fix: split keycloak config

2025-12-10 01:08:32 +01:00 · 2023-01-15 11:41:52 +01:00
parent 6c8718e948
commit 0d63e8855b
3 changed files with 91 additions and 71 deletions
--- a/roles/usermanagement/tasks/keycloak-ldap-provider.yaml
+++ b/roles/usermanagement/tasks/keycloak-ldap-provider.yaml
@@ -18,6 +18,7 @@
      editMode: WRITABLE
      importEnabled: true
      syncRegistrations: true
+      fullSyncPeriod: 600
      vendor: other
      usernameLDAPAttribute: uid
      rdnLDAPAttribute: uid
@@ -92,3 +93,20 @@
          read.only: true
          user.model.attribute: createTimestamp
          ldap.attribute: createTimestamp
+      - name: "group-mapper"
+        providerId: "group-ldap-mapper"
+        providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
+        config:
+          membership.attribute.type: "DN"
+          group.name.ldap.attribute: "cn"
+          preserve.group.inheritance: true
+          membership.user.ldap.attribute: "uid"
+          groups.dn: "ou=groups,{{ ldap_suffix }}"
+          mode: "LDAP_ONLY"
+          user.roles.retrieve.strategy: "LOAD_GROUPS_BY_MEMBER_ATTRIBUTE"
+          ignore.missing.groups: false
+          membership.ldap.attribute: "member"
+          group.object.classes: "groupOfNames"
+          memberof.ldap.attribute: "memberOf"
+          groups.path: "/"
+          drop.non.existing.groups.during.sync : true
--- a/roles/usermanagement/tasks/keycloak.yaml
+++ b/roles/usermanagement/tasks/keycloak.yaml
@@ -0,0 +1,71 @@
+- name: Create data-dir
+  file:
+    name: /data/
+    state: directory
+
+- name: Create keycloak psql mount
+  file:
+    name: /data/keycloak-postgres/
+    state: directory
+
+- name: Create compose directory keycloak
+  file:
+    name: "/opt/keycloak/"
+    state: directory
+
+- name: Copy compose templates keycloak
+  template:
+    src: "keycloak.yaml"
+    dest: "/opt/keycloak/"
+
+- name: Copy compose environment files keycloak
+  template:
+    src: "{{ item }}"
+    dest: "/opt/keycloak/"
+  with_items:
+    - postgres_password
+
+- name: Deploy compose templates
+  community.docker.docker_compose:
+    project_src: "/opt/keycloak/"
+    pull: true
+    files:
+      - "keycloak.yaml"
+
+- name: Check/Wait for Keycloak to be up
+  uri:
+    url: https://keycloak.atlantishq.de/health
+    method: GET
+    return_content: yes
+    status_code: 200
+    body_format: json
+  register: result
+  until: result.status and result.json.status == "UP"
+  retries: 10
+  delay: 20
+
+- name: Create Keycloak Clients
+  local_action:
+    module: keycloak_client
+    auth_client_id: admin-cli
+    auth_keycloak_url: https://keycloak.atlantishq.de/
+    auth_realm: master
+    auth_username: admin
+    auth_password: "{{ keycloak_admin_password }}"
+    state: present
+    realm: master
+    client_id: '{{ keycloak_clients[item]["client_id"] }}'
+    id: '{{ keycloak_clients[item]["keycloak_id"] }}'
+    name: '{{ keycloak_clients[item]["client_id"] }}'
+    description: '{{ keycloak_clients[item]["description"] }}'
+    enabled: True
+    client_authenticator_type: client-secret
+    public_client: false
+    secret: '{{ keycloak_clients[item]["client_secret"] }}'
+    authorization_services_enabled: true
+    service_accounts_enabled: true
+    redirect_uris: '{{ keycloak_clients[item]["redirect_uris"] }}'
+    web_origins: '{{ keycloak_clients[item]["redirect_uris"] }}'
+    frontchannel_logout: False
+    protocol: openid-connect
+  with_items: "{{ keycloak_clients.keys() | list }}"
--- a/roles/usermanagement/tasks/main.yaml
+++ b/roles/usermanagement/tasks/main.yaml
@@ -1,77 +1,8 @@
 - name: cerbot letsencrypt standalone
  include: letsencrypt.yaml

- name: Create data-dir
-  file:
-    name: /data/
-    state: directory
-
- name: Create keycloak psql mount
-  file:
-    name: /data/keycloak-postgres/
-    state: directory
-
- name: Create compose directory keycloak
-  file:
-    name: "/opt/keycloak/"
-    state: directory
-
- name: Copy compose templates keycloak
-  template:
-    src: "keycloak.yaml"
-    dest: "/opt/keycloak/"
-
- name: Copy compose environment files keycloak
-  template:
-    src: "{{ item }}"
-    dest: "/opt/keycloak/"
-  with_items:
-    - postgres_password
-
- name: Deploy compose templates
-  community.docker.docker_compose:
-    project_src: "/opt/keycloak/"
-    pull: true
-    files:
-      - "keycloak.yaml"
-
- name: Check/Wait for Keycloak to be up
-  uri:
-    url: https://keycloak.atlantishq.de/health
-    method: GET
-    return_content: yes
-    status_code: 200
-    body_format: json
-  register: result
-  until: result.status and result.json.status == "UP"
-  retries: 10
-  delay: 20
-
- name: Create Keycloak Clients
-  local_action:
-    module: keycloak_client
-    auth_client_id: admin-cli
-    auth_keycloak_url: https://keycloak.atlantishq.de/
-    auth_realm: master
-    auth_username: admin
-    auth_password: "{{ keycloak_admin_password }}"
-    state: present
-    realm: master
-    client_id: '{{ keycloak_clients[item]["client_id"] }}'
-    id: '{{ keycloak_clients[item]["keycloak_id"] }}'
-    name: '{{ keycloak_clients[item]["client_id"] }}'
-    description: '{{ keycloak_clients[item]["description"] }}'
-    enabled: True
-    client_authenticator_type: client-secret
-    public_client: false
-    secret: '{{ keycloak_clients[item]["client_secret"] }}'
-    authorization_services_enabled: true
-    service_accounts_enabled: true
-    redirect_uris: '{{ keycloak_clients[item]["redirect_uris"] }}'
-    web_origins: '{{ keycloak_clients[item]["redirect_uris"] }}'
-    frontchannel_logout: False
-    protocol: openid-connect
-  with_items: "{{ keycloak_clients.keys() | list }}"
+- name: Keycloak User federation (ldap-provider)
+  include: keycloak.yaml

 - name: Keycloak User federation (ldap-provider)
  include: keycloak-ldap-provider.yaml