From f1811068861a20d1902fdb2d956fdfb0d033561a Mon Sep 17 00:00:00 2001
From: Bert-Jan Fikse
Date: Fri, 13 Mar 2026 10:58:40 +0100
Subject: [PATCH] feat: add 389ds ldap backend to keycloak
Signed-off-by: Bert-Jan Fikse
---
 .../vagrant/host_vars/backend/keycloak.yml | 106 +++++++++++++++++-
 playbooks/site.yml | 12 +-
 2 files changed, 111 insertions(+), 7 deletions(-)
diff --git a/inventories/vagrant/host_vars/backend/keycloak.yml b/inventories/vagrant/host_vars/backend/keycloak.yml
index 5205cfe..6692a21 100644
--- a/inventories/vagrant/host_vars/backend/keycloak.yml
+++ b/inventories/vagrant/host_vars/backend/keycloak.yml
@@ -77,8 +77,112 @@ keycloak_oidc_clients: # tokenUrl: "https://login.microsoftonline.com/common/oauth2/v2.0/token" # defaultScope: "openid profile email" +# Trust the 389ds self-signed CA cert (production would use ACME certs) +keycloak_truststore_certificates: + - /srv/data/389ds/data/ssca/ca.crt + +# Resolve 389ds hostname from inside the Keycloak container +keycloak_extra_hosts: + - "389ds:192.168.56.11" + +# LDAP user federation (write Keycloak users to 389ds) +keycloak_user_federations: + - name: ldap-389ds + provider_id: ldap + config: + editMode: WRITABLE + syncRegistrations: "true" + importEnabled: "true" + vendor: rhds + connectionUrl: "ldaps://389ds:3636" + usersDn: "ou=users,dc=local,dc=test" + bindDn: "cn=Directory Manager" + bindCredential: "admin" + usernameLDAPAttribute: uid + rdnLDAPAttribute: uid + uuidLDAPAttribute: nsuniqueid + userObjectClasses: "inetOrgPerson, organizationalPerson" + authType: simple + useTruststoreSpi: ldapsOnly + mappers: + - name: "username" + providerId: "user-attribute-ldap-mapper" + providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper" + config: + ldap.attribute: "uid" + user.model.attribute: "username" + is.mandatory.in.ldap: "true" + always.read.value.from.ldap: "false" + read.only: "false" + is.binary.attribute: "false" + - name: "email" + providerId: "user-attribute-ldap-mapper" + providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper" + config: + ldap.attribute: "mail" + user.model.attribute: "email" + is.mandatory.in.ldap: "false" + always.read.value.from.ldap: "false" + read.only: "false" + is.binary.attribute: "false" + - name: "first name" + providerId: "user-attribute-ldap-mapper" + providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper" + config: + ldap.attribute: "givenName" + user.model.attribute: "firstName" + is.mandatory.in.ldap: "true" + always.read.value.from.ldap: "false" + read.only: "false" + is.binary.attribute: "false" + - name: "last name" + providerId: 
"user-attribute-ldap-mapper" + providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper" + config: + ldap.attribute: "sn" + user.model.attribute: "lastName" + is.mandatory.in.ldap: "true" + always.read.value.from.ldap: "false" + read.only: "false" + is.binary.attribute: "false" + - name: "full name" + providerId: "full-name-ldap-mapper" + providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper" + config: + ldap.full.name.attribute: "cn" + read.only: "false" + write.only: "true" + - name: "display name" + providerId: "full-name-ldap-mapper" + providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper" + config: + ldap.full.name.attribute: "displayName" + read.only: "false" + write.only: "true" + - name: "creation date" + providerId: "user-attribute-ldap-mapper" + providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper" + config: + ldap.attribute: "createTimestamp" + user.model.attribute: "createTimestamp" + is.mandatory.in.ldap: "false" + always.read.value.from.ldap: "true" + read.only: "true" + is.binary.attribute: "false" + - name: "modify date" + providerId: "user-attribute-ldap-mapper" + providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper" + config: + ldap.attribute: "modifyTimestamp" + user.model.attribute: "modifyTimestamp" + is.mandatory.in.ldap: "false" + always.read.value.from.ldap: "true" + read.only: "true" + is.binary.attribute: "false" + # Resources to remove (for cleanup when removing items from above lists) keycloak_removed_users: [] keycloak_removed_groups: [] keycloak_removed_clients: [] -keycloak_removed_identity_providers: [] \ No newline at end of file +keycloak_removed_identity_providers: [] +keycloak_removed_user_federations: [] \ No newline at end of file diff --git a/playbooks/site.yml b/playbooks/site.yml index 51e1004..807dc31 100644 --- a/playbooks/site.yml +++ b/playbooks/site.yml 
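Review bot: `bindCredential: "admin"` in the new `keycloak_user_federations` entry commits the 389ds superuser password in plaintext next to `bindDn: "cn=Directory Manager"`, so Keycloak writes to the directory with unrestricted rights and the secret lands in git history. Even in the vagrant inventory the value should come from a vault-encrypted variable, e.g. `bindCredential: "{{ vault_ds389_bind_password }}"` (placeholder name), and the bind DN should be a dedicated service account whose ACI grants write access to `ou=users,dc=local,dc=test` only, matching the least-privilege intent of `useTruststoreSpi: ldapsOnly` and the LDAPS-only `connectionUrl`. The truststore block already carries a "production would use ACME certs" caveat; a parallel `# dev-only: Directory Manager bind — use a scoped service account and vaulted password outside vagrant` comment above `bindDn` would make the same expectation explicit for this credential.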
@@ -17,18 +17,18 @@ roles: - digitalboard.core.httpbin -- name: Deploy keycloak service - hosts: keycloak_servers - become: yes - roles: - - digitalboard.core.keycloak - - name: Deploy 389ds LDAP service hosts: ds389_servers become: yes roles: - digitalboard.core.389ds +- name: Deploy keycloak service + hosts: keycloak_servers + become: yes + roles: + - digitalboard.core.keycloak + - name: Deploy garage service hosts: garage_servers become: yes
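Review bot: The moved play keeps `become: yes`, which yamllint's truthy rule flags because `yes` is a YAML 1.1 boolean that a 1.2 parser reads as the string "yes"; the added lines should use `become: true` (the same applies to the surrounding 389ds and garage plays, which are context here). The reorder also encodes an ordering dependency that nothing in site.yml states: presumably the keycloak play must run after the 389ds play because the keycloak host_vars trust the CA file that role produces and the federation connects to it on startup. A one-line comment above the moved play, `# must run after the 389ds play: keycloak trusts its CA and federates users to it`, would keep a future reorder from silently breaking the deployment.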