commit for referral addition

docs/resources/ldap_msad_lds_user_account_control_mapper.md

@@ -36,6 +36,7 @@ resource "keycloak_ldap_user_federation" "ldap_user_federation" {
   users_dn                = "dc=example,dc=org"
   bind_dn                 = "cn=admin,dc=example,dc=org"
   bind_credential         = "admin"
+    referral                     = "ignore"
 }
 
 resource "keycloak_ldap_msad_lds_user_account_control_mapper" "msad_lds_user_account_control_mapper" {

docs/resources/ldap_msad_user_account_control_mapper.md

@@ -36,6 +36,7 @@ resource "keycloak_ldap_user_federation" "ldap_user_federation" {
   users_dn                = "dc=example,dc=org"
   bind_dn                 = "cn=admin,dc=example,dc=org"
   bind_credential         = "admin"
+    referral                     = "ignore"
 }
 
 resource "keycloak_ldap_msad_user_account_control_mapper" "msad_user_account_control_mapper" {

docs/resources/ldap_user_federation.md

@@ -35,6 +35,7 @@ resource "keycloak_ldap_user_federation" "ldap_user_federation" {
   users_dn                = "dc=example,dc=org"
   bind_dn                 = "cn=admin,dc=example,dc=org"
   bind_credential         = "admin"
+    referral                     = "ignore"
 
   connection_timeout = "5s"
   read_timeout       = "10s"
@@ -67,8 +68,11 @@ resource "keycloak_ldap_user_federation" "ldap_user_federation" {
 - `bind_credential` - (Optional) Password of LDAP admin. This attribute must be set if `bind_dn` is set.
 - `custom_user_search_filter` - (Optional) Additional LDAP filter for filtering searched users. Must begin with `(` and end with `)`.
 - `search_scope` - (Optional) Can be one of `ONE_LEVEL` or `SUBTREE`:
-    - `ONE_LEVEL`: Only search for users in the DN specified by `user_dn`.
-    - `SUBTREE`: Search entire LDAP subtree.
+	- `ONE_LEVEL`: Only search for users in the DN specified by `user_dn`.
+	- `SUBTREE`: Search entire LDAP subtree.
+- `referral` - (Optional) Specifies if LDAP referrals should be followed or ignored. Can be one of `ignore` or `follow`:
+	- `ignore`: default mode.
+	- `follow`: follow ldaps, even untrusted ones.
 - `start_tls` - (Optional) When `true`, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling.
 - `use_password_modify_extended_op` - (Optional) When `true`, use the LDAPv3 Password Modify Extended Operation (RFC-3062).
 - `validate_password_policy` - (Optional) When `true`, Keycloak will validate passwords using the realm policy before updating it.

keycloak/ldap_user_federation.go

@@ -30,6 +30,7 @@ type LdapUserFederation struct {
 	BindCredential         string
 	CustomUserSearchFilter string // must start with '(' and end with ')'
 	SearchScope            string // api expects "1" or "2", but that means "One Level" or "Subtree"
+	Referral               string
 
 	StartTls                    bool
 	UsePasswordModifyExtendedOp bool
@@ -101,6 +102,9 @@ func convertFromLdapUserFederationToComponent(ldap *LdapUserFederation) (*compon
 		"searchScope": {
 			ldap.SearchScope,
 		},
+		"referral": {
+			ldap.Referral,
+		},
 		"startTls": {
 			strconv.FormatBool(ldap.StartTls),
 		},
@@ -157,6 +161,7 @@ func convertFromLdapUserFederationToComponent(ldap *LdapUserFederation) (*compon
 	} else {
 		componentConfig["searchScope"] = []string{"2"}
 	}
+	componentConfig["referral"] = []string{ldap.Referral}
 
 	if ldap.CustomUserSearchFilter != "" {
 		componentConfig["customUserSearchFilter"] = []string{ldap.CustomUserSearchFilter}
@@ -321,6 +326,7 @@ func convertFromComponentToLdapUserFederation(component *component) (*LdapUserFe
 		BindCredential:         component.getConfig("bindCredential"),
 		CustomUserSearchFilter: component.getConfig("customUserSearchFilter"),
 		SearchScope:            component.getConfig("searchScope"),
+		Referral:               component.getConfig("referral"),
 
