keycloak / keycloak-operator

ARCHIVED Kubernetes Operator for the no longer supported WildFly distribution of Keycloak
Apache License 2.0

where is the realm with ldap documentation? #560

Closed mjschmidt closed 1 year ago

mjschmidt commented 2 years ago

Description

Just wondering, in the userFederationProviders area for a realm CRD, if there are docs for all the possible config elements?

I am trying to create a realm with LDAP and I see ad is the option for Active Directory, but I am wondering how to create a realm that is backed by a generic LDAP (so option "other" instead of ad). Is this option "o" or "other"? I've tried several things but can't seem to guess the correct config.

The example I am looking at is here: https://github.com/keycloak/keycloak-operator/blob/main/deploy/examples/realm/realm_with_ldap.yaml

Discussion

n/a

Motivation

none if documentation exists

Details

no further details

mjschmidt commented 2 years ago

This is the closest thing I've been able to find thus far, but it only has a definition, no options listed: https://www.keycloak.org/docs-api/10.0/rest-api/index.html#_definitions

tadamo commented 2 years ago

I don't have a complete example, but I'm currently trying to get this figured out myself. I think you're looking for what value to put in vendor, correct? Should be rhds.

---
apiVersion: keycloak.org/v1alpha1
kind: KeycloakRealm
metadata:
  name: ldap
  namespace: keycloak
  labels:
    app: ldap
spec:
  instanceSelector:
    matchLabels:
      app: sso
  realm:
    id: ldap
    realm: ldap
    enabled: true
    displayName: "ldap realm"
    userFederationProviders:
      - displayName: ldap
        providerName: ldap
        config:
          priority: "0"
          editMode: "READ_ONLY"
          syncRegistrations: "false"
          vendor: "rhds"
          usernameLDAPAttribute: "uid"
          rdnLDAPAttribute: "uid"
          uuidLDAPAttribute: "uid"

I had to manually set this up in the UI and then look at the API response to determine the values.

mjschmidt commented 2 years ago

@tadamo which link are you looking at for API docs?

Do you have an example call I can work off of? That would be super helpful. Using curl?

tadamo commented 2 years ago

@mjschmidt There's no link. I'm just using the Developer Tools in Chrome and watching the network activity. I added our ldap User Federation manually and then pulled up the page in the UI.

I found the response to this URL to have the values: https://keycloak.example.com/auth/admin/realms/tadamo-realm/components/f1c1280e-4c63-4329-9b2e-edc5fad27ff9

tadamo-realm being the name of my realm and f1c1280e-4c63-4329-9b2e-edc5fad27ff9 being the Provider ID that was auto-created.

The response looks something like this...

{
    "id": "f1c1280e-4c63-4329-9b2e-edc5fad27ff9",
    "name": "ldap",
    "providerId": "ldap",
    "providerType": "org.keycloak.storage.UserStorageProvider",
    "parentId": "tadamo-realm",
    "config": {
        "fullSyncPeriod": [
            "604800"
        ],
        "pagination": [
            "true"
        ],
        "connectionPooling": [
            "true"
        ],
        "usersDn": [
            "ou=People,dc=example,dc=com"
        ],
        "cachePolicy": [
            "DEFAULT"
        ],
        "useKerberosForPasswordAuthentication": [
            "false"
        ],
        "importEnabled": [
            "true"
        ],
        "enabled": [
            "true"
        ],
        "usernameLDAPAttribute": [
            "uid"
        ],
        "bindCredential": [
            "**********"
        ],
        "changedSyncPeriod": [
            "86400"
        ],
        "bindDn": [
            "uid=user,ou=People,dc=example,dc=com"
        ],
        "lastSync": [
            "1656352519"
        ],
        "vendor": [
            "rhds"
        ],
        "uuidLDAPAttribute": [
            "uidNumber"
        ],
        "allowKerberosAuthentication": [
            "false"
        ],
        "connectionUrl": [
            "ldaps://ldap.example.com"
        ],
        "syncRegistrations": [
            "true"
        ],
        "authType": [
            "simple"
        ],
        "customUserSearchFilter": [
            "(&(|(ExampleMemberOf=groupa)(ExampleMemberOf=groupb)(ExampleMemberOf=group-*)))"
        ],
        "debug": [
            "false"
        ],
        "searchScope": [
            "2"
        ],
        "useTruststoreSpi": [
            "ldapsOnly"
        ],
        "usePasswordModifyExtendedOp": [
            "true"
        ],
        "trustEmail": [
            "false"
        ],
        "priority": [
            "0"
        ],
        "userObjectClasses": [
            "person, inetOrgPerson, organizationalPerson"
        ],
        "rdnLDAPAttribute": [
            "uid"
        ],
        "editMode": [
            "READ_ONLY"
        ],
        "validatePasswordPolicy": [
            "false"
        ],
        "batchSizeForSync": [
            "1000"
        ]
    }
}

I created a new realm with the KeycloakRealm CR and those field names seem to work in the config section of userFederationProviders.

mjschmidt commented 2 years ago

Oh cool, thank you! I will also take a look at using this method to troubleshoot and properly configure. Appreciated.

mjschmidt commented 2 years ago

@tadamo I had an idea of what I am going to look into next. I am going to export the keycloak configs using their export utility then inspect their json file. I'll let you know how that goes.

mjschmidt commented 2 years ago

@tadamo you can get the configuration for LDAP out of the exported values. I haven't yet verified this works, but from the values I am looking at, it looks like the vendor you want is in fact "other" if hooking up to a generic LDAP.
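The mapping discussed in the two comments above, from the Admin REST API component JSON (or a realm export) to the flat config map under spec.realm.userFederationProviders, as an added example that is not code from this thread or from the operator. It assumes the realm-export layout (a "components" map keyed by providerType), keeps only the CR fields shown in this thread (displayName, providerName, config), and substitutes a placeholder for the masked bindCredential so the secret never lands in a CR checked into git.

```python
"""Convert Keycloak LDAP federation settings, as returned by the Admin REST
API (or found in a realm export), into the flat config map of a KeycloakRealm
CR. Added example; not part of the keycloak-operator project."""
import json

USER_STORAGE = "org.keycloak.storage.UserStorageProvider"
SECRET_KEYS = {"bindCredential"}   # masked by the API; never copy it into a CR
STATE_KEYS = {"lastSync"}          # server-side state, not configuration

# Constructed sample, trimmed from the admin API response quoted in the thread.
SAMPLE_COMPONENT = json.loads("""{
  "id": "f1c1280e-4c63-4329-9b2e-edc5fad27ff9", "name": "ldap",
  "providerId": "ldap", "providerType": "org.keycloak.storage.UserStorageProvider",
  "parentId": "tadamo-realm",
  "config": {"vendor": ["rhds"], "connectionUrl": ["ldaps://ldap.example.com"],
             "bindDn": ["uid=user,ou=People,dc=example,dc=com"],
             "bindCredential": ["**********"], "lastSync": ["1656352519"],
             "editMode": ["READ_ONLY"], "priority": ["0"]}
}""")


def federation_components(doc):
    """Yield UserStorageProvider components from either a single component
    (REST API response, has providerType) or a realm export, whose
    'components' map is keyed by providerType (assumed export layout)."""
    if "providerType" in doc:
        if doc["providerType"] == USER_STORAGE:
            yield doc
        return
    for comp in doc.get("components", {}).get(USER_STORAGE, []):
        yield {**comp, "providerType": USER_STORAGE}


def to_cr_provider(component, secret_placeholder="<BIND_CREDENTIAL>"):
    """Flatten the single-element list values into plain strings, drop
    server state and replace the masked credential with a placeholder."""
    config = {}
    for key, values in component["config"].items():
        if key in STATE_KEYS:
            continue
        if key in SECRET_KEYS:
            config[key] = secret_placeholder
        elif len(values) == 1:
            config[key] = values[0]
        else:
            raise ValueError(f"{key}: expected one value, got {values!r}")
    return {"displayName": component["name"],
            "providerName": component["providerId"], "config": config}


def cr_providers(doc):
    """CR-ready userFederationProviders list for an API component or export."""
    return [to_cr_provider(c) for c in federation_components(doc)]


if __name__ == "__main__":
    print(json.dumps({"userFederationProviders": cr_providers(SAMPLE_COMPONENT)}, indent=2))
```

The printed JSON drops into the CR as YAML; fill the bindCredential placeholder from a Kubernetes Secret at deploy time rather than in the file.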

tadamo commented 2 years ago

@mjschmidt Thanks for the info; the export is a bit easier to look through. I do have rhds working, but I'm working with the Red Hat SSO product and my drop-down options are "Active Directory" or "Red Hat Directory Server"... so, I guess that's probably why.

mjschmidt commented 2 years ago

Looks like I got it working as well now.

stianst commented 1 year ago

Thanks (again) for reporting this issue. Keycloak 19 was the last version that included this legacy Operator, and with the release of Keycloak 20 the Operator reached EOL and this repository will be archived; please see our blog post on this topic. If this issue is still valid for the Realm Operator, please re-open it there. Thanks for your understanding. And be sure to check out our new Operator!