within the realm and will be able to log in to clients. Federated users can have their attributes defined using mappers.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";
const realm = new keycloak.Realm("realm", {
realm: "test",
enabled: true,
});
const ldapUserFederation = new keycloak.ldap.UserFederation("ldap_user_federation", {
name: "openldap",
realmId: realm.id,
enabled: true,
usernameLdapAttribute: "cn",
rdnLdapAttribute: "cn",
uuidLdapAttribute: "entryDN",
userObjectClasses: [
"simpleSecurityObject",
"organizationalRole",
],
connectionUrl: "ldap://openldap",
usersDn: "dc=example,dc=org",
bindDn: "cn=admin,dc=example,dc=org",
bindCredential: "admin",
connectionTimeout: "5s",
readTimeout: "10s",
});
import pulumi
import pulumi_keycloak as keycloak
realm = keycloak.Realm("realm",
realm="test",
enabled=True)
ldap_user_federation = keycloak.ldap.UserFederation("ldap_user_federation",
name="openldap",
realm_id=realm.id,
enabled=True,
username_ldap_attribute="cn",
rdn_ldap_attribute="cn",
uuid_ldap_attribute="entryDN",
user_object_classes=[
"simpleSecurityObject",
"organizationalRole",
],
connection_url="ldap://openldap",
users_dn="dc=example,dc=org",
bind_dn="cn=admin,dc=example,dc=org",
bind_credential="admin",
connection_timeout="5s",
read_timeout="10s")
package main
import (
"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak"
"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/ldap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
Realm: pulumi.String("test"),
Enabled: pulumi.Bool(true),
})
if err != nil {
return err
}
_, err = ldap.NewUserFederation(ctx, "ldap_user_federation", &ldap.UserFederationArgs{
Name: pulumi.String("openldap"),
RealmId: realm.ID(),
Enabled: pulumi.Bool(true),
UsernameLdapAttribute: pulumi.String("cn"),
RdnLdapAttribute: pulumi.String("cn"),
UuidLdapAttribute: pulumi.String("entryDN"),
UserObjectClasses: pulumi.StringArray{
pulumi.String("simpleSecurityObject"),
pulumi.String("organizationalRole"),
},
ConnectionUrl: pulumi.String("ldap://openldap"),
UsersDn: pulumi.String("dc=example,dc=org"),
BindDn: pulumi.String("cn=admin,dc=example,dc=org"),
BindCredential: pulumi.String("admin"),
ConnectionTimeout: pulumi.String("5s"),
ReadTimeout: pulumi.String("10s"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Keycloak = Pulumi.Keycloak;
return await Deployment.RunAsync(() =>
{
var realm = new Keycloak.Realm("realm", new()
{
RealmName = "test",
Enabled = true,
});
var ldapUserFederation = new Keycloak.Ldap.UserFederation("ldap_user_federation", new()
{
Name = "openldap",
RealmId = realm.Id,
Enabled = true,
UsernameLdapAttribute = "cn",
RdnLdapAttribute = "cn",
UuidLdapAttribute = "entryDN",
UserObjectClasses = new[]
{
"simpleSecurityObject",
"organizationalRole",
},
ConnectionUrl = "ldap://openldap",
UsersDn = "dc=example,dc=org",
BindDn = "cn=admin,dc=example,dc=org",
BindCredential = "admin",
ConnectionTimeout = "5s",
ReadTimeout = "10s",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.Realm;
import com.pulumi.keycloak.RealmArgs;
import com.pulumi.keycloak.ldap.UserFederation;
import com.pulumi.keycloak.ldap.UserFederationArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var realm = new Realm("realm", RealmArgs.builder()
.realm("test")
.enabled(true)
.build());
var ldapUserFederation = new UserFederation("ldapUserFederation", UserFederationArgs.builder()
.name("openldap")
.realmId(realm.id())
.enabled(true)
.usernameLdapAttribute("cn")
.rdnLdapAttribute("cn")
.uuidLdapAttribute("entryDN")
.userObjectClasses(
"simpleSecurityObject",
"organizationalRole")
.connectionUrl("ldap://openldap")
.usersDn("dc=example,dc=org")
.bindDn("cn=admin,dc=example,dc=org")
.bindCredential("admin")
.connectionTimeout("5s")
.readTimeout("10s")
.build());
}
}
resources:
realm:
type: keycloak:Realm
properties:
realm: test
enabled: true
ldapUserFederation:
type: keycloak:ldap:UserFederation
name: ldap_user_federation
properties:
name: openldap
realmId: ${realm.id}
enabled: true
usernameLdapAttribute: cn
rdnLdapAttribute: cn
uuidLdapAttribute: entryDN
userObjectClasses:
- simpleSecurityObject
- organizationalRole
connectionUrl: ldap://openldap
usersDn: dc=example,dc=org
bindDn: cn=admin,dc=example,dc=org
bindCredential: admin
connectionTimeout: 5s
readTimeout: 10s
Argument Reference
The following arguments are supported:
realm_id- (Required) The realm that this provider will provide user federation for.name- (Required) Display name of the provider when displayed in the console.enabled- (Optional) Whenfalse, this provider will not be used when performing queries for users. Defaults totrue.priority- (Optional) Priority of this provider when looking up users. Lower values are first. Defaults to0.import_enabled- (Optional) Whentrue, LDAP users will be imported into the Keycloak database. Defaults totrue.edit_mode- (Optional) Can be one ofREAD_ONLY,WRITABLE, orUNSYNCED.UNSYNCEDallows user data to be imported but not synced back to LDAP. Defaults toREAD_ONLY.sync_registrations- (Optional) Whentrue, newly created users will be synced back to LDAP. Defaults tofalse.vendor- (Optional) Can be one ofOTHER,EDIRECTORY,AD,RHDS, orTIVOLI. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults toOPTIONAL.username_ldap_attribute- (Required) Name of the LDAP attribute to use as the Keycloak username.rdn_ldap_attribute- (Required) Name of the LDAP attribute to use as the relative distinguished name.uuid_ldap_attribute- (Required) Name of the LDAP attribute to use as a unique object identifier for objects in LDAP.user_object_classes- (Required) Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one.connection_url- (Required) Connection URL to the LDAP server.users_dn- (Required) Full DN of LDAP tree where your users are.bind_dn- (Optional) DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set ifbind_credentialis set.bind_credential- (Optional) Password of LDAP admin. This attribute must be set ifbind_dnis set.custom_user_search_filter- (Optional) Additional LDAP filter for filtering searched users. Must begin with(and end with).search_scope- (Optional) Can be one ofONE_LEVELorSUBTREE:ONE_LEVEL: Only search for users in the DN specified byuser_dn.SUBTREE: Search entire LDAP subtree.
validate_password_policy- (Optional) Whentrue, Keycloak will validate passwords using the realm policy before updating it.use_truststore_spi- (Optional) Can be one ofALWAYS,ONLY_FOR_LDAPS, orNEVER:ALWAYS- Always use the truststore SPI for LDAP connections.NEVER- Never use the truststore SPI for LDAP connections.ONLY_FOR_LDAPS- Only use the truststore SPI if your LDAP connection uses the ldaps protocol.
connection_timeout- (Optional) LDAP connection timeout in the format of a Go duration string.read_timeout- (Optional) LDAP read timeout in the format of a Go duration string.pagination- (Optional) When true, Keycloak assumes the LDAP server supports pagination. Defaults totrue.batch_size_for_sync- (Optional) The number of users to sync within a single transaction. Defaults to1000.full_sync_period- (Optional) How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync.changed_sync_period- (Optional) How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.cache_policy- (Optional) Can be one ofDEFAULT,EVICT_DAILY,EVICT_WEEKLY,MAX_LIFESPAN, orNO_CACHE. Defaults toDEFAULT.
