Docs Home Pulumi IaC Pulumi ESC Pulumi Cloud Packages Tutorials
  1. Packages
  2. Keycloak Provider
  3. API Docs
  4. ldap
  5. UserFederation
Keycloak v6.2.1 published on Monday, Feb 3, 2025 by Pulumi
pulumi/pulumi-keycloak

keycloak.ldap.UserFederation

Explore with Pulumi AI

keycloak logo
Keycloak v6.2.1 published on Monday, Feb 3, 2025 by Pulumi
pulumi/pulumi-keycloak

    Allows for creating and managing LDAP user federation providers within Keycloak.

    Keycloak can use an LDAP user federation provider to federate users to Keycloak from a directory system such as LDAP or Active Directory. Federated users will exist within the realm and will be able to log in to clients. Federated users can have their attributes defined using mappers.

    Example Usage

    import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";

const realm = new keycloak.Realm("realm", {
    realm: "my-realm",
    enabled: true,
});
const ldapUserFederation = new keycloak.ldap.UserFederation("ldap_user_federation", {
    name: "openldap",
    realmId: realm.id,
    enabled: true,
    usernameLdapAttribute: "cn",
    rdnLdapAttribute: "cn",
    uuidLdapAttribute: "entryDN",
    userObjectClasses: [
        "simpleSecurityObject",
        "organizationalRole",
    ],
    connectionUrl: "ldap://openldap",
    usersDn: "dc=example,dc=org",
    bindDn: "cn=admin,dc=example,dc=org",
    bindCredential: "admin",
    connectionTimeout: "5s",
    readTimeout: "10s",
    kerberos: {
        kerberosRealm: "FOO.LOCAL",
        serverPrincipal: "HTTP/host.foo.com@FOO.LOCAL",
        keyTab: "/etc/host.keytab",
    },
});

    import pulumi
import pulumi_keycloak as keycloak

realm = keycloak.Realm("realm",
    realm="my-realm",
    enabled=True)
ldap_user_federation = keycloak.ldap.UserFederation("ldap_user_federation",
    name="openldap",
    realm_id=realm.id,
    enabled=True,
    username_ldap_attribute="cn",
    rdn_ldap_attribute="cn",
    uuid_ldap_attribute="entryDN",
    user_object_classes=[
        "simpleSecurityObject",
        "organizationalRole",
    ],
    connection_url="ldap://openldap",
    users_dn="dc=example,dc=org",
    bind_dn="cn=admin,dc=example,dc=org",
    bind_credential="admin",
    connection_timeout="5s",
    read_timeout="10s",
    kerberos={
        "kerberos_realm": "FOO.LOCAL",
        "server_principal": "HTTP/host.foo.com@FOO.LOCAL",
        "key_tab": "/etc/host.keytab",
    })

    package main

import (
	"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak"
	"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak/ldap"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
			Realm:   pulumi.String("my-realm"),
			Enabled: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		_, err = ldap.NewUserFederation(ctx, "ldap_user_federation", &ldap.UserFederationArgs{
			Name:                  pulumi.String("openldap"),
			RealmId:               realm.ID(),
			Enabled:               pulumi.Bool(true),
			UsernameLdapAttribute: pulumi.String("cn"),
			RdnLdapAttribute:      pulumi.String("cn"),
			UuidLdapAttribute:     pulumi.String("entryDN"),
			UserObjectClasses: pulumi.StringArray{
				pulumi.String("simpleSecurityObject"),
				pulumi.String("organizationalRole"),
			},
			ConnectionUrl:     pulumi.String("ldap://openldap"),
			UsersDn:           pulumi.String("dc=example,dc=org"),
			BindDn:            pulumi.String("cn=admin,dc=example,dc=org"),
			BindCredential:    pulumi.String("admin"),
			ConnectionTimeout: pulumi.String("5s"),
			ReadTimeout:       pulumi.String("10s"),
			Kerberos: &ldap.UserFederationKerberosArgs{
				KerberosRealm:   pulumi.String("FOO.LOCAL"),
				ServerPrincipal: pulumi.String("HTTP/host.foo.com@FOO.LOCAL"),
				KeyTab:          pulumi.String("/etc/host.keytab"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

    using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Keycloak = Pulumi.Keycloak;

return await Deployment.RunAsync(() => 
{
    var realm = new Keycloak.Realm("realm", new()
    {
        RealmName = "my-realm",
        Enabled = true,
    });

    var ldapUserFederation = new Keycloak.Ldap.UserFederation("ldap_user_federation", new()
    {
        Name = "openldap",
        RealmId = realm.Id,
        Enabled = true,
        UsernameLdapAttribute = "cn",
        RdnLdapAttribute = "cn",
        UuidLdapAttribute = "entryDN",
        UserObjectClasses = new[]
        {
            "simpleSecurityObject",
            "organizationalRole",
        },
        ConnectionUrl = "ldap://openldap",
        UsersDn = "dc=example,dc=org",
        BindDn = "cn=admin,dc=example,dc=org",
        BindCredential = "admin",
        ConnectionTimeout = "5s",
        ReadTimeout = "10s",
        Kerberos = new Keycloak.Ldap.Inputs.UserFederationKerberosArgs
        {
            KerberosRealm = "FOO.LOCAL",
            ServerPrincipal = "HTTP/host.foo.com@FOO.LOCAL",
            KeyTab = "/etc/host.keytab",
        },
    });

});

    package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.Realm;
import com.pulumi.keycloak.RealmArgs;
import com.pulumi.keycloak.ldap.UserFederation;
import com.pulumi.keycloak.ldap.UserFederationArgs;
import com.pulumi.keycloak.ldap.inputs.UserFederationKerberosArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var realm = new Realm("realm", RealmArgs.builder()
            .realm("my-realm")
            .enabled(true)
            .build());

        var ldapUserFederation = new UserFederation("ldapUserFederation", UserFederationArgs.builder()
            .name("openldap")
            .realmId(realm.id())
            .enabled(true)
            .usernameLdapAttribute("cn")
            .rdnLdapAttribute("cn")
            .uuidLdapAttribute("entryDN")
            .userObjectClasses(            
                "simpleSecurityObject",
                "organizationalRole")
            .connectionUrl("ldap://openldap")
            .usersDn("dc=example,dc=org")
            .bindDn("cn=admin,dc=example,dc=org")
            .bindCredential("admin")
            .connectionTimeout("5s")
            .readTimeout("10s")
            .kerberos(UserFederationKerberosArgs.builder()
                .kerberosRealm("FOO.LOCAL")
                .serverPrincipal("HTTP/host.foo.com@FOO.LOCAL")
                .keyTab("/etc/host.keytab")
                .build())
            .build());

    }
}

    resources:
  realm:
    type: keycloak:Realm
    properties:
      realm: my-realm
      enabled: true
  ldapUserFederation:
    type: keycloak:ldap:UserFederation
    name: ldap_user_federation
    properties:
      name: openldap
      realmId: ${realm.id}
      enabled: true
      usernameLdapAttribute: cn
      rdnLdapAttribute: cn
      uuidLdapAttribute: entryDN
      userObjectClasses:
        - simpleSecurityObject
        - organizationalRole
      connectionUrl: ldap://openldap
      usersDn: dc=example,dc=org
      bindDn: cn=admin,dc=example,dc=org
      bindCredential: admin
      connectionTimeout: 5s
      readTimeout: 10s
      kerberos:
        kerberosRealm: FOO.LOCAL
        serverPrincipal: HTTP/host.foo.com@FOO.LOCAL
        keyTab: /etc/host.keytab

    Create UserFederation Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new UserFederation(name: string, args: UserFederationArgs, opts?: CustomResourceOptions);
    @overload
def UserFederation(resource_name: str,
                   args: UserFederationArgs,
                   opts: Optional[ResourceOptions] = None)

