Keycloak

v4.11.0 published on Thursday, Aug 4, 2022 by Pulumi

UserFederation

Allows for creating and managing LDAP user federation providers within Keycloak.

Keycloak can use an LDAP user federation provider to federate users to Keycloak from a directory system such as LDAP or Active Directory. Federated users will exist within the realm and will be able to log in to clients. Federated users can have their attributes defined using mappers.

Example Usage

using Pulumi;
using Keycloak = Pulumi.Keycloak;

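class MyStack : Stack
{
    /// <summary>
    /// Creates a realm and an LDAP user federation provider inside it.
    /// The LDAP bind password is read from Pulumi config as a secret rather
    /// than written as a literal, so it is encrypted in state and not committed
    /// to source control. Set it with:
    ///   pulumi config set --secret ldapBindCredential &lt;value&gt;
    /// </summary>
    public MyStack()
    {
        var config = new Config();
        var bindCredential = config.RequireSecret("ldapBindCredential");

        var realm = new Keycloak.Realm("realm", new Keycloak.RealmArgs
        {
            RealmName = "my-realm",
            Enabled = true,
        });
        var ldapUserFederation = new Keycloak.Ldap.UserFederation("ldapUserFederation", new Keycloak.Ldap.UserFederationArgs
        {
            RealmId = realm.Id,
            Enabled = true,
            UsernameLdapAttribute = "cn",
            RdnLdapAttribute = "cn",
            UuidLdapAttribute = "entryDN",
            UserObjectClasses =
            {
                "simpleSecurityObject",
                "organizationalRole",
            },
            // ldap:// is cleartext; outside a local test use ldaps:// or set
            // StartTls = true so the bind credential is not sent in the clear.
            ConnectionUrl = "ldap://openldap",
            UsersDn = "dc=example,dc=org",
            BindDn = "cn=admin,dc=example,dc=org",
            BindCredential = bindCredential,
            ConnectionTimeout = "5s",
            ReadTimeout = "10s",
            Kerberos = new Keycloak.Ldap.Inputs.UserFederationKerberosArgs
            {
                KerberosRealm = "FOO.LOCAL",
                ServerPrincipal = "HTTP/host.foo.com@FOO.LOCAL",
                KeyTab = "/etc/host.keytab",
            },
        });
    }

}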
package main

import (
	"github.com/pulumi/pulumi-keycloak/sdk/v4/go/keycloak"
	"github.com/pulumi/pulumi-keycloak/sdk/v4/go/keycloak/ldap"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi/config"
)

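// main creates a realm and an LDAP user federation provider inside it.
//
// The LDAP bind password is read from Pulumi config as a secret rather than
// written as a literal, so it is encrypted in state and not committed to
// source control. Set it with:
//
//	pulumi config set --secret ldapBindCredential <value>
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		cfg := config.New(ctx, "")
		bindCredential := cfg.RequireSecret("ldapBindCredential")

		realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
			Realm:   pulumi.String("my-realm"),
			Enabled: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		_, err = ldap.NewUserFederation(ctx, "ldapUserFederation", &ldap.UserFederationArgs{
			RealmId:               realm.ID(),
			Enabled:               pulumi.Bool(true),
			UsernameLdapAttribute: pulumi.String("cn"),
			RdnLdapAttribute:      pulumi.String("cn"),
			UuidLdapAttribute:     pulumi.String("entryDN"),
			UserObjectClasses: pulumi.StringArray{
				pulumi.String("simpleSecurityObject"),
				pulumi.String("organizationalRole"),
			},
			// ldap:// is cleartext; outside a local test use ldaps:// or set
			// StartTls so the bind credential is not sent in the clear.
			ConnectionUrl:     pulumi.String("ldap://openldap"),
			UsersDn:           pulumi.String("dc=example,dc=org"),
			BindDn:            pulumi.String("cn=admin,dc=example,dc=org"),
			BindCredential:    bindCredential,
			ConnectionTimeout: pulumi.String("5s"),
			ReadTimeout:       pulumi.String("10s"),
			Kerberos: &ldap.UserFederationKerberosArgs{
				KerberosRealm:   pulumi.String("FOO.LOCAL"),
				ServerPrincipal: pulumi.String("HTTP/host.foo.com@FOO.LOCAL"),
				KeyTab:          pulumi.String("/etc/host.keytab"),
			},
		})
		// Nothing else to do after the second resource; propagate its error (or nil).
		return err
	})
}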
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.Realm;
import com.pulumi.keycloak.RealmArgs;
import com.pulumi.keycloak.ldap.UserFederation;
import com.pulumi.keycloak.ldap.UserFederationArgs;
import com.pulumi.keycloak.ldap.inputs.UserFederationKerberosArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

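public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Creates a realm and an LDAP user federation provider inside it.
     *
     * The LDAP bind password is read from Pulumi config as a secret rather than
     * written as a literal, so it is encrypted in state and not committed to
     * source control. Set it with:
     *   pulumi config set --secret ldapBindCredential &lt;value&gt;
     *
     * @param ctx the Pulumi deployment context
     */
    public static void stack(Context ctx) {
        var bindCredential = ctx.config().requireSecret("ldapBindCredential");

        var realm = new Realm("realm", RealmArgs.builder()
            .realm("my-realm")
            .enabled(true)
            .build());

        var ldapUserFederation = new UserFederation("ldapUserFederation", UserFederationArgs.builder()
            .realmId(realm.id())
            .enabled(true)
            .usernameLdapAttribute("cn")
            .rdnLdapAttribute("cn")
            .uuidLdapAttribute("entryDN")
            .userObjectClasses(
                "simpleSecurityObject",
                "organizationalRole")
            // ldap:// is cleartext; outside a local test use ldaps:// or
            // .startTls(true) so the bind credential is not sent in the clear.
            .connectionUrl("ldap://openldap")
            .usersDn("dc=example,dc=org")
            .bindDn("cn=admin,dc=example,dc=org")
            .bindCredential(bindCredential)
            .connectionTimeout("5s")
            .readTimeout("10s")
            .kerberos(UserFederationKerberosArgs.builder()
                .kerberosRealm("FOO.LOCAL")
                .serverPrincipal("HTTP/host.foo.com@FOO.LOCAL")
                .keyTab("/etc/host.keytab")
                .build())
            .build());

    }
}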
import pulumi
import pulumi_keycloak as keycloak

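# Read the LDAP bind password from Pulumi config as a secret rather than
# writing it as a literal, so it is encrypted in state and not committed to
# source control. Set it with:
#   pulumi config set --secret ldapBindCredential <value>
config = pulumi.Config()
bind_credential = config.require_secret("ldapBindCredential")

# The realm that the LDAP provider will federate users into.
realm = keycloak.Realm("realm",
    realm="my-realm",
    enabled=True)
ldap_user_federation = keycloak.ldap.UserFederation("ldapUserFederation",
    realm_id=realm.id,
    enabled=True,
    username_ldap_attribute="cn",
    rdn_ldap_attribute="cn",
    uuid_ldap_attribute="entryDN",
    user_object_classes=[
        "simpleSecurityObject",
        "organizationalRole",
    ],
    # ldap:// is cleartext; outside a local test use ldaps:// or start_tls=True
    # so the bind credential is not sent in the clear.
    connection_url="ldap://openldap",
    users_dn="dc=example,dc=org",
    bind_dn="cn=admin,dc=example,dc=org",
    bind_credential=bind_credential,
    connection_timeout="5s",
    read_timeout="10s",
    kerberos=keycloak.ldap.UserFederationKerberosArgs(
        kerberos_realm="FOO.LOCAL",
        server_principal="HTTP/host.foo.com@FOO.LOCAL",
        key_tab="/etc/host.keytab",
    ))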
import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";

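// Read the LDAP bind password from Pulumi config as a secret rather than
// writing it as a literal, so it is encrypted in state and not committed to
// source control. Set it with:
//   pulumi config set --secret ldapBindCredential <value>
const config = new pulumi.Config();
const bindCredential = config.requireSecret("ldapBindCredential");

// The realm that the LDAP provider will federate users into.
const realm = new keycloak.Realm("realm", {
    realm: "my-realm",
    enabled: true,
});
const ldapUserFederation = new keycloak.ldap.UserFederation("ldapUserFederation", {
    realmId: realm.id,
    enabled: true,
    usernameLdapAttribute: "cn",
    rdnLdapAttribute: "cn",
    uuidLdapAttribute: "entryDN",
    userObjectClasses: [
        "simpleSecurityObject",
        "organizationalRole",
    ],
    // ldap:// is cleartext; outside a local test use ldaps:// or startTls: true
    // so the bind credential is not sent in the clear.
    connectionUrl: "ldap://openldap",
    usersDn: "dc=example,dc=org",
    bindDn: "cn=admin,dc=example,dc=org",
    bindCredential: bindCredential,
    connectionTimeout: "5s",
    readTimeout: "10s",
    kerberos: {
        kerberosRealm: "FOO.LOCAL",
        serverPrincipal: "HTTP/host.foo.com@FOO.LOCAL",
        keyTab: "/etc/host.keytab",
    },
});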
resources:
  # The realm that the LDAP provider will federate users into.
  realm:
    type: keycloak:Realm
    properties:
      realm: my-realm
      enabled: true
  ldapUserFederation:
    type: keycloak:ldap:UserFederation
    properties:
      realmId: ${realm.id}
      enabled: true
      usernameLdapAttribute: cn
      rdnLdapAttribute: cn
      uuidLdapAttribute: entryDN
      userObjectClasses:
        - simpleSecurityObject
        - organizationalRole
      # ldap:// is cleartext; outside a local test use ldaps:// or set
      # startTls: true so the bind credential is not sent in the clear.
      connectionUrl: ldap://openldap
      usersDn: dc=example,dc=org
      bindDn: cn=admin,dc=example,dc=org
      # NOTE(review): a literal bind password ends up in source control and in
      # state; prefer a secret config value (pulumi config set --secret ...).
      bindCredential: admin
      connectionTimeout: 5s
      readTimeout: 10s
      kerberos:
        kerberosRealm: FOO.LOCAL
        serverPrincipal: HTTP/host.foo.com@FOO.LOCAL
        keyTab: /etc/host.keytab

Create UserFederation Resource

new UserFederation(name: string, args: UserFederationArgs, opts?: CustomResourceOptions);
@overload
def UserFederation(resource_name: str,
                   opts: Optional[ResourceOptions] = None,
                   batch_size_for_sync: Optional[int] = None,
                   bind_credential: Optional[str] = None,
                   bind_dn: Optional[str] = None,
                   cache: Optional[UserFederationCacheArgs] = None,
                   changed_sync_period: Optional[int] = None,
                   connection_timeout: Optional[str] = None,
                   connection_url: Optional[str] = None,
                   custom_user_search_filter: Optional[str] = None,
                   edit_mode: Optional[str] = None,
                   enabled: Optional[bool] = None,
                   full_sync_period: Optional[int] = None,
                   import_enabled: Optional[bool] = None,
                   kerberos: Optional[UserFederationKerberosArgs] = None,
                   name: Optional[str] = None,
                   pagination: Optional[bool] = None,
                   priority: Optional[int] = None,
                   rdn_ldap_attribute: Optional[str] = None,
                   read_timeout: Optional[str] = None,
                   realm_id: Optional[str] = None,
                   search_scope: Optional[str] = None,
                   start_tls: Optional[bool] = None,
                   sync_registrations: Optional[bool] = None,
                   trust_email: Optional[bool] = None,
                   use_password_modify_extended_op: Optional[bool] = None,
                   use_truststore_spi: Optional[str] = None,
                   user_object_classes: Optional[Sequence[str]] = None,
                   username_ldap_attribute: Optional[str] = None,
                   users_dn: Optional[str] = None,
                   uuid_ldap_attribute: Optional[str] = None,
                   validate_password_policy: Optional[bool] = None,
                   vendor: Optional[str] = None)
@overload
def UserFederation(resource_name: str,
                   args: UserFederationArgs,
                   opts: Optional[ResourceOptions] = None)
func NewUserFederation(ctx *Context, name string, args UserFederationArgs, opts ...ResourceOption) (*UserFederation, error)
public UserFederation(string name, UserFederationArgs args, CustomResourceOptions? opts = null)
public UserFederation(String name, UserFederationArgs args)
public UserFederation(String name, UserFederationArgs args, CustomResourceOptions options)
type: keycloak:ldap:UserFederation
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

name string
The unique name of the resource.
args UserFederationArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
args UserFederationArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args UserFederationArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name string
The unique name of the resource.
args UserFederationArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name String
The unique name of the resource.
args UserFederationArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

UserFederation Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The UserFederation resource accepts the following input properties:

ConnectionUrl string

Connection URL to the LDAP server.

RdnLdapAttribute string

Name of the LDAP attribute to use as the relative distinguished name.

RealmId string

The realm that this provider will provide user federation for.

UserObjectClasses List<string>

Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one.

UsernameLdapAttribute string

Name of the LDAP attribute to use as the Keycloak username.

UsersDn string

Full DN of LDAP tree where your users are.

UuidLdapAttribute string

Name of the LDAP attribute to use as a unique object identifier for objects in LDAP.

BatchSizeForSync int

The number of users to sync within a single transaction. Defaults to 1000.

BindCredential string

Password of LDAP admin. This attribute must be set if bind_dn is set.

BindDn string

DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if bind_credential is set.

Cache UserFederationCacheArgs

A block containing the cache settings.

ChangedSyncPeriod int

How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.

ConnectionTimeout string

LDAP connection timeout in the format of a Go duration string.

CustomUserSearchFilter string

Additional LDAP filter for filtering searched users. Must begin with ( and end with ).

EditMode string

Can be one of READ_ONLY, WRITABLE, or UNSYNCED. UNSYNCED allows user data to be imported but not synced back to LDAP. Defaults to READ_ONLY.

Enabled bool

When false, this provider will not be used when performing queries for users. Defaults to true.

FullSyncPeriod int

How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync.

ImportEnabled bool

When true, LDAP users will be imported into the Keycloak database. Defaults to true.

Kerberos UserFederationKerberosArgs

A block containing the kerberos settings.

Name string

Display name of the provider when displayed in the console.

Pagination bool

When true, Keycloak assumes the LDAP server supports pagination. Defaults to true.

Priority int

Priority of this provider when looking up users. Lower values are first. Defaults to 0.

ReadTimeout string

LDAP read timeout in the format of a Go duration string.

SearchScope string

Can be one of ONE_LEVEL or SUBTREE:

  • ONE_LEVEL: Only search for users in the DN specified by users_dn.
  • SUBTREE: Search entire LDAP subtree.
StartTls bool

When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling.

SyncRegistrations bool

When true, newly created users will be synced back to LDAP. Defaults to false.

TrustEmail bool

If enabled, email provided by this provider is not verified even if verification is enabled for the realm.

UsePasswordModifyExtendedOp bool

When true, use the LDAPv3 Password Modify Extended Operation (RFC-3062).

UseTruststoreSpi string

Can be one of ALWAYS, ONLY_FOR_LDAPS, or NEVER.

ValidatePasswordPolicy bool

When true, Keycloak will validate passwords using the realm policy before updating them.

Vendor string

Can be one of OTHER, EDIRECTORY, AD, RHDS, or TIVOLI. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to OTHER.

ConnectionUrl string

Connection URL to the LDAP server.

RdnLdapAttribute string

Name of the LDAP attribute to use as the relative distinguished name.

RealmId string

The realm that this provider will provide user federation for.

UserObjectClasses []string

Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one.

UsernameLdapAttribute string

Name of the LDAP attribute to use as the Keycloak username.

UsersDn string

Full DN of LDAP tree where your users are.

UuidLdapAttribute string

Name of the LDAP attribute to use as a unique object identifier for objects in LDAP.

BatchSizeForSync int

The number of users to sync within a single transaction. Defaults to 1000.

BindCredential string

Password of LDAP admin. This attribute must be set if bind_dn is set.

BindDn string

DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if bind_credential is set.

Cache UserFederationCacheArgs

A block containing the cache settings.

ChangedSyncPeriod int

How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.

ConnectionTimeout string

LDAP connection timeout in the format of a Go duration string.

CustomUserSearchFilter string

Additional LDAP filter for filtering searched users. Must begin with ( and end with ).

EditMode string

Can be one of READ_ONLY, WRITABLE, or UNSYNCED. UNSYNCED allows user data to be imported but not synced back to LDAP. Defaults to READ_ONLY.

Enabled bool

When false, this provider will not be used when performing queries for users. Defaults to true.

FullSyncPeriod int

How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync.

ImportEnabled bool

When true, LDAP users will be imported into the Keycloak database. Defaults to true.

Kerberos UserFederationKerberosArgs

A block containing the kerberos settings.

Name string

Display name of the provider when displayed in the console.

Pagination bool

When true, Keycloak assumes the LDAP server supports pagination. Defaults to true.

Priority int

Priority of this provider when looking up users. Lower values are first. Defaults to 0.

ReadTimeout string

LDAP read timeout in the format of a Go duration string.

SearchScope string

Can be one of ONE_LEVEL or SUBTREE:

  • ONE_LEVEL: Only search for users in the DN specified by users_dn.
  • SUBTREE: Search entire LDAP subtree.
StartTls bool

When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling.

SyncRegistrations bool

When true, newly created users will be synced back to LDAP. Defaults to false.

TrustEmail bool

If enabled, email provided by this provider is not verified even if verification is enabled for the realm.

UsePasswordModifyExtendedOp bool

When true, use the LDAPv3 Password Modify Extended Operation (RFC-3062).

UseTruststoreSpi string

Can be one of ALWAYS, ONLY_FOR_LDAPS, or NEVER.

ValidatePasswordPolicy bool

When true, Keycloak will validate passwords using the realm policy before updating them.

Vendor string

Can be one of OTHER, EDIRECTORY, AD, RHDS, or TIVOLI. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to OTHER.

connectionUrl String

Connection URL to the LDAP server.

rdnLdapAttribute String

Name of the LDAP attribute to use as the relative distinguished name.

realmId String

The realm that this provider will provide user federation for.

userObjectClasses List<String>

Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one.

usernameLdapAttribute String

Name of the LDAP attribute to use as the Keycloak username.

usersDn String

Full DN of LDAP tree where your users are.

uuidLdapAttribute String

Name of the LDAP attribute to use as a unique object identifier for objects in LDAP.

batchSizeForSync Integer

The number of users to sync within a single transaction. Defaults to 1000.

bindCredential String

Password of LDAP admin. This attribute must be set if bind_dn is set.

bindDn String

DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if bind_credential is set.

cache UserFederationCacheArgs

A block containing the cache settings.

changedSyncPeriod Integer

How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.

connectionTimeout String

LDAP connection timeout in the format of a Go duration string.

customUserSearchFilter String

Additional LDAP filter for filtering searched users. Must begin with ( and end with ).

editMode String

Can be one of READ_ONLY, WRITABLE, or UNSYNCED. UNSYNCED allows user data to be imported but not synced back to LDAP. Defaults to READ_ONLY.

enabled Boolean

When false, this provider will not be used when performing queries for users. Defaults to true.

fullSyncPeriod Integer

How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync.

importEnabled Boolean

When true, LDAP users will be imported into the Keycloak database. Defaults to true.

kerberos UserFederationKerberosArgs

A block containing the kerberos settings.

name String

Display name of the provider when displayed in the console.

pagination Boolean

When true, Keycloak assumes the LDAP server supports pagination. Defaults to true.

priority Integer

Priority of this provider when looking up users. Lower values are first. Defaults to 0.

readTimeout String

LDAP read timeout in the format of a Go duration string.

searchScope String

Can be one of ONE_LEVEL or SUBTREE:

  • ONE_LEVEL: Only search for users in the DN specified by users_dn.
  • SUBTREE: Search entire LDAP subtree.
startTls Boolean

When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling.

syncRegistrations Boolean

When true, newly created users will be synced back to LDAP. Defaults to false.

trustEmail Boolean

If enabled, email provided by this provider is not verified even if verification is enabled for the realm.

usePasswordModifyExtendedOp Boolean

When true, use the LDAPv3 Password Modify Extended Operation (RFC-3062).

useTruststoreSpi String

Can be one of ALWAYS, ONLY_FOR_LDAPS, or NEVER.

validatePasswordPolicy Boolean

When true, Keycloak will validate passwords using the realm policy before updating them.

vendor String

Can be one of OTHER, EDIRECTORY, AD, RHDS, or TIVOLI. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to OTHER.

connectionUrl string

Connection URL to the LDAP server.

rdnLdapAttribute string

Name of the LDAP attribute to use as the relative distinguished name.

realmId string

The realm that this provider will provide user federation for.

userObjectClasses string[]

Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one.

usernameLdapAttribute string

Name of the LDAP attribute to use as the Keycloak username.

usersDn string

Full DN of LDAP tree where your users are.

uuidLdapAttribute string

Name of the LDAP attribute to use as a unique object identifier for objects in LDAP.

batchSizeForSync number

The number of users to sync within a single transaction. Defaults to 1000.

bindCredential string

Password of LDAP admin. This attribute must be set if bind_dn is set.

bindDn string

DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if bind_credential is set.

cache UserFederationCacheArgs

A block containing the cache settings.

changedSyncPeriod number

How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.

connectionTimeout string

LDAP connection timeout in the format of a Go duration string.

customUserSearchFilter string

Additional LDAP filter for filtering searched users. Must begin with ( and end with ).

editMode string

Can be one of READ_ONLY, WRITABLE, or UNSYNCED. UNSYNCED allows user data to be imported but not synced back to LDAP. Defaults to READ_ONLY.

enabled boolean

When false, this provider will not be used when performing queries for users. Defaults to true.

fullSyncPeriod number

How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync.

importEnabled boolean

When true, LDAP users will be imported into the Keycloak database. Defaults to true.

kerberos UserFederationKerberosArgs

A block containing the kerberos settings.

name string

Display name of the provider when displayed in the console.

pagination boolean

When true, Keycloak assumes the LDAP server supports pagination. Defaults to true.

priority number

Priority of this provider when looking up users. Lower values are first. Defaults to 0.

readTimeout string

LDAP read timeout in the format of a Go duration string.

searchScope string

Can be one of ONE_LEVEL or SUBTREE:

  • ONE_LEVEL: Only search for users in the DN specified by users_dn.
  • SUBTREE: Search entire LDAP subtree.
startTls boolean

When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling.

syncRegistrations boolean

When true, newly created users will be synced back to LDAP. Defaults to false.

trustEmail boolean

If enabled, email provided by this provider is not verified even if verification is enabled for the realm.

usePasswordModifyExtendedOp boolean

When true, use the LDAPv3 Password Modify Extended Operation (RFC-3062).

useTruststoreSpi string

Can be one of ALWAYS, ONLY_FOR_LDAPS, or NEVER.

validatePasswordPolicy boolean

When true, Keycloak will validate passwords using the realm policy before updating them.

vendor string

Can be one of OTHER, EDIRECTORY, AD, RHDS, or TIVOLI. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to OTHER.

connection_url str

Connection URL to the LDAP server.

rdn_ldap_attribute str

Name of the LDAP attribute to use as the relative distinguished name.

realm_id str

The realm that this provider will provide user federation for.

user_object_classes Sequence[str]

Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one.

username_ldap_attribute str

Name of the LDAP attribute to use as the Keycloak username.

users_dn str

Full DN of LDAP tree where your users are.

uuid_ldap_attribute str

Name of the LDAP attribute to use as a unique object identifier for objects in LDAP.

batch_size_for_sync int

The number of users to sync within a single transaction. Defaults to 1000.

bind_credential str

Password of LDAP admin. This attribute must be set if bind_dn is set.

bind_dn str

DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if bind_credential is set.

cache UserFederationCacheArgs

A block containing the cache settings.

changed_sync_period int

How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.

connection_timeout str

LDAP connection timeout in the format of a Go duration string.

custom_user_search_filter str

Additional LDAP filter for filtering searched users. Must begin with ( and end with ).

edit_mode str

Can be one of READ_ONLY, WRITABLE, or UNSYNCED. UNSYNCED allows user data to be imported but not synced back to LDAP. Defaults to READ_ONLY.

enabled bool

When false, this provider will not be used when performing queries for users. Defaults to true.

full_sync_period int

How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync.

import_enabled bool

When true, LDAP users will be imported into the Keycloak database. Defaults to true.

kerberos UserFederationKerberosArgs

A block containing the kerberos settings.

name str

Display name of the provider when displayed in the console.

pagination bool

When true, Keycloak assumes the LDAP server supports pagination. Defaults to true.

priority int

Priority of this provider when looking up users. Lower values are first. Defaults to 0.

read_timeout str

LDAP read timeout in the format of a Go duration string.

search_scope str

Can be one of ONE_LEVEL or SUBTREE:

  • ONE_LEVEL: Only search for users in the DN specified by users_dn.
  • SUBTREE: Search entire LDAP subtree.
start_tls bool

When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling.

sync_registrations bool

When true, newly created users will be synced back to LDAP. Defaults to false.

trust_email bool

If enabled, email provided by this provider is not verified even if verification is enabled for the realm.

use_password_modify_extended_op bool

When true, use the LDAPv3 Password Modify Extended Operation (RFC-3062).

use_truststore_spi str

Can be one of ALWAYS, ONLY_FOR_LDAPS, or NEVER.

validate_password_policy bool

When true, Keycloak will validate passwords using the realm policy before updating them.

vendor str

Can be one of OTHER, EDIRECTORY, AD, RHDS, or TIVOLI. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to OTHER.

connectionUrl String

Connection URL to the LDAP server.

rdnLdapAttribute String

Name of the LDAP attribute to use as the relative distinguished name.

realmId String

The realm that this provider will provide user federation for.

userObjectClasses List<String>

Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one.

usernameLdapAttribute String

Name of the LDAP attribute to use as the Keycloak username.

usersDn String

Full DN of LDAP tree where your users are.

uuidLdapAttribute String

Name of the LDAP attribute to use as a unique object identifier for objects in LDAP.

batchSizeForSync Number

The number of users to sync within a single transaction. Defaults to 1000.

bindCredential String

Password of LDAP admin. This attribute must be set if bind_dn is set.

bindDn String

DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if bind_credential is set.

cache Property Map

A block containing the cache settings.

changedSyncPeriod Number

How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.

connectionTimeout String

LDAP connection timeout in the format of a Go duration string.

customUserSearchFilter String

Additional LDAP filter for filtering searched users. Must begin with ( and end with ).

editMode String

Can be one of READ_ONLY, WRITABLE, or UNSYNCED. UNSYNCED allows user data to be imported but not synced back to LDAP. Defaults to READ_ONLY.

enabled Boolean

When false, this provider will not be used when performing queries for users. Defaults to true.

fullSyncPeriod Number

How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync.

importEnabled Boolean

When true, LDAP users will be imported into the Keycloak database. Defaults to true.

kerberos Property Map

A block containing the kerberos settings.

name String

Display name of the provider when displayed in the console.

pagination Boolean

When true, Keycloak assumes the LDAP server supports pagination. Defaults to true.

priority Number

Priority of this provider when looking up users. Lower values are first. Defaults to 0.

readTimeout String

LDAP read timeout in the format of a Go duration string.

searchScope String

Can be one of ONE_LEVEL or SUBTREE:

  • ONE_LEVEL: Only search for users in the DN specified by users_dn.
  • SUBTREE: Search entire LDAP subtree.
startTls Boolean

When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling.

syncRegistrations Boolean

When true, newly created users will be synced back to LDAP. Defaults to false.

trustEmail Boolean

If enabled, email provided by this provider is not verified even if verification is enabled for the realm.

usePasswordModifyExtendedOp Boolean

When true, use the LDAPv3 Password Modify Extended Operation (RFC-3062).

useTruststoreSpi String

Can be one of ALWAYS, ONLY_FOR_LDAPS, or NEVER.

validatePasswordPolicy Boolean

When true, Keycloak will validate passwords using the realm policy before updating them.

vendor String

Can be one of OTHER, EDIRECTORY, AD, RHDS, or TIVOLI. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to OTHER.

Outputs

All input properties are implicitly available as output properties. Additionally, the UserFederation resource produces the following output properties:

Id string

The provider-assigned unique ID for this managed resource.

Id string

The provider-assigned unique ID for this managed resource.

id String

The provider-assigned unique ID for this managed resource.

id string

The provider-assigned unique ID for this managed resource.

id str

The provider-assigned unique ID for this managed resource.

id String

The provider-assigned unique ID for this managed resource.

Look up Existing UserFederation Resource

Get an existing UserFederation resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: UserFederationState, opts?: CustomResourceOptions): UserFederation
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        batch_size_for_sync: Optional[int] = None,
        bind_credential: Optional[str] = None,
        bind_dn: Optional[str] = None,
        cache: Optional[UserFederationCacheArgs] = None,
        changed_sync_period: Optional[int] = None,
        connection_timeout: Optional[str] = None,
        connection_url: Optional[str] = None,
        custom_user_search_filter: Optional[str] = None,
        edit_mode: Optional[str] = None,
        enabled: Optional[bool] = None,
        full_sync_period: Optional[int] = None,
        import_enabled: Optional[bool] = None,
        kerberos: Optional[UserFederationKerberosArgs] = None,
        name: Optional[str] = None,
        pagination: Optional[bool] = None,
        priority: Optional[int] = None,
        rdn_ldap_attribute: Optional[str] = None,
        read_timeout: Optional[str] = None,
        realm_id: Optional[str] = None,
        search_scope: Optional[str] = None,
        start_tls: Optional[bool] = None,
        sync_registrations: Optional[bool] = None,
        trust_email: Optional[bool] = None,
        use_password_modify_extended_op: Optional[bool] = None,
        use_truststore_spi: Optional[str] = None,
        user_object_classes: Optional[Sequence[str]] = None,
        username_ldap_attribute: Optional[str] = None,
        users_dn: Optional[str] = None,
        uuid_ldap_attribute: Optional[str] = None,
        validate_password_policy: Optional[bool] = None,
        vendor: Optional[str] = None) -> UserFederation
func GetUserFederation(ctx *Context, name string, id IDInput, state *UserFederationState, opts ...ResourceOption) (*UserFederation, error)
public static UserFederation Get(string name, Input<string> id, UserFederationState? state, CustomResourceOptions? opts = null)
public static UserFederation get(String name, Output<String> id, UserFederationState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
The following state arguments are supported:
BatchSizeForSync int

The number of users to sync within a single transaction. Defaults to 1000.

BindCredential string

Password of LDAP admin. This attribute must be set if bind_dn is set.

BindDn string

DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if bind_credential is set.

Cache UserFederationCacheArgs

A block containing the cache settings.

ChangedSyncPeriod int

How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.

ConnectionTimeout string

LDAP connection timeout in the format of a Go duration string.

ConnectionUrl string

Connection URL to the LDAP server.

CustomUserSearchFilter string

Additional LDAP filter for filtering searched users. Must begin with ( and end with ).

EditMode string

Can be one of READ_ONLY, WRITABLE, or UNSYNCED. UNSYNCED allows user data to be imported but not synced back to LDAP. Defaults to READ_ONLY.

Enabled bool

When false, this provider will not be used when performing queries for users. Defaults to true.

FullSyncPeriod int

How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync.

ImportEnabled bool

When true, LDAP users will be imported into the Keycloak database. Defaults to true.

Kerberos UserFederationKerberosArgs

A block containing the kerberos settings.

Name string

Display name of the provider when displayed in the console.

Pagination bool

When true, Keycloak assumes the LDAP server supports pagination. Defaults to true.

Priority int

Priority of this provider when looking up users. Lower values are first. Defaults to 0.

RdnLdapAttribute string

Name of the LDAP attribute to use as the relative distinguished name.

ReadTimeout string

LDAP read timeout in the format of a Go duration string.

RealmId string

The realm that this provider will provide user federation for.

SearchScope string

Can be one of ONE_LEVEL or SUBTREE:

  • ONE_LEVEL: Only search for users one level below the DN specified by users_dn.
  • SUBTREE: Search entire LDAP subtree.
StartTls bool

When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling.

SyncRegistrations bool

When true, newly created users will be synced back to LDAP. Defaults to false.

TrustEmail bool

If enabled, email provided by this provider is not verified even if verification is enabled for the realm.

UsePasswordModifyExtendedOp bool

When true, use the LDAPv3 Password Modify Extended Operation (RFC-3062).

UseTruststoreSpi string

Can be one of ALWAYS, ONLY_FOR_LDAPS, or NEVER.

UserObjectClasses List<string>

Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one.

UsernameLdapAttribute string

Name of the LDAP attribute to use as the Keycloak username.

UsersDn string

Full DN of LDAP tree where your users are.

UuidLdapAttribute string

Name of the LDAP attribute to use as a unique object identifier for objects in LDAP.

ValidatePasswordPolicy bool

When true, Keycloak will validate passwords against the realm password policy before updating them.

Vendor string

Can be one of OTHER, EDIRECTORY, AD, RHDS, or TIVOLI. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to OTHER.

BatchSizeForSync int

The number of users to sync within a single transaction. Defaults to 1000.

BindCredential string

Password of LDAP admin. This attribute must be set if bind_dn is set.

BindDn string

DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if bind_credential is set.

Cache UserFederationCacheArgs

A block containing the cache settings.

ChangedSyncPeriod int

How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.

ConnectionTimeout string

LDAP connection timeout in the format of a Go duration string.

ConnectionUrl string

Connection URL to the LDAP server.

CustomUserSearchFilter string

Additional LDAP filter for filtering searched users. Must begin with ( and end with ).

EditMode string

Can be one of READ_ONLY, WRITABLE, or UNSYNCED. UNSYNCED allows user data to be imported but not synced back to LDAP. Defaults to READ_ONLY.

Enabled bool

When false, this provider will not be used when performing queries for users. Defaults to true.

FullSyncPeriod int

How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync.

ImportEnabled bool

When true, LDAP users will be imported into the Keycloak database. Defaults to true.

Kerberos UserFederationKerberosArgs

A block containing the kerberos settings.

Name string

Display name of the provider when displayed in the console.

Pagination bool

When true, Keycloak assumes the LDAP server supports pagination. Defaults to true.

Priority int

Priority of this provider when looking up users. Lower values are first. Defaults to 0.

RdnLdapAttribute string

Name of the LDAP attribute to use as the relative distinguished name.

ReadTimeout string

LDAP read timeout in the format of a Go duration string.

RealmId string

The realm that this provider will provide user federation for.

SearchScope string

Can be one of ONE_LEVEL or SUBTREE:

  • ONE_LEVEL: Only search for users one level below the DN specified by users_dn.
  • SUBTREE: Search entire LDAP subtree.
StartTls bool

When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling.

SyncRegistrations bool

When true, newly created users will be synced back to LDAP. Defaults to false.

TrustEmail bool

If enabled, email provided by this provider is not verified even if verification is enabled for the realm.

UsePasswordModifyExtendedOp bool

When true, use the LDAPv3 Password Modify Extended Operation (RFC-3062).

UseTruststoreSpi string

Can be one of ALWAYS, ONLY_FOR_LDAPS, or NEVER.

UserObjectClasses []string

Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one.

UsernameLdapAttribute string

Name of the LDAP attribute to use as the Keycloak username.

UsersDn string

Full DN of LDAP tree where your users are.

UuidLdapAttribute string

Name of the LDAP attribute to use as a unique object identifier for objects in LDAP.

ValidatePasswordPolicy bool

When true, Keycloak will validate passwords against the realm password policy before updating them.

Vendor string

Can be one of OTHER, EDIRECTORY, AD, RHDS, or TIVOLI. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to OTHER.

batchSizeForSync Integer

The number of users to sync within a single transaction. Defaults to 1000.

bindCredential String

Password of LDAP admin. This attribute must be set if bind_dn is set.

bindDn String

DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if bind_credential is set.

cache UserFederationCacheArgs

A block containing the cache settings.

changedSyncPeriod Integer

How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.

connectionTimeout String

LDAP connection timeout in the format of a Go duration string.

connectionUrl String

Connection URL to the LDAP server.

customUserSearchFilter String

Additional LDAP filter for filtering searched users. Must begin with ( and end with ).

editMode String

Can be one of READ_ONLY, WRITABLE, or UNSYNCED. UNSYNCED allows user data to be imported but not synced back to LDAP. Defaults to READ_ONLY.

enabled Boolean

When false, this provider will not be used when performing queries for users. Defaults to true.

fullSyncPeriod Integer

How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync.

importEnabled Boolean

When true, LDAP users will be imported into the Keycloak database. Defaults to true.

kerberos UserFederationKerberosArgs

A block containing the kerberos settings.

name String

Display name of the provider when displayed in the console.

pagination Boolean

When true, Keycloak assumes the LDAP server supports pagination. Defaults to true.

priority Integer

Priority of this provider when looking up users. Lower values are first. Defaults to 0.

rdnLdapAttribute String

Name of the LDAP attribute to use as the relative distinguished name.

readTimeout String

LDAP read timeout in the format of a Go duration string.

realmId String

The realm that this provider will provide user federation for.

searchScope String

Can be one of ONE_LEVEL or SUBTREE:

  • ONE_LEVEL: Only search for users one level below the DN specified by users_dn.
  • SUBTREE: Search entire LDAP subtree.
startTls Boolean

When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling.

syncRegistrations Boolean

When true, newly created users will be synced back to LDAP. Defaults to false.

trustEmail Boolean

If enabled, email provided by this provider is not verified even if verification is enabled for the realm.

usePasswordModifyExtendedOp Boolean

When true, use the LDAPv3 Password Modify Extended Operation (RFC-3062).

useTruststoreSpi String

Can be one of ALWAYS, ONLY_FOR_LDAPS, or NEVER.

userObjectClasses List<String>

Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one.

usernameLdapAttribute String

Name of the LDAP attribute to use as the Keycloak username.

usersDn String

Full DN of LDAP tree where your users are.

uuidLdapAttribute String

Name of the LDAP attribute to use as a unique object identifier for objects in LDAP.

validatePasswordPolicy Boolean

When true, Keycloak will validate passwords against the realm password policy before updating them.

vendor String

Can be one of OTHER, EDIRECTORY, AD, RHDS, or TIVOLI. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to OTHER.

batchSizeForSync number

The number of users to sync within a single transaction. Defaults to 1000.

bindCredential string

Password of LDAP admin. This attribute must be set if bind_dn is set.

bindDn string

DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if bind_credential is set.

cache UserFederationCacheArgs

A block containing the cache settings.

changedSyncPeriod number

How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.

connectionTimeout string

LDAP connection timeout in the format of a Go duration string.

connectionUrl string

Connection URL to the LDAP server.

customUserSearchFilter string

Additional LDAP filter for filtering searched users. Must begin with ( and end with ).

editMode string

Can be one of READ_ONLY, WRITABLE, or UNSYNCED. UNSYNCED allows user data to be imported but not synced back to LDAP. Defaults to READ_ONLY.

enabled boolean

When false, this provider will not be used when performing queries for users. Defaults to true.

fullSyncPeriod number

How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync.

importEnabled boolean

When true, LDAP users will be imported into the Keycloak database. Defaults to true.

kerberos UserFederationKerberosArgs

A block containing the kerberos settings.

name string

Display name of the provider when displayed in the console.

pagination boolean

When true, Keycloak assumes the LDAP server supports pagination. Defaults to true.

priority number

Priority of this provider when looking up users. Lower values are first. Defaults to 0.

rdnLdapAttribute string

Name of the LDAP attribute to use as the relative distinguished name.

readTimeout string

LDAP read timeout in the format of a Go duration string.

realmId string

The realm that this provider will provide user federation for.

searchScope string

Can be one of ONE_LEVEL or SUBTREE:

  • ONE_LEVEL: Only search for users one level below the DN specified by users_dn.
  • SUBTREE: Search entire LDAP subtree.
startTls boolean

When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling.

syncRegistrations boolean

When true, newly created users will be synced back to LDAP. Defaults to false.

trustEmail boolean

If enabled, email provided by this provider is not verified even if verification is enabled for the realm.

usePasswordModifyExtendedOp boolean

When true, use the LDAPv3 Password Modify Extended Operation (RFC-3062).

useTruststoreSpi string

Can be one of ALWAYS, ONLY_FOR_LDAPS, or NEVER.

userObjectClasses string[]

Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one.

usernameLdapAttribute string

Name of the LDAP attribute to use as the Keycloak username.

usersDn string

Full DN of LDAP tree where your users are.

uuidLdapAttribute string

Name of the LDAP attribute to use as a unique object identifier for objects in LDAP.

validatePasswordPolicy boolean

When true, Keycloak will validate passwords against the realm password policy before updating them.

vendor string

Can be one of OTHER, EDIRECTORY, AD, RHDS, or TIVOLI. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to OTHER.

batch_size_for_sync int

The number of users to sync within a single transaction. Defaults to 1000.

bind_credential str

Password of LDAP admin. This attribute must be set if bind_dn is set.

bind_dn str

DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if bind_credential is set.

cache UserFederationCacheArgs

A block containing the cache settings.

changed_sync_period int

How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.

connection_timeout str

LDAP connection timeout in the format of a Go duration string.

connection_url str

Connection URL to the LDAP server.

custom_user_search_filter str

Additional LDAP filter for filtering searched users. Must begin with ( and end with ).

edit_mode str

Can be one of READ_ONLY, WRITABLE, or UNSYNCED. UNSYNCED allows user data to be imported but not synced back to LDAP. Defaults to READ_ONLY.

enabled bool

When false, this provider will not be used when performing queries for users. Defaults to true.

full_sync_period int

How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync.

import_enabled bool

When true, LDAP users will be imported into the Keycloak database. Defaults to true.

kerberos UserFederationKerberosArgs

A block containing the kerberos settings.

name str

Display name of the provider when displayed in the console.

pagination bool

When true, Keycloak assumes the LDAP server supports pagination. Defaults to true.

priority int

Priority of this provider when looking up users. Lower values are first. Defaults to 0.

rdn_ldap_attribute str

Name of the LDAP attribute to use as the relative distinguished name.

read_timeout str

LDAP read timeout in the format of a Go duration string.

realm_id str

The realm that this provider will provide user federation for.

search_scope str

Can be one of ONE_LEVEL or SUBTREE:

  • ONE_LEVEL: Only search for users one level below the DN specified by users_dn.
  • SUBTREE: Search entire LDAP subtree.
start_tls bool

When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling.

sync_registrations bool

When true, newly created users will be synced back to LDAP. Defaults to false.

trust_email bool

If enabled, email provided by this provider is not verified even if verification is enabled for the realm.

use_password_modify_extended_op bool

When true, use the LDAPv3 Password Modify Extended Operation (RFC-3062).

use_truststore_spi str

Can be one of ALWAYS, ONLY_FOR_LDAPS, or NEVER.

user_object_classes Sequence[str]

Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one.

username_ldap_attribute str

Name of the LDAP attribute to use as the Keycloak username.

users_dn str

Full DN of LDAP tree where your users are.

uuid_ldap_attribute str

Name of the LDAP attribute to use as a unique object identifier for objects in LDAP.

validate_password_policy bool

When true, Keycloak will validate passwords against the realm password policy before updating them.

vendor str

Can be one of OTHER, EDIRECTORY, AD, RHDS, or TIVOLI. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to OTHER.

batchSizeForSync Number

The number of users to sync within a single transaction. Defaults to 1000.

bindCredential String

Password of LDAP admin. This attribute must be set if bind_dn is set.

bindDn String

DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if bind_credential is set.

cache Property Map

A block containing the cache settings.

changedSyncPeriod Number

How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.

connectionTimeout String

LDAP connection timeout in the format of a Go duration string.

connectionUrl String

Connection URL to the LDAP server.

customUserSearchFilter String

Additional LDAP filter for filtering searched users. Must begin with ( and end with ).

editMode String

Can be one of READ_ONLY, WRITABLE, or UNSYNCED. UNSYNCED allows user data to be imported but not synced back to LDAP. Defaults to READ_ONLY.

enabled Boolean

When false, this provider will not be used when performing queries for users. Defaults to true.

fullSyncPeriod Number

How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync.

importEnabled Boolean

When true, LDAP users will be imported into the Keycloak database. Defaults to true.

kerberos Property Map

A block containing the kerberos settings.

name String

Display name of the provider when displayed in the console.

pagination Boolean

When true, Keycloak assumes the LDAP server supports pagination. Defaults to true.

priority Number

Priority of this provider when looking up users. Lower values are first. Defaults to 0.

rdnLdapAttribute String

Name of the LDAP attribute to use as the relative distinguished name.

readTimeout String

LDAP read timeout in the format of a Go duration string.

realmId String

The realm that this provider will provide user federation for.

searchScope String

Can be one of ONE_LEVEL or SUBTREE:

  • ONE_LEVEL: Only search for users one level below the DN specified by users_dn.
  • SUBTREE: Search entire LDAP subtree.
startTls Boolean

When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling.

syncRegistrations Boolean

When true, newly created users will be synced back to LDAP. Defaults to false.

trustEmail Boolean

If enabled, email provided by this provider is not verified even if verification is enabled for the realm.

usePasswordModifyExtendedOp Boolean

When true, use the LDAPv3 Password Modify Extended Operation (RFC-3062).

useTruststoreSpi String

Can be one of ALWAYS, ONLY_FOR_LDAPS, or NEVER.

userObjectClasses List<String>

Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one.

usernameLdapAttribute String

Name of the LDAP attribute to use as the Keycloak username.

usersDn String

Full DN of LDAP tree where your users are.

uuidLdapAttribute String

Name of the LDAP attribute to use as a unique object identifier for objects in LDAP.

validatePasswordPolicy Boolean

When true, Keycloak will validate passwords against the realm password policy before updating them.

vendor String

Can be one of OTHER, EDIRECTORY, AD, RHDS, or TIVOLI. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to OTHER.

Supporting Types

UserFederationCache

EvictionDay int

Day of the week the entry will become invalid on

EvictionHour int

Hour of day the entry will become invalid on.

EvictionMinute int

Minute of day the entry will become invalid on.

MaxLifespan string

Max lifespan of cache entry (duration string).

Policy string

Can be one of DEFAULT, EVICT_DAILY, EVICT_WEEKLY, MAX_LIFESPAN, or NO_CACHE. Defaults to DEFAULT.

EvictionDay int

Day of the week the entry will become invalid on

EvictionHour int

Hour of day the entry will become invalid on.

EvictionMinute int

Minute of day the entry will become invalid on.

MaxLifespan string

Max lifespan of cache entry (duration string).

Policy string

Can be one of DEFAULT, EVICT_DAILY, EVICT_WEEKLY, MAX_LIFESPAN, or NO_CACHE. Defaults to DEFAULT.

evictionDay Integer

Day of the week the entry will become invalid on

evictionHour Integer

Hour of day the entry will become invalid on.

evictionMinute Integer

Minute of day the entry will become invalid on.

maxLifespan String

Max lifespan of cache entry (duration string).

policy String

Can be one of DEFAULT, EVICT_DAILY, EVICT_WEEKLY, MAX_LIFESPAN, or NO_CACHE. Defaults to DEFAULT.

evictionDay number

Day of the week the entry will become invalid on

evictionHour number

Hour of day the entry will become invalid on.

evictionMinute number

Minute of day the entry will become invalid on.

maxLifespan string

Max lifespan of cache entry (duration string).

policy string

Can be one of DEFAULT, EVICT_DAILY, EVICT_WEEKLY, MAX_LIFESPAN, or NO_CACHE. Defaults to DEFAULT.

eviction_day int

Day of the week the entry will become invalid on

eviction_hour int

Hour of day the entry will become invalid on.

eviction_minute int

Minute of day the entry will become invalid on.

max_lifespan str

Max lifespan of cache entry (duration string).

policy str

Can be one of DEFAULT, EVICT_DAILY, EVICT_WEEKLY, MAX_LIFESPAN, or NO_CACHE. Defaults to DEFAULT.

evictionDay Number

Day of the week the entry will become invalid on

evictionHour Number

Hour of day the entry will become invalid on.

evictionMinute Number

Minute of day the entry will become invalid on.

maxLifespan String

Max lifespan of cache entry (duration string).

policy String

Can be one of DEFAULT, EVICT_DAILY, EVICT_WEEKLY, MAX_LIFESPAN, or NO_CACHE. Defaults to DEFAULT.

UserFederationKerberos

KerberosRealm string

The name of the kerberos realm, e.g. FOO.LOCAL.

KeyTab string

Path to the kerberos keytab file on the server with credentials of the service principal.

ServerPrincipal string

The kerberos server principal, e.g. 'HTTP/host.foo.com@FOO.LOCAL'.

UseKerberosForPasswordAuthentication bool

Use the Kerberos login module instead of the LDAP service API. Defaults to false.

KerberosRealm string

The name of the kerberos realm, e.g. FOO.LOCAL.

KeyTab string

Path to the kerberos keytab file on the server with credentials of the service principal.

ServerPrincipal string

The kerberos server principal, e.g. 'HTTP/host.foo.com@FOO.LOCAL'.

UseKerberosForPasswordAuthentication bool

Use the Kerberos login module instead of the LDAP service API. Defaults to false.

kerberosRealm String

The name of the kerberos realm, e.g. FOO.LOCAL.

keyTab String

Path to the kerberos keytab file on the server with credentials of the service principal.

serverPrincipal String

The kerberos server principal, e.g. 'HTTP/host.foo.com@FOO.LOCAL'.

useKerberosForPasswordAuthentication Boolean

Use the Kerberos login module instead of the LDAP service API. Defaults to false.

kerberosRealm string

The name of the kerberos realm, e.g. FOO.LOCAL.

keyTab string

Path to the kerberos keytab file on the server with credentials of the service principal.

serverPrincipal string

The kerberos server principal, e.g. 'HTTP/host.foo.com@FOO.LOCAL'.

useKerberosForPasswordAuthentication boolean

Use the Kerberos login module instead of the LDAP service API. Defaults to false.

kerberos_realm str

The name of the kerberos realm, e.g. FOO.LOCAL.

key_tab str

Path to the kerberos keytab file on the server with credentials of the service principal.

server_principal str

The kerberos server principal, e.g. 'HTTP/host.foo.com@FOO.LOCAL'.

use_kerberos_for_password_authentication bool

Use the Kerberos login module instead of the LDAP service API. Defaults to false.

kerberosRealm String

The name of the kerberos realm, e.g. FOO.LOCAL.

keyTab String

Path to the kerberos keytab file on the server with credentials of the service principal.

serverPrincipal String

The kerberos server principal, e.g. 'HTTP/host.foo.com@FOO.LOCAL'.

useKerberosForPasswordAuthentication Boolean

Use the Kerberos login module instead of the LDAP service API. Defaults to false.

Import

LDAP user federation providers can be imported using the format {{realm_id}}/{{ldap_user_federation_id}}. The ID of the LDAP user federation provider can be found within the Keycloak GUI and is typically a GUID.

 $ pulumi import keycloak:ldap/userFederation:UserFederation ldap_user_federation my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860

Package Details

Repository
https://github.com/pulumi/pulumi-keycloak
License
Apache-2.0
Notes

This Pulumi package is based on the keycloak Terraform Provider.