Import
LDAP user federation providers can be imported using the format {{realm_id}}/{{ldap_user_federation_id}}.
The ID of the LDAP user federation provider can be found within the Keycloak GUI and is typically a GUID:
$ terraform import keycloak_ldap_user_federation.ldap_user_federation my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860
Create UserFederation Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new UserFederation(name: string, args: UserFederationArgs, opts?: CustomResourceOptions);@overload
def UserFederation(resource_name: str,
args: UserFederationArgs,
opts: Optional[ResourceOptions] = None)
@overload
def UserFederation(resource_name: str,
opts: Optional[ResourceOptions] = None,
rdn_ldap_attribute: Optional[str] = None,
uuid_ldap_attribute: Optional[str] = None,
users_dn: Optional[str] = None,
username_ldap_attribute: Optional[str] = None,
user_object_classes: Optional[Sequence[str]] = None,
realm_id: Optional[str] = None,
connection_url: Optional[str] = None,
priority: Optional[int] = None,
search_scope: Optional[str] = None,
edit_mode: Optional[str] = None,
enabled: Optional[bool] = None,
full_sync_period: Optional[int] = None,
import_enabled: Optional[bool] = None,
kerberos: Optional[UserFederationKerberosArgs] = None,
name: Optional[str] = None,
pagination: Optional[bool] = None,
batch_size_for_sync: Optional[int] = None,
custom_user_search_filter: Optional[str] = None,
read_timeout: Optional[str] = None,
connection_timeout: Optional[str] = None,
delete_default_mappers: Optional[bool] = None,
start_tls: Optional[bool] = None,
sync_registrations: Optional[bool] = None,
trust_email: Optional[bool] = None,
use_password_modify_extended_op: Optional[bool] = None,
use_truststore_spi: Optional[str] = None,
changed_sync_period: Optional[int] = None,
cache: Optional[UserFederationCacheArgs] = None,
bind_dn: Optional[str] = None,
bind_credential: Optional[str] = None,
validate_password_policy: Optional[bool] = None,
vendor: Optional[str] = None)func NewUserFederation(ctx *Context, name string, args UserFederationArgs, opts ...ResourceOption) (*UserFederation, error)public UserFederation(string name, UserFederationArgs args, CustomResourceOptions? opts = null)
public UserFederation(String name, UserFederationArgs args)
public UserFederation(String name, UserFederationArgs args, CustomResourceOptions options)
type: keycloak:ldap:UserFederation
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args UserFederationArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args UserFederationArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args UserFederationArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args UserFederationArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args UserFederationArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var userFederationResource = new Keycloak.Ldap.UserFederation("userFederationResource", new()
{
RdnLdapAttribute = "string",
UuidLdapAttribute = "string",
UsersDn = "string",
UsernameLdapAttribute = "string",
UserObjectClasses = new[]
{
"string",
},
RealmId = "string",
ConnectionUrl = "string",
Priority = 0,
SearchScope = "string",
EditMode = "string",
Enabled = false,
FullSyncPeriod = 0,
ImportEnabled = false,
Kerberos = new Keycloak.Ldap.Inputs.UserFederationKerberosArgs
{
KerberosRealm = "string",
KeyTab = "string",
ServerPrincipal = "string",
UseKerberosForPasswordAuthentication = false,
},
Name = "string",
Pagination = false,
BatchSizeForSync = 0,
CustomUserSearchFilter = "string",
ReadTimeout = "string",
ConnectionTimeout = "string",
DeleteDefaultMappers = false,
StartTls = false,
SyncRegistrations = false,
TrustEmail = false,
UsePasswordModifyExtendedOp = false,
UseTruststoreSpi = "string",
ChangedSyncPeriod = 0,
Cache = new Keycloak.Ldap.Inputs.UserFederationCacheArgs
{
EvictionDay = 0,
EvictionHour = 0,
EvictionMinute = 0,
MaxLifespan = "string",
Policy = "string",
},
BindDn = "string",
BindCredential = "string",
ValidatePasswordPolicy = false,
Vendor = "string",
});
example, err := ldap.NewUserFederation(ctx, "userFederationResource", &ldap.UserFederationArgs{
RdnLdapAttribute: pulumi.String("string"),
UuidLdapAttribute: pulumi.String("string"),
UsersDn: pulumi.String("string"),
UsernameLdapAttribute: pulumi.String("string"),
UserObjectClasses: pulumi.StringArray{
pulumi.String("string"),
},
RealmId: pulumi.String("string"),
ConnectionUrl: pulumi.String("string"),
Priority: pulumi.Int(0),
SearchScope: pulumi.String("string"),
EditMode: pulumi.String("string"),
Enabled: pulumi.Bool(false),
FullSyncPeriod: pulumi.Int(0),
ImportEnabled: pulumi.Bool(false),
Kerberos: &ldap.UserFederationKerberosArgs{
KerberosRealm: pulumi.String("string"),
KeyTab: pulumi.String("string"),
ServerPrincipal: pulumi.String("string"),
UseKerberosForPasswordAuthentication: pulumi.Bool(false),
},
Name: pulumi.String("string"),
Pagination: pulumi.Bool(false),
BatchSizeForSync: pulumi.Int(0),
CustomUserSearchFilter: pulumi.String("string"),
ReadTimeout: pulumi.String("string"),
ConnectionTimeout: pulumi.String("string"),
DeleteDefaultMappers: pulumi.Bool(false),
StartTls: pulumi.Bool(false),
SyncRegistrations: pulumi.Bool(false),
TrustEmail: pulumi.Bool(false),
UsePasswordModifyExtendedOp: pulumi.Bool(false),
UseTruststoreSpi: pulumi.String("string"),
ChangedSyncPeriod: pulumi.Int(0),
Cache: &ldap.UserFederationCacheArgs{
EvictionDay: pulumi.Int(0),
EvictionHour: pulumi.Int(0),
EvictionMinute: pulumi.Int(0),
MaxLifespan: pulumi.String("string"),
Policy: pulumi.String("string"),
},
BindDn: pulumi.String("string"),
BindCredential: pulumi.String("string"),
ValidatePasswordPolicy: pulumi.Bool(false),
Vendor: pulumi.String("string"),
})
var userFederationResource = new UserFederation("userFederationResource", UserFederationArgs.builder()
.rdnLdapAttribute("string")
.uuidLdapAttribute("string")
.usersDn("string")
.usernameLdapAttribute("string")
.userObjectClasses("string")
.realmId("string")
.connectionUrl("string")
.priority(0)
.searchScope("string")
.editMode("string")
.enabled(false)
.fullSyncPeriod(0)
.importEnabled(false)
.kerberos(UserFederationKerberosArgs.builder()
.kerberosRealm("string")
.keyTab("string")
.serverPrincipal("string")
.useKerberosForPasswordAuthentication(false)
.build())
.name("string")
