Keycloak

v4.11.0 published on Thursday, Aug 4, 2022 by Pulumi

MsadUserAccountControlMapper

Allows for creating and managing MSAD user account control mappers for Keycloak users federated via LDAP.

The MSAD (Microsoft Active Directory) user account control mapper is specific to LDAP user federation providers that are pulling from AD, and it can propagate AD user state to Keycloak in order to enforce settings like expired passwords or disabled accounts.

Example Usage

using Pulumi;
using Keycloak = Pulumi.Keycloak;

class MyStack : Stack
{
    public MyStack()
    {
        var realm = new Keycloak.Realm("realm", new Keycloak.RealmArgs
        {
            RealmName = "my-realm",
            Enabled = true,
        });
        var ldapUserFederation = new Keycloak.Ldap.UserFederation("ldapUserFederation", new Keycloak.Ldap.UserFederationArgs
        {
            RealmId = realm.Id,
            UsernameLdapAttribute = "cn",
            RdnLdapAttribute = "cn",
            UuidLdapAttribute = "objectGUID",
            UserObjectClasses = 
            {
                "person",
                "organizationalPerson",
                "user",
            },
            ConnectionUrl = "ldap://my-ad-server",
            UsersDn = "dc=example,dc=org",
            BindDn = "cn=admin,dc=example,dc=org",
            BindCredential = "admin",
        });
        var msadUserAccountControlMapper = new Keycloak.Ldap.MsadUserAccountControlMapper("msadUserAccountControlMapper", new Keycloak.Ldap.MsadUserAccountControlMapperArgs
        {
            RealmId = realm.Id,
            LdapUserFederationId = ldapUserFederation.Id,
        });
    }

}
package main

import (
	"github.com/pulumi/pulumi-keycloak/sdk/v4/go/keycloak"
	"github.com/pulumi/pulumi-keycloak/sdk/v4/go/keycloak/ldap"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
			Realm:   pulumi.String("my-realm"),
			Enabled: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		ldapUserFederation, err := ldap.NewUserFederation(ctx, "ldapUserFederation", &ldap.UserFederationArgs{
			RealmId:               realm.ID(),
			UsernameLdapAttribute: pulumi.String("cn"),
			RdnLdapAttribute:      pulumi.String("cn"),
			UuidLdapAttribute:     pulumi.String("objectGUID"),
			UserObjectClasses: pulumi.StringArray{
				pulumi.String("person"),
				pulumi.String("organizationalPerson"),
				pulumi.String("user"),
			},
			ConnectionUrl:  pulumi.String("ldap://my-ad-server"),
			UsersDn:        pulumi.String("dc=example,dc=org"),
			BindDn:         pulumi.String("cn=admin,dc=example,dc=org"),
			BindCredential: pulumi.String("admin"),
		})
		if err != nil {
			return err
		}
		_, err = ldap.NewMsadUserAccountControlMapper(ctx, "msadUserAccountControlMapper", &ldap.MsadUserAccountControlMapperArgs{
			RealmId:              realm.ID(),
			LdapUserFederationId: ldapUserFederation.ID(),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.Realm;
import com.pulumi.keycloak.RealmArgs;
import com.pulumi.keycloak.ldap.UserFederation;
import com.pulumi.keycloak.ldap.UserFederationArgs;
import com.pulumi.keycloak.ldap.MsadUserAccountControlMapper;
import com.pulumi.keycloak.ldap.MsadUserAccountControlMapperArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var realm = new Realm("realm", RealmArgs.builder()        
            .realm("my-realm")
            .enabled(true)
            .build());

        var ldapUserFederation = new UserFederation("ldapUserFederation", UserFederationArgs.builder()        
            .realmId(realm.id())
            .usernameLdapAttribute("cn")
            .rdnLdapAttribute("cn")
            .uuidLdapAttribute("objectGUID")
            .userObjectClasses(            
                "person",
                "organizationalPerson",
                "user")
            .connectionUrl("ldap://my-ad-server")
            .usersDn("dc=example,dc=org")
            .bindDn("cn=admin,dc=example,dc=org")
            .bindCredential("admin")
            .build());

        var msadUserAccountControlMapper = new MsadUserAccountControlMapper("msadUserAccountControlMapper", MsadUserAccountControlMapperArgs.builder()        
            .realmId(realm.id())
            .ldapUserFederationId(ldapUserFederation.id())
            .build());