 		StartTls:                    startTls,
 		UsePasswordModifyExtendedOp: usePasswordModifyExtendedOp,
@@ -346,6 +352,12 @@ func convertFromComponentToLdapUserFederation(component *component) (*LdapUserFe
 		ldap.BindDn = bindDn
 	}
 
+	if referral := component.getConfig("referral"); referral != "" {
+		ldap.Referral = referral
+	} else {
+		ldap.Referral = "ignore"
+	}
+
 	if bindCredential := component.getConfig("bindCredential"); bindCredential != "" {
 		ldap.BindCredential = bindCredential
 	}

provider/resource_keycloak_hardcoded_attribute_mapper_test.go

@@ -152,6 +152,8 @@ resource "keycloak_ldap_user_federation" "openldap" {
 	users_dn                = "dc=example,dc=org"
 	bind_dn                 = "cn=admin,dc=example,dc=org"
 	bind_credential         = "admin"
+    referral                     = "ignore"
+
 }
 
 resource "keycloak_hardcoded_attribute_mapper" "hardcoded_attribute_mapper" {

provider/resource_keycloak_ldap_custom_mapper_test.go

@@ -202,6 +202,7 @@ resource "keycloak_ldap_user_federation" "openldap" {
 	users_dn                = "dc=example,dc=org"
 	bind_dn                 = "cn=admin,dc=example,dc=org"
 	bind_credential         = "admin"
+    referral                     = "ignore"
 }
 
 resource "keycloak_ldap_custom_mapper" "sample_mapper" {
@@ -242,6 +243,8 @@ resource "keycloak_ldap_user_federation" "openldap" {
 	users_dn                = "dc=example,dc=org"
 	bind_dn                 = "cn=admin,dc=example,dc=org"
 	bind_credential         = "admin"
+    referral                     = "ignore"
+
 }
 
 resource "keycloak_ldap_custom_mapper" "sample_mapper" {
@@ -283,6 +286,8 @@ resource "keycloak_ldap_user_federation" "openldap_one" {
 	users_dn                = "dc=example,dc=org"
 	bind_dn                 = "cn=admin,dc=example,dc=org"
 	bind_credential         = "admin"
+    referral                     = "ignore"
+
 }
 
 resource "keycloak_ldap_user_federation" "openldap_two" {
@@ -302,6 +307,8 @@ resource "keycloak_ldap_user_federation" "openldap_two" {
 	users_dn                = "dc=example,dc=org"
 	bind_dn                 = "cn=admin,dc=example,dc=org"
 	bind_credential         = "admin"
+    referral                     = "ignore"
+
 }
 
 resource "keycloak_ldap_custom_mapper" "sample_mapper" {
@@ -342,6 +349,9 @@ resource "keycloak_ldap_user_federation" "openldap_one" {
 	users_dn                = "dc=example,dc=org"
 	bind_dn                 = "cn=admin,dc=example,dc=org"
 	bind_credential         = "admin"
+    referral                     = "ignore"
+
+
 }
 
 resource "keycloak_ldap_user_federation" "openldap_two" {
@@ -361,6 +371,8 @@ resource "keycloak_ldap_user_federation" "openldap_two" {
 	users_dn                = "dc=example,dc=org"
 	bind_dn                 = "cn=admin,dc=example,dc=org"
 	bind_credential         = "admin"
+    referral                     = "ignore"
+
 }
 
 resource "keycloak_ldap_custom_mapper" "sample_mapper" {

provider/resource_keycloak_ldap_full_name_mapper_test.go

@@ -2,12 +2,13 @@ package provider
 
 import (
 	"fmt"
+	"regexp"
+	"testing"
+
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
 	"github.com/keycloak/terraform-provider-keycloak/keycloak"
-	"regexp"
-	"testing"
 )
 
 func TestAccKeycloakLdapFullNameMapper_basic(t *testing.T) {
@@ -110,6 +111,7 @@ func TestAccKeycloakLdapFullNameMapper_writableValidation(t *testing.T) {
 }
 
 func TestAccKeycloakLdapFullNameMapper_updateLdapUserFederation(t *testing.T) {
+	skipIfVersionIsLessThan(testCtx, t, keycloakClient, keycloak.Version_24)
 	t.Parallel()
 
 	mapperName := acctest.RandomWithPrefix("tf-acc")
@@ -231,6 +233,8 @@ resource "keycloak_ldap_user_federation" "openldap" {
 	users_dn                = "dc=example,dc=org"
 	bind_dn                 = "cn=admin,dc=example,dc=org"
 	bind_credential         = "admin"
+    referral                     = "ignore"
+
 }
 