.pagination(false)
.batchSizeForSync(0)
.customUserSearchFilter("string")
.readTimeout("string")
.connectionTimeout("string")
.deleteDefaultMappers(false)
.startTls(false)
.syncRegistrations(false)
.trustEmail(false)
.usePasswordModifyExtendedOp(false)
.useTruststoreSpi("string")
.changedSyncPeriod(0)
.cache(UserFederationCacheArgs.builder()
.evictionDay(0)
.evictionHour(0)
.evictionMinute(0)
.maxLifespan("string")
.policy("string")
.build())
.bindDn("string")
.bindCredential("string")
.validatePasswordPolicy(false)
.vendor("string")
.build());
user_federation_resource = keycloak.ldap.UserFederation("userFederationResource",
rdn_ldap_attribute="string",
uuid_ldap_attribute="string",
users_dn="string",
username_ldap_attribute="string",
user_object_classes=["string"],
realm_id="string",
connection_url="string",
priority=0,
search_scope="string",
edit_mode="string",
enabled=False,
full_sync_period=0,
import_enabled=False,
kerberos=keycloak.ldap.UserFederationKerberosArgs(
kerberos_realm="string",
key_tab="string",
server_principal="string",
use_kerberos_for_password_authentication=False,
),
name="string",
pagination=False,
batch_size_for_sync=0,
custom_user_search_filter="string",
read_timeout="string",
connection_timeout="string",
delete_default_mappers=False,
start_tls=False,
sync_registrations=False,
trust_email=False,
use_password_modify_extended_op=False,
use_truststore_spi="string",
changed_sync_period=0,
cache=keycloak.ldap.UserFederationCacheArgs(
eviction_day=0,
eviction_hour=0,
eviction_minute=0,
max_lifespan="string",
policy="string",
),
bind_dn="string",
bind_credential="string",
validate_password_policy=False,
vendor="string")
const userFederationResource = new keycloak.ldap.UserFederation("userFederationResource", {
rdnLdapAttribute: "string",
uuidLdapAttribute: "string",
usersDn: "string",
usernameLdapAttribute: "string",
userObjectClasses: ["string"],
realmId: "string",
connectionUrl: "string",
priority: 0,
searchScope: "string",
editMode: "string",
enabled: false,
fullSyncPeriod: 0,
importEnabled: false,
kerberos: {
kerberosRealm: "string",
keyTab: "string",
serverPrincipal: "string",
useKerberosForPasswordAuthentication: false,
},
name: "string",
pagination: false,
batchSizeForSync: 0,
customUserSearchFilter: "string",
readTimeout: "string",
connectionTimeout: "string",
deleteDefaultMappers: false,
startTls: false,
syncRegistrations: false,
trustEmail: false,
usePasswordModifyExtendedOp: false,
useTruststoreSpi: "string",
changedSyncPeriod: 0,
cache: {
evictionDay: 0,
evictionHour: 0,
evictionMinute: 0,
maxLifespan: "string",
policy: "string",
},
bindDn: "string",
bindCredential: "string",
validatePasswordPolicy: false,
vendor: "string",
});
type: keycloak:ldap:UserFederation
properties:
batchSizeForSync: 0
bindCredential: string
bindDn: string
cache:
evictionDay: 0
evictionHour: 0
evictionMinute: 0
maxLifespan: string
policy: string
changedSyncPeriod: 0
connectionTimeout: string
connectionUrl: string
customUserSearchFilter: string
deleteDefaultMappers: false
editMode: string
enabled: false
fullSyncPeriod: 0
importEnabled: false
kerberos:
kerberosRealm: string
keyTab: string
serverPrincipal: string
useKerberosForPasswordAuthentication: false
name: string
pagination: false
priority: 0
rdnLdapAttribute: string
readTimeout: string
realmId: string
searchScope: string
startTls: false
syncRegistrations: false
trustEmail: false
usePasswordModifyExtendedOp: false
useTruststoreSpi: string
userObjectClasses:
- string
usernameLdapAttribute: string
usersDn: string
uuidLdapAttribute: string
validatePasswordPolicy: false
vendor: string
UserFederation Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The UserFederation resource accepts the following input properties:
- Connection
Url string - Connection URL to the LDAP server.
- Rdn
Ldap stringAttribute - Name of the LDAP attribute to use as the relative distinguished name.
- Realm
Id string - The realm this provider will provide user federation for.
- User
Object List<string>Classes - All values of LDAP objectClass attribute for users in LDAP.
- Username
Ldap stringAttribute - Name of the LDAP attribute to use as the Keycloak username.
- Users
Dn string - Full DN of LDAP tree where your users are.
- Uuid
Ldap stringAttribute - Name of the LDAP attribute to use as a unique object identifier for objects in LDAP.
- Batch
Size intFor Sync - The number of users to sync within a single transaction.
- Bind
Credential string - Password of LDAP admin.
- Bind
Dn string - DN of LDAP admin, which will be used by Keycloak to access LDAP server.
- Cache
User
Federation Cache - Settings regarding cache policy for this realm.
- Changed
Sync intPeriod - How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.
- Connection
Timeout string - LDAP connection timeout (duration string)
- Custom
User stringSearch Filter - Additional LDAP filter for filtering searched users. Must begin with '(' and end with ')'.
- Delete
Default boolMappers - When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP user federation provider.
- Edit
Mode string - READ_ONLY and WRITABLE are self-explanatory. UNSYNCED allows user data to be imported but not synced back to LDAP.
- Enabled bool
- When false, this provider will not be used when performing queries for users.
- Full
Sync intPeriod - How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync.
- Import
Enabled bool - When true, LDAP users will be imported into the Keycloak database.
- Kerberos
User
Federation Kerberos - Settings regarding kerberos authentication for this realm.
- Name string
- Display name of the provider when displayed in the console.
- Pagination bool
- When true, Keycloak assumes the LDAP server supports pagination.
- Priority int
- Priority of this provider when looking up users. Lower values are first.
- Read
Timeout string - LDAP read timeout (duration string)
- Search
Scope string - ONE_LEVEL: only search for users in the DN specified by user_dn. SUBTREE: search entire LDAP subtree.
- Start
Tls bool - When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling.
- Sync
Registrations bool - When true, newly created users will be synced back to LDAP.
- Trust
Email bool - If enabled, email provided by this provider is not verified even if verification is enabled for the realm.
