Module ldap

This provider is a derived work of the Terraform Provider distributed under MIT. If you encounter a bug or missing feature, first check the pulumi/pulumi-keycloak repo; however, if that doesn’t turn up anything, please consult the source mrparkers/terraform-provider-keycloak repo.

Resources

Resource FullNameMapper

class FullNameMapper extends CustomResource

# keycloak.ldap.FullNameMapper

Allows for creating and managing full name mappers for Keycloak users federated via LDAP.

The LDAP full name mapper can map a user’s full name from an LDAP attribute to the first and last name attributes of a Keycloak user.

Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";

const realm = new keycloak.Realm("realm", {
    enabled: true,
    realm: "test",
});
const ldapUserFederation = new keycloak.ldap.UserFederation("ldapUserFederation", {
    bindCredential: "admin",
    bindDn: "cn=admin,dc=example,dc=org",
    connectionUrl: "ldap://openldap",
    rdnLdapAttribute: "cn",
    realmId: realm.id,
    userObjectClasses: [
        "simpleSecurityObject",
        "organizationalRole",
    ],
    usernameLdapAttribute: "cn",
    usersDn: "dc=example,dc=org",
    uuidLdapAttribute: "entryDN",
});
const ldapFullNameMapper = new keycloak.ldap.FullNameMapper("ldapFullNameMapper", {
    ldapFullNameAttribute: "cn",
    ldapUserFederationId: ldapUserFederation.id,
    realmId: realm.id,
});
Argument Reference

The following arguments are supported:

  • realmId - (Required) The realm that this LDAP mapper will exist in.
  • ldapUserFederationId - (Required) The ID of the LDAP user federation provider to attach this mapper to.
  • name - (Required) Display name of this mapper when displayed in the console.
  • ldapFullNameAttribute - (Required) The name of the LDAP attribute containing the user’s full name.
  • readOnly - (Optional) When true, updates to a user within Keycloak will not be written back to LDAP. Defaults to false.
  • writeOnly - (Optional) When true, this mapper will only be used to write updates to LDAP. Defaults to false.

This content is derived from https://github.com/mrparkers/terraform-provider-keycloak/blob/master/website/docs/r/keycloak_ldap_full_name_mapper.html.markdown.

constructor

new FullNameMapper(name: string, args: FullNameMapperArgs, opts?: pulumi.CustomResourceOptions)

Create a FullNameMapper resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: FullNameMapperState, opts?: pulumi.CustomResourceOptions): FullNameMapper

Get an existing FullNameMapper resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is FullNameMapper

Returns true if the given object is an instance of FullNameMapper. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property ldapFullNameAttribute

public ldapFullNameAttribute: pulumi.Output<string>;

property ldapUserFederationId

public ldapUserFederationId: pulumi.Output<string>;

The ldap user federation provider to attach this mapper to.

property name

public name: pulumi.Output<string>;

Display name of the mapper when displayed in the console.

property readOnly

public readOnly: pulumi.Output<boolean | undefined>;

property realmId

public realmId: pulumi.Output<string>;

The realm in which the ldap user federation provider exists.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

property writeOnly

public writeOnly: pulumi.Output<boolean | undefined>;

Resource GroupMapper

class GroupMapper extends CustomResource

# keycloak.ldap.GroupMapper

Allows for creating and managing group mappers for Keycloak users federated via LDAP.

The LDAP group mapper can be used to map an LDAP user’s groups from some DN to Keycloak groups. This group mapper will also create the groups within Keycloak if they do not already exist.

Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";

const realm = new keycloak.Realm("realm", {
    enabled: true,
    realm: "test",
});
const ldapUserFederation = new keycloak.ldap.UserFederation("ldapUserFederation", {
    bindCredential: "admin",
    bindDn: "cn=admin,dc=example,dc=org",
    connectionUrl: "ldap://openldap",
    rdnLdapAttribute: "cn",
    realmId: realm.id,
    userObjectClasses: [
        "simpleSecurityObject",
        "organizationalRole",
    ],
    usernameLdapAttribute: "cn",
    usersDn: "dc=example,dc=org",
    uuidLdapAttribute: "entryDN",
});
const ldapGroupMapper = new keycloak.ldap.GroupMapper("ldapGroupMapper", {
    groupNameLdapAttribute: "cn",
    groupObjectClasses: ["groupOfNames"],
    ldapGroupsDn: "dc=example,dc=org",
    ldapUserFederationId: ldapUserFederation.id,
    memberofLdapAttribute: "memberOf",
    membershipAttributeType: "DN",
    membershipLdapAttribute: "member",
    membershipUserLdapAttribute: "cn",
    realmId: realm.id,
});
Argument Reference

The following arguments are supported:

  • realmId - (Required) The realm that this LDAP mapper will exist in.
  • ldapUserFederationId - (Required) The ID of the LDAP user federation provider to attach this mapper to.
  • name - (Required) Display name of this mapper when displayed in the console.
  • ldapGroupsDn - (Required) The LDAP DN where groups can be found.
  • groupNameLdapAttribute - (Required) The name of the LDAP attribute that is used in group objects for the name and RDN of the group. Typically cn.
  • groupObjectClasses - (Required) Array of strings representing the object classes for the group. Must contain at least one.
  • preserveGroupInheritance - (Optional) When true, group inheritance will be propagated from LDAP to Keycloak. When false, all LDAP groups will be propagated as top level groups within Keycloak.
  • ignoreMissingGroups - (Optional) When true, missing groups in the hierarchy will be ignored.
  • membershipLdapAttribute - (Required) The name of the LDAP attribute that is used for membership mappings.
  • membershipAttributeType - (Optional) Can be one of DN or UID. Defaults to DN.
  • membershipUserLdapAttribute - (Required) The name of the LDAP attribute on a user that is used for membership mappings.
  • groupsLdapFilter - (Optional) When specified, adds an additional custom filter to be used when querying for groups. Must start with ( and end with ).
  • mode - (Optional) Can be one of READ_ONLY or LDAP_ONLY. Defaults to READ_ONLY.
  • userRolesRetrieveStrategy - (Optional) Can be one of LOAD_GROUPS_BY_MEMBER_ATTRIBUTE, GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE, or LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY. Defaults to LOAD_GROUPS_BY_MEMBER_ATTRIBUTE.
  • memberofLdapAttribute - (Optional) Specifies the name of the LDAP attribute on the LDAP user that contains the groups the user is a member of. Defaults to memberOf.
  • mappedGroupAttributes - (Optional) Array of strings representing attributes on the LDAP group which will be mapped to attributes on the Keycloak group.
  • dropNonExistingGroupsDuringSync - (Optional) When true, groups that no longer exist within LDAP will be dropped in Keycloak during sync. Defaults to false.

This content is derived from https://github.com/mrparkers/terraform-provider-keycloak/blob/master/website/docs/r/keycloak_ldap_group_mapper.html.markdown.
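The userRolesRetrieveStrategy, membershipAttributeType and memberofLdapAttribute arguments above decide how Keycloak finds a user's groups, and a mismatch between them and the directory schema silently yields no groups. The block below is an added example, not code from the Pulumi provider or from Keycloak: it models the three retrieval strategies over a small constructed directory (alice is a direct member of devs, devs is nested in engineering, ops tracks members by uid) so the difference between them, including a stale memberOf attribute and a DN/UID mismatch, can be seen on real-looking data. The lookup logic is this example's reading of the argument descriptions, not Keycloak's implementation.

```typescript
// Added example, not code from the Pulumi provider or Keycloak: an in-memory model
// of how the three userRolesRetrieveStrategy values of keycloak.ldap.GroupMapper
// resolve a user's groups. The directory entries are constructed sample data, and
// the lookup logic is this example's reading of the argument descriptions above.

interface LdapEntry { dn: string; attrs: { [attr: string]: string[] }; }

// Subset of the GroupMapper arguments the model reads.
interface GroupMapperConfig {
    ldapGroupsDn: string;
    groupNameLdapAttribute: string;
    groupObjectClasses: string[];
    membershipLdapAttribute: string;
    membershipAttributeType: "DN" | "UID";
    membershipUserLdapAttribute: string;
    memberofLdapAttribute: string;
    userRolesRetrieveStrategy: "LOAD_GROUPS_BY_MEMBER_ATTRIBUTE"
        | "GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE"
        | "LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY";
}

// Constructed directory: alice is a direct member of "devs", "devs" is nested in
// "engineering", and "ops" lists members by uid instead of DN. alice's memberOf is
// deliberately stale (no "engineering"): the memberOf strategy only sees what the
// server maintains on the user entry.
const directory: LdapEntry[] = [
    { dn: "cn=alice,ou=people,dc=example,dc=org",
      attrs: { cn: ["alice"], uid: ["alice"], memberOf: ["cn=devs,ou=groups,dc=example,dc=org"] } },
    { dn: "cn=devs,ou=groups,dc=example,dc=org",
      attrs: { cn: ["devs"], objectClass: ["groupOfNames"], member: ["cn=alice,ou=people,dc=example,dc=org"] } },
    { dn: "cn=engineering,ou=groups,dc=example,dc=org",
      attrs: { cn: ["engineering"], objectClass: ["groupOfNames"], member: ["cn=devs,ou=groups,dc=example,dc=org"] } },
    { dn: "cn=ops,ou=groups,dc=example,dc=org",
      attrs: { cn: ["ops"], objectClass: ["posixGroup"], memberUid: ["alice"] } },
];

// Mirrors the page's example mapper: DN-based groupOfNames membership.
const baseConfig: GroupMapperConfig = {
    ldapGroupsDn: "ou=groups,dc=example,dc=org",
    groupNameLdapAttribute: "cn",
    groupObjectClasses: ["groupOfNames"],
    membershipLdapAttribute: "member",
    membershipAttributeType: "DN",
    membershipUserLdapAttribute: "cn",
    memberofLdapAttribute: "memberOf",
    userRolesRetrieveStrategy: "LOAD_GROUPS_BY_MEMBER_ATTRIBUTE",
};

const eq = (a: string, b: string) => a.toLowerCase() === b.toLowerCase();

// A group is an entry under ldapGroupsDn carrying one of groupObjectClasses.
function isGroupEntry(e: LdapEntry, cfg: GroupMapperConfig): boolean {
    const dn = e.dn.toLowerCase(), base = cfg.ldapGroupsDn.toLowerCase();
    if (dn.slice(dn.length - base.length) !== base) return false;
    const classes = (e.attrs["objectClass"] || []).map(c => c.toLowerCase());
    return cfg.groupObjectClasses.some(c => classes.indexOf(c.toLowerCase()) !== -1);
}

// Groups whose membership attribute lists the given value (a DN or a uid).
function groupsContaining(value: string, cfg: GroupMapperConfig): LdapEntry[] {
    return directory.filter(e => isGroupEntry(e, cfg)
        && (e.attrs[cfg.membershipLdapAttribute] || []).some(m => eq(m, value)));
}

function resolveGroups(userDn: string, cfg: GroupMapperConfig): string[] {
    const user = directory.filter(e => eq(e.dn, userDn))[0];
    if (!user) return [];
    const nameOf = (g: LdapEntry) => (g.attrs[cfg.groupNameLdapAttribute] || [g.dn])[0];
    // What a group's membership attribute must contain to include this user.
    const membershipValue = cfg.membershipAttributeType === "DN"
        ? user.dn : (user.attrs[cfg.membershipUserLdapAttribute] || [""])[0];
    const names: string[] = [];
    const add = (g: LdapEntry) => { if (names.indexOf(nameOf(g)) === -1) names.push(nameOf(g)); };

    switch (cfg.userRolesRetrieveStrategy) {
        case "GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE":
            // No group search: trust the DNs the server wrote on the user entry.
            for (const dn of user.attrs[cfg.memberofLdapAttribute] || []) {
                directory.filter(g => eq(g.dn, dn) && isGroupEntry(g, cfg)).forEach(add);
            }
            break;
        case "LOAD_GROUPS_BY_MEMBER_ATTRIBUTE":
            // One search: groups whose membership attribute contains the user.
            groupsContaining(membershipValue, cfg).forEach(add);
            break;
        case "LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY": {
            // Direct groups, then every group that lists those groups as members.
            // Nested groups are matched by their DN (this model's assumption).
            const queue = groupsContaining(membershipValue, cfg);
            while (queue.length > 0) {
                const g = queue.shift() as LdapEntry;
                if (names.indexOf(nameOf(g)) !== -1) continue;
                add(g);
                queue.push(...groupsContaining(g.dn, cfg));
            }
            break;
        }
    }
    return names.sort();
}
```

Run against alice, the DN-based config returns only devs, the recursive strategy adds engineering, the memberOf strategy returns whatever the server stored (here devs only, because the constructed attribute is stale), and a config that sets membershipAttributeType to UID while the groups still hold DNs in member returns nothing at all. That last case is the one to watch for in a real deployment: the mapper does not fail, the user simply arrives in Keycloak with no groups.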

constructor

new GroupMapper(name: string, args: GroupMapperArgs, opts?: pulumi.CustomResourceOptions)

Create a GroupMapper resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: GroupMapperState, opts?: pulumi.CustomResourceOptions): GroupMapper

Get an existing GroupMapper resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is GroupMapper

Returns true if the given object is an instance of GroupMapper. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property dropNonExistingGroupsDuringSync

public dropNonExistingGroupsDuringSync: pulumi.Output<boolean | undefined>;

property groupNameLdapAttribute

public groupNameLdapAttribute: pulumi.Output<string>;

property groupObjectClasses

public groupObjectClasses: pulumi.Output<string[]>;

property groupsLdapFilter

public groupsLdapFilter: pulumi.Output<string | undefined>;

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property ignoreMissingGroups

public ignoreMissingGroups: pulumi.Output<boolean | undefined>;

property ldapGroupsDn

public ldapGroupsDn: pulumi.Output<string>;

property ldapUserFederationId

public ldapUserFederationId: pulumi.Output<string>;

The ldap user federation provider to attach this mapper to.

property mappedGroupAttributes

public mappedGroupAttributes: pulumi.Output<string[] | undefined>;

property memberofLdapAttribute

public memberofLdapAttribute: pulumi.Output<string | undefined>;

property membershipAttributeType

public membershipAttributeType: pulumi.Output<string | undefined>;

property membershipLdapAttribute

public membershipLdapAttribute: pulumi.Output<string>;

property membershipUserLdapAttribute

public membershipUserLdapAttribute: pulumi.Output<string>;

property mode

public mode: pulumi.Output<string | undefined>;

property name

public name: pulumi.Output<string>;

Display name of the mapper when displayed in the console.

property preserveGroupInheritance

public preserveGroupInheritance: pulumi.Output<boolean | undefined>;

property realmId

public realmId: pulumi.Output<string>;

The realm in which the ldap user federation provider exists.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

property userRolesRetrieveStrategy

public userRolesRetrieveStrategy: pulumi.Output<string | undefined>;

Resource HardcodedRoleMapper

class HardcodedRoleMapper extends CustomResource

# keycloak.ldap.HardcodedRoleMapper

This mapper will grant a specified Keycloak role to each Keycloak user linked with LDAP.

Argument Reference

The following arguments are supported:

  • realmId - (Required) The realm that this LDAP mapper will exist in.
  • ldapUserFederationId - (Required) The ID of the LDAP user federation provider to attach this mapper to.
  • name - (Required) Display name of this mapper when displayed in the console.
  • role - (Required) The role which should be assigned to the users.

This content is derived from https://github.com/mrparkers/terraform-provider-keycloak/blob/master/website/docs/r/keycloak_ldap_hardcoded_role_mapper.html.markdown.

constructor

new HardcodedRoleMapper(name: string, args: HardcodedRoleMapperArgs, opts?: pulumi.CustomResourceOptions)

Create a HardcodedRoleMapper resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: HardcodedRoleMapperState, opts?: pulumi.CustomResourceOptions): HardcodedRoleMapper

Get an existing HardcodedRoleMapper resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is HardcodedRoleMapper

Returns true if the given object is an instance of HardcodedRoleMapper. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property ldapUserFederationId

public ldapUserFederationId: pulumi.Output<string>;

The ldap user federation provider to attach this mapper to.

property name

public name: pulumi.Output<string>;

Display name of the mapper when displayed in the console.

property realmId

public realmId: pulumi.Output<string>;

The realm in which the ldap user federation provider exists.

property role

public role: pulumi.Output<string>;

Role to grant to user.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource MsadLdsUserAccountControlMapper

class MsadLdsUserAccountControlMapper extends CustomResource

# keycloak.ldap.MsadLdsUserAccountControlMapper

The Active Directory Lightweight Directory Services (AD LDS) counterpart of keycloak.ldap.MsadUserAccountControlMapper: it is specific to LDAP user federation providers that pull from AD LDS and propagates account state from the directory to Keycloak. It takes the same realmId, ldapUserFederationId and name arguments as the other mappers on this page.

constructor

new MsadLdsUserAccountControlMapper(name: string, args: MsadLdsUserAccountControlMapperArgs, opts?: pulumi.CustomResourceOptions)

Create a MsadLdsUserAccountControlMapper resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: MsadLdsUserAccountControlMapperState, opts?: pulumi.CustomResourceOptions): MsadLdsUserAccountControlMapper

Get an existing MsadLdsUserAccountControlMapper resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is MsadLdsUserAccountControlMapper

Returns true if the given object is an instance of MsadLdsUserAccountControlMapper. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property ldapUserFederationId

public ldapUserFederationId: pulumi.Output<string>;

The ldap user federation provider to attach this mapper to.

property name

public name: pulumi.Output<string>;

Display name of the mapper when displayed in the console.

property realmId

public realmId: pulumi.Output<string>;

The realm in which the ldap user federation provider exists.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource MsadUserAccountControlMapper

class MsadUserAccountControlMapper extends CustomResource

# keycloak.ldap.MsadUserAccountControlMapper

Allows for creating and managing MSAD user account control mappers for Keycloak users federated via LDAP.

The MSAD (Microsoft Active Directory) user account control mapper is specific to LDAP user federation providers that are pulling from AD, and it can propagate AD user state to Keycloak in order to enforce settings like expired passwords or disabled accounts.

Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";

const realm = new keycloak.Realm("realm", {
    enabled: true,
    realm: "test",
});
const ldapUserFederation = new keycloak.ldap.UserFederation("ldapUserFederation", {
    bindCredential: "admin",
    bindDn: "cn=admin,dc=example,dc=org",
    connectionUrl: "ldap://my-ad-server",
    rdnLdapAttribute: "cn",
    realmId: realm.id,
    userObjectClasses: [
        "person",
        "organizationalPerson",
        "user",
    ],
    usernameLdapAttribute: "cn",
    usersDn: "dc=example,dc=org",
    uuidLdapAttribute: "objectGUID",
});
const msadUserAccountControlMapper = new keycloak.ldap.MsadUserAccountControlMapper("msadUserAccountControlMapper", {
    ldapUserFederationId: ldapUserFederation.id,
    realmId: realm.id,
});
Argument Reference

The following arguments are supported:

  • realmId - (Required) The realm that this LDAP mapper will exist in.
  • ldapUserFederationId - (Required) The ID of the LDAP user federation provider to attach this mapper to.
  • name - (Required) Display name of this mapper when displayed in the console.
  • ldapPasswordPolicyHintsEnabled - (Optional) When true, advanced password policies, such as password hints and previous password history will be used when writing new passwords to AD. Defaults to false.

This content is derived from https://github.com/mrparkers/terraform-provider-keycloak/blob/master/website/docs/r/keycloak_ldap_msad_user_account_control_mapper.html.markdown.

constructor

new MsadUserAccountControlMapper(name: string, args: MsadUserAccountControlMapperArgs, opts?: pulumi.CustomResourceOptions)

Create a MsadUserAccountControlMapper resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: MsadUserAccountControlMapperState, opts?: pulumi.CustomResourceOptions): MsadUserAccountControlMapper

Get an existing MsadUserAccountControlMapper resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is MsadUserAccountControlMapper

Returns true if the given object is an instance of MsadUserAccountControlMapper. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property ldapPasswordPolicyHintsEnabled

public ldapPasswordPolicyHintsEnabled: pulumi.Output<boolean | undefined>;

property ldapUserFederationId

public ldapUserFederationId: pulumi.Output<string>;

The ldap user federation provider to attach this mapper to.

property name

public name: pulumi.Output<string>;

Display name of the mapper when displayed in the console.

property realmId

public realmId: pulumi.Output<string>;

The realm in which the ldap user federation provider exists.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource UserAttributeMapper

class UserAttributeMapper extends CustomResource

# keycloak.ldap.UserAttributeMapper

Allows for creating and managing user attribute mappers for Keycloak users federated via LDAP.

The LDAP user attribute mapper can be used to map a single LDAP attribute to an attribute on the Keycloak user model.

Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";

const realm = new keycloak.Realm("realm", {
    enabled: true,
    realm: "test",
});
const ldapUserFederation = new keycloak.ldap.UserFederation("ldapUserFederation", {
    bindCredential: "admin",
    bindDn: "cn=admin,dc=example,dc=org",
    connectionUrl: "ldap://openldap",
    rdnLdapAttribute: "cn",
    realmId: realm.id,
    userObjectClasses: [
        "simpleSecurityObject",
        "organizationalRole",
    ],
    usernameLdapAttribute: "cn",
    usersDn: "dc=example,dc=org",
    uuidLdapAttribute: "entryDN",
});
const ldapUserAttributeMapper = new keycloak.ldap.UserAttributeMapper("ldapUserAttributeMapper", {
    ldapAttribute: "bar",
    ldapUserFederationId: ldapUserFederation.id,
    realmId: realm.id,
    userModelAttribute: "foo",
});
Argument Reference

The following arguments are supported:

  • realmId - (Required) The realm that this LDAP mapper will exist in.
  • ldapUserFederationId - (Required) The ID of the LDAP user federation provider to attach this mapper to.
  • name - (Required) Display name of this mapper when displayed in the console.
  • userModelAttribute - (Required) Name of the user property or attribute you want to map the LDAP attribute into.
  • ldapAttribute - (Required) Name of the mapped attribute on the LDAP object.
  • readOnly - (Optional) When true, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak. Defaults to false.
  • alwaysReadValueFromLdap - (Optional) When true, the value fetched from LDAP will override the value stored in Keycloak. Defaults to false.
  • isMandatoryInLdap - (Optional) When true, this attribute must exist in LDAP. Defaults to false.

This content is derived from https://github.com/mrparkers/terraform-provider-keycloak/blob/master/website/docs/r/keycloak_ldap_user_attribute_mapper.html.markdown.

constructor

new UserAttributeMapper(name: string, args: UserAttributeMapperArgs, opts?: pulumi.CustomResourceOptions)

Create a UserAttributeMapper resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: UserAttributeMapperState, opts?: pulumi.CustomResourceOptions): UserAttributeMapper

Get an existing UserAttributeMapper resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is UserAttributeMapper

Returns true if the given object is an instance of UserAttributeMapper. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property alwaysReadValueFromLdap

public alwaysReadValueFromLdap: pulumi.Output<boolean | undefined>;

When true, the value fetched from LDAP will override the value stored in Keycloak.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property isMandatoryInLdap

public isMandatoryInLdap: pulumi.Output<boolean | undefined>;

When true, this attribute must exist in LDAP.

property ldapAttribute

public ldapAttribute: pulumi.Output<string>;

Name of the mapped attribute on LDAP object.

property ldapUserFederationId

public ldapUserFederationId: pulumi.Output<string>;

The ldap user federation provider to attach this mapper to.

property name

public name: pulumi.Output<string>;

Display name of the mapper when displayed in the console.

property readOnly

public readOnly: pulumi.Output<boolean | undefined>;

When true, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak.

property realmId

public realmId: pulumi.Output<string>;

The realm in which the ldap user federation provider exists.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

property userModelAttribute

public userModelAttribute: pulumi.Output<string>;

Name of the UserModel property or attribute you want to map the LDAP attribute into.

Resource UserFederation

class UserFederation extends CustomResource

# keycloak.ldap.UserFederation

Allows for creating and managing LDAP user federation providers within Keycloak.

Keycloak can use an LDAP user federation provider to federate users to Keycloak from a directory system such as LDAP or Active Directory. Federated users will exist within the realm and will be able to log in to clients. Federated users can have their attributes defined using mappers.

Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";

const realm = new keycloak.Realm("realm", {
    enabled: true,
    realm: "test",
});
const ldapUserFederation = new keycloak.ldap.UserFederation("ldapUserFederation", {
    // Hard-coded here only for illustration. In a real stack read the bind
    // password from a Pulumi config secret so it is encrypted in state.
    bindCredential: "admin",
    bindDn: "cn=admin,dc=example,dc=org",
    connectionTimeout: "5s",
    // ldap:// carries the bind credential and user data unencrypted; prefer ldaps://.
    connectionUrl: "ldap://openldap",
    enabled: true,
    rdnLdapAttribute: "cn",
    readTimeout: "10s",
    realmId: realm.id,
    userObjectClasses: [
        "simpleSecurityObject",
        "organizationalRole",
    ],
    usernameLdapAttribute: "cn",
    usersDn: "dc=example,dc=org",
    uuidLdapAttribute: "entryDN",
});
Argument Reference

The following arguments are supported:

  • realmId - (Required) The realm that this provider will provide user federation for.
  • name - (Required) Display name of the provider when displayed in the console.
  • enabled - (Optional) When false, this provider will not be used when performing queries for users. Defaults to true.
  • priority - (Optional) Priority of this provider when looking up users. Lower values are first. Defaults to 0.
  • importEnabled - (Optional) When true, LDAP users will be imported into the Keycloak database. Defaults to true.
  • editMode - (Optional) Can be one of READ_ONLY, WRITABLE, or UNSYNCED. UNSYNCED allows user data to be imported but not synced back to LDAP. Defaults to READ_ONLY.
  • syncRegistrations - (Optional) When true, newly created users will be synced back to LDAP. Defaults to false.
  • vendor - (Optional) Can be one of OTHER, EDIRECTORY, AD, RHDS, or TIVOLI. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to OTHER.
  • usernameLdapAttribute - (Required) Name of the LDAP attribute to use as the Keycloak username.
  • rdnLdapAttribute - (Required) Name of the LDAP attribute to use as the relative distinguished name.
  • uuidLdapAttribute - (Required) Name of the LDAP attribute to use as a unique object identifier for objects in LDAP.
  • userObjectClasses - (Required) Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one.
  • connectionUrl - (Required) Connection URL to the LDAP server.
  • usersDn - (Required) Full DN of LDAP tree where your users are.
  • bindDn - (Optional) DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if bindCredential is set.
  • bindCredential - (Optional) Password of LDAP admin. This attribute must be set if bindDn is set.
  • customUserSearchFilter - (Optional) Additional LDAP filter for filtering searched users. Must begin with ( and end with ).
  • searchScope - (Optional) Can be one of ONE_LEVEL or SUBTREE:
    • ONE_LEVEL: Only search for users directly under the DN specified by usersDn.
    • SUBTREE: Search entire LDAP subtree.
  • validatePasswordPolicy - (Optional) When true, Keycloak validates a new password against the realm password policy before writing it to LDAP.
  • useTruststoreSpi - (Optional) Can be one of ALWAYS, ONLY_FOR_LDAPS, or NEVER:
    • ALWAYS - Always use the truststore SPI for LDAP connections.
    • NEVER - Never use the truststore SPI for LDAP connections; an ldaps server certificate is then not checked against the truststore configured for Keycloak.
    • ONLY_FOR_LDAPS - Only use the truststore SPI if your LDAP connection uses the ldaps protocol.
  • connectionTimeout - (Optional) LDAP connection timeout in the format of a Go duration string.
  • readTimeout - (Optional) LDAP read timeout in the format of a Go duration string.
  • pagination - (Optional) When true, Keycloak assumes the LDAP server supports pagination. Defaults to true.
  • batchSizeForSync - (Optional) The number of users to sync within a single transaction. Defaults to 1000.
  • fullSyncPeriod - (Optional) How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync.
  • changedSyncPeriod - (Optional) How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.
  • cachePolicy - (Optional) Can be one of DEFAULT, EVICT_DAILY, EVICT_WEEKLY, MAX_LIFESPAN, or NO_CACHE. Defaults to DEFAULT.

This content is derived from https://github.com/mrparkers/terraform-provider-keycloak/blob/master/website/docs/r/keycloak_ldap_user_federation.html.markdown.
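Several of the arguments above are security settings rather than wiring: connectionUrl (ldap:// versus ldaps://), useTruststoreSpi, bindDn and bindCredential, editMode and syncRegistrations (which require a bind account with write access), the timeouts, and customUserSearchFilter. The block below is an added example, not code from the Pulumi provider or from Keycloak: a check that inspects a UserFederation argument set for those weak spots, run over the page's example and over a hardened variant. LdapFederationArgs is a local stand-in for the subset of UserFederationArgs the check reads; the finding texts, the host name, the service account DN and the allow-list group in the hardened variant are assumptions of this example, not provider defaults.

```typescript
// Added example, not code from the Pulumi provider or Keycloak: a pre-deployment
// check over the arguments of a keycloak.ldap.UserFederation, with the page's
// example and a hardened variant run through it. LdapFederationArgs is a local
// stand-in for the subset of UserFederationArgs the check reads; the findings
// and the hardened values (host, service account, filter) are assumptions of
// this example, not defaults of the provider.

interface LdapFederationArgs {
    connectionUrl: string;
    usersDn: string;
    bindDn?: string;
    bindCredential?: string;
    useTruststoreSpi?: "ALWAYS" | "ONLY_FOR_LDAPS" | "NEVER";
    editMode?: "READ_ONLY" | "WRITABLE" | "UNSYNCED";
    syncRegistrations?: boolean;
    connectionTimeout?: string;
    readTimeout?: string;
    searchScope?: "ONE_LEVEL" | "SUBTREE";
    customUserSearchFilter?: string;
}

// customUserSearchFilter must be a single parenthesised expression. This checks
// the outer parentheses and that they balance; it is not a full RFC 4515 parser.
function isWellFormedLdapFilter(filter: string): boolean {
    if (filter.charAt(0) !== "(" || filter.charAt(filter.length - 1) !== ")") return false;
    let depth = 0;
    for (let i = 0; i < filter.length; i++) {
        if (filter.charAt(i) === "(") depth++;
        else if (filter.charAt(i) === ")") depth--;
        if (depth < 0) return false;
        // Back at depth 0 before the last character means two top-level terms.
        if (depth === 0 && i < filter.length - 1) return false;
    }
    return depth === 0;
}

function auditLdapFederation(args: LdapFederationArgs): string[] {
    const findings: string[] = [];
    const url = args.connectionUrl.toLowerCase();
    if (url.indexOf("ldap://") === 0) {
        findings.push("connectionUrl uses ldap://: the bind password and user data cross the network unencrypted; use ldaps://");
    }
    if (url.indexOf("ldaps://") === 0 && args.useTruststoreSpi === "NEVER") {
        findings.push("useTruststoreSpi=NEVER with ldaps://: the server certificate is not checked against the Keycloak truststore SPI");
    }
    if ((args.bindDn === undefined) !== (args.bindCredential === undefined)) {
        findings.push("bindDn and bindCredential must be set together");
    } else if (args.bindDn === undefined) {
        findings.push("no bindDn: Keycloak binds anonymously, so the directory's anonymous-read ACLs decide what it sees");
    }
    if (args.editMode === "WRITABLE" || args.syncRegistrations) {
        findings.push("editMode=WRITABLE or syncRegistrations=true: the bind account needs write access; keep its ACLs scoped to usersDn");
    }
    if (!args.connectionTimeout || !args.readTimeout) {
        findings.push("connectionTimeout/readTimeout unset: a stalled LDAP server can hang logins indefinitely");
    }
    if (args.customUserSearchFilter !== undefined && !isWellFormedLdapFilter(args.customUserSearchFilter)) {
        findings.push("customUserSearchFilter must begin with ( and end with ) and form one expression");
    }
    return findings;
}

// The page's example, reduced to the fields the check reads.
const exampleArgs: LdapFederationArgs = {
    connectionUrl: "ldap://openldap",
    bindDn: "cn=admin,dc=example,dc=org",
    bindCredential: "admin",
    usersDn: "dc=example,dc=org",
};

// Hardened variant: TLS, the truststore SPI, read-only mode, timeouts, a
// read-only service account instead of the directory admin, and a filter that
// admits only members of an allow-list group. Host, account and group DN are
// assumed values. The credential placeholder stands for a Pulumi config secret,
// which would reach the real resource as an Output, not as a literal string.
const hardenedArgs: LdapFederationArgs = {
    connectionUrl: "ldaps://openldap.example.org",
    bindDn: "cn=keycloak-reader,ou=service,dc=example,dc=org",
    bindCredential: "<from new pulumi.Config().requireSecret(\"ldapBindPassword\")>",
    useTruststoreSpi: "ONLY_FOR_LDAPS",
    editMode: "READ_ONLY",
    syncRegistrations: false,
    connectionTimeout: "5s",
    readTimeout: "10s",
    usersDn: "ou=people,dc=example,dc=org",
    searchScope: "ONE_LEVEL",
    customUserSearchFilter: "(&(objectClass=inetOrgPerson)(memberOf=cn=keycloak-users,ou=groups,dc=example,dc=org))",
};
```

auditLdapFederation(exampleArgs) reports two findings (clear-text ldap:// and missing timeouts) and auditLdapFederation(hardenedArgs) reports none. In a real stack the bind password would be `new pulumi.Config().requireSecret("ldapBindPassword")` rather than a string, so it is encrypted in Pulumi state; a check like this one fits naturally into a CI step or a Pulumi policy pack that runs before `pulumi up`.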

constructor

new UserFederation(name: string, args: UserFederationArgs, opts?: pulumi.CustomResourceOptions)

Create a UserFederation resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: UserFederationState, opts?: pulumi.CustomResourceOptions): UserFederation

Get an existing UserFederation resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is UserFederation

Returns true if the given object is an instance of UserFederation. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property batchSizeForSync

public batchSizeForSync: pulumi.Output<number | undefined>;

The number of users to sync within a single transaction.

property bindCredential

public bindCredential: pulumi.Output<string | undefined>;

Password of LDAP admin.

property bindDn

public bindDn: pulumi.Output<string | undefined>;

DN of LDAP admin, which will be used by Keycloak to access LDAP server.

property cachePolicy

public cachePolicy: pulumi.Output<string | undefined>;

property changedSyncPeriod

public changedSyncPeriod: pulumi.Output<number | undefined>;

How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.

property connectionTimeout

public connectionTimeout: pulumi.Output<string | undefined>;

LDAP connection timeout (duration string)

property connectionUrl

public connectionUrl: pulumi.Output<string>;

Connection URL to the LDAP server.

property customUserSearchFilter

public customUserSearchFilter: pulumi.Output<string | undefined>;

Additional LDAP filter for filtering searched users. Must begin with ( and end with ).

property editMode

public editMode: pulumi.Output<string | undefined>;

READ_ONLY: user data that comes from LDAP cannot be changed through Keycloak. WRITABLE: changes made in Keycloak are written back to LDAP. UNSYNCED: user data is imported and can be edited in Keycloak, but is never synced back to LDAP.

property enabled

public enabled: pulumi.Output<boolean | undefined>;

When false, this provider will not be used when performing queries for users.

property fullSyncPeriod

public fullSyncPeriod: pulumi.Output<number | undefined>;

How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property importEnabled

public importEnabled: pulumi.Output<boolean | undefined>;

When true, LDAP users will be imported into the Keycloak database.

property name

public name: pulumi.Output<string>;

Display name of the provider when displayed in the console.

property pagination

public pagination: pulumi.Output<boolean | undefined>;

When true, Keycloak assumes the LDAP server supports pagination.

property priority

public priority: pulumi.Output<number | undefined>;

Priority of this provider when looking up users. Lower values are first.

property rdnLdapAttribute

public rdnLdapAttribute: pulumi.Output<string>;

Name of the LDAP attribute to use as the relative distinguished name.

property readTimeout

public readTimeout: pulumi.Output<string | undefined>;

LDAP read timeout (duration string)

property realmId

public realmId: pulumi.Output<string>;

The realm this provider will provide user federation for.

property searchScope

public searchScope: pulumi.Output<string | undefined>;

ONE_LEVEL: only search for users directly under the DN given by usersDn. SUBTREE: search the entire LDAP subtree below usersDn.

property syncRegistrations

public syncRegistrations: pulumi.Output<boolean | undefined>;

When true, newly created users will be synced back to LDAP.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

property useTruststoreSpi

public useTruststoreSpi: pulumi.Output<string | undefined>;

property userObjectClasses

public userObjectClasses: pulumi.Output<string[]>;

All values of LDAP objectClass attribute for users in LDAP.

property usernameLdapAttribute

public usernameLdapAttribute: pulumi.Output<string>;

Name of the LDAP attribute to use as the Keycloak username.

property usersDn

public usersDn: pulumi.Output<string>;

Full DN of LDAP tree where your users are.

property uuidLdapAttribute

public uuidLdapAttribute: pulumi.Output<string>;

Name of the LDAP attribute to use as a unique object identifier for objects in LDAP.

property validatePasswordPolicy

public validatePasswordPolicy: pulumi.Output<boolean | undefined>;

When true, Keycloak validates a new password against the realm's password policy before updating it in LDAP.

property vendor

public vendor: pulumi.Output<string | undefined>;

LDAP vendor. The upstream provider documentation reports that this field appears to have no effect, but the Keycloak UI marks it as required.

Others

interface FullNameMapperArgs

interface FullNameMapperArgs

The set of arguments for constructing a FullNameMapper resource.

property ldapFullNameAttribute

ldapFullNameAttribute: pulumi.Input<string>;

The name of the LDAP attribute containing the user's full name.

property ldapUserFederationId

ldapUserFederationId: pulumi.Input<string>;

The ldap user federation provider to attach this mapper to.

property name

name?: pulumi.Input<string>;

Display name of the mapper when displayed in the console.

property readOnly

readOnly?: pulumi.Input<boolean>;

When true, updates to a user within Keycloak will not be written back to LDAP. Defaults to false.

property realmId

realmId: pulumi.Input<string>;

The realm in which the ldap user federation provider exists.

property writeOnly

writeOnly?: pulumi.Input<boolean>;

interface FullNameMapperState

interface FullNameMapperState

Input properties used for looking up and filtering FullNameMapper resources.

property ldapFullNameAttribute

ldapFullNameAttribute?: pulumi.Input<string>;

The name of the LDAP attribute containing the user's full name.

property ldapUserFederationId

ldapUserFederationId?: pulumi.Input<string>;

The ldap user federation provider to attach this mapper to.

property name

name?: pulumi.Input<string>;

Display name of the mapper when displayed in the console.

property readOnly

readOnly?: pulumi.Input<boolean>;

When true, updates to a user within Keycloak will not be written back to LDAP. Defaults to false.

property realmId

realmId?: pulumi.Input<string>;

The realm in which the ldap user federation provider exists.

property writeOnly

writeOnly?: pulumi.Input<boolean>;

interface GroupMapperArgs

interface GroupMapperArgs

The set of arguments for constructing a GroupMapper resource.

property dropNonExistingGroupsDuringSync

dropNonExistingGroupsDuringSync?: pulumi.Input<boolean>;

property groupNameLdapAttribute

groupNameLdapAttribute: pulumi.Input<string>;

property groupObjectClasses

groupObjectClasses: pulumi.Input<pulumi.Input<string>[]>;

property groupsLdapFilter

groupsLdapFilter?: pulumi.Input<string>;

property ignoreMissingGroups

ignoreMissingGroups?: pulumi.Input<boolean>;

property ldapGroupsDn

ldapGroupsDn: pulumi.Input<string>;

property ldapUserFederationId

ldapUserFederationId: pulumi.Input<string>;

The ldap user federation provider to attach this mapper to.

property mappedGroupAttributes

mappedGroupAttributes?: pulumi.Input<pulumi.Input<string>[]>;

property memberofLdapAttribute

memberofLdapAttribute?: pulumi.Input<string>;

property membershipAttributeType

membershipAttributeType?: pulumi.Input<string>;

property membershipLdapAttribute

membershipLdapAttribute: pulumi.Input<string>;

property membershipUserLdapAttribute

membershipUserLdapAttribute: pulumi.Input<string>;

property mode

mode?: pulumi.Input<string>;

property name

name?: pulumi.Input<string>;

Display name of the mapper when displayed in the console.

property preserveGroupInheritance

preserveGroupInheritance?: pulumi.Input<boolean>;

property realmId

realmId: pulumi.Input<string>;

The realm in which the ldap user federation provider exists.

property userRolesRetrieveStrategy

userRolesRetrieveStrategy?: pulumi.Input<string>;

interface GroupMapperState

interface GroupMapperState

Input properties used for looking up and filtering GroupMapper resources.

property dropNonExistingGroupsDuringSync

dropNonExistingGroupsDuringSync?: pulumi.Input<boolean>;

property groupNameLdapAttribute

groupNameLdapAttribute?: pulumi.Input<string>;

property groupObjectClasses

groupObjectClasses?: pulumi.Input<pulumi.Input<string>[]>;

property groupsLdapFilter

groupsLdapFilter?: pulumi.Input<string>;

property ignoreMissingGroups

ignoreMissingGroups?: pulumi.Input<boolean>;

property ldapGroupsDn

ldapGroupsDn?: pulumi.Input<string>;

property ldapUserFederationId

ldapUserFederationId?: pulumi.Input<string>;

The ldap user federation provider to attach this mapper to.

property mappedGroupAttributes

mappedGroupAttributes?: pulumi.Input<pulumi.Input<string>[]>;

property memberofLdapAttribute

memberofLdapAttribute?: pulumi.Input<string>;

property membershipAttributeType

membershipAttributeType?: pulumi.Input<string>;

property membershipLdapAttribute

membershipLdapAttribute?: pulumi.Input<string>;

property membershipUserLdapAttribute

membershipUserLdapAttribute?: pulumi.Input<string>;

property mode

mode?: pulumi.Input<string>;

property name

name?: pulumi.Input<string>;

Display name of the mapper when displayed in the console.

property preserveGroupInheritance

preserveGroupInheritance?: pulumi.Input<boolean>;

property realmId

realmId?: pulumi.Input<string>;

The realm in which the ldap user federation provider exists.

property userRolesRetrieveStrategy

userRolesRetrieveStrategy?: pulumi.Input<string>;

interface HardcodedRoleMapperArgs

interface HardcodedRoleMapperArgs

The set of arguments for constructing a HardcodedRoleMapper resource.

property ldapUserFederationId

ldapUserFederationId: pulumi.Input<string>;

The ldap user federation provider to attach this mapper to.

property name

name?: pulumi.Input<string>;

Display name of the mapper when displayed in the console.

property realmId

realmId: pulumi.Input<string>;

The realm in which the ldap user federation provider exists.

property role

role: pulumi.Input<string>;

Role to grant to user.

interface HardcodedRoleMapperState

interface HardcodedRoleMapperState

Input properties used for looking up and filtering HardcodedRoleMapper resources.

property ldapUserFederationId

ldapUserFederationId?: pulumi.Input<string>;

The ldap user federation provider to attach this mapper to.

property name

name?: pulumi.Input<string>;

Display name of the mapper when displayed in the console.

property realmId

realmId?: pulumi.Input<string>;

The realm in which the ldap user federation provider exists.

property role

role?: pulumi.Input<string>;

Role to grant to user.

interface MsadLdsUserAccountControlMapperArgs

interface MsadLdsUserAccountControlMapperArgs

The set of arguments for constructing a MsadLdsUserAccountControlMapper resource.

property ldapUserFederationId

ldapUserFederationId: pulumi.Input<string>;

The ldap user federation provider to attach this mapper to.

property name

name?: pulumi.Input<string>;

Display name of the mapper when displayed in the console.

property realmId

realmId: pulumi.Input<string>;

The realm in which the ldap user federation provider exists.

interface MsadLdsUserAccountControlMapperState

interface MsadLdsUserAccountControlMapperState

Input properties used for looking up and filtering MsadLdsUserAccountControlMapper resources.

property ldapUserFederationId

ldapUserFederationId?: pulumi.Input<string>;

The ldap user federation provider to attach this mapper to.

property name

name?: pulumi.Input<string>;

Display name of the mapper when displayed in the console.

property realmId

realmId?: pulumi.Input<string>;

The realm in which the ldap user federation provider exists.

interface MsadUserAccountControlMapperArgs

interface MsadUserAccountControlMapperArgs

The set of arguments for constructing a MsadUserAccountControlMapper resource.

property ldapPasswordPolicyHintsEnabled

ldapPasswordPolicyHintsEnabled?: pulumi.Input<boolean>;

property ldapUserFederationId

ldapUserFederationId: pulumi.Input<string>;

The ldap user federation provider to attach this mapper to.

property name

name?: pulumi.Input<string>;

Display name of the mapper when displayed in the console.

property realmId

realmId: pulumi.Input<string>;

The realm in which the ldap user federation provider exists.

interface MsadUserAccountControlMapperState

interface MsadUserAccountControlMapperState

Input properties used for looking up and filtering MsadUserAccountControlMapper resources.

property ldapPasswordPolicyHintsEnabled

ldapPasswordPolicyHintsEnabled?: pulumi.Input<boolean>;

property ldapUserFederationId

ldapUserFederationId?: pulumi.Input<string>;

The ldap user federation provider to attach this mapper to.

property name

name?: pulumi.Input<string>;

Display name of the mapper when displayed in the console.

property realmId

realmId?: pulumi.Input<string>;

The realm in which the ldap user federation provider exists.

interface UserAttributeMapperArgs

interface UserAttributeMapperArgs

The set of arguments for constructing a UserAttributeMapper resource.

property alwaysReadValueFromLdap

alwaysReadValueFromLdap?: pulumi.Input<boolean>;

When true, the value fetched from LDAP will override the value stored in Keycloak.

property isMandatoryInLdap

isMandatoryInLdap?: pulumi.Input<boolean>;

When true, this attribute must exist in LDAP.

property ldapAttribute

ldapAttribute: pulumi.Input<string>;

Name of the mapped attribute on LDAP object.

property ldapUserFederationId

ldapUserFederationId: pulumi.Input<string>;

The ldap user federation provider to attach this mapper to.

property name

name?: pulumi.Input<string>;

Display name of the mapper when displayed in the console.

property readOnly

readOnly?: pulumi.Input<boolean>;

When true, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak.

property realmId

realmId: pulumi.Input<string>;

The realm in which the ldap user federation provider exists.

property userModelAttribute

userModelAttribute: pulumi.Input<string>;

Name of the UserModel property or attribute you want to map the LDAP attribute into.

interface UserAttributeMapperState

interface UserAttributeMapperState

Input properties used for looking up and filtering UserAttributeMapper resources.

property alwaysReadValueFromLdap

alwaysReadValueFromLdap?: pulumi.Input<boolean>;

When true, the value fetched from LDAP will override the value stored in Keycloak.

property isMandatoryInLdap

isMandatoryInLdap?: pulumi.Input<boolean>;

When true, this attribute must exist in LDAP.

property ldapAttribute

ldapAttribute?: pulumi.Input<string>;

Name of the mapped attribute on LDAP object.

property ldapUserFederationId

ldapUserFederationId?: pulumi.Input<string>;

The ldap user federation provider to attach this mapper to.

property name

name?: pulumi.Input<string>;

Display name of the mapper when displayed in the console.

property readOnly

readOnly?: pulumi.Input<boolean>;

When true, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak.

property realmId

realmId?: pulumi.Input<string>;

The realm in which the ldap user federation provider exists.

property userModelAttribute

userModelAttribute?: pulumi.Input<string>;

Name of the UserModel property or attribute you want to map the LDAP attribute into.

interface UserFederationArgs

interface UserFederationArgs

The set of arguments for constructing a UserFederation resource.

property batchSizeForSync

batchSizeForSync?: pulumi.Input<number>;

The number of users to sync within a single transaction.

property bindCredential

bindCredential?: pulumi.Input<string>;

Password for the account named in bindDn. Treat it as a secret: supply it from a secret config value or wrap it with pulumi.secret(...) so it is encrypted in the Pulumi state rather than stored as a plain-text literal in the program.

property bindDn

bindDn?: pulumi.Input<string>;

DN of the LDAP account Keycloak binds as when it reads (and, with editMode set to WRITABLE, updates) the directory. Grant it only the rights the chosen editMode needs; a read-only federation does not require a directory administrator account.

property cachePolicy

cachePolicy?: pulumi.Input<string>;

property changedSyncPeriod

changedSyncPeriod?: pulumi.Input<number>;

How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.

property connectionTimeout

connectionTimeout?: pulumi.Input<string>;

LDAP connection timeout (duration string)

property connectionUrl

connectionUrl: pulumi.Input<string>;

Connection URL to the LDAP server, for example ldaps://openldap:636. Prefer ldaps:// so that the bind credential and the user data Keycloak syncs are encrypted in transit; a plain ldap:// URL sends both in clear text.

property customUserSearchFilter

customUserSearchFilter?: pulumi.Input<string>;

Additional LDAP filter for filtering searched users. Must begin with ‘(’ and end with ‘)’.

property editMode

editMode?: pulumi.Input<string>;

READ_ONLY: Keycloak never writes to LDAP. WRITABLE: changes made to a user in Keycloak are written back to LDAP (the bindDn account then needs write access). UNSYNCED: user data is imported into the Keycloak database and can be edited there, but is never synced back to LDAP.

property enabled

enabled?: pulumi.Input<boolean>;

When false, this provider will not be used when performing queries for users.

property fullSyncPeriod

fullSyncPeriod?: pulumi.Input<number>;

How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync.

property importEnabled

importEnabled?: pulumi.Input<boolean>;

When true, LDAP users will be imported into the Keycloak database.

property name

name?: pulumi.Input<string>;

Display name of the provider when displayed in the console.

property pagination

pagination?: pulumi.Input<boolean>;

When true, Keycloak assumes the LDAP server supports pagination.

property priority

priority?: pulumi.Input<number>;

Priority of this provider when looking up users. Lower values are first.

property rdnLdapAttribute

rdnLdapAttribute: pulumi.Input<string>;

Name of the LDAP attribute to use as the relative distinguished name.

property readTimeout

readTimeout?: pulumi.Input<string>;

LDAP read timeout (duration string)

property realmId

realmId: pulumi.Input<string>;

The realm this provider will provide user federation for.

property searchScope

searchScope?: pulumi.Input<string>;

ONE_LEVEL: only search for users directly under the DN given by usersDn. SUBTREE: search the entire LDAP subtree below usersDn.

property syncRegistrations

syncRegistrations?: pulumi.Input<boolean>;

When true, newly created users will be synced back to LDAP.

property useTruststoreSpi

useTruststoreSpi?: pulumi.Input<string>;

property userObjectClasses

userObjectClasses: pulumi.Input<pulumi.Input<string>[]>;

All values of LDAP objectClass attribute for users in LDAP.

property usernameLdapAttribute

usernameLdapAttribute: pulumi.Input<string>;

Name of the LDAP attribute to use as the Keycloak username.

property usersDn

usersDn: pulumi.Input<string>;

Full DN of LDAP tree where your users are.

property uuidLdapAttribute

uuidLdapAttribute: pulumi.Input<string>;

Name of the LDAP attribute to use as a unique object identifier for objects in LDAP.

property validatePasswordPolicy

validatePasswordPolicy?: pulumi.Input<boolean>;

When true, Keycloak validates a new password against the realm's password policy before updating it in LDAP.

property vendor

vendor?: pulumi.Input<string>;

LDAP vendor. The upstream provider documentation reports that this field appears to have no effect, but the Keycloak UI marks it as required.
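The UserFederation properties listed above and the UserFederationArgs interface document several constraints that are easy to get wrong in a program: a customUserSearchFilter must begin with "(" and end with ")", WRITABLE edit mode hands the bind account write access, and the bind password and connection URL decide whether credentials cross the network in clear text. The following pre-deployment audit is an added example, not code from @pulumi/keycloak or the upstream provider. It mirrors a subset of the documented argument names as plain TypeScript values (the real interface uses pulumi.Input<T>) so it runs without the Pulumi SDK, e.g. in a unit test before `pulumi up`. The bindCredentialIsSecret flag, the checkFilterSyntax and auditUserFederation functions, the severity levels and both sample configurations are assumptions of this example.

```typescript
// Added example (not part of @pulumi/keycloak): audit keycloak.ldap.UserFederation
// arguments before deploying them. Property names follow the documentation above;
// values are plain strings/booleans instead of pulumi.Input<T>.

type EditMode = "READ_ONLY" | "WRITABLE" | "UNSYNCED";
type SearchScope = "ONE_LEVEL" | "SUBTREE";

export interface UserFederationConfig {
  connectionUrl: string;
  usersDn: string;
  bindDn?: string;
  bindCredential?: string;
  // Assumption for this example: the caller records whether bindCredential was
  // wrapped with pulumi.secret(...) or read from a secret config value.
  bindCredentialIsSecret?: boolean;
  editMode?: EditMode;
  searchScope?: SearchScope;
  customUserSearchFilter?: string;
}

export interface Finding {
  severity: "high" | "medium" | "low";
  property: keyof UserFederationConfig;
  message: string;
}

// Returns undefined when the filter obeys the documented rule (begins with "("
// and ends with ")") and its parentheses balance; otherwise the reason.
// Raw parentheses are always structural in an LDAP filter: literal ones inside
// a value must be escaped as \28 and \29 (RFC 4515), so counting them is safe.
export function checkFilterSyntax(filter: string): string | undefined {
  if (filter.charAt(0) !== "(" || filter.charAt(filter.length - 1) !== ")") {
    return "must begin with '(' and end with ')'";
  }
  let depth = 0;
  for (let i = 0; i < filter.length; i++) {
    const ch = filter.charAt(i);
    if (ch === "(") depth++;
    else if (ch === ")") depth--;
    if (depth < 0) return "unbalanced parentheses";
  }
  return depth === 0 ? undefined : "unbalanced parentheses";
}

export function auditUserFederation(cfg: UserFederationConfig): Finding[] {
  const findings: Finding[] = [];

  // Transport: a plain ldap:// URL sends the simple-bind password and every
  // synced user record in clear text.
  const url = cfg.connectionUrl.trim().toLowerCase();
  if (url.indexOf("ldap://") === 0) {
    findings.push({ severity: "high", property: "connectionUrl",
      message: "plain ldap:// URL; use ldaps:// so the bind credential and user data are encrypted in transit" });
  } else if (url.indexOf("ldaps://") !== 0) {
    findings.push({ severity: "high", property: "connectionUrl",
      message: `unrecognised URL scheme in "${cfg.connectionUrl}"` });
  }

  // Credential handling: the password lands in Pulumi state and in the Keycloak
  // component config, so it must at least be a Pulumi secret.
  if (cfg.bindCredential !== undefined && !cfg.bindCredentialIsSecret) {
    findings.push({ severity: "high", property: "bindCredential",
      message: "bindCredential is a plain-text value; wrap it with pulumi.secret(...)" });
  }
  if (cfg.bindDn !== undefined && cfg.bindCredential === undefined) {
    findings.push({ severity: "medium", property: "bindDn",
      message: "bindDn is set without a bindCredential" });
  }

  // Edit mode: WRITABLE means the bind account needs write rights in LDAP.
  if (cfg.editMode === "WRITABLE") {
    findings.push({ severity: "medium", property: "editMode",
      message: "WRITABLE gives the bind account write access to LDAP; prefer READ_ONLY or UNSYNCED unless Keycloak must update the directory" });
  }

  // Search filter: enforce the documented syntax rule before Keycloak rejects it.
  if (cfg.customUserSearchFilter !== undefined) {
    const problem = checkFilterSyntax(cfg.customUserSearchFilter);
    if (problem !== undefined) {
      findings.push({ severity: "high", property: "customUserSearchFilter",
        message: `invalid filter: ${problem}` });
    }
  } else if (cfg.searchScope === "SUBTREE") {
    // Without a filter, every object under usersDn carrying the configured
    // object classes becomes a Keycloak user.
    findings.push({ severity: "low", property: "searchScope",
      message: "SUBTREE without customUserSearchFilter imports every matching object under usersDn; consider restricting it with a filter" });
  }
  return findings;
}

// Constructed sample inputs (not from a real deployment). The first uses typical
// quick-start values: plain ldap://, an admin bind DN, a literal password, a
// filter without its outer parentheses. The second is the hardened equivalent;
// the credential string is a placeholder for a `pulumi config set --secret` value.
export const weakConfig: UserFederationConfig = {
  connectionUrl: "ldap://openldap",
  usersDn: "dc=example,dc=org",
  bindDn: "cn=admin,dc=example,dc=org",
  bindCredential: "admin",
  editMode: "WRITABLE",
  searchScope: "SUBTREE",
  customUserSearchFilter: "objectClass=inetOrgPerson",
};

export const hardenedConfig: UserFederationConfig = {
  connectionUrl: "ldaps://openldap:636",
  usersDn: "ou=people,dc=example,dc=org",
  bindDn: "cn=keycloak-reader,ou=services,dc=example,dc=org",
  bindCredential: "<secret config value>",
  bindCredentialIsSecret: true,
  editMode: "READ_ONLY",
  searchScope: "ONE_LEVEL",
  customUserSearchFilter: "(&(objectClass=inetOrgPerson)(memberOf=cn=sso-users,ou=groups,dc=example,dc=org))",
};
```

Run auditUserFederation over the arguments you are about to pass to new keycloak.ldap.UserFederation(...) and fail the build on any "high" finding; in the real program the bindCredential value itself would be `config.requireSecret("ldapBindPassword")` or `pulumi.secret(...)`, which is what the bindCredentialIsSecret flag stands in for here.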

interface UserFederationState

interface UserFederationState

Input properties used for looking up and filtering UserFederation resources.

property batchSizeForSync

batchSizeForSync?: pulumi.Input<number>;

The number of users to sync within a single transaction.

property bindCredential

bindCredential?: pulumi.Input<string>;

Password for the account named in bindDn. Treat it as a secret: supply it from a secret config value or wrap it with pulumi.secret(...) so it is encrypted in the Pulumi state rather than stored as a plain-text literal in the program.

property bindDn

bindDn?: pulumi.Input<string>;

DN of the LDAP account Keycloak binds as when it reads (and, with editMode set to WRITABLE, updates) the directory. Grant it only the rights the chosen editMode needs; a read-only federation does not require a directory administrator account.

property cachePolicy

cachePolicy?: pulumi.Input<string>;

property changedSyncPeriod

changedSyncPeriod?: pulumi.Input<number>;

How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.

property connectionTimeout

connectionTimeout?: pulumi.Input<string>;

LDAP connection timeout (duration string)

property connectionUrl

connectionUrl?: pulumi.Input<string>;

Connection URL to the LDAP server, for example ldaps://openldap:636. Prefer ldaps:// so that the bind credential and the user data Keycloak syncs are encrypted in transit; a plain ldap:// URL sends both in clear text.

property customUserSearchFilter

customUserSearchFilter?: pulumi.Input<string>;

Additional LDAP filter for filtering searched users. Must begin with ‘(’ and end with ‘)’.

property editMode

editMode?: pulumi.Input<string>;

READ_ONLY: Keycloak never writes to LDAP. WRITABLE: changes made to a user in Keycloak are written back to LDAP (the bindDn account then needs write access). UNSYNCED: user data is imported into the Keycloak database and can be edited there, but is never synced back to LDAP.

property enabled

enabled?: pulumi.Input<boolean>;

When false, this provider will not be used when performing queries for users.

property fullSyncPeriod

fullSyncPeriod?: pulumi.Input<number>;

How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync.

property importEnabled

importEnabled?: pulumi.Input<boolean>;

When true, LDAP users will be imported into the Keycloak database.

property name

name?: pulumi.Input<string>;

Display name of the provider when displayed in the console.

property pagination

pagination?: pulumi.Input<boolean>;

When true, Keycloak assumes the LDAP server supports pagination.

property priority

priority?: pulumi.Input<number>;

Priority of this provider when looking up users. Lower values are first.

property rdnLdapAttribute

rdnLdapAttribute?: pulumi.Input<string>;

Name of the LDAP attribute to use as the relative distinguished name.

property readTimeout

readTimeout?: pulumi.Input<string>;

LDAP read timeout (duration string)

property realmId

realmId?: pulumi.Input<string>;

The realm this provider will provide user federation for.

property searchScope

searchScope?: pulumi.Input<string>;

ONE_LEVEL: only search for users directly under the DN given by usersDn. SUBTREE: search the entire LDAP subtree below usersDn.

property syncRegistrations

syncRegistrations?: pulumi.Input<boolean>;

When true, newly created users will be synced back to LDAP.

property useTruststoreSpi

useTruststoreSpi?: pulumi.Input<string>;

property userObjectClasses

userObjectClasses?: pulumi.Input<pulumi.Input<string>[]>;

All values of LDAP objectClass attribute for users in LDAP.

property usernameLdapAttribute

usernameLdapAttribute?: pulumi.Input<string>;

Name of the LDAP attribute to use as the Keycloak username.

property usersDn

usersDn?: pulumi.Input<string>;

Full DN of LDAP tree where your users are.

property uuidLdapAttribute

uuidLdapAttribute?: pulumi.Input<string>;

Name of the LDAP attribute to use as a unique object identifier for objects in LDAP.

property validatePasswordPolicy

validatePasswordPolicy?: pulumi.Input<boolean>;

When true, Keycloak validates a new password against the realm's password policy before updating it in LDAP.

property vendor

vendor?: pulumi.Input<string>;

LDAP vendor. The upstream provider documentation reports that this field appears to have no effect, but the Keycloak UI marks it as required.