 resource "keycloak_ldap_full_name_mapper" "full_name_mapper" {
@@ -266,6 +270,8 @@ resource "keycloak_ldap_user_federation" "openldap" {
 	users_dn                = "dc=example,dc=org"
 	bind_dn                 = "cn=admin,dc=example,dc=org"
 	bind_credential         = "admin"
+    referral                     = "ignore"
+
 }
 
 resource "keycloak_ldap_full_name_mapper" "full_name_mapper" {
@@ -307,6 +313,8 @@ resource "keycloak_ldap_user_federation" "openldap_one" {
 	users_dn                = "dc=example,dc=org"
 	bind_dn                 = "cn=admin,dc=example,dc=org"
 	bind_credential         = "admin"
+    referral                     = "ignore"
+
 }
 
 resource "keycloak_ldap_user_federation" "openldap_two" {
@@ -326,6 +334,8 @@ resource "keycloak_ldap_user_federation" "openldap_two" {
 	users_dn                = "dc=example,dc=org"
 	bind_dn                 = "cn=admin,dc=example,dc=org"
 	bind_credential         = "admin"
+    referral                     = "ignore"
+
 }
 
 resource "keycloak_ldap_full_name_mapper" "full_name_mapper" {
@@ -365,6 +375,8 @@ resource "keycloak_ldap_user_federation" "openldap_one" {
 	users_dn                = "dc=example,dc=org"
 	bind_dn                 = "cn=admin,dc=example,dc=org"
 	bind_credential         = "admin"
+    referral                     = "ignore"
+
 }
 
 resource "keycloak_ldap_user_federation" "openldap_two" {
@@ -384,6 +396,8 @@ resource "keycloak_ldap_user_federation" "openldap_two" {
 	users_dn                = "dc=example,dc=org"
 	bind_dn                 = "cn=admin,dc=example,dc=org"
 	bind_credential         = "admin"
+    referral                     = "ignore"
+
 }
 
 resource "keycloak_ldap_full_name_mapper" "full_name_mapper" {
@@ -420,6 +434,8 @@ resource "keycloak_ldap_user_federation" "openldap" {
 	users_dn                = "dc=example,dc=org"
 	bind_dn                 = "cn=admin,dc=example,dc=org"
 	bind_credential         = "admin"
+    referral                     = "ignore"
+
 }
 
 resource "keycloak_ldap_full_name_mapper" "full_name_mapper" {
@@ -457,6 +473,8 @@ resource "keycloak_ldap_user_federation" "openldap" {
 	users_dn                = "dc=example,dc=org"
 	bind_dn                 = "cn=admin,dc=example,dc=org"
 	bind_credential         = "admin"
+    referral                     = "ignore"
+
 }
 
 resource "keycloak_ldap_full_name_mapper" "full_name_mapper" {

provider/resource_keycloak_ldap_group_mapper_test.go

@@ -2,15 +2,17 @@ package provider
 
 import (
 	"fmt"
+	"regexp"
+	"testing"
+
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
 	"github.com/keycloak/terraform-provider-keycloak/keycloak"
-	"regexp"
-	"testing"
 )
 
 func TestAccKeycloakLdapGroupMapper_basic(t *testing.T) {
+	skipIfVersionIsLessThan(testCtx, t, keycloakClient, keycloak.Version_24)
 	t.Parallel()
 
 	groupMapperName := acctest.RandomWithPrefix("tf-acc")
@@ -35,6 +37,7 @@ func TestAccKeycloakLdapGroupMapper_basic(t *testing.T) {
 }
 
 func TestAccKeycloakLdapGroupMapper_createAfterManualDestroy(t *testing.T) {
+	skipIfVersionIsLessThan(testCtx, t, keycloakClient, keycloak.Version_24)
 	t.Parallel()
 
 	var mapper = &keycloak.LdapGroupMapper{}
@@ -367,6 +370,7 @@ resource "keycloak_ldap_user_federation" "openldap" {
 	users_dn                = "dc=example,dc=org"
 	bind_dn                 = "cn=admin,dc=example,dc=org"
 	bind_credential         = "admin"
+    referral                     = "ignore"
 }
 