- Use
Password boolModify Extended Op - When
true, use the LDAPv3 Password Modify Extended Operation (RFC-3062). - Use
Truststore stringSpi - Validate
Password boolPolicy - When true, Keycloak will validate passwords using the realm policy before updating it.
- Vendor string
- LDAP vendor. I am almost certain this field does nothing, but the UI indicates that it is required.
- Connection
Url string - Connection URL to the LDAP server.
- Rdn
Ldap stringAttribute - Name of the LDAP attribute to use as the relative distinguished name.
- Realm
Id string - The realm this provider will provide user federation for.
- User
Object []stringClasses - All values of LDAP objectClass attribute for users in LDAP.
- Username
Ldap stringAttribute - Name of the LDAP attribute to use as the Keycloak username.
- Users
Dn string - Full DN of LDAP tree where your users are.
- Uuid
Ldap stringAttribute - Name of the LDAP attribute to use as a unique object identifier for objects in LDAP.
- Batch
Size intFor Sync - The number of users to sync within a single transaction.
- Bind
Credential string - Password of LDAP admin.
- Bind
Dn string - DN of LDAP admin, which will be used by Keycloak to access LDAP server.
- Cache
User
Federation Cache Args - Settings regarding cache policy for this realm.
- Changed
Sync intPeriod - How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.
- Connection
Timeout string - LDAP connection timeout (duration string)
- Custom
User stringSearch Filter - Additional LDAP filter for filtering searched users. Must begin with '(' and end with ')'.
- Delete
Default boolMappers - When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP user federation provider.
- Edit
Mode string - READ_ONLY and WRITABLE are self-explanatory. UNSYNCED allows user data to be imported but not synced back to LDAP.
- Enabled bool
- When false, this provider will not be used when performing queries for users.
- Full
Sync intPeriod - How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync.
- Import
Enabled bool - When true, LDAP users will be imported into the Keycloak database.
- Kerberos
User
Federation Kerberos Args - Settings regarding kerberos authentication for this realm.
- Name string
- Display name of the provider when displayed in the console.
- Pagination bool
- When true, Keycloak assumes the LDAP server supports pagination.
- Priority int
- Priority of this provider when looking up users. Lower values are first.
- Read
Timeout string - LDAP read timeout (duration string)
- Search
Scope string - ONE_LEVEL: only search for users in the DN specified by user_dn. SUBTREE: search entire LDAP subtree.
- Start
Tls bool - When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling.
- Sync
Registrations bool - When true, newly created users will be synced back to LDAP.
- Trust
Email bool - If enabled, email provided by this provider is not verified even if verification is enabled for the realm.
- Use
Password boolModify Extended Op - When
true, use the LDAPv3 Password Modify Extended Operation (RFC-3062). - Use
Truststore stringSpi - Validate
Password boolPolicy - When true, Keycloak will validate passwords using the realm policy before updating it.
- Vendor string
- LDAP vendor. I am almost certain this field does nothing, but the UI indicates that it is required.
- connection
Url String - Connection URL to the LDAP server.
- rdn
Ldap StringAttribute - Name of the LDAP attribute to use as the relative distinguished name.
- realm
Id String - The realm this provider will provide user federation for.
- user
Object List<String>Classes - All values of LDAP objectClass attribute for users in LDAP.
- username
Ldap StringAttribute - Name of the LDAP attribute to use as the Keycloak username.
- users
Dn String - Full DN of LDAP tree where your users are.
- uuid
Ldap StringAttribute - Name of the LDAP attribute to use as a unique object identifier for objects in LDAP.
- batch
Size IntegerFor Sync - The number of users to sync within a single transaction.
- bind
Credential String - Password of LDAP admin.
- bind
Dn String - DN of LDAP admin, which will be used by Keycloak to access LDAP server.
- cache
User
Federation Cache - Settings regarding cache policy for this realm.
- changed
Sync IntegerPeriod - How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.
- connection
Timeout String - LDAP connection timeout (duration string)
- custom
User StringSearch Filter - Additional LDAP filter for filtering searched users. Must begin with '(' and end with ')'.
- delete
Default BooleanMappers - When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP user federation provider.
- edit
Mode String - READ_ONLY and WRITABLE are self-explanatory. UNSYNCED allows user data to be imported but not synced back to LDAP.
- enabled Boolean
- When false, this provider will not be used when performing queries for users.
- full
Sync IntegerPeriod - How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync.
- import
Enabled Boolean - When true, LDAP users will be imported into the Keycloak database.
- kerberos
User
Federation Kerberos - Settings regarding kerberos authentication for this realm.
- name String
- Display name of the provider when displayed in the console.
- pagination Boolean
- When true, Keycloak assumes the LDAP server supports pagination.
- priority Integer
- Priority of this provider when looking up users. Lower values are first.
- read
Timeout String - LDAP read timeout (duration string)
- search
Scope String - ONE_LEVEL: only search for users in the DN specified by user_dn. SUBTREE: search entire LDAP subtree.
- start
Tls Boolean - When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling.
- sync
Registrations Boolean - When true, newly created users will be synced back to LDAP.
- trust
Email Boolean - If enabled, email provided by this provider is not verified even if verification is enabled for the realm.
- use
Password BooleanModify Extended Op - When
true, use the LDAPv3 Password Modify Extended Operation (RFC-3062). - use
Truststore StringSpi - validate
Password BooleanPolicy - When true, Keycloak will validate passwords using the realm policy before updating it.
- vendor String
- LDAP vendor. I am almost certain this field does nothing, but the UI indicates that it is required.
- connection
Url string - Connection URL to the LDAP server.
- rdn
Ldap stringAttribute - Name of the LDAP attribute to use as the relative distinguished name.
- realm
Id string - The realm this provider will provide user federation for.
- user
Object string[]Classes - All values of LDAP objectClass attribute for users in LDAP.
- username
Ldap stringAttribute - Name of the LDAP attribute to use as the Keycloak username.
- users
Dn string - Full DN of LDAP tree where your users are.
- uuid
Ldap stringAttribute - Name of the LDAP attribute to use as a unique object identifier for objects in LDAP.
- batch
Size numberFor Sync - The number of users to sync within a single transaction.
- bind
Credential string - Password of LDAP admin.
- bind
Dn string - DN of LDAP admin, which will be used by Keycloak to access LDAP server.
- cache
User
Federation Cache - Settings regarding cache policy for this realm.
- changed
Sync numberPeriod - How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.
- connection
Timeout string - LDAP connection timeout (duration string)
- custom
User stringSearch Filter - Additional LDAP filter for filtering searched users. Must begin with '(' and end with ')'.
- delete
Default booleanMappers - When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP user federation provider.
- edit
Mode string - READ_ONLY and WRITABLE are self-explanatory. UNSYNCED allows user data to be imported but not synced back to LDAP.
- enabled boolean
- When false, this provider will not be used when performing queries for users.
- full
Sync numberPeriod - How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync.
- import
Enabled boolean - When true, LDAP users will be imported into the Keycloak database.
- kerberos
User
Federation Kerberos - Settings regarding kerberos authentication for this realm.
- name string
- Display name of the provider when displayed in the console.
- pagination boolean
- When true, Keycloak assumes the LDAP server supports pagination.
- priority number
- Priority of this provider when looking up users. Lower values are first.
- read
Timeout string - LDAP read timeout (duration string)
- search
Scope string - ONE_LEVEL: only search for users in the DN specified by user_dn. SUBTREE: search entire LDAP subtree.
- start
Tls boolean - When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling.
- sync
Registrations boolean - When true, newly created users will be synced back to LDAP.
- trust
Email boolean - If enabled, email provided by this provider is not verified even if verification is enabled for the realm.
- use
Password booleanModify Extended Op - When
true, use the LDAPv3 Password Modify Extended Operation (RFC-3062). - use
Truststore stringSpi - validate
Password booleanPolicy - When true, Keycloak will validate passwords using the realm policy before updating it.
- vendor string
- LDAP vendor. I am almost certain this field does nothing, but the UI indicates that it is required.
- connection_
url str - Connection URL to the LDAP server.
- rdn_
ldap_ strattribute - Name of the LDAP attribute to use as the relative distinguished name.
- realm_
id str - The realm this provider will provide user federation for.
- user_
object_ Sequence[str]classes - All values of LDAP objectClass attribute for users in LDAP.
- username_
ldap_ strattribute - Name of the LDAP attribute to use as the Keycloak username.
- users_
dn str - Full DN of LDAP tree where your users are.
- uuid_
ldap_ strattribute - Name of the LDAP attribute to use as a unique object identifier for objects in LDAP.
- batch_
size_ intfor_ sync - The number of users to sync within a single transaction.
- bind_
credential str - Password of LDAP admin.
- bind_
dn str - DN of LDAP admin, which will be used by Keycloak to access LDAP server.
- cache
User
Federation Cache Args - Settings regarding cache policy for this realm.
- changed_
sync_ intperiod - How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.
- connection_
timeout str - LDAP connection timeout (duration string)
- custom_
user_ strsearch_ filter - Additional LDAP filter for filtering searched users. Must begin with '(' and end with ')'.
- delete_
default_ boolmappers - When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP user federation provider.
- edit_
mode str - READ_ONLY and WRITABLE are self-explanatory. UNSYNCED allows user data to be imported but not synced back to LDAP.
- enabled bool
- When false, this provider will not be used when performing queries for users.
- full_
sync_ intperiod - How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync.
- import_
enabled bool - When true, LDAP users will be imported into the Keycloak database.
- kerberos
User
Federation Kerberos Args - Settings regarding kerberos authentication for this realm.
- name str
- Display name of the provider when displayed in the console.
- pagination bool
- When true, Keycloak assumes the LDAP server supports pagination.
- priority int
- Priority of this provider when looking up users. Lower values are first.
- read_
timeout str - LDAP read timeout (duration string)
- search_
scope str - ONE_LEVEL: only search for users in the DN specified by user_dn. SUBTREE: search entire LDAP subtree.
- start_
tls bool - When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling.
- sync_
registrations bool - When true, newly created users will be synced back to LDAP.
- trust_
email bool - If enabled, email provided by this provider is not verified even if verification is enabled for the realm.
- use_
password_ boolmodify_ extended_ op - When
true, use the LDAPv3 Password Modify Extended Operation (RFC-3062). - use_
truststore_ strspi - validate_
password_ boolpolicy - When true, Keycloak will validate passwords using the realm policy before updating it.
- vendor str
- LDAP vendor. I am almost certain this field does nothing, but the UI indicates that it is required.
- connection
Url String - Connection URL to the LDAP server.
- rdn
Ldap StringAttribute - Name of the LDAP attribute to use as the relative distinguished name.
- realm
Id String - The realm this provider will provide user federation for.
- user
Object List<String>Classes - All values of LDAP objectClass attribute for users in LDAP.
- username
Ldap StringAttribute - Name of the LDAP attribute to use as the Keycloak username.
- users
Dn String - Full DN of LDAP tree where your users are.
- uuid
Ldap StringAttribute - Name of the LDAP attribute to use as a unique object identifier for objects in LDAP.
- batch
Size NumberFor Sync - The number of users to sync within a single transaction.
- bind
Credential String - Password of LDAP admin.
- bind
Dn String - DN of LDAP admin, which will be used by Keycloak to access LDAP server.
- cache Property Map
- Settings regarding cache policy for this realm.
- changed
Sync NumberPeriod - How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.
- connection
Timeout String - LDAP connection timeout (duration string)
- custom
User StringSearch Filter - Additional LDAP filter for filtering searched users. Must begin with '(' and end with ')'.
- delete
Default BooleanMappers - When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP user federation provider.
- edit
Mode String - READ_ONLY and WRITABLE are self-explanatory. UNSYNCED allows user data to be imported but not synced back to LDAP.
- enabled Boolean
- When false, this provider will not be used when performing queries for users.
- full
Sync NumberPeriod - How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync.
- import
Enabled Boolean - When true, LDAP users will be imported into the Keycloak database.
- kerberos Property Map
- Settings regarding kerberos authentication for this realm.
- name String
- Display name of the provider when displayed in the console.
- pagination Boolean
- When true, Keycloak assumes the LDAP server supports pagination.
- priority Number
- Priority of this provider when looking up users. Lower values are first.
- read
Timeout String - LDAP read timeout (duration string)
- search
Scope String - ONE_LEVEL: only search for users in the DN specified by user_dn. SUBTREE: search entire LDAP subtree.
- start
Tls Boolean - When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling.
- sync
Registrations Boolean - When true, newly created users will be synced back to LDAP.
- trust
Email Boolean - If enabled, email provided by this provider is not verified even if verification is enabled for the realm.
- use
Password BooleanModify Extended Op - When
true, use the LDAPv3 Password Modify Extended Operation (RFC-3062). - use
Truststore StringSpi - validate
Password BooleanPolicy - When true, Keycloak will validate passwords using the realm policy before updating it.
- vendor String
- LDAP vendor. I am almost certain this field does nothing, but the UI indicates that it is required.
Outputs
All input properties are implicitly available as output properties. Additionally, the UserFederation resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id str
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing UserFederation Resource
Get an existing UserFederation resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: UserFederationState, opts?: CustomResourceOptions): UserFederation@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
batch_size_for_sync: Optional[int] = None,
bind_credential: Optional[str] = None,
bind_dn: Optional[str] = None,
cache: Optional[UserFederationCacheArgs] = None,
changed_sync_period: Optional[int] = None,
connection_timeout: Optional[str] = None,
connection_url: Optional[str] = None,
custom_user_search_filter: Optional[str] = None,
delete_default_mappers: Optional[bool] = None,
edit_mode: Optional[str] = None,
enabled: Optional[bool] = None,
full_sync_period: Optional[int] = None,
import_enabled: Optional[bool] = None,
kerberos: Optional[UserFederationKerberosArgs] = None,
name: Optional[str] = None,
pagination: Optional[bool] = None,
priority: Optional[int] = None,
rdn_ldap_attribute: Optional[str] = None,
read_timeout: Optional[str] = None,
realm_id: Optional[str] = None,
search_scope: Optional[str] = None,
start_tls: Optional[bool] = None,
sync_registrations: Optional[bool] = None,
trust_email: Optional[bool] = None,
use_password_modify_extended_op: Optional[bool] = None,
use_truststore_spi: Optional[str] = None,
user_object_classes: Optional[Sequence[str]] = None,
username_ldap_attribute: Optional[str] = None,
users_dn: Optional[str] = None,
uuid_ldap_attribute: Optional[str] = None,
validate_password_policy: Optional[bool] = None,
vendor: Optional[str] = None) -> UserFederationfunc GetUserFederation(ctx *Context, name string, id IDInput, state *UserFederationState, opts ...ResourceOption) (*UserFederation, error)public static UserFederation Get(string name, Input<string> id, UserFederationState? state, CustomResourceOptions? opts = null)public static UserFederation get(String name, Output<String> id, UserFederationState state, CustomResourceOptions options)Resource lookup is not supported in YAML- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Batch
Size intFor Sync - The number of users to sync within a single transaction.
- Bind
Credential string - Password of LDAP admin.
- Bind
Dn string - DN of LDAP admin, which will be used by Keycloak to access LDAP server.
- Cache
User
Federation Cache - Settings regarding cache policy for this realm.
- Changed
Sync intPeriod - How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.
- Connection
Timeout string - LDAP connection timeout (duration string)
- Connection
Url string - Connection URL to the LDAP server.
- Custom
User stringSearch Filter - Additional LDAP filter for filtering searched users. Must begin with '(' and end with ')'.
- Delete
Default boolMappers - When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP user federation provider.
- Edit
Mode string - READ_ONLY and WRITABLE are self-explanatory. UNSYNCED allows user data to be imported but not synced back to LDAP.
- Enabled bool
- When false, this provider will not be used when performing queries for users.
- Full
Sync intPeriod - How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync.
- Import
Enabled bool - When true, LDAP users will be imported into the Keycloak database.
- Kerberos
User
Federation Kerberos - Settings regarding kerberos authentication for this realm.
- Name string
- Display name of the provider when displayed in the console.
- Pagination bool
- When true, Keycloak assumes the LDAP server supports pagination.
- Priority int
- Priority of this provider when looking up users. Lower values are first.
- Rdn
Ldap stringAttribute - Name of the LDAP attribute to use as the relative distinguished name.
- Read
Timeout string - LDAP read timeout (duration string)
- Realm
Id string - The realm this provider will provide user federation for.
- Search
Scope string - ONE_LEVEL: only search for users in the DN specified by user_dn. SUBTREE: search entire LDAP subtree.
- Start
Tls bool - When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling.
- Sync
Registrations bool - When true, newly created users will be synced back to LDAP.
- Trust
Email bool - If enabled, email provided by this provider is not verified even if verification is enabled for the realm.
- Use
Password boolModify Extended Op - When
true, use the LDAPv3 Password Modify Extended Operation (RFC-3062). - Use
Truststore stringSpi - User
Object List<string>Classes - All values of LDAP objectClass attribute for users in LDAP.
- Username
Ldap stringAttribute - Name of the LDAP attribute to use as the Keycloak username.
- Users
Dn string - Full DN of LDAP tree where your users are.
- Uuid
Ldap stringAttribute - Name of the LDAP attribute to use as a unique object identifier for objects in LDAP.
- Validate
Password boolPolicy - When true, Keycloak will validate passwords using the realm policy before updating it.
- Vendor string
- LDAP vendor. I am almost certain this field does nothing, but the UI indicates that it is required.
- Batch
Size intFor Sync - The number of users to sync within a single transaction.
- Bind
Credential string - Password of LDAP admin.
- Bind
Dn string - DN of LDAP admin, which will be used by Keycloak to access LDAP server.
- Cache
User
Federation Cache Args - Settings regarding cache policy for this realm.
- Changed
Sync intPeriod - How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.
- Connection
Timeout string - LDAP connection timeout (duration string)
- Connection
Url string - Connection URL to the LDAP server.
- Custom
User stringSearch Filter - Additional LDAP filter for filtering searched users. Must begin with '(' and end with ')'.
- Delete
Default boolMappers - When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP user federation provider.
- Edit
Mode string - READ_ONLY and WRITABLE are self-explanatory. UNSYNCED allows user data to be imported but not synced back to LDAP.
- Enabled bool
- When false, this provider will not be used when performing queries for users.
- Full
Sync intPeriod - How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync.
- Import
Enabled bool - When true, LDAP users will be imported into the Keycloak database.
- Kerberos
User
Federation Kerberos Args - Settings regarding kerberos authentication for this realm.
- Name string
- Display name of the provider when displayed in the console.
- Pagination bool
- When true, Keycloak assumes the LDAP server supports pagination.
- Priority int
- Priority of this provider when looking up users. Lower values are first.
- Rdn
Ldap stringAttribute - Name of the LDAP attribute to use as the relative distinguished name.
- Read
Timeout string - LDAP read timeout (duration string)
- Realm
Id string - The realm this provider will provide user federation for.
- Search
Scope string - ONE_LEVEL: only search for users in the DN specified by user_dn. SUBTREE: search entire LDAP subtree.
- Start
Tls bool - When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling.
- Sync
Registrations bool - When true, newly created users will be synced back to LDAP.
- Trust
Email bool - If enabled, email provided by this provider is not verified even if verification is enabled for the realm.
- Use
Password boolModify Extended Op - When
true, use the LDAPv3 Password Modify Extended Operation (RFC-3062). - Use
Truststore stringSpi - User
Object []stringClasses - All values of LDAP objectClass attribute for users in LDAP.
- Username
Ldap stringAttribute - Name of the LDAP attribute to use as the Keycloak username.
- Users
Dn string - Full DN of LDAP tree where your users are.
- Uuid
Ldap stringAttribute - Name of the LDAP attribute to use as a unique object identifier for objects in LDAP.
- Validate
Password boolPolicy - When true, Keycloak will validate passwords using the realm policy before updating it.
- Vendor string
- LDAP vendor. I am almost certain this field does nothing, but the UI indicates that it is required.
- batch
Size IntegerFor Sync - The number of users to sync within a single transaction.
- bind
Credential String - Password of LDAP admin.
- bind
Dn String - DN of LDAP admin, which will be used by Keycloak to access LDAP server.
- cache
User
Federation Cache - Settings regarding cache policy for this realm.
- changed
Sync IntegerPeriod - How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.
- connection
Timeout String - LDAP connection timeout (duration string)
- connection
Url String - Connection URL to the LDAP server.
- custom
User StringSearch Filter - Additional LDAP filter for filtering searched users. Must begin with '(' and end with ')'.
- delete
Default BooleanMappers - When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP user federation provider.