@overload
def UserFederation(resource_name: str,
                   opts: Optional[ResourceOptions] = None,
                   rdn_ldap_attribute: Optional[str] = None,
                   uuid_ldap_attribute: Optional[str] = None,
                   users_dn: Optional[str] = None,
                   username_ldap_attribute: Optional[str] = None,
                   user_object_classes: Optional[Sequence[str]] = None,
                   realm_id: Optional[str] = None,
                   connection_url: Optional[str] = None,
                   priority: Optional[int] = None,
                   search_scope: Optional[str] = None,
                   edit_mode: Optional[str] = None,
                   enabled: Optional[bool] = None,
                   full_sync_period: Optional[int] = None,
                   import_enabled: Optional[bool] = None,
                   kerberos: Optional[UserFederationKerberosArgs] = None,
                   name: Optional[str] = None,
                   pagination: Optional[bool] = None,
                   batch_size_for_sync: Optional[int] = None,
                   custom_user_search_filter: Optional[str] = None,
                   read_timeout: Optional[str] = None,
                   connection_timeout: Optional[str] = None,
                   delete_default_mappers: Optional[bool] = None,
                   start_tls: Optional[bool] = None,
                   sync_registrations: Optional[bool] = None,
                   trust_email: Optional[bool] = None,
                   use_password_modify_extended_op: Optional[bool] = None,
                   use_truststore_spi: Optional[str] = None,
                   changed_sync_period: Optional[int] = None,
                   cache: Optional[UserFederationCacheArgs] = None,
                   bind_dn: Optional[str] = None,
                   bind_credential: Optional[str] = None,
                   validate_password_policy: Optional[bool] = None,
                   vendor: Optional[str] = None)
    func NewUserFederation(ctx *Context, name string, args UserFederationArgs, opts ...ResourceOption) (*UserFederation, error)
    public UserFederation(string name, UserFederationArgs args, CustomResourceOptions? opts = null)
    public UserFederation(String name, UserFederationArgs args)
public UserFederation(String name, UserFederationArgs args, CustomResourceOptions options)

    type: keycloak:ldap:UserFederation
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

    Parameters

    name string
    The unique name of the resource.
    args UserFederationArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args UserFederationArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args UserFederationArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args UserFederationArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args UserFederationArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    var userFederationResource = new Keycloak.Ldap.UserFederation("userFederationResource", new()
{
    RdnLdapAttribute = "string",
    UuidLdapAttribute = "string",
    UsersDn = "string",
    UsernameLdapAttribute = "string",
    UserObjectClasses = new[]
    {
        "string",
    },
    RealmId = "string",
    ConnectionUrl = "string",
    Priority = 0,
    SearchScope = "string",
    EditMode = "string",
    Enabled = false,
    FullSyncPeriod = 0,
    ImportEnabled = false,
    Kerberos = new Keycloak.Ldap.Inputs.UserFederationKerberosArgs
    {
        KerberosRealm = "string",
        KeyTab = "string",
        ServerPrincipal = "string",
        UseKerberosForPasswordAuthentication = false,
    },
    Name = "string",
    Pagination = false,
    BatchSizeForSync = 0,
    CustomUserSearchFilter = "string",
    ReadTimeout = "string",
    ConnectionTimeout = "string",
    DeleteDefaultMappers = false,
    StartTls = false,
    SyncRegistrations = false,
    TrustEmail = false,
    UsePasswordModifyExtendedOp = false,
    UseTruststoreSpi = "string",
    ChangedSyncPeriod = 0,
    Cache = new Keycloak.Ldap.Inputs.UserFederationCacheArgs
    {
        EvictionDay = 0,
        EvictionHour = 0,
        EvictionMinute = 0,
        MaxLifespan = "string",
        Policy = "string",
    },
    BindDn = "string",
    BindCredential = "string",
    ValidatePasswordPolicy = false,
    Vendor = "string",
});

    example, err := ldap.NewUserFederation(ctx, "userFederationResource", &ldap.UserFederationArgs{
	RdnLdapAttribute:      pulumi.String("string"),
	UuidLdapAttribute:     pulumi.String("string"),
	UsersDn:               pulumi.String("string"),
	UsernameLdapAttribute: pulumi.String("string"),
	UserObjectClasses: pulumi.StringArray{
		pulumi.String("string"),
	},
	RealmId:        pulumi.String("string"),
	ConnectionUrl:  pulumi.String("string"),
	Priority:       pulumi.Int(0),
	SearchScope:    pulumi.String("string"),
	EditMode:       pulumi.String("string"),
	Enabled:        pulumi.Bool(false),
	FullSyncPeriod: pulumi.Int(0),
	ImportEnabled:  pulumi.Bool(false),
	Kerberos: &ldap.UserFederationKerberosArgs{
		KerberosRealm:                        pulumi.String("string"),
		KeyTab:                               pulumi.String("string"),
		ServerPrincipal:                      pulumi.String("string"),
		UseKerberosForPasswordAuthentication: pulumi.Bool(false),
	},
	Name:                        pulumi.String("string"),
	Pagination:                  pulumi.Bool(false),
	BatchSizeForSync:            pulumi.Int(0),
	CustomUserSearchFilter:      pulumi.String("string"),
	ReadTimeout:                 pulumi.String("string"),
	ConnectionTimeout:           pulumi.String("string"),
	DeleteDefaultMappers:        pulumi.Bool(false),
	StartTls:                    pulumi.Bool(false),
	SyncRegistrations:           pulumi.Bool(false),
	TrustEmail:                  pulumi.Bool(false),
	UsePasswordModifyExtendedOp: pulumi.Bool(false),
	UseTruststoreSpi:            pulumi.String("string"),
	ChangedSyncPeriod:           pulumi.Int(0),
	Cache: &ldap.UserFederationCacheArgs{
		EvictionDay:    pulumi.Int(0),
		EvictionHour:   pulumi.Int(0),
		EvictionMinute: pulumi.Int(0),
		MaxLifespan:    pulumi.String("string"),
		Policy:         pulumi.String("string"),
	},
	BindDn:                 pulumi.String("string"),
	BindCredential:         pulumi.String("string"),
	ValidatePasswordPolicy: pulumi.Bool(false),
	Vendor:                 pulumi.String("string"),
})

    var userFederationResource = new UserFederation("userFederationResource", UserFederationArgs.builder()
    .rdnLdapAttribute("string")
    .uuidLdapAttribute("string")
    .usersDn("string")
    .usernameLdapAttribute("string")
    .userObjectClasses("string")
    .realmId("string")
    .connectionUrl("string")
    .priority(0)
    .searchScope("string")
    .editMode("string")
    .enabled(false)
    .fullSyncPeriod(0)
    .importEnabled(false)
    .kerberos(UserFederationKerberosArgs.builder()
        .kerberosRealm("string")
        .keyTab("string")
        .serverPrincipal("string")
        .useKerberosForPasswordAuthentication(false)
        .build())
    .name("string")
    .pagination(false)
    .batchSizeForSync(0)
    .customUserSearchFilter("string")
    .readTimeout("string")
    .connectionTimeout("string")
    .deleteDefaultMappers(false)
    .startTls(false)
    .syncRegistrations(false)
    .trustEmail(false)
    .usePasswordModifyExtendedOp(false)
    .useTruststoreSpi("string")
    .changedSyncPeriod(0)
    .cache(UserFederationCacheArgs.builder()
        .evictionDay(0)
        .evictionHour(0)
        .evictionMinute(0)
        .maxLifespan("string")
        .policy("string")
        .build())
    .bindDn("string")
    .bindCredential("string")
    .validatePasswordPolicy(false)
    .vendor("string")
    .build());

    user_federation_resource = keycloak.ldap.UserFederation("userFederationResource",
    rdn_ldap_attribute="string",
    uuid_ldap_attribute="string",
    users_dn="string",
    username_ldap_attribute="string",
    user_object_classes=["string"],
    realm_id="string",
    connection_url="string",
    priority=0,
    search_scope="string",
    edit_mode="string",
    enabled=False,
    full_sync_period=0,
    import_enabled=False,
    kerberos={
        "kerberos_realm": "string",
        "key_tab": "string",
        "server_principal": "string",
        "use_kerberos_for_password_authentication": False,
    },
    name="string",
    pagination=False,
    batch_size_for_sync=0,
    custom_user_search_filter="string",
    read_timeout="string",
    connection_timeout="string",
    delete_default_mappers=False,
    start_tls=False,
    sync_registrations=False,
    trust_email=False,
    use_password_modify_extended_op=False,
    use_truststore_spi="string",
    changed_sync_period=0,
    cache={
        "eviction_day": 0,
        "eviction_hour": 0,
        "eviction_minute": 0,
        "max_lifespan": "string",
        "policy": "string",
    },
    bind_dn="string",
    bind_credential="string",
    validate_password_policy=False,
    vendor="string")

