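---
# Keycloak configuration for vagrant environment
keycloak_domain: keycloak.local.test
# Quoted like the other credential strings in this file so a later value that
# looks like a number or boolean is not retyped by the YAML parser.
keycloak_admin_password: "admin"

# Enable provisioning via Keycloak Admin API
keycloak_provisioning_enabled: true

# Realm configuration
keycloak_realm: "vagrant"
keycloak_realm_display_name: "Vagrant Test Realm"

# Groups to provision
keycloak_groups:
  - name: admins
  - name: users
  - name: developers

# Local users to provision
keycloak_local_users:
  - username: admin
    first_name: "Test"
    last_name: "Admin"
    email: "admin@local.test"
    password: "admin"
    groups:
      - name: admins
  - username: user
    first_name: "Test"
    last_name: "User"
    email: "user@local.test"
    password: "user"
    groups:
      - name: users

# OIDC clients to provision
# Redirect URIs are exact matches (no wildcards); the client secrets are
# test-environment placeholders, as their values say.
keycloak_oidc_clients:
  - client_id: nextcloud
    name: "Nextcloud"
    client_secret: "nextcloud-secret-change-in-production"
    redirect_uris:
      - "https://nextcloud.local.test/apps/user_oidc/code"
    default_client_scopes:
      - openid
      - email
      - profile
  - client_id: httpbin
    name: "HTTPBin Test App"
    client_secret: "httpbin-secret-change-in-production"
    redirect_uris:
      - "https://httpbin.local.test/callback"
    default_client_scopes:
      - openid
      - email
      - profile
  - client_id: opencloud
    name: "OpenCloud"
    client_secret: "opencloud-secret-change-in-production"
    redirect_uris:
      - "https://opencloud.local.test/"
      - "https://opencloud.local.test/oidc-callback.html"
      - "https://opencloud.local.test/oidc-silent-redirect.html"
    default_client_scopes:
      - openid
      - email
      - profile

# Identity providers (external login sources)
# Uncomment and configure for production use with real credentials
# keycloak_identity_providers:
#   - alias: entra-id
#     display_name: "Login with Microsoft"
#     provider_id: oidc
#     config:
#       clientId: "your-entra-client-id"
#       clientSecret: "your-entra-client-secret"
#       authorizationUrl: "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
#       tokenUrl: "https://login.microsoftonline.com/common/oauth2/v2.0/token"
#       defaultScope: "openid profile email"

# Trust the 389ds self-signed CA cert (production would use ACME certs)
keycloak_truststore_certificates:
  - /srv/data/389ds/data/ssca/ca.crt

# Resolve 389ds hostname from inside the Keycloak container
# The name must match the host in connectionUrl below, and the LDAPS
# certificate presumably has to cover it for the truststore check to pass.
keycloak_extra_hosts:
  - "389ds:192.168.56.11"

# LDAP user federation (write Keycloak users to 389ds)
keycloak_user_federations:
  - name: ldap-389ds
    provider_id: ldap
    config:
      # WRITABLE + syncRegistrations: users created or edited in Keycloak are
      # written to LDAP; importEnabled keeps a copy in Keycloak's own database.
      editMode: WRITABLE
      syncRegistrations: "true"
      importEnabled: "true"
      vendor: rhds
      connectionUrl: "ldaps://389ds:3636"
      usersDn: "ou=users,dc=local,dc=test"
      # Binds as the 389ds root DN. Outside this test setup a dedicated service
      # account with write access limited to usersDn is the least-privilege choice.
      bindDn: "cn=Directory Manager"
      bindCredential: "admin"
      usernameLDAPAttribute: uid
      rdnLDAPAttribute: uid
      uuidLDAPAttribute: nsuniqueid
      userObjectClasses: "inetOrgPerson, organizationalPerson"
      authType: simple
      # Validate the LDAPS server certificate against Keycloak's truststore
      # (populated from keycloak_truststore_certificates above — confirm in role).
      useTruststoreSpi: ldapsOnly
    # Keycloak component config values are strings, hence the quoted "true"/"false".
    mappers:
      - name: "username"
        providerId: "user-attribute-ldap-mapper"
        providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
        config:
          ldap.attribute: "uid"
          user.model.attribute: "username"
          is.mandatory.in.ldap: "true"
          always.read.value.from.ldap: "false"
          read.only: "false"
          is.binary.attribute: "false"
      - name: "email"
        providerId: "user-attribute-ldap-mapper"
        providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
        config:
          ldap.attribute: "mail"
          user.model.attribute: "email"
          is.mandatory.in.ldap: "false"
          always.read.value.from.ldap: "false"
          read.only: "false"
          is.binary.attribute: "false"
      - name: "first name"
        providerId: "user-attribute-ldap-mapper"
        providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
        config:
          ldap.attribute: "givenName"
          user.model.attribute: "firstName"
          is.mandatory.in.ldap: "true"
          always.read.value.from.ldap: "false"
          read.only: "false"
          is.binary.attribute: "false"
      - name: "last name"
        providerId: "user-attribute-ldap-mapper"
        providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
        config:
          ldap.attribute: "sn"
          user.model.attribute: "lastName"
          is.mandatory.in.ldap: "true"
          always.read.value.from.ldap: "false"
          read.only: "false"
          is.binary.attribute: "false"
      # Full-name mappers are write-only: cn/displayName are composed from
      # first and last name on write and not read back into Keycloak.
      - name: "full name"
        providerId: "full-name-ldap-mapper"
        providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
        config:
          ldap.full.name.attribute: "cn"
          read.only: "false"
          write.only: "true"
      - name: "display name"
        providerId: "full-name-ldap-mapper"
        providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
        config:
          ldap.full.name.attribute: "displayName"
          read.only: "false"
          write.only: "true"
      # Operational attributes: read-only and always re-read from LDAP, so
      # Keycloak never attempts to write them.
      - name: "creation date"
        providerId: "user-attribute-ldap-mapper"
        providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
        config:
          ldap.attribute: "createTimestamp"
          user.model.attribute: "createTimestamp"
          is.mandatory.in.ldap: "false"
          always.read.value.from.ldap: "true"
          read.only: "true"
          is.binary.attribute: "false"
      - name: "modify date"
        providerId: "user-attribute-ldap-mapper"
        providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
        config:
          ldap.attribute: "modifyTimestamp"
          user.model.attribute: "modifyTimestamp"
          is.mandatory.in.ldap: "false"
          always.read.value.from.ldap: "true"
          read.only: "true"
          is.binary.attribute: "false"

# Resources to remove (for cleanup when removing items from above lists)
keycloak_removed_users: []
keycloak_removed_groups: []
keycloak_removed_clients: []
keycloak_removed_identity_providers: []
keycloak_removed_user_federations: []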