- edit
Mode String - READ_ONLY and WRITABLE are self-explanatory. UNSYNCED allows user data to be imported but not synced back to LDAP.
- enabled Boolean
- When false, this provider will not be used when performing queries for users.
- full
Sync IntegerPeriod - How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync.
- import
Enabled Boolean - When true, LDAP users will be imported into the Keycloak database.
- kerberos
User
Federation Kerberos - Settings regarding kerberos authentication for this realm.
- name String
- Display name of the provider when displayed in the console.
- pagination Boolean
- When true, Keycloak assumes the LDAP server supports pagination.
- priority Integer
- Priority of this provider when looking up users. Lower values are first.
- rdn
Ldap StringAttribute - Name of the LDAP attribute to use as the relative distinguished name.
- read
Timeout String - LDAP read timeout (duration string)
- realm
Id String - The realm this provider will provide user federation for.
- search
Scope String - ONE_LEVEL: only search for users in the DN specified by user_dn. SUBTREE: search entire LDAP subtree.
- start
Tls Boolean - When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling.
- sync
Registrations Boolean - When true, newly created users will be synced back to LDAP.
- trust
Email Boolean - If enabled, email provided by this provider is not verified even if verification is enabled for the realm.
- use
Password BooleanModify Extended Op - When
true, use the LDAPv3 Password Modify Extended Operation (RFC-3062). - use
Truststore StringSpi - user
Object List<String>Classes - All values of LDAP objectClass attribute for users in LDAP.
- username
Ldap StringAttribute - Name of the LDAP attribute to use as the Keycloak username.
- users
Dn String - Full DN of LDAP tree where your users are.
- uuid
Ldap StringAttribute - Name of the LDAP attribute to use as a unique object identifier for objects in LDAP.
- validate
Password BooleanPolicy - When true, Keycloak will validate passwords using the realm policy before updating it.
- vendor String
- LDAP vendor. I am almost certain this field does nothing, but the UI indicates that it is required.
- batch
Size numberFor Sync - The number of users to sync within a single transaction.
- bind
Credential string - Password of LDAP admin.
- bind
Dn string - DN of LDAP admin, which will be used by Keycloak to access LDAP server.
- cache
User
Federation Cache - Settings regarding cache policy for this realm.
- changed
Sync numberPeriod - How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.
- connection
Timeout string - LDAP connection timeout (duration string)
- connection
Url string - Connection URL to the LDAP server.
- custom
User stringSearch Filter - Additional LDAP filter for filtering searched users. Must begin with '(' and end with ')'.
- delete
Default booleanMappers - When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP user federation provider.
- edit
Mode string - READ_ONLY and WRITABLE are self-explanatory. UNSYNCED allows user data to be imported but not synced back to LDAP.
- enabled boolean
- When false, this provider will not be used when performing queries for users.
- full
Sync numberPeriod - How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync.
- import
Enabled boolean - When true, LDAP users will be imported into the Keycloak database.
- kerberos
User
Federation Kerberos - Settings regarding kerberos authentication for this realm.
- name string
- Display name of the provider when displayed in the console.
- pagination boolean
- When true, Keycloak assumes the LDAP server supports pagination.
- priority number
- Priority of this provider when looking up users. Lower values are first.
- rdn
Ldap stringAttribute - Name of the LDAP attribute to use as the relative distinguished name.
- read
Timeout string - LDAP read timeout (duration string)
- realm
Id string - The realm this provider will provide user federation for.
- search
Scope string - ONE_LEVEL: only search for users in the DN specified by user_dn. SUBTREE: search entire LDAP subtree.
- start
Tls boolean - When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling.
- sync
Registrations boolean - When true, newly created users will be synced back to LDAP.
- trust
Email boolean - If enabled, email provided by this provider is not verified even if verification is enabled for the realm.
- use
Password booleanModify Extended Op - When
true, use the LDAPv3 Password Modify Extended Operation (RFC-3062). - use
Truststore stringSpi - user
Object string[]Classes - All values of LDAP objectClass attribute for users in LDAP.
- username
Ldap stringAttribute - Name of the LDAP attribute to use as the Keycloak username.
- users
Dn string - Full DN of LDAP tree where your users are.
- uuid
Ldap stringAttribute - Name of the LDAP attribute to use as a unique object identifier for objects in LDAP.
- validate
Password booleanPolicy - When true, Keycloak will validate passwords using the realm policy before updating it.
- vendor string
- LDAP vendor. I am almost certain this field does nothing, but the UI indicates that it is required.
- batch_
size_ intfor_ sync - The number of users to sync within a single transaction.
- bind_
credential str - Password of LDAP admin.
- bind_
dn str - DN of LDAP admin, which will be used by Keycloak to access LDAP server.
- cache
User
Federation Cache Args - Settings regarding cache policy for this realm.
- changed_
sync_ intperiod - How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.
- connection_
timeout str - LDAP connection timeout (duration string)
- connection_
url str - Connection URL to the LDAP server.
- custom_
user_ strsearch_ filter - Additional LDAP filter for filtering searched users. Must begin with '(' and end with ')'.
- delete_
default_ boolmappers - When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP user federation provider.
- edit_
mode str - READ_ONLY and WRITABLE are self-explanatory. UNSYNCED allows user data to be imported but not synced back to LDAP.
- enabled bool
- When false, this provider will not be used when performing queries for users.
- full_
sync_ intperiod - How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync.
- import_
enabled bool - When true, LDAP users will be imported into the Keycloak database.
- kerberos
User
Federation Kerberos Args - Settings regarding kerberos authentication for this realm.
- name str
- Display name of the provider when displayed in the console.
- pagination bool
- When true, Keycloak assumes the LDAP server supports pagination.
- priority int
- Priority of this provider when looking up users. Lower values are first.
- rdn_
ldap_ strattribute - Name of the LDAP attribute to use as the relative distinguished name.
- read_
timeout str - LDAP read timeout (duration string)
- realm_
id str - The realm this provider will provide user federation for.
- search_
scope str - ONE_LEVEL: only search for users in the DN specified by user_dn. SUBTREE: search entire LDAP subtree.
- start_
tls bool - When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling.
- sync_
registrations bool - When true, newly created users will be synced back to LDAP.
- trust_
email bool - If enabled, email provided by this provider is not verified even if verification is enabled for the realm.
- use_
password_ boolmodify_ extended_ op - When
true, use the LDAPv3 Password Modify Extended Operation (RFC-3062). - use_
truststore_ strspi - user_
object_ Sequence[str]classes - All values of LDAP objectClass attribute for users in LDAP.
- username_
ldap_ strattribute - Name of the LDAP attribute to use as the Keycloak username.
- users_
dn str - Full DN of LDAP tree where your users are.
- uuid_
ldap_ strattribute - Name of the LDAP attribute to use as a unique object identifier for objects in LDAP.
- validate_
password_ boolpolicy - When true, Keycloak will validate passwords using the realm policy before updating it.