 resource "keycloak_ldap_group_mapper" "group_mapper" {
@@ -410,6 +414,7 @@ resource "keycloak_ldap_user_federation" "openldap" {
 	users_dn                = "dc=example,dc=org"
 	bind_dn                 = "cn=admin,dc=example,dc=org"
 	bind_credential         = "admin"
+    referral                     = "ignore"
 }
 
 resource "keycloak_ldap_group_mapper" "group_mapper" {
@@ -455,6 +460,7 @@ resource "keycloak_ldap_user_federation" "openldap" {
 	users_dn                = "dc=example,dc=org"
 	bind_dn                 = "cn=admin,dc=example,dc=org"
 	bind_credential         = "admin"
+    referral                     = "ignore"
 }
 
 resource "keycloak_ldap_group_mapper" "group_mapper" {
@@ -501,6 +507,7 @@ resource "keycloak_ldap_user_federation" "openldap" {
 	users_dn                = "dc=example,dc=org"
 	bind_dn                 = "cn=admin,dc=example,dc=org"
 	bind_credential         = "admin"
+    referral                     = "ignore"
 }
 
 resource "keycloak_ldap_group_mapper" "group_mapper" {
@@ -553,6 +560,7 @@ resource "keycloak_ldap_user_federation" "openldap_one" {
 	users_dn                = "dc=example,dc=org"
 	bind_dn                 = "cn=admin,dc=example,dc=org"
 	bind_credential         = "admin"
+    referral                     = "ignore"
 }
 
 resource "keycloak_ldap_user_federation" "openldap_two" {
@@ -572,6 +580,7 @@ resource "keycloak_ldap_user_federation" "openldap_two" {
 	users_dn                = "dc=example,dc=org"
 	bind_dn                 = "cn=admin,dc=example,dc=org"
 	bind_credential         = "admin"
+    referral                     = "ignore"
 }
 
 resource "keycloak_ldap_group_mapper" "group_mapper" {
@@ -620,6 +629,7 @@ resource "keycloak_ldap_user_federation" "openldap_one" {
 	users_dn                = "dc=example,dc=org"
 	bind_dn                 = "cn=admin,dc=example,dc=org"
 	bind_credential         = "admin"
+    referral                     = "ignore"
 }
 
 resource "keycloak_ldap_user_federation" "openldap_two" {
@@ -639,6 +649,7 @@ resource "keycloak_ldap_user_federation" "openldap_two" {
 	users_dn                = "dc=example,dc=org"
 	bind_dn                 = "cn=admin,dc=example,dc=org"
 	bind_credential         = "admin"
+    referral                     = "ignore"
 }
 
 resource "keycloak_ldap_group_mapper" "group_mapper" {
@@ -687,6 +698,7 @@ resource "keycloak_ldap_user_federation" "openldap" {
 	users_dn                = "dc=example,dc=org"
 	bind_dn                 = "cn=admin,dc=example,dc=org"
 	bind_credential         = "admin"
+    referral                     = "ignore"
 }
 
 resource "keycloak_ldap_group_mapper" "group_mapper" {

provider/resource_keycloak_ldap_hardcoded_attribute_mapper_test.go

@@ -152,6 +152,7 @@ resource "keycloak_ldap_user_federation" "openldap" {
 	users_dn                = "dc=example,dc=org"
 	bind_dn                 = "cn=admin,dc=example,dc=org"
 	bind_credential         = "admin"
+    referral                     = "ignore"
 }
 
 resource "keycloak_ldap_hardcoded_attribute_mapper" "hardcoded_attribute_mapper" {

provider/resource_keycloak_ldap_hardcoded_group_mapper_test.go

@@ -149,6 +149,7 @@ resource "keycloak_ldap_user_federation" "openldap" {
 	users_dn                = "dc=example,dc=org"
 	bind_dn                 = "cn=admin,dc=example,dc=org"
 	bind_credential         = "admin"
+    referral                     = "ignore"
 }
 
 resource "keycloak_group" "hardcoded_group_mapper_test" {

provider/resource_keycloak_ldap_hardcoded_role_mapper_test.go

@@ -149,6 +149,7 @@ resource "keycloak_ldap_user_federation" "openldap" {
 	users_dn                = "dc=example,dc=org"
 	bind_dn                 = "cn=admin,dc=example,dc=org"
 	bind_credential         = "admin"
+    referral                     = "ignore"
 }
 
 resource "keycloak_role" "hardcoded_role_mapper_test" {