Defined Type: keycloak::freeipa_user_provider

Defined in:
manifests/freeipa_user_provider.pp

Summary

Set up FreeIPA as an LDAP user provider for Keycloak

Overview

Examples:

Add FreeIPA as a user provider

keycloak::freeipa_user_provider { 'ipa.example.org':
  ensure          => 'present',
  realm           => 'EXAMPLE.ORG',
  bind_dn         => 'uid=ldapproxy,cn=sysaccounts,cn=etc,dc=example,dc=org',
  bind_credential => 'secret',
  users_dn        => 'cn=users,cn=accounts,dc=example,dc=org',
  priority        => 10,
}

Parameters:

  • ensure (Enum['present', 'absent']) (defaults to: 'present')

    LDAP user provider status

  • id (Optional[String]) (defaults to: undef)

    ID to use for the user provider

  • ipa_host (Stdlib::Host) (defaults to: $title)

    Hostname of the FreeIPA server (e.g. ipa.example.org)

  • realm (String)

    Keycloak realm

  • bind_dn (String)

    LDAP bind DN

  • bind_credential (String)

    LDAP bind password

  • users_dn (String)

    The DN for user search

  • priority (Integer) (defaults to: 10)

    Priority for this user provider

  • ldaps (Boolean) (defaults to: false)

    Use the LDAPS protocol instead of plain LDAP

  • full_sync_period (Optional[Integer]) (defaults to: undef)

    Synchronize all users this often (fullSyncPeriod)

  • changed_sync_period (Optional[Integer]) (defaults to: undef)

    Synchronize changed users this often (changedSyncPeriod)



# File 'manifests/freeipa_user_provider.pp', line 37

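# @summary Set up FreeIPA as an LDAP user provider for Keycloak.
#
# Thin wrapper around a single `keycloak_ldap_user_provider` resource with the
# attribute mapping a FreeIPA directory expects (users keyed by `uid`,
# identified by `ipaUniqueID`, read-only edit mode, simple bind).
#
# @example Add FreeIPA as a user provider
#   keycloak::freeipa_user_provider { 'ipa.example.org':
#     ensure          => 'present',
#     realm           => 'EXAMPLE.ORG',
#     bind_dn         => 'uid=ldapproxy,cn=sysaccounts,cn=etc,dc=example,dc=org',
#     bind_credential => 'secret',
#     users_dn        => 'cn=users,cn=accounts,dc=example,dc=org',
#     priority        => 10,
#   }
#
# @param realm Keycloak realm the provider is attached to.
# @param bind_dn LDAP bind DN used for the simple bind.
# @param bind_credential LDAP bind password for `bind_dn`.
# @param users_dn Base DN for the user search.
# @param ensure Whether the user provider should exist. Forwarded to the
#   underlying resource, so 'absent' removes the provider from the realm.
# @param id Optional fixed ID for the user provider (undef lets Keycloak
#   assign one).
# @param ipa_host Hostname of the FreeIPA server; defaults to the resource
#   title.
# @param priority Priority of this user provider among the realm's providers.
# @param ldaps Connect with LDAPS on port 636 instead of plain LDAP on
#   port 389. NOTE: with the default (false) the bind DN and password are sent
#   to the IPA server over an unencrypted connection; set this to true
#   wherever the server offers TLS.
# @param full_sync_period Synchronize all users this often (fullSyncPeriod).
# @param changed_sync_period Synchronize changed users this often
#   (changedSyncPeriod).
define keycloak::freeipa_user_provider (
  String $realm,
  String $bind_dn,
  String $bind_credential,
  String $users_dn,
  Enum['present', 'absent'] $ensure = 'present',
  Optional[String] $id = undef,
  Stdlib::Host $ipa_host = $title,
  Integer $priority = 10,
  Boolean $ldaps = false,
  Optional[Integer] $full_sync_period = undef,
  Optional[Integer] $changed_sync_period = undef
) {
  # Scheme and port follow the protocol choice; FreeIPA listens on the
  # standard LDAP (389) and LDAPS (636) ports.
  $connection_url = $ldaps ? {
    true    => "ldaps://${ipa_host}:636",
    default => "ldap://${ipa_host}:389",
  }

  # The title is kept stable so that ensure => 'absent' targets the same
  # resource a previous 'present' run created.
  keycloak_ldap_user_provider { "${ipa_host} on ${realm}":
    # Forward $ensure; this used to be hard-coded to 'present', which made
    # ensure => 'absent' on the define a silent no-op.
    ensure                                   => $ensure,
    id                                       => $id,
    auth_type                                => 'simple',
    bind_credential                          => $bind_credential,
    bind_dn                                  => $bind_dn,
    connection_url                           => $connection_url,
    # Keycloak never writes back to IPA.
    edit_mode                                => 'READ_ONLY',
    import_enabled                           => 'true',
    priority                                 => $priority,
    rdn_ldap_attribute                       => 'uid',
    search_scope                             => '1',
    use_kerberos_for_password_authentication => 'false',
    use_truststore_spi                       => 'always',
    # 'organizationalPerson' previously carried a stray leading space.
    user_object_classes                      => ['inetOrgPerson', 'organizationalPerson'],
    username_ldap_attribute                  => 'uid',
    users_dn                                 => $users_dn,
    uuid_ldap_attribute                      => 'ipaUniqueID',
    vendor                                   => 'rhds',
    full_sync_period                         => $full_sync_period,
    changed_sync_period                      => $changed_sync_period,
  }
}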