- vendor str
- LDAP vendor. I am almost certain this field does nothing, but the UI indicates that it is required.
- batch
Size NumberFor Sync - The number of users to sync within a single transaction.
- bind
Credential String - Password of LDAP admin.
- bind
Dn String - DN of LDAP admin, which will be used by Keycloak to access LDAP server.
- cache Property Map
- Settings regarding cache policy for this realm.
- changed
Sync NumberPeriod - How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.
- connection
Timeout String - LDAP connection timeout (duration string)
- connection
Url String - Connection URL to the LDAP server.
- custom
User StringSearch Filter - Additional LDAP filter for filtering searched users. Must begin with '(' and end with ')'.
- delete
Default BooleanMappers - When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP user federation provider.
- edit
Mode String - READ_ONLY and WRITABLE are self-explanatory. UNSYNCED allows user data to be imported but not synced back to LDAP.
- enabled Boolean
- When false, this provider will not be used when performing queries for users.
- full
Sync NumberPeriod - How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync.
- import
Enabled Boolean - When true, LDAP users will be imported into the Keycloak database.
- kerberos Property Map
- Settings regarding kerberos authentication for this realm.
- name String
- Display name of the provider when displayed in the console.
- pagination Boolean
- When true, Keycloak assumes the LDAP server supports pagination.
- priority Number
- Priority of this provider when looking up users. Lower values are first.
- rdn
Ldap StringAttribute - Name of the LDAP attribute to use as the relative distinguished name.
- read
Timeout String - LDAP read timeout (duration string)
- realm
Id String - The realm this provider will provide user federation for.
- search
Scope String - ONE_LEVEL: only search for users in the DN specified by user_dn. SUBTREE: search entire LDAP subtree.
- start
Tls Boolean - When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling.
- sync
Registrations Boolean - When true, newly created users will be synced back to LDAP.
- trust
Email Boolean - If enabled, email provided by this provider is not verified even if verification is enabled for the realm.
- use
Password BooleanModify Extended Op - When
true, use the LDAPv3 Password Modify Extended Operation (RFC-3062). - use
Truststore StringSpi - user
Object List<String>Classes - All values of LDAP objectClass attribute for users in LDAP.
- username
Ldap StringAttribute - Name of the LDAP attribute to use as the Keycloak username.
- users
Dn String - Full DN of LDAP tree where your users are.
- uuid
Ldap StringAttribute - Name of the LDAP attribute to use as a unique object identifier for objects in LDAP.
- validate
Password BooleanPolicy - When true, Keycloak will validate passwords using the realm policy before updating it.
- vendor String
- LDAP vendor. I am almost certain this field does nothing, but the UI indicates that it is required.
Supporting Types
UserFederationCache, UserFederationCacheArgs
- Eviction
Day int - Day of the week the entry will become invalid on.
- Eviction
Hour int - Hour of day the entry will become invalid on.
- Eviction
Minute int - Minute of day the entry will become invalid on.
- Max
Lifespan string - Max lifespan of cache entry (duration string).
- Policy string
- Eviction
Day int - Day of the week the entry will become invalid on.
- Eviction
Hour int - Hour of day the entry will become invalid on.
- Eviction
Minute int - Minute of day the entry will become invalid on.
- Max
Lifespan string - Max lifespan of cache entry (duration string).
- Policy string
- eviction
Day Integer - Day of the week the entry will become invalid on.
- eviction
Hour Integer - Hour of day the entry will become invalid on.
- eviction
Minute Integer - Minute of day the entry will become invalid on.
- max
Lifespan String - Max lifespan of cache entry (duration string).
- policy String
- eviction
Day number - Day of the week the entry will become invalid on.
- eviction
Hour number - Hour of day the entry will become invalid on.
- eviction
Minute number - Minute of day the entry will become invalid on.
- max
Lifespan string - Max lifespan of cache entry (duration string).
- policy string
- eviction_
day int - Day of the week the entry will become invalid on.
- eviction_
hour int - Hour of day the entry will become invalid on.
- eviction_
minute int - Minute of day the entry will become invalid on.
- max_
lifespan str - Max lifespan of cache entry (duration string).
- policy str
- eviction
Day Number - Day of the week the entry will become invalid on.
- eviction
Hour Number - Hour of day the entry will become invalid on.
- eviction
Minute Number - Minute of day the entry will become invalid on.
- max
Lifespan String - Max lifespan of cache entry (duration string).
- policy String
UserFederationKerberos, UserFederationKerberosArgs
- Kerberos
Realm string - The name of the kerberos realm, e.g. FOO.LOCAL
- Key
Tab string - Path to the kerberos keytab file on the server with credentials of the service principal.
- Server
Principal string - The kerberos server principal, e.g. 'HTTP/host.foo.com@FOO.LOCAL'.
- Use
Kerberos boolFor Password Authentication - Use kerberos login module instead of ldap service api. Defaults to
false.
- Kerberos
Realm string - The name of the kerberos realm, e.g. FOO.LOCAL
- Key
Tab string - Path to the kerberos keytab file on the server with credentials of the service principal.
- Server
Principal string - The kerberos server principal, e.g. 'HTTP/host.foo.com@FOO.LOCAL'.
- Use
Kerberos boolFor Password Authentication - Use kerberos login module instead of ldap service api. Defaults to
false.
- kerberos
Realm String - The name of the kerberos realm, e.g. FOO.LOCAL
- key
Tab String - Path to the kerberos keytab file on the server with credentials of the service principal.
- server
Principal String - The kerberos server principal, e.g. 'HTTP/host.foo.com@FOO.LOCAL'.
- use
Kerberos BooleanFor Password Authentication - Use kerberos login module instead of ldap service api. Defaults to
false.
- kerberos
Realm string - The name of the kerberos realm, e.g. FOO.LOCAL
- key
Tab string - Path to the kerberos keytab file on the server with credentials of the service principal.
- server
Principal string - The kerberos server principal, e.g. 'HTTP/host.foo.com@FOO.LOCAL'.
- use
Kerberos booleanFor Password Authentication - Use kerberos login module instead of ldap service api. Defaults to
false.
- kerberos_
realm str - The name of the kerberos realm, e.g. FOO.LOCAL
- key_
tab str - Path to the kerberos keytab file on the server with credentials of the service principal.
- server_
principal str - The kerberos server principal, e.g. 'HTTP/host.foo.com@FOO.LOCAL'.
- use_
kerberos_ boolfor_ password_ authentication - Use kerberos login module instead of ldap service api. Defaults to
false.
- kerberos
Realm String - The name of the kerberos realm, e.g. FOO.LOCAL
- key
Tab String - Path to the kerberos keytab file on the server with credentials of the service principal.
- server
Principal String - The kerberos server principal, e.g. 'HTTP/host.foo.com@FOO.LOCAL'.
- use
Kerberos BooleanFor Password Authentication - Use kerberos login module instead of ldap service api. Defaults to
false.
Package Details
- Repository
- Keycloak pulumi/pulumi-keycloak
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
keycloakTerraform Provider.