    }
}
import pulumi
import pulumi_keycloak as keycloak

realm = keycloak.Realm("realm",
    realm="my-realm",
    enabled=True)
ldap_user_federation = keycloak.ldap.UserFederation("ldapUserFederation",
    realm_id=realm.id,
    username_ldap_attribute="cn",
    rdn_ldap_attribute="cn",
    uuid_ldap_attribute="objectGUID",
    user_object_classes=[
        "person",
        "organizationalPerson",
        "user",
    ],
    connection_url="ldap://my-ad-server",
    users_dn="dc=example,dc=org",
    bind_dn="cn=admin,dc=example,dc=org",
    bind_credential="admin")
msad_user_account_control_mapper = keycloak.ldap.MsadUserAccountControlMapper("msadUserAccountControlMapper",
    realm_id=realm.id,
    ldap_user_federation_id=ldap_user_federation.id)
import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";

const realm = new keycloak.Realm("realm", {
    realm: "my-realm",
    enabled: true,
});
const ldapUserFederation = new keycloak.ldap.UserFederation("ldapUserFederation", {
    realmId: realm.id,
    usernameLdapAttribute: "cn",
    rdnLdapAttribute: "cn",
    uuidLdapAttribute: "objectGUID",
    userObjectClasses: [
        "person",
        "organizationalPerson",
        "user",
    ],
    connectionUrl: "ldap://my-ad-server",
    usersDn: "dc=example,dc=org",
    bindDn: "cn=admin,dc=example,dc=org",
    bindCredential: "admin",
});
const msadUserAccountControlMapper = new keycloak.ldap.MsadUserAccountControlMapper("msadUserAccountControlMapper", {
    realmId: realm.id,
    ldapUserFederationId: ldapUserFederation.id,
});
resources:
  realm:
    type: keycloak:Realm
    properties:
      realm: my-realm
      enabled: true
  ldapUserFederation:
    type: keycloak:ldap:UserFederation
    properties:
      realmId: ${realm.id}
      usernameLdapAttribute: cn
      rdnLdapAttribute: cn
      uuidLdapAttribute: objectGUID
      userObjectClasses:
        - person
        - organizationalPerson
        - user
      connectionUrl: ldap://my-ad-server
      usersDn: dc=example,dc=org
      bindDn: cn=admin,dc=example,dc=org
      bindCredential: admin
  msadUserAccountControlMapper:
    type: keycloak:ldap:MsadUserAccountControlMapper
    properties:
      realmId: ${realm.id}
      ldapUserFederationId: ${ldapUserFederation.id}

Create MsadUserAccountControlMapper Resource

new MsadUserAccountControlMapper(name: string, args: MsadUserAccountControlMapperArgs, opts?: CustomResourceOptions);
@overload
def MsadUserAccountControlMapper(resource_name: str,
                                 opts: Optional[ResourceOptions] = None,
                                 ldap_password_policy_hints_enabled: Optional[bool] = None,
                                 ldap_user_federation_id: Optional[str] = None,
                                 name: Optional[str] = None,
                                 realm_id: Optional[str] = None)
@overload
def MsadUserAccountControlMapper(resource_name: str,
                                 args: MsadUserAccountControlMapperArgs,
                                 opts: Optional[ResourceOptions] = None)
func NewMsadUserAccountControlMapper(ctx *Context, name string, args MsadUserAccountControlMapperArgs, opts ...ResourceOption) (*MsadUserAccountControlMapper, error)
public MsadUserAccountControlMapper(string name, MsadUserAccountControlMapperArgs args, CustomResourceOptions? opts = null)
public MsadUserAccountControlMapper(String name, MsadUserAccountControlMapperArgs args)
public MsadUserAccountControlMapper(String name, MsadUserAccountControlMapperArgs args, CustomResourceOptions options)
type: keycloak:ldap:MsadUserAccountControlMapper
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

name string
The unique name of the resource.
args MsadUserAccountControlMapperArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
args MsadUserAccountControlMapperArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args MsadUserAccountControlMapperArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name string
The unique name of the resource.
args MsadUserAccountControlMapperArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name String
The unique name of the resource.
args MsadUserAccountControlMapperArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

MsadUserAccountControlMapper Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The MsadUserAccountControlMapper resource accepts the following input properties:

LdapUserFederationId string

The ID of the LDAP user federation provider to attach this mapper to.

RealmId string

The realm that this LDAP mapper will exist in.

LdapPasswordPolicyHintsEnabled bool

When true, advanced password policies, such as password hints and previous password history will be used when writing new passwords to AD. Defaults to false.

Name string

Display name of this mapper when displayed in the console.

LdapUserFederationId string

The ID of the LDAP user federation provider to attach this mapper to.

RealmId string

The realm that this LDAP mapper will exist in.

LdapPasswordPolicyHintsEnabled bool

When true, advanced password policies, such as password hints and previous password history will be used when writing new passwords to AD. Defaults to false.