    const userFederationResource = new keycloak.ldap.UserFederation("userFederationResource", {
    rdnLdapAttribute: "string",
    uuidLdapAttribute: "string",
    usersDn: "string",
    usernameLdapAttribute: "string",
    userObjectClasses: ["string"],
    realmId: "string",
    connectionUrl: "string",
    priority: 0,
    searchScope: "string",
    editMode: "string",
    enabled: false,
    fullSyncPeriod: 0,
    importEnabled: false,
    kerberos: {
        kerberosRealm: "string",
        keyTab: "string",
        serverPrincipal: "string",
        useKerberosForPasswordAuthentication: false,
    },
    name: "string",
    pagination: false,
    batchSizeForSync: 0,
    customUserSearchFilter: "string",
    readTimeout: "string",
    connectionTimeout: "string",
    deleteDefaultMappers: false,
    startTls: false,
    syncRegistrations: false,
    trustEmail: false,
    usePasswordModifyExtendedOp: false,
    useTruststoreSpi: "string",
    changedSyncPeriod: 0,
    cache: {
        evictionDay: 0,
        evictionHour: 0,
        evictionMinute: 0,
        maxLifespan: "string",
        policy: "string",
    },
    bindDn: "string",
    bindCredential: "string",
    validatePasswordPolicy: false,
    vendor: "string",
});

    type: keycloak:ldap:UserFederation
properties:
    batchSizeForSync: 0
    bindCredential: string
    bindDn: string
    cache:
        evictionDay: 0
        evictionHour: 0
        evictionMinute: 0
        maxLifespan: string
        policy: string
    changedSyncPeriod: 0
    connectionTimeout: string
    connectionUrl: string
    customUserSearchFilter: string
    deleteDefaultMappers: false
    editMode: string
    enabled: false
    fullSyncPeriod: 0
    importEnabled: false
    kerberos:
        kerberosRealm: string
        keyTab: string
        serverPrincipal: string
        useKerberosForPasswordAuthentication: false
    name: string
    pagination: false
    priority: 0
    rdnLdapAttribute: string
    readTimeout: string
    realmId: string
    searchScope: string
    startTls: false
    syncRegistrations: false
    trustEmail: false
    usePasswordModifyExtendedOp: false
    useTruststoreSpi: string
    userObjectClasses:
        - string
    usernameLdapAttribute: string
    usersDn: string
    uuidLdapAttribute: string
    validatePasswordPolicy: false
    vendor: string

    UserFederation Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

    The UserFederation resource accepts the following input properties:

    ConnectionUrl string
    Connection URL to the LDAP server.
    RdnLdapAttribute string
    Name of the LDAP attribute to use as the relative distinguished name.
    RealmId string
    The realm that this provider will provide user federation for.
    UserObjectClasses List<string>
    Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one.
    UsernameLdapAttribute string
    Name of the LDAP attribute to use as the Keycloak username.
    UsersDn string
    Full DN of LDAP tree where your users are.
    UuidLdapAttribute string
    Name of the LDAP attribute to use as a unique object identifier for objects in LDAP.
    BatchSizeForSync int
    The number of users to sync within a single transaction. Defaults to 1000.
    BindCredential string
    Password of LDAP admin. This attribute must be set if bind_dn is set.
    BindDn string
    DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if bind_credential is set.
    Cache UserFederationCache
    A block containing the cache settings.
    ChangedSyncPeriod int
    How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.
    ConnectionTimeout string
    LDAP connection timeout in the format of a Go duration string.
    CustomUserSearchFilter string
    Additional LDAP filter for filtering searched users. Must begin with ( and end with ).
    DeleteDefaultMappers bool
    When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP user federation provider. Defaults to false.
    EditMode string
    Can be one of READ_ONLY, WRITABLE, or UNSYNCED. UNSYNCED allows user data to be imported but not synced back to LDAP. Defaults to READ_ONLY.
    Enabled bool
    When false, this provider will not be used when performing queries for users. Defaults to true.
    FullSyncPeriod int
    How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync.
    ImportEnabled bool
    When true, LDAP users will be imported into the Keycloak database. Defaults to true.
    Kerberos UserFederationKerberos
    A block containing the kerberos settings.
    Name string
    Display name of the provider when displayed in the console.
    Pagination bool
    When true, Keycloak assumes the LDAP server supports pagination. Defaults to true.
    Priority int
    Priority of this provider when looking up users. Lower values are first. Defaults to 0.
    ReadTimeout string
    LDAP read timeout in the format of a Go duration string.
    SearchScope string
    Can be one of ONE_LEVEL or SUBTREE:

    • ONE_LEVEL: Only search for users in the DN specified by user_dn.
    • SUBTREE: Search entire LDAP subtree.
    StartTls bool
    When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling.
    SyncRegistrations bool
    When true, newly created users will be synced back to LDAP. Defaults to false.
    TrustEmail bool
    If enabled, email provided by this provider is not verified even if verification is enabled for the realm.
    UsePasswordModifyExtendedOp bool
    When true, use the LDAPv3 Password Modify Extended Operation (RFC-3062).
    UseTruststoreSpi string
    Can be one of ALWAYS, ONLY_FOR_LDAPS, or NEVER:

    • ALWAYS - Always use the truststore SPI for LDAP connections.
    • NEVER - Never use the truststore SPI for LDAP connections.
    • ONLY_FOR_LDAPS - Only use the truststore SPI if your LDAP connection uses the ldaps protocol.
    ValidatePasswordPolicy bool
    When true, Keycloak will validate passwords using the realm policy before updating it.
    Vendor string
    Can be one of OTHER, EDIRECTORY, AD, RHDS, or TIVOLI. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to OTHER.
    ConnectionUrl string
    Connection URL to the LDAP server.
    RdnLdapAttribute string
    Name of the LDAP attribute to use as the relative distinguished name.
    RealmId string
    The realm that this provider will provide user federation for.
    UserObjectClasses []string
    Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one.
    UsernameLdapAttribute string
    Name of the LDAP attribute to use as the Keycloak username.
    UsersDn string
    Full DN of LDAP tree where your users are.
    UuidLdapAttribute string
    Name of the LDAP attribute to use as a unique object identifier for objects in LDAP.
    BatchSizeForSync int
    The number of users to sync within a single transaction. Defaults to 1000.
    BindCredential string
    Password of LDAP admin. This attribute must be set if bind_dn is set.
    BindDn string
    DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if bind_credential is set.
    Cache UserFederationCacheArgs
    A block containing the cache settings.
    ChangedSyncPeriod int
    How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.
    ConnectionTimeout string
    LDAP connection timeout in the format of a Go duration string.
    CustomUserSearchFilter string
    Additional LDAP filter for filtering searched users. Must begin with ( and end with ).
    DeleteDefaultMappers bool
    When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP user federation provider. Defaults to false.
    EditMode string
    Can be one of READ_ONLY, WRITABLE, or UNSYNCED. UNSYNCED allows user data to be imported but not synced back to LDAP. Defaults to READ_ONLY.
    Enabled bool
    When false, this provider will not be used when performing queries for users. Defaults to true.
    FullSyncPeriod int
    How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync.
    ImportEnabled bool
    When true, LDAP users will be imported into the Keycloak database. Defaults to true.
    Kerberos UserFederationKerberosArgs
    A block containing the kerberos settings.
    Name string
    Display name of the provider when displayed in the console.
    Pagination bool
    When true, Keycloak assumes the LDAP server supports pagination. Defaults to true.
    Priority int
    Priority of this provider when looking up users. Lower values are first. Defaults to 0.
    ReadTimeout string
    LDAP read timeout in the format of a Go duration string.
    SearchScope string
    Can be one of ONE_LEVEL or SUBTREE:

    • ONE_LEVEL: Only search for users in the DN specified by user_dn.
    • SUBTREE: Search entire LDAP subtree.
    StartTls bool
    When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling.
    SyncRegistrations bool
    When true, newly created users will be synced back to LDAP. Defaults to false.
    TrustEmail bool
    If enabled, email provided by this provider is not verified even if verification is enabled for the realm.
    UsePasswordModifyExtendedOp bool
    When true, use the LDAPv3 Password Modify Extended Operation (RFC-3062).
    UseTruststoreSpi string
    Can be one of ALWAYS, ONLY_FOR_LDAPS, or NEVER:

    • ALWAYS - Always use the truststore SPI for LDAP connections.
    • NEVER - Never use the truststore SPI for LDAP connections.
    • ONLY_FOR_LDAPS - Only use the truststore SPI if your LDAP connection uses the ldaps protocol.
    ValidatePasswordPolicy bool
    When true, Keycloak will validate passwords using the realm policy before updating it.
    Vendor string
    Can be one of OTHER, EDIRECTORY, AD, RHDS, or TIVOLI. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to OTHER.
    connectionUrl String
    Connection URL to the LDAP server.
    rdnLdapAttribute String
    Name of the LDAP attribute to use as the relative distinguished name.
    realmId String
    The realm that this provider will provide user federation for.
    userObjectClasses List<String>
    Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one.
    usernameLdapAttribute String
    Name of the LDAP attribute to use as the Keycloak username.
    usersDn String
    Full DN of LDAP tree where your users are.
    uuidLdapAttribute String
    Name of the LDAP attribute to use as a unique object identifier for objects in LDAP.
    batchSizeForSync Integer
    The number of users to sync within a single transaction. Defaults to 1000.
    bindCredential String
    Password of LDAP admin. This attribute must be set if bind_dn is set.
    bindDn String
    DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if bind_credential is set.
    cache UserFederationCache
    A block containing the cache settings.
    changedSyncPeriod Integer
    How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.
    connectionTimeout String
    LDAP connection timeout in the format of a Go duration string.
    customUserSearchFilter String
    Additional LDAP filter for filtering searched users. Must begin with ( and end with ).
    deleteDefaultMappers Boolean
    When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP user federation provider. Defaults to false.
    editMode String
    Can be one of READ_ONLY, WRITABLE, or UNSYNCED. UNSYNCED allows user data to be imported but not synced back to LDAP. Defaults to READ_ONLY.
    enabled Boolean
    When false, this provider will not be used when performing queries for users. Defaults to true.
    fullSyncPeriod Integer
    How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync.
    importEnabled Boolean
    When true, LDAP users will be imported into the Keycloak database. Defaults to true.
    kerberos UserFederationKerberos
    A block containing the kerberos settings.
    name String
    Display name of the provider when displayed in the console.
    pagination Boolean
    When true, Keycloak assumes the LDAP server supports pagination. Defaults to true.
    priority Integer
    Priority of this provider when looking up users. Lower values are first. Defaults to 0.
    readTimeout String
    LDAP read timeout in the format of a Go duration string.
    searchScope String
    Can be one of ONE_LEVEL or SUBTREE:

    • ONE_LEVEL: Only search for users in the DN specified by user_dn.
    • SUBTREE: Search entire LDAP subtree.
    startTls Boolean
    When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling.
    syncRegistrations Boolean
    When true, newly created users will be synced back to LDAP. Defaults to false.
    trustEmail Boolean
    If enabled, email provided by this provider is not verified even if verification is enabled for the realm.
    usePasswordModifyExtendedOp Boolean
    When true, use the LDAPv3 Password Modify Extended Operation (RFC-3062).
    useTruststoreSpi String
    Can be one of ALWAYS, ONLY_FOR_LDAPS, or NEVER:

    • ALWAYS - Always use the truststore SPI for LDAP connections.
    • NEVER - Never use the truststore SPI for LDAP connections.
    • ONLY_FOR_LDAPS - Only use the truststore SPI if your LDAP connection uses the ldaps protocol.
    validatePasswordPolicy Boolean
    When true, Keycloak will validate passwords using the realm policy before updating it.
    vendor String
    Can be one of OTHER, EDIRECTORY, AD, RHDS, or TIVOLI. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to OTHER.
    connectionUrl string
    Connection URL to the LDAP server.
    rdnLdapAttribute string
    Name of the LDAP attribute to use as the relative distinguished name.
    realmId string
    The realm that this provider will provide user federation for.
    userObjectClasses string[]
    Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one.
    usernameLdapAttribute string
    Name of the LDAP attribute to use as the Keycloak username.
    usersDn string
    Full DN of LDAP tree where your users are.
    uuidLdapAttribute string
    Name of the LDAP attribute to use as a unique object identifier for objects in LDAP.
    batchSizeForSync number
    The number of users to sync within a single transaction. Defaults to 1000.
    bindCredential string
    Password of LDAP admin. This attribute must be set if bind_dn is set.
    bindDn string
    DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if bind_credential is set.
    cache UserFederationCache
    A block containing the cache settings.
    changedSyncPeriod number
    How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.
    connectionTimeout string
    LDAP connection timeout in the format of a Go duration string.
    customUserSearchFilter string
    Additional LDAP filter for filtering searched users. Must begin with ( and end with ).
    deleteDefaultMappers boolean
    When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP user federation provider. Defaults to false.
    editMode string
    Can be one of READ_ONLY, WRITABLE, or UNSYNCED. UNSYNCED allows user data to be imported but not synced back to LDAP. Defaults to READ_ONLY.
    enabled boolean
    When false, this provider will not be used when performing queries for users. Defaults to true.
    fullSyncPeriod number
    How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync.
    importEnabled boolean
    When true, LDAP users will be imported into the Keycloak database. Defaults to true.
    kerberos UserFederationKerberos
    A block containing the kerberos settings.
    name string
    Display name of the provider when displayed in the console.
    pagination boolean
    When true, Keycloak assumes the LDAP server supports pagination. Defaults to true.
    priority number
    Priority of this provider when looking up users. Lower values are first. Defaults to 0.
    readTimeout string
    LDAP read timeout in the format of a Go duration string.
    searchScope string
    Can be one of ONE_LEVEL or SUBTREE:

    • ONE_LEVEL: Only search for users in the DN specified by user_dn.
    • SUBTREE: Search entire LDAP subtree.
    startTls boolean
    When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling.
    syncRegistrations boolean
    When true, newly created users will be synced back to LDAP. Defaults to false.
    trustEmail boolean
    If enabled, email provided by this provider is not verified even if verification is enabled for the realm.
    usePasswordModifyExtendedOp boolean
    When true, use the LDAPv3 Password Modify Extended Operation (RFC-3062).
    useTruststoreSpi string
    Can be one of ALWAYS, ONLY_FOR_LDAPS, or NEVER:

    • ALWAYS - Always use the truststore SPI for LDAP connections.
    • NEVER - Never use the truststore SPI for LDAP connections.
    • ONLY_FOR_LDAPS - Only use the truststore SPI if your LDAP connection uses the ldaps protocol.
    validatePasswordPolicy boolean
    When true, Keycloak will validate passwords using the realm policy before updating it.
    vendor string
    Can be one of OTHER, EDIRECTORY, AD, RHDS, or TIVOLI. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to OTHER.
    connection_url str
    Connection URL to the LDAP server.
    rdn_ldap_attribute str
    Name of the LDAP attribute to use as the relative distinguished name.
    realm_id str
    The realm that this provider will provide user federation for.
    user_object_classes Sequence[str]
    Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one.
    username_ldap_attribute str
    Name of the LDAP attribute to use as the Keycloak username.
    users_dn str
    Full DN of LDAP tree where your users are.
    uuid_ldap_attribute str
    Name of the LDAP attribute to use as a unique object identifier for objects in LDAP.
    batch_size_for_sync int
    The number of users to sync within a single transaction. Defaults to 1000.
    bind_credential str
    Password of LDAP admin. This attribute must be set if bind_dn is set.
    bind_dn str
    DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if bind_credential is set.
    cache UserFederationCacheArgs
    A block containing the cache settings.
    changed_sync_period int
    How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.
    connection_timeout str
    LDAP connection timeout in the format of a Go duration string.
    custom_user_search_filter str
    Additional LDAP filter for filtering searched users. Must begin with ( and end with ).
    delete_default_mappers bool
    When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP user federation provider. Defaults to false.
    edit_mode str
    Can be one of READ_ONLY, WRITABLE, or UNSYNCED. UNSYNCED allows user data to be imported but not synced back to LDAP. Defaults to READ_ONLY.
    enabled bool
    When false, this provider will not be used when performing queries for users. Defaults to true.
    full_sync_period int
    How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync.
    import_enabled bool
    When true, LDAP users will be imported into the Keycloak database. Defaults to true.
    kerberos UserFederationKerberosArgs
    A block containing the kerberos settings.
    name str
    Display name of the provider when displayed in the console.
    pagination bool
    When true, Keycloak assumes the LDAP server supports pagination. Defaults to true.
    priority int
    Priority of this provider when looking up users. Lower values are first. Defaults to 0.
    read_timeout str
    LDAP read timeout in the format of a Go duration string.
    search_scope str
    Can be one of ONE_LEVEL or SUBTREE:

    • ONE_LEVEL: Only search for users in the DN specified by user_dn.
    • SUBTREE: Search entire LDAP subtree.
    start_tls bool
    When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling.
    sync_registrations bool
    When true, newly created users will be synced back to LDAP. Defaults to false.
    trust_email bool
    If enabled, email provided by this provider is not verified even if verification is enabled for the realm.
    use_password_modify_extended_op bool
    When true, use the LDAPv3 Password Modify Extended Operation (RFC-3062).
    use_truststore_spi str
    Can be one of ALWAYS, ONLY_FOR_LDAPS, or NEVER:

    • ALWAYS - Always use the truststore SPI for LDAP connections.
    • NEVER - Never use the truststore SPI for LDAP connections.
    • ONLY_FOR_LDAPS - Only use the truststore SPI if your LDAP connection uses the ldaps protocol.
    validate_password_policy bool
    When true, Keycloak will validate passwords using the realm policy before updating it.
    vendor str
    Can be one of OTHER, EDIRECTORY, AD, RHDS, or TIVOLI. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to OTHER.
    connectionUrl String
    Connection URL to the LDAP server.
    rdnLdapAttribute String
    Name of the LDAP attribute to use as the relative distinguished name.
    realmId String
    The realm that this provider will provide user federation for.
    userObjectClasses List<String>
    Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one.
    usernameLdapAttribute String
    Name of the LDAP attribute to use as the Keycloak username.
    usersDn String
    Full DN of LDAP tree where your users are.
    uuidLdapAttribute String
    Name of the LDAP attribute to use as a unique object identifier for objects in LDAP.
    batchSizeForSync Number
    The number of users to sync within a single transaction. Defaults to 1000.
    bindCredential String
    Password of LDAP admin. This attribute must be set if bind_dn is set.
    bindDn String
    DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if bind_credential is set.
    cache Property Map
    A block containing the cache settings.
    changedSyncPeriod Number
    How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.
    connectionTimeout String
    LDAP connection timeout in the format of a Go duration string.
    customUserSearchFilter String
    Additional LDAP filter for filtering searched users. Must begin with ( and end with ).
    deleteDefaultMappers Boolean
    When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP user federation provider. Defaults to false.
    editMode String
    Can be one of READ_ONLY, WRITABLE, or UNSYNCED. UNSYNCED allows user data to be imported but not synced back to LDAP. Defaults to READ_ONLY.
    enabled Boolean
    When false, this provider will not be used when performing queries for users. Defaults to true.
    fullSyncPeriod Number
    How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync.
    importEnabled Boolean
    When true, LDAP users will be imported into the Keycloak database. Defaults to true.
    kerberos Property Map
    A block containing the kerberos settings.
    name String
    Display name of the provider when displayed in the console.
    pagination Boolean
    When true, Keycloak assumes the LDAP server supports pagination. Defaults to true.
    priority Number
    Priority of this provider when looking up users. Lower values are first. Defaults to 0.
    readTimeout String
    LDAP read timeout in the format of a Go duration string.
    searchScope String
    Can be one of ONE_LEVEL or SUBTREE:

    • ONE_LEVEL: Only search for users in the DN specified by user_dn.
    • SUBTREE: Search entire LDAP subtree.
    startTls Boolean
    When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling.
    syncRegistrations Boolean
    When true, newly created users will be synced back to LDAP. Defaults to false.
    trustEmail Boolean
    If enabled, email provided by this provider is not verified even if verification is enabled for the realm.
    usePasswordModifyExtendedOp Boolean
    When true, use the LDAPv3 Password Modify Extended Operation (RFC-3062).
    useTruststoreSpi String
    Can be one of ALWAYS, ONLY_FOR_LDAPS, or NEVER:

    • ALWAYS - Always use the truststore SPI for LDAP connections.
    • NEVER - Never use the truststore SPI for LDAP connections.
    • ONLY_FOR_LDAPS - Only use the truststore SPI if your LDAP connection uses the ldaps protocol.
    validatePasswordPolicy Boolean
    When true, Keycloak will validate passwords using the realm policy before updating it.
    vendor String
    Can be one of OTHER, EDIRECTORY, AD, RHDS, or TIVOLI. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to OTHER.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the UserFederation resource produces the following output properties:

    Id string
    The provider-assigned unique ID for this managed resource.
    Id string
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.
    id string
    The provider-assigned unique ID for this managed resource.
    id str
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.

    Look up Existing UserFederation Resource

    Get an existing UserFederation resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: UserFederationState, opts?: CustomResourceOptions): UserFederation
    @staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        batch_size_for_sync: Optional[int] = None,
        bind_credential: Optional[str] = None,
        bind_dn: Optional[str] = None,
        cache: Optional[UserFederationCacheArgs] = None,
        changed_sync_period: Optional[int] = None,
        connection_timeout: Optional[str] = None,
        connection_url: Optional[str] = None,
        custom_user_search_filter: Optional[str] = None,
        delete_default_mappers: Optional[bool] = None,
        edit_mode: Optional[str] = None,
        enabled: Optional[bool] = None,
        full_sync_period: Optional[int] = None,
        import_enabled: Optional[bool] = None,
        kerberos: Optional[UserFederationKerberosArgs] = None,
        name: Optional[str] = None,
        pagination: Optional[bool] = None,
        priority: Optional[int] = None,
        rdn_ldap_attribute: Optional[str] = None,
        read_timeout: Optional[str] = None,
        realm_id: Optional[str] = None,
        search_scope: Optional[str] = None,
        start_tls: Optional[bool] = None,
        sync_registrations: Optional[bool] = None,
        trust_email: Optional[bool] = None,
        use_password_modify_extended_op: Optional[bool] = None,
        use_truststore_spi: Optional[str] = None,
        user_object_classes: Optional[Sequence[str]] = None,
        username_ldap_attribute: Optional[str] = None,
        users_dn: Optional[str] = None,
        uuid_ldap_attribute: Optional[str] = None,
        validate_password_policy: Optional[bool] = None,
        vendor: Optional[str] = None) -> UserFederation
    func GetUserFederation(ctx *Context, name string, id IDInput, state *UserFederationState, opts ...ResourceOption) (*UserFederation, error)
    public static UserFederation Get(string name, Input<string> id, UserFederationState? state, CustomResourceOptions? opts = null)
    public static UserFederation get(String name, Output<String> id, UserFederationState state, CustomResourceOptions options)
    resources:  _:    type: keycloak:ldap:UserFederation    get:      id: ${id}
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    BatchSizeForSync int
    The number of users to sync within a single transaction. Defaults to 1000.
    BindCredential string
    Password of LDAP admin. This attribute must be set if bind_dn is set.
    BindDn string
    DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if bind_credential is set.
    Cache UserFederationCache
    A block containing the cache settings.
    ChangedSyncPeriod int
    How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.
    ConnectionTimeout string
    LDAP connection timeout in the format of a Go duration string.
    ConnectionUrl string
    Connection URL to the LDAP server.
    CustomUserSearchFilter string
    Additional LDAP filter for filtering searched users. Must begin with ( and end with ).
    DeleteDefaultMappers bool
    When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP user federation provider. Defaults to false.
    EditMode string
    Can be one of READ_ONLY, WRITABLE, or UNSYNCED. UNSYNCED allows user data to be imported but not synced back to LDAP. Defaults to READ_ONLY.
    Enabled bool
    When false, this provider will not be used when performing queries for users. Defaults to true.
    FullSyncPeriod int
    How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync.
    ImportEnabled bool
    When true, LDAP users will be imported into the Keycloak database. Defaults to true.
    Kerberos UserFederationKerberos
    A block containing the kerberos settings.
    Name string
    Display name of the provider when displayed in the console.
    Pagination bool
    When true, Keycloak assumes the LDAP server supports pagination. Defaults to true.
    Priority int
    Priority of this provider when looking up users. Lower values are first. Defaults to 0.
    RdnLdapAttribute string
    Name of the LDAP attribute to use as the relative distinguished name.
    ReadTimeout string
    LDAP read timeout in the format of a Go duration string.
    RealmId string
    The realm that this provider will provide user federation for.
    SearchScope string
    Can be one of ONE_LEVEL or SUBTREE:

    • ONE_LEVEL: Only search for users in the DN specified by user_dn.
    • SUBTREE: Search entire LDAP subtree.
    StartTls bool
    When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling.
    SyncRegistrations bool
    When true, newly created users will be synced back to LDAP. Defaults to false.
    TrustEmail bool
    If enabled, email provided by this provider is not verified even if verification is enabled for the realm.
    UsePasswordModifyExtendedOp bool
    When true, use the LDAPv3 Password Modify Extended Operation (RFC-3062).
    UseTruststoreSpi string
    Can be one of ALWAYS, ONLY_FOR_LDAPS, or NEVER:

    • ALWAYS - Always use the truststore SPI for LDAP connections.
    • NEVER - Never use the truststore SPI for LDAP connections.
    • ONLY_FOR_LDAPS - Only use the truststore SPI if your LDAP connection uses the ldaps protocol.
    UserObjectClasses List<string>
    Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one.
    UsernameLdapAttribute string
    Name of the LDAP attribute to use as the Keycloak username.
    UsersDn string
    Full DN of LDAP tree where your users are.
    UuidLdapAttribute string
    Name of the LDAP attribute to use as a unique object identifier for objects in LDAP.
    ValidatePasswordPolicy bool
    When true, Keycloak will validate passwords using the realm policy before updating it.
    Vendor string
    Can be one of OTHER, EDIRECTORY, AD, RHDS, or TIVOLI. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to OTHER.
    BatchSizeForSync int
    The number of users to sync within a single transaction. Defaults to 1000.
    BindCredential string
    Password of LDAP admin. This attribute must be set if bind_dn is set.
    BindDn string
    DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if bind_credential is set.
    Cache UserFederationCacheArgs
    A block containing the cache settings.
    ChangedSyncPeriod int
    How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.
    ConnectionTimeout string
    LDAP connection timeout in the format of a Go duration string.
    ConnectionUrl string
    Connection URL to the LDAP server.
    CustomUserSearchFilter string
    Additional LDAP filter for filtering searched users. Must begin with ( and end with ).
    DeleteDefaultMappers bool
    When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP user federation provider. Defaults to false.
    EditMode string
    Can be one of READ_ONLY, WRITABLE, or UNSYNCED. UNSYNCED allows user data to be imported but not synced back to LDAP. Defaults to READ_ONLY.
    Enabled bool
    When false, this provider will not be used when performing queries for users. Defaults to true.
    FullSyncPeriod int
    How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync.
    ImportEnabled bool
    When true, LDAP users will be imported into the Keycloak database. Defaults to true.
    Kerberos UserFederationKerberosArgs
    A block containing the kerberos settings.
    Name string
    Display name of the provider when displayed in the console.
    Pagination bool
    When true, Keycloak assumes the LDAP server supports pagination. Defaults to true.
    Priority int
    Priority of this provider when looking up users. Lower values are first. Defaults to 0.
    RdnLdapAttribute string
    Name of the LDAP attribute to use as the relative distinguished name.
    ReadTimeout string
    LDAP read timeout in the format of a Go duration string.
    RealmId string
    The realm that this provider will provide user federation for.
    SearchScope string
    Can be one of ONE_LEVEL or SUBTREE:

    • ONE_LEVEL: Only search for users in the DN specified by user_dn.
    • SUBTREE: Search entire LDAP subtree.
    StartTls bool
    When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling.
    SyncRegistrations bool
    When true, newly created users will be synced back to LDAP. Defaults to false.
    TrustEmail bool
    If enabled, email provided by this provider is not verified even if verification is enabled for the realm.
    UsePasswordModifyExtendedOp bool
    When true, use the LDAPv3 Password Modify Extended Operation (RFC-3062).
    UseTruststoreSpi string
    Can be one of ALWAYS, ONLY_FOR_LDAPS, or NEVER:

    • ALWAYS - Always use the truststore SPI for LDAP connections.
    • NEVER - Never use the truststore SPI for LDAP connections.
    • ONLY_FOR_LDAPS - Only use the truststore SPI if your LDAP connection uses the ldaps protocol.
    UserObjectClasses []string
    Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one.
    UsernameLdapAttribute string
    Name of the LDAP attribute to use as the Keycloak username.
    UsersDn string
    Full DN of LDAP tree where your users are.
    UuidLdapAttribute string
    Name of the LDAP attribute to use as a unique object identifier for objects in LDAP.
    ValidatePasswordPolicy bool
    When true, Keycloak will validate passwords using the realm policy before updating it.
    Vendor string
    Can be one of OTHER, EDIRECTORY, AD, RHDS, or TIVOLI. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to OTHER.
    batchSizeForSync Integer
    The number of users to sync within a single transaction. Defaults to 1000.
    bindCredential String
    Password of LDAP admin. This attribute must be set if bind_dn is set.
    bindDn String
    DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if bind_credential is set.
    cache UserFederationCache
    A block containing the cache settings.
    changedSyncPeriod Integer
    How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.
    connectionTimeout String
    LDAP connection timeout in the format of a Go duration string.
    connectionUrl String
    Connection URL to the LDAP server.
    customUserSearchFilter String
    Additional LDAP filter for filtering searched users. Must begin with ( and end with ).
    deleteDefaultMappers Boolean
    When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP user federation provider. Defaults to false.
    editMode String
    Can be one of READ_ONLY, WRITABLE, or UNSYNCED. UNSYNCED allows user data to be imported but not synced back to LDAP. Defaults to READ_ONLY.
    enabled Boolean
    When false, this provider will not be used when performing queries for users. Defaults to true.
    fullSyncPeriod Integer
    How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync.
    importEnabled Boolean
    When true, LDAP users will be imported into the Keycloak database. Defaults to true.
    kerberos UserFederationKerberos
    A block containing the kerberos settings.
    name String
    Display name of the provider when displayed in the console.
    pagination Boolean
    When true, Keycloak assumes the LDAP server supports pagination. Defaults to true.
    priority Integer
    Priority of this provider when looking up users. Lower values are first. Defaults to 0.
    rdnLdapAttribute String
    Name of the LDAP attribute to use as the relative distinguished name.
    readTimeout String
    LDAP read timeout in the format of a Go duration string.
    realmId String
    The realm that this provider will provide user federation for.
    searchScope String
    Can be one of ONE_LEVEL or SUBTREE:

    • ONE_LEVEL: Only search for users in the DN specified by user_dn.
    • SUBTREE: Search entire LDAP subtree.
    startTls Boolean
    When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling.
    syncRegistrations Boolean
    When true, newly created users will be synced back to LDAP. Defaults to false.
    trustEmail Boolean
    If enabled, email provided by this provider is not verified even if verification is enabled for the realm.
    usePasswordModifyExtendedOp Boolean
    When true, use the LDAPv3 Password Modify Extended Operation (RFC-3062).
    useTruststoreSpi String
    Can be one of ALWAYS, ONLY_FOR_LDAPS, or NEVER:

