diff --git a/docs/resources/ldap_msad_lds_user_account_control_mapper.md b/docs/resources/ldap_msad_lds_user_account_control_mapper.md index c480075b9..e3f96fc25 100644 --- a/docs/resources/ldap_msad_lds_user_account_control_mapper.md +++ b/docs/resources/ldap_msad_lds_user_account_control_mapper.md @@ -36,6 +36,7 @@ resource "keycloak_ldap_user_federation" "ldap_user_federation" { users_dn = "dc=example,dc=org" bind_dn = "cn=admin,dc=example,dc=org" bind_credential = "admin" + referral = "ignore" } resource "keycloak_ldap_msad_lds_user_account_control_mapper" "msad_lds_user_account_control_mapper" { diff --git a/docs/resources/ldap_msad_user_account_control_mapper.md b/docs/resources/ldap_msad_user_account_control_mapper.md index 1bfac1d28..43cefa1b4 100644 --- a/docs/resources/ldap_msad_user_account_control_mapper.md +++ b/docs/resources/ldap_msad_user_account_control_mapper.md @@ -36,6 +36,7 @@ resource "keycloak_ldap_user_federation" "ldap_user_federation" { users_dn = "dc=example,dc=org" bind_dn = "cn=admin,dc=example,dc=org" bind_credential = "admin" + referral = "ignore" } resource "keycloak_ldap_msad_user_account_control_mapper" "msad_user_account_control_mapper" { diff --git a/docs/resources/ldap_user_federation.md b/docs/resources/ldap_user_federation.md index a2b635b5d..37d56f267 100644 --- a/docs/resources/ldap_user_federation.md +++ b/docs/resources/ldap_user_federation.md @@ -35,6 +35,7 @@ resource "keycloak_ldap_user_federation" "ldap_user_federation" { users_dn = "dc=example,dc=org" bind_dn = "cn=admin,dc=example,dc=org" bind_credential = "admin" + referral = "ignore" connection_timeout = "5s" read_timeout = "10s" 
@@ -67,8 +68,11 @@ resource "keycloak_ldap_user_federation" "ldap_user_federation" { - `bind_credential` - (Optional) Password of LDAP admin. This attribute must be set if `bind_dn` is set. - `custom_user_search_filter` - (Optional) Additional LDAP filter for filtering searched users. Must begin with `(` and end with `)`. - `search_scope` - (Optional) Can be one of `ONE_LEVEL` or `SUBTREE`: - - `ONE_LEVEL`: Only search for users in the DN specified by `user_dn`. - - `SUBTREE`: Search entire LDAP subtree. + - `ONE_LEVEL`: Only search for users in the DN specified by `user_dn`. + - `SUBTREE`: Search entire LDAP subtree. +- `referral` - (Optional) Specifies if LDAP referrals should be followed or ignored. Can be one of `ignore` or `follow`: + - `ignore`: default mode. + - `follow`: follow ldaps, even untrusted ones. - `start_tls` - (Optional) When `true`, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling. - `use_password_modify_extended_op` - (Optional) When `true`, use the LDAPv3 Password Modify Extended Operation (RFC-3062). - `validate_password_policy` - (Optional) When `true`, Keycloak will validate passwords using the realm policy before updating it. diff --git a/keycloak/ldap_user_federation.go b/keycloak/ldap_user_federation.go index f05a64bed..7418f3053 100644 --- a/keycloak/ldap_user_federation.go +++ b/keycloak/ldap_user_federation.go @@ -30,6 +30,7 @@ type LdapUserFederation struct { BindCredential string CustomUserSearchFilter string // must start with '(' and end with ')' SearchScope string // api expects "1" or "2", but that means "One Level" or "Subtree" + Referral string StartTls bool UsePasswordModifyExtendedOp bool @@ -101,6 +102,9 @@ func convertFromLdapUserFederationToComponent(ldap *LdapUserFederation) (*compon "searchScope": { ldap.SearchScope, }, + "referral": { + ldap.Referral, + }, "startTls": { strconv.FormatBool(ldap.StartTls), }, 
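Review bot: The new `Referral string` field in `LdapUserFederation` is the only field in this run without a comment naming its expected values, while `SearchScope` and `CustomUserSearchFilter` right above it document theirs; suggest `Referral string // "ignore" or "follow"`, which are the two values the provider schema validates against. The struct definition starts before this hunk and continues past it.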
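Review bot: `"referral": {ldap.Referral}` is added to the `componentConfig` literal here, and hunk @@ -157 of the same file then assigns `componentConfig["referral"] = []string{ldap.Referral}` a second time with the same value, so one of the two writes is dead; keep the literal entry and drop the later assignment. Either way an empty `ldap.Referral` is sent to Keycloak as `""`, and only the read side (hunk @@ -346) maps an empty value back to `"ignore"`; for callers of the `keycloak` package that bypass the provider schema's default it may be worth writing `"ignore"` here as well, so the non-following default is enforced in one place rather than depending on how Keycloak interprets an empty value, which this diff does not show. `convertFromLdapUserFederationToComponent` begins before this hunk and continues past it.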
@@ -157,6 +161,7 @@ func convertFromLdapUserFederationToComponent(ldap *LdapUserFederation) (*compon } else { componentConfig["searchScope"] = []string{"2"} } + componentConfig["referral"] = []string{ldap.Referral} if ldap.CustomUserSearchFilter != "" { componentConfig["customUserSearchFilter"] = []string{ldap.CustomUserSearchFilter} @@ -321,6 +326,7 @@ func convertFromComponentToLdapUserFederation(component *component) (*LdapUserFe BindCredential: component.getConfig("bindCredential"), CustomUserSearchFilter: component.getConfig("customUserSearchFilter"), SearchScope: component.getConfig("searchScope"), + Referral: component.getConfig("referral"), StartTls: startTls, UsePasswordModifyExtendedOp: usePasswordModifyExtendedOp, @@ -346,6 +352,12 @@ func convertFromComponentToLdapUserFederation(component *component) (*LdapUserFe ldap.BindDn = bindDn } + if referral := component.getConfig("referral"); referral != "" { + ldap.Referral = referral + } else { + ldap.Referral = "ignore" + } + if bindCredential := component.getConfig("bindCredential"); bindCredential != "" { ldap.BindCredential = bindCredential } diff --git a/provider/resource_keycloak_hardcoded_attribute_mapper_test.go b/provider/resource_keycloak_hardcoded_attribute_mapper_test.go index 4e9b54c30..febaef161 100644 --- a/provider/resource_keycloak_hardcoded_attribute_mapper_test.go +++ b/provider/resource_keycloak_hardcoded_attribute_mapper_test.go @@ -152,6 +152,8 @@ resource "keycloak_ldap_user_federation" "openldap" { users_dn = "dc=example,dc=org" bind_dn = "cn=admin,dc=example,dc=org" bind_credential = "admin" + referral = "ignore" + } resource "keycloak_hardcoded_attribute_mapper" "hardcoded_attribute_mapper" { diff --git a/provider/resource_keycloak_ldap_custom_mapper_test.go b/provider/resource_keycloak_ldap_custom_mapper_test.go index f8cf8525b..6a5f3b1fa 100644 --- a/provider/resource_keycloak_ldap_custom_mapper_test.go +++ b/provider/resource_keycloak_ldap_custom_mapper_test.go 
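Review bot: `Referral: component.getConfig("referral")` in the struct literal (hunk @@ -321) is overwritten unconditionally by the new block in hunk @@ -346, which sets `ldap.Referral` to the config value or `"ignore"`, so the literal initialiser is dead and should be removed to leave the fallback in one place. Falling back to `"ignore"` when Keycloak returns no value looks like the right choice: it matches the schema default, should avoid a perpetual plan diff on federations created before this attribute existed, and keeps the default on the side that does not follow referrals to servers the operator never configured. `convertFromComponentToLdapUserFederation` starts before these hunks and continues after them.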
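Review bot: The fixture hunk in `resource_keycloak_hardcoded_attribute_mapper_test.go` adds an empty line after `referral = "ignore"`, so the block now ends with a blank line before `}`, unlike the other `keycloak_ldap_user_federation` fixtures in this diff; the same stray blank line (twice in one case) appears in the `resource_keycloak_ldap_custom_mapper_test.go` and `resource_keycloak_ldap_full_name_mapper_test.go` fixtures. Drop the blank lines so the fixtures stay uniform. Since the schema defaults `referral` to `"ignore"`, the explicit `referral = "ignore"` in every fixture is redundant for the provider, though harmless if the intent is to pin the value in the acceptance tests.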
@@ -202,6 +202,7 @@ resource "keycloak_ldap_user_federation" "openldap" { users_dn = "dc=example,dc=org" bind_dn = "cn=admin,dc=example,dc=org" bind_credential = "admin" + referral = "ignore" } resource "keycloak_ldap_custom_mapper" "sample_mapper" { @@ -242,6 +243,8 @@ resource "keycloak_ldap_user_federation" "openldap" { users_dn = "dc=example,dc=org" bind_dn = "cn=admin,dc=example,dc=org" bind_credential = "admin" + referral = "ignore" + } resource "keycloak_ldap_custom_mapper" "sample_mapper" { @@ -283,6 +286,8 @@ resource "keycloak_ldap_user_federation" "openldap_one" { users_dn = "dc=example,dc=org" bind_dn = "cn=admin,dc=example,dc=org" bind_credential = "admin" + referral = "ignore" + } resource "keycloak_ldap_user_federation" "openldap_two" { @@ -302,6 +307,8 @@ resource "keycloak_ldap_user_federation" "openldap_two" { users_dn = "dc=example,dc=org" bind_dn = "cn=admin,dc=example,dc=org" bind_credential = "admin" + referral = "ignore" + } resource "keycloak_ldap_custom_mapper" "sample_mapper" { @@ -342,6 +349,9 @@ resource "keycloak_ldap_user_federation" "openldap_one" { users_dn = "dc=example,dc=org" bind_dn = "cn=admin,dc=example,dc=org" bind_credential = "admin" + referral = "ignore" + + } resource "keycloak_ldap_user_federation" "openldap_two" { @@ -361,6 +371,8 @@ resource "keycloak_ldap_user_federation" "openldap_two" { users_dn = "dc=example,dc=org" bind_dn = "cn=admin,dc=example,dc=org" bind_credential = "admin" + referral = "ignore" + } resource "keycloak_ldap_custom_mapper" "sample_mapper" { diff --git a/provider/resource_keycloak_ldap_full_name_mapper_test.go b/provider/resource_keycloak_ldap_full_name_mapper_test.go index 506ae6e44..59e1c3e4f 100644 --- a/provider/resource_keycloak_ldap_full_name_mapper_test.go +++ b/provider/resource_keycloak_ldap_full_name_mapper_test.go 
@@ -2,12 +2,13 @@ package provider import ( "fmt" + "regexp" + "testing" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" "github.com/hashicorp/terraform-plugin-sdk/v2/terraform" "github.com/keycloak/terraform-provider-keycloak/keycloak" - "regexp" - "testing" ) func TestAccKeycloakLdapFullNameMapper_basic(t *testing.T) { @@ -110,6 +111,7 @@ func TestAccKeycloakLdapFullNameMapper_writableValidation(t *testing.T) { } func TestAccKeycloakLdapFullNameMapper_updateLdapUserFederation(t *testing.T) { + skipIfVersionIsLessThan(testCtx, t, keycloakClient, keycloak.Version_24) t.Parallel() mapperName := acctest.RandomWithPrefix("tf-acc") @@ -231,6 +233,8 @@ resource "keycloak_ldap_user_federation" "openldap" { users_dn = "dc=example,dc=org" bind_dn = "cn=admin,dc=example,dc=org" bind_credential = "admin" + referral = "ignore" + } resource "keycloak_ldap_full_name_mapper" "full_name_mapper" { @@ -266,6 +270,8 @@ resource "keycloak_ldap_user_federation" "openldap" { users_dn = "dc=example,dc=org" bind_dn = "cn=admin,dc=example,dc=org" bind_credential = "admin" + referral = "ignore" + } resource "keycloak_ldap_full_name_mapper" "full_name_mapper" { @@ -307,6 +313,8 @@ resource "keycloak_ldap_user_federation" "openldap_one" { users_dn = "dc=example,dc=org" bind_dn = "cn=admin,dc=example,dc=org" bind_credential = "admin" + referral = "ignore" + } resource "keycloak_ldap_user_federation" "openldap_two" { @@ -326,6 +334,8 @@ resource "keycloak_ldap_user_federation" "openldap_two" { users_dn = "dc=example,dc=org" bind_dn = "cn=admin,dc=example,dc=org" bind_credential = "admin" + referral = "ignore" + } resource "keycloak_ldap_full_name_mapper" "full_name_mapper" { 
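Review bot: The `skipIfVersionIsLessThan(testCtx, t, keycloakClient, keycloak.Version_24)` gate added to `TestAccKeycloakLdapFullNameMapper_updateLdapUserFederation` carries no explanation of why this test now needs Keycloak 24, and nothing else in the diff connects the referral attribute to that version; the same undocumented gate is added to `TestAccKeycloakLdapGroupMapper_basic`, `TestAccKeycloakLdapGroupMapper_createAfterManualDestroy`, `TestAccKeycloakLdapRoleMapper_basic` and the two `TestAccKeycloakLdapUserAttributeMapper_*` tests. A one-line comment above the call stating the reason would save the next maintainer from lowering the gate blindly. The import regrouping in the same file is the standard goimports layout and is fine.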
@@ -365,6 +375,8 @@ resource "keycloak_ldap_user_federation" "openldap_one" { users_dn = "dc=example,dc=org" bind_dn = "cn=admin,dc=example,dc=org" bind_credential = "admin" + referral = "ignore" + } resource "keycloak_ldap_user_federation" "openldap_two" { @@ -384,6 +396,8 @@ resource "keycloak_ldap_user_federation" "openldap_two" { users_dn = "dc=example,dc=org" bind_dn = "cn=admin,dc=example,dc=org" bind_credential = "admin" + referral = "ignore" + } resource "keycloak_ldap_full_name_mapper" "full_name_mapper" { @@ -420,6 +434,8 @@ resource "keycloak_ldap_user_federation" "openldap" { users_dn = "dc=example,dc=org" bind_dn = "cn=admin,dc=example,dc=org" bind_credential = "admin" + referral = "ignore" + } resource "keycloak_ldap_full_name_mapper" "full_name_mapper" { @@ -457,6 +473,8 @@ resource "keycloak_ldap_user_federation" "openldap" { users_dn = "dc=example,dc=org" bind_dn = "cn=admin,dc=example,dc=org" bind_credential = "admin" + referral = "ignore" + } resource "keycloak_ldap_full_name_mapper" "full_name_mapper" { diff --git a/provider/resource_keycloak_ldap_group_mapper_test.go b/provider/resource_keycloak_ldap_group_mapper_test.go index 26e7822af..38918b9c6 100644 --- a/provider/resource_keycloak_ldap_group_mapper_test.go +++ b/provider/resource_keycloak_ldap_group_mapper_test.go @@ -2,15 +2,17 @@ package provider import ( "fmt" + "regexp" + "testing" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" "github.com/hashicorp/terraform-plugin-sdk/v2/terraform" "github.com/keycloak/terraform-provider-keycloak/keycloak" - "regexp" - "testing" ) func TestAccKeycloakLdapGroupMapper_basic(t *testing.T) { + skipIfVersionIsLessThan(testCtx, t, keycloakClient, keycloak.Version_24) t.Parallel() groupMapperName := acctest.RandomWithPrefix("tf-acc") 
@@ -35,6 +37,7 @@ func TestAccKeycloakLdapGroupMapper_basic(t *testing.T) { } func TestAccKeycloakLdapGroupMapper_createAfterManualDestroy(t *testing.T) { + skipIfVersionIsLessThan(testCtx, t, keycloakClient, keycloak.Version_24) t.Parallel() var mapper = &keycloak.LdapGroupMapper{} @@ -367,6 +370,7 @@ resource "keycloak_ldap_user_federation" "openldap" { users_dn = "dc=example,dc=org" bind_dn = "cn=admin,dc=example,dc=org" bind_credential = "admin" + referral = "ignore" } resource "keycloak_ldap_group_mapper" "group_mapper" { @@ -410,6 +414,7 @@ resource "keycloak_ldap_user_federation" "openldap" { users_dn = "dc=example,dc=org" bind_dn = "cn=admin,dc=example,dc=org" bind_credential = "admin" + referral = "ignore" } resource "keycloak_ldap_group_mapper" "group_mapper" { @@ -455,6 +460,7 @@ resource "keycloak_ldap_user_federation" "openldap" { users_dn = "dc=example,dc=org" bind_dn = "cn=admin,dc=example,dc=org" bind_credential = "admin" + referral = "ignore" } resource "keycloak_ldap_group_mapper" "group_mapper" { @@ -501,6 +507,7 @@ resource "keycloak_ldap_user_federation" "openldap" { users_dn = "dc=example,dc=org" bind_dn = "cn=admin,dc=example,dc=org" bind_credential = "admin" + referral = "ignore" } resource "keycloak_ldap_group_mapper" "group_mapper" { @@ -553,6 +560,7 @@ resource "keycloak_ldap_user_federation" "openldap_one" { users_dn = "dc=example,dc=org" bind_dn = "cn=admin,dc=example,dc=org" bind_credential = "admin" + referral = "ignore" } resource "keycloak_ldap_user_federation" "openldap_two" { @@ -572,6 +580,7 @@ resource "keycloak_ldap_user_federation" "openldap_two" { users_dn = "dc=example,dc=org" bind_dn = "cn=admin,dc=example,dc=org" bind_credential = "admin" + referral = "ignore" } resource "keycloak_ldap_group_mapper" "group_mapper" { 
@@ -620,6 +629,7 @@ resource "keycloak_ldap_user_federation" "openldap_one" { users_dn = "dc=example,dc=org" bind_dn = "cn=admin,dc=example,dc=org" bind_credential = "admin" + referral = "ignore" } resource "keycloak_ldap_user_federation" "openldap_two" { @@ -639,6 +649,7 @@ resource "keycloak_ldap_user_federation" "openldap_two" { users_dn = "dc=example,dc=org" bind_dn = "cn=admin,dc=example,dc=org" bind_credential = "admin" + referral = "ignore" } resource "keycloak_ldap_group_mapper" "group_mapper" { @@ -687,6 +698,7 @@ resource "keycloak_ldap_user_federation" "openldap" { users_dn = "dc=example,dc=org" bind_dn = "cn=admin,dc=example,dc=org" bind_credential = "admin" + referral = "ignore" } resource "keycloak_ldap_group_mapper" "group_mapper" { diff --git a/provider/resource_keycloak_ldap_hardcoded_attribute_mapper_test.go b/provider/resource_keycloak_ldap_hardcoded_attribute_mapper_test.go index f42c026f8..f6d945beb 100644 --- a/provider/resource_keycloak_ldap_hardcoded_attribute_mapper_test.go +++ b/provider/resource_keycloak_ldap_hardcoded_attribute_mapper_test.go @@ -152,6 +152,7 @@ resource "keycloak_ldap_user_federation" "openldap" { users_dn = "dc=example,dc=org" bind_dn = "cn=admin,dc=example,dc=org" bind_credential = "admin" + referral = "ignore" } resource "keycloak_ldap_hardcoded_attribute_mapper" "hardcoded_attribute_mapper" { diff --git a/provider/resource_keycloak_ldap_hardcoded_group_mapper_test.go b/provider/resource_keycloak_ldap_hardcoded_group_mapper_test.go index d226c8980..21adc6e55 100644 --- a/provider/resource_keycloak_ldap_hardcoded_group_mapper_test.go +++ b/provider/resource_keycloak_ldap_hardcoded_group_mapper_test.go @@ -149,6 +149,7 @@ resource "keycloak_ldap_user_federation" "openldap" { users_dn = "dc=example,dc=org" bind_dn = "cn=admin,dc=example,dc=org" bind_credential = "admin" + referral = "ignore" } resource "keycloak_group" "hardcoded_group_mapper_test" { 
diff --git a/provider/resource_keycloak_ldap_hardcoded_role_mapper_test.go b/provider/resource_keycloak_ldap_hardcoded_role_mapper_test.go index 9805540a3..a8d229809 100644 --- a/provider/resource_keycloak_ldap_hardcoded_role_mapper_test.go +++ b/provider/resource_keycloak_ldap_hardcoded_role_mapper_test.go @@ -149,6 +149,7 @@ resource "keycloak_ldap_user_federation" "openldap" { users_dn = "dc=example,dc=org" bind_dn = "cn=admin,dc=example,dc=org" bind_credential = "admin" + referral = "ignore" } resource "keycloak_role" "hardcoded_role_mapper_test" { diff --git a/provider/resource_keycloak_ldap_msad_lds_user_account_control_mapper_test.go b/provider/resource_keycloak_ldap_msad_lds_user_account_control_mapper_test.go index e04aca54a..6d589e873 100644 --- a/provider/resource_keycloak_ldap_msad_lds_user_account_control_mapper_test.go +++ b/provider/resource_keycloak_ldap_msad_lds_user_account_control_mapper_test.go @@ -168,6 +168,7 @@ resource "keycloak_ldap_user_federation" "openldap" { users_dn = "dc=example,dc=org" bind_dn = "cn=admin,dc=example,dc=org" bind_credential = "admin" + referral = "ignore" } resource "keycloak_ldap_msad_lds_user_account_control_mapper" "uac_mapper" { @@ -203,6 +204,7 @@ resource "keycloak_ldap_user_federation" "openldap_one" { users_dn = "dc=example,dc=org" bind_dn = "cn=admin,dc=example,dc=org" bind_credential = "admin" + referral = "ignore" } resource "keycloak_ldap_user_federation" "openldap_two" { @@ -220,6 +222,7 @@ resource "keycloak_ldap_user_federation" "openldap_two" { users_dn = "dc=example,dc=org" bind_dn = "cn=admin,dc=example,dc=org" bind_credential = "admin" + referral = "ignore" } resource "keycloak_ldap_msad_lds_user_account_control_mapper" "uac_mapper" { @@ -255,6 +258,7 @@ resource "keycloak_ldap_user_federation" "openldap_one" { users_dn = "dc=example,dc=org" bind_dn = "cn=admin,dc=example,dc=org" bind_credential = "admin" + referral = "ignore" } resource "keycloak_ldap_user_federation" "openldap_two" { 
@@ -272,6 +276,7 @@ resource "keycloak_ldap_user_federation" "openldap_two" { users_dn = "dc=example,dc=org" bind_dn = "cn=admin,dc=example,dc=org" bind_credential = "admin" + referral = "ignore" } resource "keycloak_ldap_msad_lds_user_account_control_mapper" "uac_mapper" { diff --git a/provider/resource_keycloak_ldap_msad_user_account_control_mapper_test.go b/provider/resource_keycloak_ldap_msad_user_account_control_mapper_test.go index d01b8d15c..8034c160e 100644 --- a/provider/resource_keycloak_ldap_msad_user_account_control_mapper_test.go +++ b/provider/resource_keycloak_ldap_msad_user_account_control_mapper_test.go @@ -192,6 +192,7 @@ resource "keycloak_ldap_user_federation" "openldap" { users_dn = "dc=example,dc=org" bind_dn = "cn=admin,dc=example,dc=org" bind_credential = "admin" + referral = "ignore" } resource "keycloak_ldap_msad_user_account_control_mapper" "uac_mapper" { @@ -231,6 +232,7 @@ resource "keycloak_ldap_user_federation" "openldap_one" { users_dn = "dc=example,dc=org" bind_dn = "cn=admin,dc=example,dc=org" bind_credential = "admin" + referral = "ignore" } resource "keycloak_ldap_user_federation" "openldap_two" { @@ -250,6 +252,7 @@ resource "keycloak_ldap_user_federation" "openldap_two" { users_dn = "dc=example,dc=org" bind_dn = "cn=admin,dc=example,dc=org" bind_credential = "admin" + referral = "ignore" } resource "keycloak_ldap_msad_user_account_control_mapper" "uac_mapper" { @@ -287,6 +290,7 @@ resource "keycloak_ldap_user_federation" "openldap_one" { users_dn = "dc=example,dc=org" bind_dn = "cn=admin,dc=example,dc=org" bind_credential = "admin" + referral = "ignore" } resource "keycloak_ldap_user_federation" "openldap_two" { @@ -306,6 +310,7 @@ resource "keycloak_ldap_user_federation" "openldap_two" { users_dn = "dc=example,dc=org" bind_dn = "cn=admin,dc=example,dc=org" bind_credential = "admin" + referral = "ignore" } resource "keycloak_ldap_msad_user_account_control_mapper" "uac_mapper" { 
diff --git a/provider/resource_keycloak_ldap_role_mapper_test.go b/provider/resource_keycloak_ldap_role_mapper_test.go index c907d0c13..76a3cba97 100644 --- a/provider/resource_keycloak_ldap_role_mapper_test.go +++ b/provider/resource_keycloak_ldap_role_mapper_test.go @@ -2,15 +2,17 @@ package provider import ( "fmt" + "regexp" + "testing" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" "github.com/hashicorp/terraform-plugin-sdk/v2/terraform" "github.com/keycloak/terraform-provider-keycloak/keycloak" - "regexp" - "testing" ) func TestAccKeycloakLdapRoleMapper_basic(t *testing.T) { + skipIfVersionIsLessThan(testCtx, t, keycloakClient, keycloak.Version_24) t.Parallel() roleMapperName := acctest.RandomWithPrefix("tf-acc") @@ -320,6 +322,7 @@ resource "keycloak_ldap_user_federation" "openldap" { users_dn = "dc=example,dc=org" bind_dn = "cn=admin,dc=example,dc=org" bind_credential = "admin" + referral = "ignore" } resource "keycloak_ldap_role_mapper" "role_mapper" { @@ -362,6 +365,7 @@ resource "keycloak_ldap_user_federation" "openldap" { users_dn = "dc=example,dc=org" bind_dn = "cn=admin,dc=example,dc=org" bind_credential = "admin" + referral = "ignore" } resource "keycloak_ldap_role_mapper" "role_mapper" { @@ -406,6 +410,7 @@ resource "keycloak_ldap_user_federation" "openldap" { users_dn = "dc=example,dc=org" bind_dn = "cn=admin,dc=example,dc=org" bind_credential = "admin" + referral = "ignore" } resource "keycloak_ldap_role_mapper" "role_mapper" { @@ -456,6 +461,7 @@ resource "keycloak_ldap_user_federation" "openldap_one" { users_dn = "dc=example,dc=org" bind_dn = "cn=admin,dc=example,dc=org" bind_credential = "admin" + referral = "ignore" } resource "keycloak_ldap_user_federation" "openldap_two" { 
@@ -475,6 +481,7 @@ resource "keycloak_ldap_user_federation" "openldap_two" { users_dn = "dc=example,dc=org" bind_dn = "cn=admin,dc=example,dc=org" bind_credential = "admin" + referral = "ignore" } resource "keycloak_ldap_role_mapper" "role_mapper" { @@ -522,6 +529,7 @@ resource "keycloak_ldap_user_federation" "openldap_one" { users_dn = "dc=example,dc=org" bind_dn = "cn=admin,dc=example,dc=org" bind_credential = "admin" + referral = "ignore" } resource "keycloak_ldap_user_federation" "openldap_two" { @@ -541,6 +549,7 @@ resource "keycloak_ldap_user_federation" "openldap_two" { users_dn = "dc=example,dc=org" bind_dn = "cn=admin,dc=example,dc=org" bind_credential = "admin" + referral = "ignore" } resource "keycloak_ldap_role_mapper" "role_mapper" { diff --git a/provider/resource_keycloak_ldap_user_attribute_mapper_test.go b/provider/resource_keycloak_ldap_user_attribute_mapper_test.go index 05407f095..bd1a9788e 100644 --- a/provider/resource_keycloak_ldap_user_attribute_mapper_test.go +++ b/provider/resource_keycloak_ldap_user_attribute_mapper_test.go @@ -66,7 +66,7 @@ func TestAccKeycloakLdapUserAttributeMapper_createAfterManualDestroy(t *testing. func TestAccKeycloakLdapUserAttributeMapper_updateLdapUserFederation(t *testing.T) { t.Parallel() - + skipIfVersionIsLessThan(testCtx, t, keycloakClient, keycloak.Version_24) userAttributeMapperName := acctest.RandomWithPrefix("tf-acc") resource.Test(t, resource.TestCase{ @@ -87,6 +87,7 @@ func TestAccKeycloakLdapUserAttributeMapper_updateLdapUserFederation(t *testing. } func TestAccKeycloakLdapUserAttributeMapper_updateInPlace(t *testing.T) { + skipIfVersionIsLessThan(testCtx, t, keycloakClient, keycloak.Version_24) t.Parallel() userAttributeMapperBefore := &keycloak.LdapUserAttributeMapper{ 
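Review bot: In `TestAccKeycloakLdapUserAttributeMapper_updateLdapUserFederation` the new `skipIfVersionIsLessThan(...)` call replaces the blank line after `t.Parallel()`, whereas every other test touched by this diff calls it before `t.Parallel()`; move it up to match, `skipIfVersionIsLessThan(testCtx, t, keycloakClient, keycloak.Version_24)` followed by `t.Parallel()`, and keep the blank line before `userAttributeMapperName`. Skipping after `t.Parallel()` still works, so this is purely about consistency with the sibling tests.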
@@ -214,6 +215,7 @@ resource "keycloak_ldap_user_federation" "openldap" { users_dn = "dc=example,dc=org" bind_dn = "cn=admin,dc=example,dc=org" bind_credential = "admin" + referral = "ignore" } resource "keycloak_ldap_user_attribute_mapper" "username" { @@ -250,6 +252,7 @@ resource "keycloak_ldap_user_federation" "openldap" { users_dn = "dc=example,dc=org" bind_dn = "cn=admin,dc=example,dc=org" bind_credential = "admin" + referral = "ignore" } resource "keycloak_ldap_user_attribute_mapper" "username" { @@ -298,6 +301,7 @@ resource "keycloak_ldap_user_federation" "openldap_one" { users_dn = "dc=example,dc=org" bind_dn = "cn=admin,dc=example,dc=org" bind_credential = "admin" + referral = "ignore" } resource "keycloak_ldap_user_federation" "openldap_two" { @@ -317,6 +321,7 @@ resource "keycloak_ldap_user_federation" "openldap_two" { users_dn = "dc=example,dc=org" bind_dn = "cn=admin,dc=example,dc=org" bind_credential = "admin" + referral = "ignore" } resource "keycloak_ldap_user_attribute_mapper" "username" { @@ -357,6 +362,7 @@ resource "keycloak_ldap_user_federation" "openldap_one" { users_dn = "dc=example,dc=org" bind_dn = "cn=admin,dc=example,dc=org" bind_credential = "admin" + referral = "ignore" } resource "keycloak_ldap_user_federation" "openldap_two" { @@ -376,6 +382,7 @@ resource "keycloak_ldap_user_federation" "openldap_two" { users_dn = "dc=example,dc=org" bind_dn = "cn=admin,dc=example,dc=org" bind_credential = "admin" + referral = "ignore" } resource "keycloak_ldap_user_attribute_mapper" "username" { diff --git a/provider/resource_keycloak_ldap_user_federation.go b/provider/resource_keycloak_ldap_user_federation.go index 385b8dd3b..c877e43bb 100644 --- a/provider/resource_keycloak_ldap_user_federation.go +++ b/provider/resource_keycloak_ldap_user_federation.go 
@@ -4,9 +4,10 @@ import ( "context" "errors" "fmt" - "github.com/hashicorp/terraform-plugin-sdk/v2/diag" "strings" + "github.com/hashicorp/terraform-plugin-sdk/v2/diag" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation" "github.com/keycloak/terraform-provider-keycloak/keycloak" @@ -16,6 +17,7 @@ var ( keycloakLdapUserFederationEditModes = []string{"READ_ONLY", "WRITABLE", "UNSYNCED"} keycloakLdapUserFederationVendors = []string{"OTHER", "EDIRECTORY", "AD", "RHDS", "TIVOLI"} keycloakLdapUserFederationSearchScopes = []string{"ONE_LEVEL", "SUBTREE"} + keycloakLdapUserFederationReferral = []string{"ignore", "follow"} keycloakLdapUserFederationTruststoreSpiSettings = []string{"ALWAYS", "ONLY_FOR_LDAPS", "NEVER"} keycloakUserFederationCachePolicies = []string{"DEFAULT", "EVICT_DAILY", "EVICT_WEEKLY", "MAX_LIFESPAN", "NO_CACHE"} ) @@ -140,6 +142,13 @@ func resourceKeycloakLdapUserFederation() *schema.Resource { ValidateFunc: validation.StringInSlice(keycloakLdapUserFederationSearchScopes, false), Description: "ONE_LEVEL: only search for users in the DN specified by user_dn. SUBTREE: search entire LDAP subtree.", }, + "referral": { + Type: schema.TypeString, + Optional: true, + Default: "ignore", + ValidateFunc: validation.StringInSlice(keycloakLdapUserFederationReferral, false), + Description: "Specifies if LDAP referrals should be followed or ignored. Please note that enabling referrals can slow down authentication as it allows the LDAP server to decide which other LDAP servers to use. This could potentially include untrusted servers.", + }, "start_tls": { Type: schema.TypeBool, 
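Review bot: The new list is named `keycloakLdapUserFederationReferral` while its siblings on the neighbouring lines are plural (`...EditModes`, `...Vendors`, `...SearchScopes`, `...TruststoreSpiSettings`); rename it `keycloakLdapUserFederationReferrals` and update the `ValidateFunc` in the `referral` schema entry accordingly. The schema entry itself is sound: `Default: "ignore"` keeps new federations on the non-following side unless the operator opts in, `validation.StringInSlice(..., false)` rejects anything but the two documented values, and the Description's warning about untrusted servers is worth keeping in the generated docs. The hand-written entry in `docs/resources/ldap_user_federation.md` says `follow ldaps, even untrusted ones`, which reads like a typo for `follow referrals`; worth fixing in the same change.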
@@ -339,6 +348,7 @@ func getLdapUserFederationFromData(data *schema.ResourceData, realmInternalId st BindCredential: data.Get("bind_credential").(string), CustomUserSearchFilter: data.Get("custom_user_search_filter").(string), SearchScope: data.Get("search_scope").(string), + Referral: data.Get("referral").(string), StartTls: data.Get("start_tls").(bool), UsePasswordModifyExtendedOp: data.Get("use_password_modify_extended_op").(bool), @@ -410,6 +420,7 @@ func setLdapUserFederationData(data *schema.ResourceData, ldap *keycloak.LdapUse data.Set("bind_credential", ldap.BindCredential) data.Set("custom_user_search_filter", ldap.CustomUserSearchFilter) data.Set("search_scope", ldap.SearchScope) + data.Set("referral", ldap.Referral) data.Set("start_tls", ldap.StartTls) data.Set("use_password_modify_extended_op", ldap.UsePasswordModifyExtendedOp) diff --git a/provider/resource_keycloak_ldap_user_federation_test.go b/provider/resource_keycloak_ldap_user_federation_test.go index 49877664e..ff87938b3 100644 --- a/provider/resource_keycloak_ldap_user_federation_test.go +++ b/provider/resource_keycloak_ldap_user_federation_test.go @@ -181,6 +181,7 @@ func generateRandomLdapKerberos(enabled bool) *keycloak.LdapUserFederation { EvictionHour: &evictionHour, EvictionMinute: &evictionMinute, EditMode: "WRITABLE", + //Referral: "ignore", } } @@ -666,6 +667,7 @@ resource "keycloak_ldap_user_federation" "openldap" { users_dn = "dc=example,dc=org" bind_dn = "cn=admin,dc=example,dc=org" bind_credential = "admin" + referral = "ignore" } `, testAccRealmUserFederation.Realm, ldap) } @@ -749,6 +751,7 @@ resource "keycloak_ldap_user_federation" "openldap" { users_dn = "dc=example,dc=org" bind_dn = "cn=admin,dc=example,dc=org" bind_credential = "admin" + referral = "ignore" } `, testAccRealmUserFederation.Realm, ldap, attr, val) } 
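Review bot: The commented-out `//Referral: "ignore",` added to `generateRandomLdapKerberos` in `resource_keycloak_ldap_user_federation_test.go` is dead code; either set `Referral: "ignore",` so the generated struct matches what `convertFromComponentToLdapUserFederation` reads back, or delete the line. If this helper's struct is compared against the value read from the server somewhere outside the hunk, leaving `Referral` empty while the read side defaults to `"ignore"` could make that comparison fail, which is worth checking against the assertions that use it. The `getLdapUserFederationFromData` and `setLdapUserFederationData` hunks in this line are straightforward.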
@@ -766,6 +769,7 @@ resource "keycloak_ldap_user_federation" "openldap" { enabled = true bind_credential = "admin" + referral = "ignore" username_ldap_attribute = "cn" rdn_ldap_attribute = "cn" @@ -830,6 +834,7 @@ resource "keycloak_ldap_user_federation" "openldap" { users_dn = "dc=example,dc=org" bind_dn = "cn=admin,dc=example,dc=org" bind_credential = "admin" + referral = "ignore" full_sync_period = %d changed_sync_period = %d @@ -860,6 +865,7 @@ resource "keycloak_ldap_user_federation" "openldap" { users_dn = "dc=example,dc=org" bind_dn = "cn=admin,dc=example,dc=org" bind_credential = "admin" + referral = "ignore" connection_timeout = "10s" read_timeout = "5s" @@ -942,6 +948,7 @@ resource "keycloak_ldap_user_federation" "openldap" { users_dn = "dc=example,dc=org" bind_dn = "cn=admin,dc=example,dc=org" bind_credential = "admin" + referral = "ignore" delete_default_mappers = true }