Name string

Display name of this mapper when displayed in the console.

ldapUserFederationId String

The ID of the LDAP user federation provider to attach this mapper to.

realmId String

The realm that this LDAP mapper will exist in.

ldapPasswordPolicyHintsEnabled Boolean

When true, advanced password policies, such as password hints and previous password history will be used when writing new passwords to AD. Defaults to false.

name String

Display name of this mapper when displayed in the console.

ldapUserFederationId string

The ID of the LDAP user federation provider to attach this mapper to.

realmId string

The realm that this LDAP mapper will exist in.

ldapPasswordPolicyHintsEnabled boolean

When true, advanced password policies, such as password hints and previous password history will be used when writing new passwords to AD. Defaults to false.

name string

Display name of this mapper when displayed in the console.

ldap_user_federation_id str

The ID of the LDAP user federation provider to attach this mapper to.

realm_id str

The realm that this LDAP mapper will exist in.

ldap_password_policy_hints_enabled bool

When true, advanced password policies, such as password hints and previous password history will be used when writing new passwords to AD. Defaults to false.

name str

Display name of this mapper when displayed in the console.

ldapUserFederationId String

The ID of the LDAP user federation provider to attach this mapper to.

realmId String

The realm that this LDAP mapper will exist in.

ldapPasswordPolicyHintsEnabled Boolean

When true, advanced password policies, such as password hints and previous password history will be used when writing new passwords to AD. Defaults to false.

name String

Display name of this mapper when displayed in the console.

Outputs

All input properties are implicitly available as output properties. Additionally, the MsadUserAccountControlMapper resource produces the following output properties:

Id string

The provider-assigned unique ID for this managed resource.

Id string

The provider-assigned unique ID for this managed resource.

id String

The provider-assigned unique ID for this managed resource.

id string

The provider-assigned unique ID for this managed resource.

id str

The provider-assigned unique ID for this managed resource.

id String

The provider-assigned unique ID for this managed resource.

Look up Existing MsadUserAccountControlMapper Resource

Get an existing MsadUserAccountControlMapper resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: MsadUserAccountControlMapperState, opts?: CustomResourceOptions): MsadUserAccountControlMapper
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        ldap_password_policy_hints_enabled: Optional[bool] = None,
        ldap_user_federation_id: Optional[str] = None,
        name: Optional[str] = None,
        realm_id: Optional[str] = None) -> MsadUserAccountControlMapper
func GetMsadUserAccountControlMapper(ctx *Context, name string, id IDInput, state *MsadUserAccountControlMapperState, opts ...ResourceOption) (*MsadUserAccountControlMapper, error)
public static MsadUserAccountControlMapper Get(string name, Input<string> id, MsadUserAccountControlMapperState? state, CustomResourceOptions? opts = null)
public static MsadUserAccountControlMapper get(String name, Output<String> id, MsadUserAccountControlMapperState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
The following state arguments are supported:
LdapPasswordPolicyHintsEnabled bool

When true, advanced password policies, such as password hints and previous password history will be used when writing new passwords to AD. Defaults to false.

LdapUserFederationId string

The ID of the LDAP user federation provider to attach this mapper to.

Name string

Display name of this mapper when displayed in the console.

RealmId string

The realm that this LDAP mapper will exist in.

LdapPasswordPolicyHintsEnabled bool

When true, advanced password policies, such as password hints and previous password history will be used when writing new passwords to AD. Defaults to false.

LdapUserFederationId string

The ID of the LDAP user federation provider to attach this mapper to.

Name string

Display name of this mapper when displayed in the console.

RealmId string

The realm that this LDAP mapper will exist in.

ldapPasswordPolicyHintsEnabled Boolean

When true, advanced password policies, such as password hints and previous password history will be used when writing new passwords to AD. Defaults to false.

ldapUserFederationId String

The ID of the LDAP user federation provider to attach this mapper to.

name String

Display name of this mapper when displayed in the console.

realmId String

The realm that this LDAP mapper will exist in.

ldapPasswordPolicyHintsEnabled boolean

When true, advanced password policies, such as password hints and previous password history will be used when writing new passwords to AD. Defaults to false.

ldapUserFederationId string

The ID of the LDAP user federation provider to attach this mapper to.

name string

Display name of this mapper when displayed in the console.

realmId string

The realm that this LDAP mapper will exist in.

ldap_password_policy_hints_enabled bool

When true, advanced password policies, such as password hints and previous password history will be used when writing new passwords to AD. Defaults to false.

ldap_user_federation_id str

The ID of the LDAP user federation provider to attach this mapper to.

name str

Display name of this mapper when displayed in the console.

realm_id str

The realm that this LDAP mapper will exist in.

ldapPasswordPolicyHintsEnabled Boolean

When true, advanced password policies, such as password hints and previous password history will be used when writing new passwords to AD. Defaults to false.

ldapUserFederationId String

The ID of the LDAP user federation provider to attach this mapper to.

name String

Display name of this mapper when displayed in the console.

realmId String

The realm that this LDAP mapper will exist in.

Import

LDAP mappers can be imported using the format {{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}. The ID of the LDAP user federation provider and the mapper can be found within the Keycloak GUI, and they are typically GUIDs. Examplebash

 $ pulumi import keycloak:ldap/msadUserAccountControlMapper:MsadUserAccountControlMapper msad_user_account_control_mapper my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67

Package Details

Repository
https://github.com/pulumi/pulumi-keycloak
License
Apache-2.0
Notes

This Pulumi package is based on the keycloak Terraform Provider.