    • ALWAYS - Always use the truststore SPI for LDAP connections.
    • NEVER - Never use the truststore SPI for LDAP connections.
    • ONLY_FOR_LDAPS - Only use the truststore SPI if your LDAP connection uses the ldaps protocol.
    userObjectClasses List<String>
    Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one.
    usernameLdapAttribute String
    Name of the LDAP attribute to use as the Keycloak username.
    usersDn String
    Full DN of LDAP tree where your users are.
    uuidLdapAttribute String
    Name of the LDAP attribute to use as a unique object identifier for objects in LDAP.
    validatePasswordPolicy Boolean
    When true, Keycloak will validate passwords using the realm policy before updating it.
    vendor String
    Can be one of OTHER, EDIRECTORY, AD, RHDS, or TIVOLI. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to OTHER.
    batchSizeForSync number
    The number of users to sync within a single transaction. Defaults to 1000.
    bindCredential string
    Password of LDAP admin. This attribute must be set if bind_dn is set.
    bindDn string
    DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if bind_credential is set.
    cache UserFederationCache
    A block containing the cache settings.
    changedSyncPeriod number
    How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.
    connectionTimeout string
    LDAP connection timeout in the format of a Go duration string.
    connectionUrl string
    Connection URL to the LDAP server.
    customUserSearchFilter string
    Additional LDAP filter for filtering searched users. Must begin with ( and end with ).
    deleteDefaultMappers boolean
    When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP user federation provider. Defaults to false.
    editMode string
    Can be one of READ_ONLY, WRITABLE, or UNSYNCED. UNSYNCED allows user data to be imported but not synced back to LDAP. Defaults to READ_ONLY.
    enabled boolean
    When false, this provider will not be used when performing queries for users. Defaults to true.
    fullSyncPeriod number
    How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync.
    importEnabled boolean
    When true, LDAP users will be imported into the Keycloak database. Defaults to true.
    kerberos UserFederationKerberos
    A block containing the kerberos settings.
    name string
    Display name of the provider when displayed in the console.
    pagination boolean
    When true, Keycloak assumes the LDAP server supports pagination. Defaults to true.
    priority number
    Priority of this provider when looking up users. Lower values are first. Defaults to 0.
    rdnLdapAttribute string
    Name of the LDAP attribute to use as the relative distinguished name.
    readTimeout string
    LDAP read timeout in the format of a Go duration string.
    realmId string
    The realm that this provider will provide user federation for.
    searchScope string
    Can be one of ONE_LEVEL or SUBTREE:

    • ONE_LEVEL: Only search for users in the DN specified by user_dn.
    • SUBTREE: Search entire LDAP subtree.
    startTls boolean
    When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling.
    syncRegistrations boolean
    When true, newly created users will be synced back to LDAP. Defaults to false.
    trustEmail boolean
    If enabled, email provided by this provider is not verified even if verification is enabled for the realm.
    usePasswordModifyExtendedOp boolean
    When true, use the LDAPv3 Password Modify Extended Operation (RFC-3062).
    useTruststoreSpi string
    Can be one of ALWAYS, ONLY_FOR_LDAPS, or NEVER:

    • ALWAYS - Always use the truststore SPI for LDAP connections.
    • NEVER - Never use the truststore SPI for LDAP connections.
    • ONLY_FOR_LDAPS - Only use the truststore SPI if your LDAP connection uses the ldaps protocol.
    userObjectClasses string[]
    Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one.
    usernameLdapAttribute string
    Name of the LDAP attribute to use as the Keycloak username.
    usersDn string
    Full DN of LDAP tree where your users are.
    uuidLdapAttribute string
    Name of the LDAP attribute to use as a unique object identifier for objects in LDAP.
    validatePasswordPolicy boolean
    When true, Keycloak will validate passwords using the realm policy before updating it.
    vendor string
    Can be one of OTHER, EDIRECTORY, AD, RHDS, or TIVOLI. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to OTHER.
    batch_size_for_sync int
    The number of users to sync within a single transaction. Defaults to 1000.
    bind_credential str
    Password of LDAP admin. This attribute must be set if bind_dn is set.
    bind_dn str
    DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if bind_credential is set.
    cache UserFederationCacheArgs
    A block containing the cache settings.
    changed_sync_period int
    How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.
    connection_timeout str
    LDAP connection timeout in the format of a Go duration string.
    connection_url str
    Connection URL to the LDAP server.
    custom_user_search_filter str
    Additional LDAP filter for filtering searched users. Must begin with ( and end with ).
    delete_default_mappers bool
    When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP user federation provider. Defaults to false.
    edit_mode str
    Can be one of READ_ONLY, WRITABLE, or UNSYNCED. UNSYNCED allows user data to be imported but not synced back to LDAP. Defaults to READ_ONLY.
    enabled bool
    When false, this provider will not be used when performing queries for users. Defaults to true.
    full_sync_period int
    How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync.
    import_enabled bool
    When true, LDAP users will be imported into the Keycloak database. Defaults to true.
    kerberos UserFederationKerberosArgs
    A block containing the kerberos settings.
    name str
    Display name of the provider when displayed in the console.
    pagination bool
    When true, Keycloak assumes the LDAP server supports pagination. Defaults to true.
    priority int
    Priority of this provider when looking up users. Lower values are first. Defaults to 0.
    rdn_ldap_attribute str
    Name of the LDAP attribute to use as the relative distinguished name.
    read_timeout str
    LDAP read timeout in the format of a Go duration string.
    realm_id str
    The realm that this provider will provide user federation for.
    search_scope str
    Can be one of ONE_LEVEL or SUBTREE:

    • ONE_LEVEL: Only search for users in the DN specified by user_dn.
    • SUBTREE: Search entire LDAP subtree.
    start_tls bool
    When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling.
    sync_registrations bool
    When true, newly created users will be synced back to LDAP. Defaults to false.
    trust_email bool
    If enabled, email provided by this provider is not verified even if verification is enabled for the realm.
    use_password_modify_extended_op bool
    When true, use the LDAPv3 Password Modify Extended Operation (RFC-3062).
    use_truststore_spi str
    Can be one of ALWAYS, ONLY_FOR_LDAPS, or NEVER:

    • ALWAYS - Always use the truststore SPI for LDAP connections.
    • NEVER - Never use the truststore SPI for LDAP connections.
    • ONLY_FOR_LDAPS - Only use the truststore SPI if your LDAP connection uses the ldaps protocol.
    user_object_classes Sequence[str]
    Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one.
    username_ldap_attribute str
    Name of the LDAP attribute to use as the Keycloak username.
    users_dn str
    Full DN of LDAP tree where your users are.
    uuid_ldap_attribute str
    Name of the LDAP attribute to use as a unique object identifier for objects in LDAP.
    validate_password_policy bool
    When true, Keycloak will validate passwords using the realm policy before updating it.
    vendor str
    Can be one of OTHER, EDIRECTORY, AD, RHDS, or TIVOLI. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to OTHER.
    batchSizeForSync Number
    The number of users to sync within a single transaction. Defaults to 1000.
    bindCredential String
    Password of LDAP admin. This attribute must be set if bind_dn is set.
    bindDn String
    DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if bind_credential is set.
    cache Property Map
    A block containing the cache settings.
    changedSyncPeriod Number
    How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.
    connectionTimeout String
    LDAP connection timeout in the format of a Go duration string.
    connectionUrl String
    Connection URL to the LDAP server.
    customUserSearchFilter String
    Additional LDAP filter for filtering searched users. Must begin with ( and end with ).
    deleteDefaultMappers Boolean
    When true, the provider will delete the default mappers which are normally created by Keycloak when creating an LDAP user federation provider. Defaults to false.
    editMode String
    Can be one of READ_ONLY, WRITABLE, or UNSYNCED. UNSYNCED allows user data to be imported but not synced back to LDAP. Defaults to READ_ONLY.
    enabled Boolean
    When false, this provider will not be used when performing queries for users. Defaults to true.
    fullSyncPeriod Number
    How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync.
    importEnabled Boolean
    When true, LDAP users will be imported into the Keycloak database. Defaults to true.
    kerberos Property Map
    A block containing the kerberos settings.
    name String
    Display name of the provider when displayed in the console.
    pagination Boolean
    When true, Keycloak assumes the LDAP server supports pagination. Defaults to true.
    priority Number
    Priority of this provider when looking up users. Lower values are first. Defaults to 0.
    rdnLdapAttribute String
    Name of the LDAP attribute to use as the relative distinguished name.
    readTimeout String
    LDAP read timeout in the format of a Go duration string.
    realmId String
    The realm that this provider will provide user federation for.
    searchScope String
    Can be one of ONE_LEVEL or SUBTREE:

