{ "name": "{{ KEYCLOAK_LDAP_CMP_NAME }}", "providerId": "ldap", "subComponents": { "org.keycloak.storage.ldap.mappers.LDAPStorageMapper": [ {# ---------------------- First Name ---------------------- #} { "name": "first name", "providerId": "user-attribute-ldap-mapper", "subComponents": {}, "config": { "ldap.attribute": [ "{{ ldap.user.attributes.firstname }}" ], "attribute.force.default": [ "true" ], "is.mandatory.in.ldap": [ "true" ], "is.binary.attribute": [ "false" ], "always.read.value.from.ldap": [ "true" ], "read.only": [ "false" ], "user.model.attribute": [ "firstName" ] } }, {# ---------------------- Last Name ----------------------- #} { "name": "last name", "providerId": "user-attribute-ldap-mapper", "subComponents": {}, "config": { "ldap.attribute": [ "{{ ldap.user.attributes.surname }}" ], "is.mandatory.in.ldap": [ "true" ], "always.read.value.from.ldap": [ "true" ], "read.only": [ "false" ], "user.model.attribute": [ "lastName" ] } }, {# ---------------------- Full Name (cn) ------------------ #} { "name": "full name", "providerId": "full-name-ldap-mapper", "subComponents": {}, "config": { "read.only": [ "false" ], "write.only": [ "true" ], "ldap.full.name.attribute": [ "{{ ldap.user.attributes.fullname }}" ] } }, {# ---------------------- Username ------------------------ #} { "name": "username", "providerId": "user-attribute-ldap-mapper", "subComponents": {}, "config": { "ldap.attribute": [ "{{ ldap.user.attributes.id }}" ], "is.mandatory.in.ldap": [ "true" ], "attribute.force.default": [ "false" ], "is.binary.attribute": [ "false" ], "always.read.value.from.ldap": [ "false" ], "read.only": [ "false" ], "user.model.attribute": [ "username" ] } }, {# ---------------------- Email --------------------------- #} { "name": "email", "providerId": "user-attribute-ldap-mapper", "subComponents": {}, "config": { "ldap.attribute": [ "{{ ldap.user.attributes.mail }}" ], "is.mandatory.in.ldap": [ "false" ], "read.only": [ "false" ], 
"always.read.value.from.ldap": [ "false" ], "user.model.attribute": [ "email" ] } }, {# ---------------------- SSH Public Key ------------------ #} { "name": "SSH Public Key", "providerId": "user-attribute-ldap-mapper", "subComponents": {}, "config": { "ldap.attribute": [ "{{ ldap.user.attributes.ssh_public_key }}" ], "is.mandatory.in.ldap": [ "false" ], "attribute.force.default": [ "false" ], "is.binary.attribute": [ "false" ], "read.only": [ "false" ], "always.read.value.from.ldap": [ "true" ], "user.model.attribute": [ "{{ ldap.user.attributes.ssh_public_key }}" ] } }, {# ---------------------- Nextcloud Quota ----------------- #} { "name": "{{ ldap.user.attributes.nextcloud_quota }}", "providerId": "user-attribute-ldap-mapper", "subComponents": {}, "config": { "ldap.attribute": [ "{{ ldap.user.attributes.nextcloud_quota }}" ], "is.mandatory.in.ldap": [ "false" ], "attribute.force.default": [ "false" ], "is.binary.attribute": [ "false" ], "always.read.value.from.ldap": [ "false" ], "read.only": [ "false" ], "user.model.attribute": [ "{{ ldap.user.attributes.nextcloud_quota }}" ] } }, {# ---------------------- Creation Date ------------------- #} { "name": "creation date", "providerId": "user-attribute-ldap-mapper", "subComponents": {}, "config": { "ldap.attribute": [ "createTimestamp" ], "is.mandatory.in.ldap": [ "false" ], "always.read.value.from.ldap": [ "true" ], "read.only": [ "true" ], "user.model.attribute": [ "createTimestamp" ] } }, {# ---------------------- Modify Date --------------------- #} { "name": "modify date", "providerId": "user-attribute-ldap-mapper", "subComponents": {}, "config": { "ldap.attribute": [ "modifyTimestamp" ], "is.mandatory.in.ldap": [ "false" ], "always.read.value.from.ldap": [ "true" ], "read.only": [ "true" ], "user.model.attribute": [ "modifyTimestamp" ] } }, {# ---------------------- LDAP Groups -> KC Groups -------- #} { "name": "ldap-roles", "providerId": "group-ldap-mapper", "subComponents": {}, "config": { 
