feat: add 389ds ldap backend to keycloak

Signed-off-by: Bert-Jan Fikse <bert-jan@whatwedo.ch>
2026-03-13 10:58:40 +01:00 · 2026-03-13 10:58:40 +01:00 · 12864a13b0
commit 12864a13b0
parent 59d0174905
8 changed files with 138 additions and 2 deletions
--- a/roles/keycloak/defaults/main.yml
+++ b/roles/keycloak/defaults/main.yml
@ -34,6 +34,14 @@ keycloak_log_level: "INFO"
 keycloak_proxy_mode: "edge"
 keycloak_gzip_enabled: false  # Disable GZIP encoding to avoid MIME type issues

+# Extra CA certificates to trust (host paths to PEM files)
+keycloak_truststore_certificates: []
+# - /srv/data/389ds/data/ssca/ca.crt
+
+# Extra /etc/hosts entries for the Keycloak container
+keycloak_extra_hosts: []
+# - "ldap:192.168.56.11"
+
 # Provisioning configuration
 keycloak_provisioning_enabled: false

@ -96,3 +104,26 @@ keycloak_removed_clients: []

 keycloak_removed_identity_providers: []
 # - old-idp
+
+# LDAP user federations
+keycloak_user_federations: []
+# - name: ldap-389ds
+#   provider_id: ldap
+#   config:
+#     editMode: WRITABLE
+#     syncRegistrations: "true"
+#     importEnabled: "true"
+#     vendor: rhds
+#     connectionUrl: "ldaps://ldap.example.com:636"
+#     usersDn: "ou=users,dc=example,dc=com"
+#     bindDn: "cn=Directory Manager"
+#     bindCredential: "changeme"
+#     usernameLDAPAttribute: uid
+#     rdnLDAPAttribute: uid
+#     uuidLDAPAttribute: nsuniqueid
+#     userObjectClasses: "inetOrgPerson, organizationalPerson"
+#     authType: simple
+#     useTruststoreSpi: never
+
+keycloak_removed_user_federations: []
+# - old-federation
--- a/roles/keycloak/tasks/main.yml
+++ b/roles/keycloak/tasks/main.yml
@ -13,6 +13,8 @@
    path: "{{ keycloak_docker_volume_dir }}/data"
    state: directory
    mode: '0755'
+    owner: "1000"
+    group: "1000"

 - name: Create postgres data directory
  file:
--- a/roles/keycloak/tasks/provisioning.yml
+++ b/roles/keycloak/tasks/provisioning.yml
@ -30,6 +30,20 @@
  loop: "{{ keycloak_removed_identity_providers }}"
  no_log: true

+# Cleanup: Remove deleted user federations
+- name: Remove deleted user federations
+  community.general.keycloak_user_federation:
+    auth_keycloak_url: "{{ keycloak_auth_url }}"
+    auth_realm: master
+    auth_username: "{{ keycloak_admin_user }}"
+    auth_password: "{{ keycloak_admin_password }}"
+    realm: "{{ keycloak_realm }}"
+    name: "{{ item }}"
+    state: absent
+    validate_certs: false
+  loop: "{{ keycloak_removed_user_federations }}"
+  no_log: true
+
 # Cleanup: Remove deleted clients
 - name: Remove deleted clients
  community.general.keycloak_client:
@ -86,6 +100,25 @@
  loop: "{{ keycloak_groups }}"
  no_log: true

+# Create user federations (LDAP)
+- name: Create user federations
+  community.general.keycloak_user_federation:
+    auth_keycloak_url: "{{ keycloak_auth_url }}"
+    auth_realm: master
+    auth_username: "{{ keycloak_admin_user }}"
+    auth_password: "{{ keycloak_admin_password }}"
+    realm: "{{ keycloak_realm }}"
+    name: "{{ item.name }}"
+    provider_id: "{{ item.provider_id }}"
+    provider_type: org.keycloak.storage.UserStorageProvider
+    config: "{{ item.config }}"
+    mappers: "{{ item.mappers | default(omit) }}"
+    bind_credential_update_mode: only_indirect
+    state: present
+    validate_certs: false
+  loop: "{{ keycloak_user_federations }}"
+  no_log: true
+
 # Create local users
 - name: Create local users
  community.general.keycloak_user:
--- a/roles/keycloak/templates/docker-compose.yml.j2
+++ b/roles/keycloak/templates/docker-compose.yml.j2
@ -33,13 +33,25 @@ services:
      KC_PROXY: {{ keycloak_proxy_mode }}
      KC_HOSTNAME: {{ keycloak_domain }}
      KC_HEALTH_ENABLED: "true"
+{% if keycloak_truststore_certificates | length > 0 %}
+      KC_TRUSTSTORE_PATHS: "{{ keycloak_truststore_certificates | map('regex_replace', '^.*/(.*)$', '/opt/keycloak/certs/\\1') | join(',') }}"
+{% endif %}
    depends_on:
      - postgres
    volumes:
      - {{ keycloak_docker_volume_dir }}/data:/opt/keycloak/data
+{% for cert in keycloak_truststore_certificates %}
+      - {{ cert }}:/opt/keycloak/certs/{{ cert | basename }}:ro
+{% endfor %}
    networks:
      - {{ keycloak_backend_network }}
      - {{ keycloak_traefik_network }}
+{% if keycloak_extra_hosts | length > 0 %}
+    extra_hosts:
+{% for host in keycloak_extra_hosts %}
+      - "{{ host }}"
+{% endfor %}
+{% endif %}
    tmpfs:
      - /opt/keycloak/data/tmp:size=1024m
    labels: