Digitalboard/reference-ansible
5
1
Fork 0
Code Pull requests Activity Actions

feat: add 389ds ldap backend to keycloak

Browse source 
Signed-off-by: Bert-Jan Fikse <bert-jan@whatwedo.ch>
This commit is contained in:
Bert-Jan Fikse 2026-03-13 10:58:40 +01:00
parent f6dc1d8261
commit f181106886
Signed by: bert-jan
GPG key ID: C1E0AB516AC16D1A
2 changed files with 111 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

106
inventories/vagrant/host_vars/backend/keycloak.yml
View file

@ -77,8 +77,112 @@ keycloak_oidc_clients:
# tokenUrl: "https://login.microsoftonline.com/common/oauth2/v2.0/token"
# defaultScope: "openid profile email"
# Trust the 389ds self-signed CA cert (production would use ACME certs)
keycloak_truststore_certificates:
- /srv/data/389ds/data/ssca/ca.crt
# Resolve 389ds hostname from inside the Keycloak container
keycloak_extra_hosts:
- "389ds:192.168.56.11"
# LDAP user federation (write Keycloak users to 389ds)
keycloak_user_federations:
- name: ldap-389ds
provider_id: ldap
config:
editMode: WRITABLE
syncRegistrations: "true"
importEnabled: "true"
vendor: rhds
connectionUrl: "ldaps://389ds:3636"
usersDn: "ou=users,dc=local,dc=test"
bindDn: "cn=Directory Manager"
bindCredential: "admin"
usernameLDAPAttribute: uid
rdnLDAPAttribute: uid
uuidLDAPAttribute: nsuniqueid
userObjectClasses: "inetOrgPerson, organizationalPerson"
authType: simple
useTruststoreSpi: ldapsOnly
mappers:
- name: "username"
providerId: "user-attribute-ldap-mapper"
providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
config:
ldap.attribute: "uid"
user.model.attribute: "username"
is.mandatory.in.ldap: "true"
always.read.value.from.ldap: "false"
read.only: "false"
is.binary.attribute: "false"
- name: "email"
providerId: "user-attribute-ldap-mapper"
providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
config:
ldap.attribute: "mail"
user.model.attribute: "email"
is.mandatory.in.ldap: "false"
always.read.value.from.ldap: "false"
read.only: "false"
is.binary.attribute: "false"
- name: "first name"
providerId: "user-attribute-ldap-mapper"
providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
config:
ldap.attribute: "givenName"
user.model.attribute: "firstName"
is.mandatory.in.ldap: "true"
always.read.value.from.ldap: "false"
read.only: "false"
is.binary.attribute: "false"
- name: "last name"
providerId: "user-attribute-ldap-mapper"
providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
config:
ldap.attribute: "sn"
user.model.attribute: "lastName"
is.mandatory.in.ldap: "true"
always.read.value.from.ldap: "false"
read.only: "false"
is.binary.attribute: "false"
- name: "full name"
providerId: "full-name-ldap-mapper"
providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
config:
ldap.full.name.attribute: "cn"
read.only: "false"
write.only: "true"
- name: "display name"
providerId: "full-name-ldap-mapper"
providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
config:
ldap.full.name.attribute: "displayName"
read.only: "false"
write.only: "true"
- name: "creation date"
providerId: "user-attribute-ldap-mapper"
providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
config:
ldap.attribute: "createTimestamp"
user.model.attribute: "createTimestamp"
is.mandatory.in.ldap: "false"
always.read.value.from.ldap: "true"
read.only: "true"
is.binary.attribute: "false"
- name: "modify date"
providerId: "user-attribute-ldap-mapper"
providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
config:
ldap.attribute: "modifyTimestamp"
user.model.attribute: "modifyTimestamp"
is.mandatory.in.ldap: "false"
always.read.value.from.ldap: "true"
read.only: "true"
is.binary.attribute: "false"
# Resources to remove (for cleanup when removing items from above lists)
keycloak_removed_users: []
keycloak_removed_groups: []
keycloak_removed_clients: []
keycloak_removed_identity_providers: []
keycloak_removed_identity_providers: []
keycloak_removed_user_federations: []