"membership.attribute.type": [ "DN" ], "group.name.ldap.attribute": [ "cn" ], "membership.user.ldap.attribute": [ "{{ ldap.user.attributes.id }}" ], "preserve.group.inheritance": [ "true" ], "groups.dn": [ "{{ ldap.dn.ou.roles }}" ], "mode": [ "LDAP_ONLY" ], "user.roles.retrieve.strategy": [ "LOAD_GROUPS_BY_MEMBER_ATTRIBUTE" ], "groups.ldap.filter": [ "{% set flavors = ldap.rbac.flavors | default([]) %}\ {% if 'groupOfNames' in flavors and 'organizationalUnit' in flavors %}(|(objectClass=groupOfNames)(objectClass=organizationalUnit))\ {% elif 'groupOfNames' in flavors %}(objectClass=groupOfNames)\ {% elif 'organizationalUnit' in flavors %}(objectClass=organizationalUnit)\ {% else %}(objectClass=groupOfNames){% endif %}" ], "membership.ldap.attribute": [ "member" ], "ignore.missing.groups": [ "true" ], "group.object.classes": [ "groupOfNames" ], "memberof.ldap.attribute": [ "memberOf" ], "drop.non.existing.groups.during.sync": [ "false" ], "groups.path": [ "{{ applications | get_app_conf(application_id, 'rbac_groups', True) }}" ] } }{% if keycloak_map_ldap_realm_roles | default(false) %}, {# ---------------------- LDAP -> Realm Roles (optional) -- #} { "name": "ldap-realm-roles", "providerId": "role-ldap-mapper", "subComponents": {}, "config": { "mode": [ "LDAP_ONLY" ], "membership.attribute.type": [ "DN" ], "user.roles.retrieve.strategy": [ "LOAD_ROLES_BY_MEMBER_ATTRIBUTE" ], "roles.dn": [ "{{ ldap.dn.ou.roles }}" ], "membership.ldap.attribute": [ "member" ], "membership.user.ldap.attribute": [ "{{ ldap.user.attributes.id }}" ], "memberof.ldap.attribute": [ "memberOf" ], "role.name.ldap.attribute": [ "cn" ], "use.realm.roles.mapping": [ "true" ], "role.object.classes": [ "groupOfNames" ] } }{% endif %} ] }, "config": { "fullSyncPeriod": [ "-1" ], "pagination": [ "true" ], "connectionTrace": [ "false" ], "startTls": [ "false" ], "usersDn": [ "{{ ldap.dn.ou.users }}" ], "connectionPooling": [ "true" ], "cachePolicy": [ "DEFAULT" ], 
"useKerberosForPasswordAuthentication": [ "false" ], "importEnabled": [ "true" ], "enabled": [ "true" ], "bindCredential": [ "{{ ldap.bind_credential }}" ], "changedSyncPeriod": [ "-1" ], "usernameLDAPAttribute": [ "{{ ldap.user.attributes.id }}" ], "bindDn": [ "{{ ldap.dn.administrator.data }}" ], "vendor": [ "other" ], "uuidLDAPAttribute": [ "{{ ldap.user.attributes.id }}" ], "allowKerberosAuthentication": [ "false" ], "connectionUrl": [ "{{ ldap.server.uri }}" ], "syncRegistrations": [ "true" ], "authType": [ "simple" ], "krbPrincipalAttribute": [ "krb5PrincipalName" ], "searchScope": [ "1" ], "useTruststoreSpi": [ "always" ], "usePasswordModifyExtendedOp": [ "true" ], "trustEmail": [ "false" ], {# Build userObjectClasses from the structural classes plus the values of the auxiliary class map, comma-separated #} "userObjectClasses": [ "{{ (ldap.user.objects.structural + (ldap.user.objects.auxiliary | dict2items | map(attribute='value') | list)) | join(', ') }}" ], "rdnLDAPAttribute": [ "{{ ldap.user.attributes.id }}" ], "editMode": [ "WRITABLE" ], "validatePasswordPolicy": [ "false" ], {# Recommended: remove Keycloak users imported from LDAP (shadow users) that no longer exist in LDAP #} "removeInvalidUsersEnabled": [ "true" ] } }