    • ONE_LEVEL: Only search for users in the DN specified by user_dn.
    • SUBTREE: Search entire LDAP subtree.
    startTls Boolean
    When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling.
    syncRegistrations Boolean
    When true, newly created users will be synced back to LDAP. Defaults to false.
    trustEmail Boolean
    If enabled, email provided by this provider is not verified even if verification is enabled for the realm.
    usePasswordModifyExtendedOp Boolean
    When true, use the LDAPv3 Password Modify Extended Operation (RFC-3062).
    useTruststoreSpi String
    Can be one of ALWAYS, ONLY_FOR_LDAPS, or NEVER:

    • ALWAYS - Always use the truststore SPI for LDAP connections.
    • NEVER - Never use the truststore SPI for LDAP connections.
    • ONLY_FOR_LDAPS - Only use the truststore SPI if your LDAP connection uses the ldaps protocol.
    userObjectClasses List<String>
    Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one.
    usernameLdapAttribute String
    Name of the LDAP attribute to use as the Keycloak username.
    usersDn String
    Full DN of LDAP tree where your users are.
    uuidLdapAttribute String
    Name of the LDAP attribute to use as a unique object identifier for objects in LDAP.
    validatePasswordPolicy Boolean
    When true, Keycloak will validate passwords using the realm policy before updating it.
    vendor String
    Can be one of OTHER, EDIRECTORY, AD, RHDS, or TIVOLI. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to OTHER.

    Supporting Types

    UserFederationCache, UserFederationCacheArgs

    EvictionDay int
    Day of the week the entry will become invalid on
    EvictionHour int
    Hour of day the entry will become invalid on.
    EvictionMinute int
    Minute of day the entry will become invalid on.
    MaxLifespan string
    Max lifespan of cache entry (duration string).
    Policy string
    Can be one of DEFAULT, EVICT_DAILY, EVICT_WEEKLY, MAX_LIFESPAN, or NO_CACHE. Defaults to DEFAULT.
    EvictionDay int
    Day of the week the entry will become invalid on
    EvictionHour int
    Hour of day the entry will become invalid on.
    EvictionMinute int
    Minute of day the entry will become invalid on.
    MaxLifespan string
    Max lifespan of cache entry (duration string).
    Policy string
    Can be one of DEFAULT, EVICT_DAILY, EVICT_WEEKLY, MAX_LIFESPAN, or NO_CACHE. Defaults to DEFAULT.
    evictionDay Integer
    Day of the week the entry will become invalid on
    evictionHour Integer
    Hour of day the entry will become invalid on.
    evictionMinute Integer
    Minute of day the entry will become invalid on.
    maxLifespan String
    Max lifespan of cache entry (duration string).
    policy String
    Can be one of DEFAULT, EVICT_DAILY, EVICT_WEEKLY, MAX_LIFESPAN, or NO_CACHE. Defaults to DEFAULT.
    evictionDay number
    Day of the week the entry will become invalid on
    evictionHour number
    Hour of day the entry will become invalid on.
    evictionMinute number
    Minute of day the entry will become invalid on.
    maxLifespan string
    Max lifespan of cache entry (duration string).
    policy string
    Can be one of DEFAULT, EVICT_DAILY, EVICT_WEEKLY, MAX_LIFESPAN, or NO_CACHE. Defaults to DEFAULT.
    eviction_day int
    Day of the week the entry will become invalid on
    eviction_hour int
    Hour of day the entry will become invalid on.
    eviction_minute int
    Minute of day the entry will become invalid on.
    max_lifespan str
    Max lifespan of cache entry (duration string).
    policy str
    Can be one of DEFAULT, EVICT_DAILY, EVICT_WEEKLY, MAX_LIFESPAN, or NO_CACHE. Defaults to DEFAULT.
    evictionDay Number
    Day of the week the entry will become invalid on
    evictionHour Number
    Hour of day the entry will become invalid on.
    evictionMinute Number
    Minute of day the entry will become invalid on.
    maxLifespan String
    Max lifespan of cache entry (duration string).
    policy String
    Can be one of DEFAULT, EVICT_DAILY, EVICT_WEEKLY, MAX_LIFESPAN, or NO_CACHE. Defaults to DEFAULT.

    UserFederationKerberos, UserFederationKerberosArgs

    KerberosRealm string
    The name of the kerberos realm, e.g. FOO.LOCAL.
    KeyTab string
    Path to the kerberos keytab file on the server with credentials of the service principal.
    ServerPrincipal string
    The kerberos server principal, e.g. 'HTTP/host.foo.com@FOO.LOCAL'.
    UseKerberosForPasswordAuthentication bool
    Use kerberos login module instead of ldap service api. Defaults to false.
    KerberosRealm string
    The name of the kerberos realm, e.g. FOO.LOCAL.
    KeyTab string
    Path to the kerberos keytab file on the server with credentials of the service principal.
    ServerPrincipal string
    The kerberos server principal, e.g. 'HTTP/host.foo.com@FOO.LOCAL'.
    UseKerberosForPasswordAuthentication bool
    Use kerberos login module instead of ldap service api. Defaults to false.
    kerberosRealm String
    The name of the kerberos realm, e.g. FOO.LOCAL.
    keyTab String
    Path to the kerberos keytab file on the server with credentials of the service principal.
    serverPrincipal String
    The kerberos server principal, e.g. 'HTTP/host.foo.com@FOO.LOCAL'.
    useKerberosForPasswordAuthentication Boolean
    Use kerberos login module instead of ldap service api. Defaults to false.
    kerberosRealm string
    The name of the kerberos realm, e.g. FOO.LOCAL.
    keyTab string
    Path to the kerberos keytab file on the server with credentials of the service principal.
    serverPrincipal string
    The kerberos server principal, e.g. 'HTTP/host.foo.com@FOO.LOCAL'.
    useKerberosForPasswordAuthentication boolean
    Use kerberos login module instead of ldap service api. Defaults to false.
    kerberos_realm str
    The name of the kerberos realm, e.g. FOO.LOCAL.
    key_tab str
    Path to the kerberos keytab file on the server with credentials of the service principal.
    server_principal str
    The kerberos server principal, e.g. 'HTTP/host.foo.com@FOO.LOCAL'.
    use_kerberos_for_password_authentication bool
    Use kerberos login module instead of ldap service api. Defaults to false.
    kerberosRealm String
    The name of the kerberos realm, e.g. FOO.LOCAL.
    keyTab String
    Path to the kerberos keytab file on the server with credentials of the service principal.
    serverPrincipal String
    The kerberos server principal, e.g. 'HTTP/host.foo.com@FOO.LOCAL'.
    useKerberosForPasswordAuthentication Boolean
    Use kerberos login module instead of ldap service api. Defaults to false.

    Import

    LDAP user federation providers can be imported using the format {{realm_id}}/{{ldap_user_federation_id}}.

    The ID of the LDAP user federation provider can be found within the Keycloak GUI and is typically a GUID:

    bash

    $ pulumi import keycloak:ldap/userFederation:UserFederation ldap_user_federation my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860

    To learn more about importing existing cloud resources, see Importing resources.

    Package Details

    Repository
    Keycloak pulumi/pulumi-keycloak
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the keycloak Terraform Provider.
    keycloak logo
    Keycloak v6.2.1 published on Monday, Feb 3, 2025 by Pulumi
    pulumi/pulumi-keycloak