---
# Keycloak configuration for the Vagrant environment.
# Everything here is a development default: the hostnames only resolve
# inside the Vagrant network and every credential is a fixed, well-known
# string. Production inventories supply their own values for these keys.

keycloak_domain: "keycloak.local.test"
# Admin console password for the Vagrant box only.
keycloak_admin_password: "admin"

# Provision realm contents through the Keycloak Admin API.
keycloak_provisioning_enabled: true

# Realm configuration
keycloak_realm: "vagrant"
keycloak_realm_display_name: "Vagrant Test Realm"

# Groups to provision
keycloak_groups:
  - name: "admins"
  - name: "users"
  - name: "developers"

# Local users to provision. Passwords are fixed test values that match the
# usernames; they exist so the Vagrant box can be logged into out of the box.
keycloak_local_users:
  - username: "admin"
    first_name: "Test"
    last_name: "Admin"
    email: "admin@local.test"
    password: "admin"
    groups:
      - name: "admins"
  - username: "user"
    first_name: "Test"
    last_name: "User"
    email: "user@local.test"
    password: "user"
    groups:
      - name: "users"

# OIDC clients to provision. Each client_secret is a placeholder whose value
# says so; redirect_uris list the exact callback URLs on the Vagrant
# hostnames (no wildcards).
keycloak_oidc_clients:
  - client_id: "nextcloud"
    name: "Nextcloud"
    client_secret: "nextcloud-secret-change-in-production"
    redirect_uris:
      - "https://nextcloud.local.test/apps/user_oidc/code"
    default_client_scopes:
      - "openid"
      - "email"
      - "profile"
  - client_id: "httpbin"
    name: "HTTPBin Test App"
    client_secret: "httpbin-secret-change-in-production"
    redirect_uris:
      - "https://httpbin.local.test/callback"
    default_client_scopes:
      - "openid"
      - "email"
      - "profile"
  - client_id: "opencloud"
    name: "OpenCloud"
    client_secret: "opencloud-secret-change-in-production"
    redirect_uris:
      - "https://opencloud.local.test/"
      - "https://opencloud.local.test/oidc-callback.html"
      - "https://opencloud.local.test/oidc-silent-redirect.html"
    default_client_scopes:
      - "openid"
      - "email"
      - "profile"

# Identity providers (external login sources).
# Uncomment and configure for production use with real credentials.
# keycloak_identity_providers:
#   - alias: entra-id
#     display_name: "Login with Microsoft"
#     provider_id: oidc
#     config:
#       clientId: "your-entra-client-id"
#       clientSecret: "your-entra-client-secret"
#       authorizationUrl: "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
#       tokenUrl: "https://login.microsoftonline.com/common/oauth2/v2.0/token"
#       defaultScope: "openid profile email"

# Trust the 389ds self-signed CA cert (production would use ACME certs).
# This CA is what lets the ldaps:// federation below verify the directory's
# certificate; useTruststoreSpi in that block tells Keycloak to use it.
keycloak_truststore_certificates:
  - "/srv/data/389ds/data/ssca/ca.crt"

# Resolve the 389ds hostname from inside the Keycloak container. The
# federation's connectionUrl uses this name, so the two must agree.
keycloak_extra_hosts:
  - "389ds:192.168.56.11"

# LDAP user federation (write Keycloak users to 389ds).
# Component config values are kept as quoted strings ("true"/"false"),
# which is the form the Keycloak component config expects.
keycloak_user_federations:
  - name: "ldap-389ds"
    provider_id: "ldap"
    config:
      # WRITABLE plus syncRegistrations: users created in Keycloak are
      # written to the directory instead of living only in Keycloak's DB.
      editMode: "WRITABLE"
      syncRegistrations: "true"
      importEnabled: "true"
      vendor: "rhds"
      # LDAPS connection; the hostname is supplied by keycloak_extra_hosts.
      connectionUrl: "ldaps://389ds:3636"
      usersDn: "ou=users,dc=local,dc=test"
      # Binds as the directory's root DN; Vagrant-only credential.
      bindDn: "cn=Directory Manager"
      bindCredential: "admin"
      usernameLDAPAttribute: "uid"
      rdnLDAPAttribute: "uid"
      uuidLDAPAttribute: "nsuniqueid"
      userObjectClasses: "inetOrgPerson, organizationalPerson"
      authType: "simple"
      # Validate the server certificate against keycloak_truststore_certificates.
      useTruststoreSpi: "ldapsOnly"
    mappers:
      # Attribute mappers: one LDAP attribute <-> one Keycloak user attribute.
      - name: "username"
        providerId: "user-attribute-ldap-mapper"
        providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
        config:
          ldap.attribute: "uid"
          user.model.attribute: "username"
          is.mandatory.in.ldap: "true"
          always.read.value.from.ldap: "false"
          read.only: "false"
          is.binary.attribute: "false"
      - name: "email"
        providerId: "user-attribute-ldap-mapper"
        providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
        config:
          ldap.attribute: "mail"
          user.model.attribute: "email"
          is.mandatory.in.ldap: "false"
          always.read.value.from.ldap: "false"
          read.only: "false"
          is.binary.attribute: "false"
      - name: "first name"
        providerId: "user-attribute-ldap-mapper"
        providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
        config:
          ldap.attribute: "givenName"
          user.model.attribute: "firstName"
          is.mandatory.in.ldap: "true"
          always.read.value.from.ldap: "false"
          read.only: "false"
          is.binary.attribute: "false"
      - name: "last name"
        providerId: "user-attribute-ldap-mapper"
        providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
        config:
          ldap.attribute: "sn"
          user.model.attribute: "lastName"
          is.mandatory.in.ldap: "true"
          always.read.value.from.ldap: "false"
          read.only: "false"
          is.binary.attribute: "false"
      # Full-name mappers: write.only means the combined name is pushed to
      # LDAP (cn / displayName) but not read back into Keycloak.
      - name: "full name"
        providerId: "full-name-ldap-mapper"
        providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
        config:
          ldap.full.name.attribute: "cn"
          read.only: "false"
          write.only: "true"
      - name: "display name"
        providerId: "full-name-ldap-mapper"
        providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
        config:
          ldap.full.name.attribute: "displayName"
          read.only: "false"
          write.only: "true"
      # Timestamp attributes are maintained by the directory, so they are
      # read-only here and always re-read from LDAP rather than cached.
      - name: "creation date"
        providerId: "user-attribute-ldap-mapper"
        providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
        config:
          ldap.attribute: "createTimestamp"
          user.model.attribute: "createTimestamp"
          is.mandatory.in.ldap: "false"
          always.read.value.from.ldap: "true"
          read.only: "true"
          is.binary.attribute: "false"
      - name: "modify date"
        providerId: "user-attribute-ldap-mapper"
        providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
        config:
          ldap.attribute: "modifyTimestamp"
          user.model.attribute: "modifyTimestamp"
          is.mandatory.in.ldap: "false"
          always.read.value.from.ldap: "true"
          read.only: "true"
          is.binary.attribute: "false"

# Resources to remove. When an item is deleted from one of the lists above,
# add its identifier here so the provisioning run cleans it up in Keycloak.
keycloak_removed_users: []
keycloak_removed_groups: []
keycloak_removed_clients: []
keycloak_removed_identity_providers: []
keycloak_removed_user_federations: []