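# Registers an LDAP user-storage provider ("ldap-ansible") in the Keycloak
# master realm through the Keycloak admin API. The admin password, the LDAP
# bind DN/credential and the connection URL all come from variables (expected
# to be vault-protected); nothing secret is hard-coded in this task.
- name: Create LDAP user federation
  community.general.keycloak_user_federation:
    # Quoted so the templated host cannot be mis-parsed by YAML.
    auth_keycloak_url: "https://{{ keycloak_address }}"
    auth_realm: master
    auth_username: admin
    auth_password: "{{ keycloak_admin_password }}"
    realm: master
    name: ldap-ansible
    state: present
    provider_id: ldap
    provider_type: org.keycloak.storage.UserStorageProvider
    # Fixed component id; presumably so repeated runs update this federation
    # rather than relying on a name lookup — confirm against the module docs.
    id: 11111111-0000-0000-0000-000000000001
    config:
      priority: 0
      enabled: true
      cachePolicy: DEFAULT
      batchSizeForSync: 1000
      # WRITABLE together with the non-read-only mappers below means Keycloak
      # can push attribute changes back to LDAP through the bind account, so
      # that account needs write access on usersDn (and ideally nothing more).
      editMode: WRITABLE
      importEnabled: true
      syncRegistrations: true
      # Assumed to be seconds (Keycloak convention) — TODO confirm.
      fullSyncPeriod: 600
      vendor: other
      usernameLDAPAttribute: uid
      rdnLDAPAttribute: uid
      uuidLDAPAttribute: uid
      # Comma-separated list as Keycloak expects; quoted so the commas are
      # unambiguously part of one string.
      userObjectClasses: "person, inetOrgPerson, organizationalPerson, verification"
      connectionUrl: "{{ ldap_connection_url }}"
      usersDn: "{{ ldap_user_dn }}"
      authType: simple
      bindDn: "{{ ldap_bind_dn }}"
      bindCredential: "{{ ldap_password }}"
      # Kept as a string: Keycloak stores this value as text, not an int.
      searchScope: "1"
      validatePasswordPolicy: false
      # LDAP-sourced e-mail addresses are NOT treated as verified; see the
      # commented-out email_verified mapper below.
      trustEmail: false
      # Truststore only consulted for ldaps:// URLs (presumed Keycloak
      # semantics); plain ldap:// sends the bind credential in clear text.
      useTruststoreSpi: ldapsOnly
      connectionPooling: true
      pagination: true
      allowKerberosAuthentication: false
      debug: false
      useKerberosForPasswordAuthentication: false
    mappers:
      # Attribute mappers: LDAP attribute -> Keycloak user-model attribute.
      - name: "username"
        providerId: "user-attribute-ldap-mapper"
        providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
        config:
          always.read.value.from.ldap: false
          is.mandatory.in.ldap: true
          read.only: false
          user.model.attribute: username
          ldap.attribute: uid
      - name: "email"
        providerId: "user-attribute-ldap-mapper"
        providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
        config:
          always.read.value.from.ldap: false
          is.mandatory.in.ldap: true
          read.only: false
          user.model.attribute: email
          ldap.attribute: mail
      - name: "first name"
        providerId: "user-attribute-ldap-mapper"
        providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
        config:
          always.read.value.from.ldap: true
          is.mandatory.in.ldap: true
          read.only: false
          user.model.attribute: firstName
          ldap.attribute: cn
      - name: "last name"
        providerId: "user-attribute-ldap-mapper"
        providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
        config:
          always.read.value.from.ldap: true
          is.mandatory.in.ldap: true
          read.only: false
          user.model.attribute: lastName
          ldap.attribute: sn
      - name: "telephoneNumber"
        providerId: "user-attribute-ldap-mapper"
        providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
        config:
          always.read.value.from.ldap: true
          is.mandatory.in.ldap: false
          read.only: false
          user.model.attribute: telephoneNumber
          ldap.attribute: telephoneNumber
      # Operational timestamps are exposed read-only: Keycloak must never try
      # to write them back to the directory.
      - name: "modify date"
        providerId: "user-attribute-ldap-mapper"
        providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
        config:
          always.read.value.from.ldap: true
          is.mandatory.in.ldap: false
          read.only: true
          user.model.attribute: modifyTimestamp
          ldap.attribute: modifyTimestamp
      - name: "creation date"
        providerId: "user-attribute-ldap-mapper"
        providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
        config:
          always.read.value.from.ldap: true
          is.mandatory.in.ldap: false
          read.only: true
          user.model.attribute: createTimestamp
          ldap.attribute: createTimestamp
      # Intentionally disabled: enabling it would let the directory decide
      # which accounts count as e-mail-verified in Keycloak.
      # - name: "email_verified"
      #   providerId: "user-attribute-ldap-mapper"
      #   providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
      #   config:
      #     always.read.value.from.ldap: false
      #     is.mandatory.in.ldap: false
      #     read.only: false
      #     user.model.attribute: emailVerified
      #     ldap.attribute: emailVerified
      # Group membership is taken from LDAP only (LDAP_ONLY); groups are
      # resolved via the groupOfNames "member" attribute under ou=groups.
      - name: "group-mapper"
        providerId: "group-ldap-mapper"
        providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
        config:
          membership.attribute.type: "DN"
          group.name.ldap.attribute: "cn"
          preserve.group.inheritance: true
          membership.user.ldap.attribute: "uid"
          groups.dn: "ou=groups,{{ ldap_suffix }}"
          mode: "LDAP_ONLY"
          user.roles.retrieve.strategy: "LOAD_GROUPS_BY_MEMBER_ATTRIBUTE"
          ignore.missing.groups: false
          membership.ldap.attribute: "member"
          group.object.classes: "groupOfNames"
          memberof.ldap.attribute: "memberOf"
          groups.path: "/"
          # Groups removed from LDAP are removed from Keycloak on sync, so a
          # directory-side change can revoke access granted through groups.
          drop.non.existing.groups.during.sync: true
  # The task arguments carry auth_password and bindCredential; keep them out of
  # play output, callback plugins and log shipping. Flip to false only while
  # debugging a failing run.
  no_log: true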