Closed mjschmidt closed 1 year ago
This is the closest thing I've been able to find thus far, but it only has a definition no options listed: https://www.keycloak.org/docs-api/10.0/rest-api/index.html#_definitions
I don't have a complete example, but I'm currently trying to get this figured out myself. I think you're looking for what value to put in `vendor`, correct? Should be `rhds`.
```yaml
---
apiVersion: keycloak.org/v1alpha1
kind: KeycloakRealm
metadata:
  name: ldap
  namespace: keycloak
  labels:
    app: ldap
spec:
  instanceSelector:
    matchLabels:
      app: sso
  realm:
    id: ldap
    realm: ldap
    enabled: true
    displayName: "ldap realm"
    userFederationProviders:
      - displayName: ldap
        providerName: ldap
        config:
          priority: "0"
          editMode: "READ_ONLY"
          syncRegistrations: "false"
          vendor: "rhds"
          usernameLDAPAttribute: "uid"
          rdnLDAPAttribute: "uid"
          uuidLDAPAttribute: "uid"
```
I had to manually set this up in the UI and then look at the API response to determine the values.
@tadamo which link are you looking at for API docs?
Do you have an example call I can work off of? That would be super helpful. Using curl?
@mjschmidt There's no link. I'm just using the Developer Tools in Chrome and watching the network activity. I added our ldap User Federation manually and then pulled up the page in the UI.
I found the response to this URL to have the values: https://keycloak.example.com/auth/admin/realms/tadamo-realm/components/f1c1280e-4c63-4329-9b2e-edc5fad27ff9, `tadamo-realm` being the name of my realm and `f1c1280e-4c63-4329-9b2e-edc5fad27ff9` being the Provider ID that was auto created.
The response looks something like this...
```json
{
  "id": "f1c1280e-4c63-4329-9b2e-edc5fad27ff9",
  "name": "ldap",
  "providerId": "ldap",
  "providerType": "org.keycloak.storage.UserStorageProvider",
  "parentId": "tadamo-realm",
  "config": {
    "fullSyncPeriod": ["604800"],
    "pagination": ["true"],
    "connectionPooling": ["true"],
    "usersDn": ["ou=People,dc=example,dc=com"],
    "cachePolicy": ["DEFAULT"],
    "useKerberosForPasswordAuthentication": ["false"],
    "importEnabled": ["true"],
    "enabled": ["true"],
    "usernameLDAPAttribute": ["uid"],
    "bindCredential": ["**********"],
    "changedSyncPeriod": ["86400"],
    "bindDn": ["uid=user,ou=People,dc=example,dc=com"],
    "lastSync": ["1656352519"],
    "vendor": ["rhds"],
    "uuidLDAPAttribute": ["uidNumber"],
    "allowKerberosAuthentication": ["false"],
    "connectionUrl": ["ldaps://ldap.example.com"],
    "syncRegistrations": ["true"],
    "authType": ["simple"],
    "customUserSearchFilter": ["(&(|(ExampleMemberOf=groupa)(ExampleMemberOf=groupb)(ExampleMemberOf=group-*)))"],
    "debug": ["false"],
    "searchScope": ["2"],
    "useTruststoreSpi": ["ldapsOnly"],
    "usePasswordModifyExtendedOp": ["true"],
    "trustEmail": ["false"],
    "priority": ["0"],
    "userObjectClasses": ["person, inetOrgPerson, organizationalPerson"],
    "rdnLDAPAttribute": ["uid"],
    "editMode": ["READ_ONLY"],
    "validatePasswordPolicy": ["false"],
    "batchSizeForSync": ["1000"]
  }
}
```
I created a new realm with the `KeycloakRealm` CR and those field names seem to work in the `config` section of `userFederationProviders`.
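As an added example (not code from this thread or from the keycloak-operator project), a small Python script that turns the component JSON returned by the admin endpoint above into a `userFederationProviders` entry for the CR. It assumes the one-element-list shape shown above for every config value, drops `lastSync` (runtime state, not configuration) and replaces the masked `bindCredential` with a placeholder so the real bind password is never pasted into a CR; the sample input is a constructed, trimmed copy of the response above.

```python
import json

# Constructed sample input, trimmed from the component JSON quoted in the thread.
COMPONENT_JSON = """{
  "name": "ldap",
  "providerId": "ldap",
  "providerType": "org.keycloak.storage.UserStorageProvider",
  "config": {
    "vendor": ["rhds"],
    "connectionUrl": ["ldaps://ldap.example.com"],
    "usersDn": ["ou=People,dc=example,dc=com"],
    "bindDn": ["uid=user,ou=People,dc=example,dc=com"],
    "bindCredential": ["**********"],
    "lastSync": ["1656352519"],
    "editMode": ["READ_ONLY"],
    "priority": ["0"]
  }
}"""

SKIP = {"lastSync"}            # runtime state, not configuration
MASKED = {"bindCredential"}    # the API returns it masked; never commit the real value

def component_to_provider(component: dict) -> dict:
    # Map one UserStorageProvider component to a userFederationProviders entry.
    if component.get("providerType") != "org.keycloak.storage.UserStorageProvider":
        raise ValueError("not a user storage provider component")
    config = {}
    for key, values in component["config"].items():
        if key in SKIP:
            continue
        if len(values) != 1:   # the API wraps every value in a one-element list
            raise ValueError(f"{key}: expected one value, got {values!r}")
        value = values[0]
        if key in MASKED and set(value) == {"*"}:
            value = "REPLACE_ME"   # placeholder: inject the secret at deploy time
        config[key] = str(value)   # CR config values are strings, as in the YAML above
    return {"displayName": component["name"],
            "providerName": component["providerId"], "config": config}

def to_yaml(provider: dict, indent: int = 6) -> str:
    # Emit the entry as a YAML list item; flat enough that PyYAML is not needed.
    pad = " " * indent
    out = [f"{pad}- displayName: {provider['displayName']}",
           f"{pad}  providerName: {provider['providerName']}",
           f"{pad}  config:"]
    out += [f'{pad}    {k}: "{v}"' for k, v in sorted(provider["config"].items())]
    return "\n".join(out)

def convert(text: str, indent: int = 6) -> str:
    return to_yaml(component_to_provider(json.loads(text)), indent)
```

The output is indented to drop straight under `userFederationProviders:` in the CR above; the `REPLACE_ME` value must still be swapped for the real credential from a Secret before applying.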
oh cool thank you! I will also take a look at using this method to troubleshoot and properly configure. Appreciated.
@tadamo I had an idea of what I am going to look into next. I am going to export the keycloak configs using their export utility then inspect their json file. I'll let you know how that goes.
@tadamo you can get the configuration for ldap out of the exported values. I haven't yet verified this works, but from the values I am looking at it looks like the vendor you want is in fact "other" if hooking to generic ldap.
@mjschmidt Thanks for the info, the export is a bit easier to look through. I do have `rhds` working, but I'm working with the Red Hat SSO product and my drop down options are "Active Directory" or "Red Hat Directory Server"...so, I guess that's probably why.
looks like I got it working as well now.
Thanks (again) for reporting this issue. Keycloak 19 was the last version that included this legacy Operator, and with the release of Keycloak 20 the Operator reached EOL and this repository will be archived, please see our blog post on this topic. If this issue is still valid for the Realm Operator, please re-open it there. Thanks for your understanding. And be sure to check out our new Operator!
Description
Just wondering in the userFederationProviders area for a realm CRD if there are docs to all the possible config elements?
I am trying to create a realm with ldap and I see ad is the option for active directory, but I am wondering how to create a realm that is backed by a generic ldap (so option other instead of ad). Is this option "o" or "other"? Tried several things but can't seem to guess the correct config.
The example I am looking at is here: https://github.com/keycloak/keycloak-operator/blob/main/deploy/examples/realm/realm_with_ldap.yaml
Discussion
n/a
Motivation
none if documentation exists
Details
no further details