feat: add 389ds ldap backend to keycloak

Signed-off-by: Bert-Jan Fikse <bert-jan@whatwedo.ch>
2026-03-13 10:58:40 +01:00 · 2026-03-13 10:58:40 +01:00 · f181106886
commit f181106886
parent f6dc1d8261
2 changed files with 111 additions and 7 deletions
--- a/inventories/vagrant/host_vars/backend/keycloak.yml
+++ b/inventories/vagrant/host_vars/backend/keycloak.yml
@ -77,8 +77,112 @@ keycloak_oidc_clients:
 #       tokenUrl: "https://login.microsoftonline.com/common/oauth2/v2.0/token"
 #       defaultScope: "openid profile email"

+# Trust the 389ds self-signed CA cert (production would use ACME certs)
+keycloak_truststore_certificates:
+  - /srv/data/389ds/data/ssca/ca.crt
+
+# Resolve 389ds hostname from inside the Keycloak container
+keycloak_extra_hosts:
+  - "389ds:192.168.56.11"
+
+# LDAP user federation (write Keycloak users to 389ds)
+keycloak_user_federations:
+  - name: ldap-389ds
+    provider_id: ldap
+    config:
+      editMode: WRITABLE
+      syncRegistrations: "true"
+      importEnabled: "true"
+      vendor: rhds
+      connectionUrl: "ldaps://389ds:3636"
+      usersDn: "ou=users,dc=local,dc=test"
+      bindDn: "cn=Directory Manager"
+      bindCredential: "admin"
+      usernameLDAPAttribute: uid
+      rdnLDAPAttribute: uid
+      uuidLDAPAttribute: nsuniqueid
+      userObjectClasses: "inetOrgPerson, organizationalPerson"
+      authType: simple
+      useTruststoreSpi: ldapsOnly
+    mappers:
+      - name: "username"
+        providerId: "user-attribute-ldap-mapper"
+        providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
+        config:
+          ldap.attribute: "uid"
+          user.model.attribute: "username"
+          is.mandatory.in.ldap: "true"
+          always.read.value.from.ldap: "false"
+          read.only: "false"
+          is.binary.attribute: "false"
+      - name: "email"
+        providerId: "user-attribute-ldap-mapper"
+        providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
+        config:
+          ldap.attribute: "mail"
+          user.model.attribute: "email"
+          is.mandatory.in.ldap: "false"
+          always.read.value.from.ldap: "false"
+          read.only: "false"
+          is.binary.attribute: "false"
+      - name: "first name"
+        providerId: "user-attribute-ldap-mapper"
+        providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
+        config:
+          ldap.attribute: "givenName"
+          user.model.attribute: "firstName"
+          is.mandatory.in.ldap: "true"
+          always.read.value.from.ldap: "false"
+          read.only: "false"
+          is.binary.attribute: "false"
+      - name: "last name"
+        providerId: "user-attribute-ldap-mapper"
+        providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
+        config:
+          ldap.attribute: "sn"
+          user.model.attribute: "lastName"
+          is.mandatory.in.ldap: "true"
+          always.read.value.from.ldap: "false"
+          read.only: "false"
+          is.binary.attribute: "false"
+      - name: "full name"
+        providerId: "full-name-ldap-mapper"
+        providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
+        config:
+          ldap.full.name.attribute: "cn"
+          read.only: "false"
+          write.only: "true"
+      - name: "display name"
+        providerId: "full-name-ldap-mapper"
+        providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
+        config:
+          ldap.full.name.attribute: "displayName"
+          read.only: "false"
+          write.only: "true"
+      - name: "creation date"
+        providerId: "user-attribute-ldap-mapper"
+        providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
+        config:
+          ldap.attribute: "createTimestamp"
+          user.model.attribute: "createTimestamp"
+          is.mandatory.in.ldap: "false"
+          always.read.value.from.ldap: "true"
+          read.only: "true"
+          is.binary.attribute: "false"
+      - name: "modify date"
+        providerId: "user-attribute-ldap-mapper"
+        providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
+        config:
+          ldap.attribute: "modifyTimestamp"
+          user.model.attribute: "modifyTimestamp"
+          is.mandatory.in.ldap: "false"
+          always.read.value.from.ldap: "true"
+          read.only: "true"
+          is.binary.attribute: "false"
+
 # Resources to remove (for cleanup when removing items from above lists)
 keycloak_removed_users: []
 keycloak_removed_groups: []
 keycloak_removed_clients: []
 keycloak_removed_identity_providers: []
+keycloak_removed_user_federations: []
--- a/playbooks/site.yml
+++ b/playbooks/site.yml
@ -17,18 +17,18 @@
  roles:
    - digitalboard.core.httpbin

- name: Deploy keycloak service
-  hosts: keycloak_servers
-  become: yes
-  roles:
-    - digitalboard.core.keycloak
-
 - name: Deploy 389ds LDAP service
  hosts: ds389_servers
  become: yes
  roles:
    - digitalboard.core.389ds

+- name: Deploy keycloak service
+  hosts: keycloak_servers
+  become: yes
+  roles:
+    - digitalboard.core.keycloak
+
 - name: Deploy garage service
  hosts: garage_servers
  become: yes