From 206c6af9cdf7905ff346981c6f79f2ebeaa83abf Mon Sep 17 00:00:00 2001 From: boolman Date: Fri, 17 Nov 2023 11:25:35 +0100 Subject: [PATCH 1/5] keycloak_user_federation: Adding support for krbPrincipalAttribute Signed-off-by: boolman --- plugins/modules/keycloak_user_federation.py | 9 +++++++++ .../plugins/modules/test_keycloak_user_federation.py | 4 ++++ 2 files changed, 13 insertions(+) diff --git a/plugins/modules/keycloak_user_federation.py b/plugins/modules/keycloak_user_federation.py index b29cf21859f..0509f847a10 100644 --- a/plugins/modules/keycloak_user_federation.py +++ b/plugins/modules/keycloak_user_federation.py @@ -342,6 +342,14 @@ - Name of kerberos realm. type: str + krbPrincipalAttribute: + description: + - Name of the LDAP attribute, which refers to Kerberos principal. + This is used to lookup appropriate LDAP user after successful Kerberos/SPNEGO authentication in Keycloak. + When this is empty, the LDAP user will be looked based on LDAP username corresponding + to the first part of his Kerberos principal. For instance, for principal 'john@KEYCLOAK.ORG', + it will assume that LDAP username is 'john'. + type: str serverPrincipal: description: - Full name of server principal for HTTP service including server and domain name. For @@ -764,6 +772,7 @@ def main(): readTimeout=dict(type='int'), searchScope=dict(type='str', choices=['1', '2'], default='1'), serverPrincipal=dict(type='str'), + krbPrincipalAttribute=dict(type='str'), startTls=dict(type='bool', default=False), syncRegistrations=dict(type='bool', default=False), trustEmail=dict(type='bool', default=False), diff --git a/tests/unit/plugins/modules/test_keycloak_user_federation.py b/tests/unit/plugins/modules/test_keycloak_user_federation.py index 8d3dcaa2301..523ef9f2107 100644 --- a/tests/unit/plugins/modules/test_keycloak_user_federation.py +++ b/tests/unit/plugins/modules/test_keycloak_user_federation.py 
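Review bot: The new `krbPrincipalAttribute` description in the `@@ -342,6 +342,14 @@` hunk explains how the lookup works but not what the choice of attribute implies: by its own wording this attribute alone decides which LDAP account a successfully authenticated Kerberos/SPNEGO principal is mapped to, so it needs to be unique per entry and not writable by ordinary users, otherwise one user could be mapped onto another's account (the mapping itself happens inside Keycloak, so this is a caveat for the operator rather than a defect in this module). I would add a list item to the description such as `- Pick an attribute that is unique per entry and maintained by the directory administrator, because it determines which LDAP account an authenticated Kerberos principal is mapped to.`. The description also reads `the LDAP user will be looked based on`, which should be `looked up based on`, even though the text appears to be copied from Keycloak's own option help. The enclosing DOCUMENTATION block starts and ends outside the hunk.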
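Review bot: The new `krbPrincipalAttribute=dict(type='str'),` entry in the `@@ -764,6 +772,7 @@` hunk is inserted between `serverPrincipal` and `startTls`, while every neighbouring key visible in the hunk (`readTimeout`, `searchScope`, `serverPrincipal`, `startTls`, `syncRegistrations`, `trustEmail`) is kept in alphabetical order. Moving it up next to `kerberosRealm`, where the documentation hunk of the same patch already places it, keeps argument_spec and the docs aligned and makes later additions easier to review. Whether the option is then forwarded into the component config sent to Keycloak depends on how the config dict is built from the spec, which is not visible here; main() starts and ends outside the hunk.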
@@ -326,6 +326,7 @@ def test_create_with_mappers(self): 'connectionPooling': True, 'pagination': True, 'allowKerberosAuthentication': False, + 'krbPrincipalAttribute': 'krbPrincipalName', 'debug': False, 'useKerberosForPasswordAuthentication': False, }, @@ -374,6 +375,9 @@ def test_create_with_mappers(self): "enabled": [ "true" ], + "krbPrincipalAttribute": [ + "krb5PrincipalName" + ], "usernameLDAPAttribute": [ "uid" ], From 4edfb27eb01e6a2b2f90b8a50aa11a63ce393301 Mon Sep 17 00:00:00 2001 From: boolman Date: Fri, 17 Nov 2023 11:40:37 +0100 Subject: [PATCH 2/5] pr/7538 adding changelogs/fragment file Signed-off-by: boolman --- changelogs/fragments/7538-add-krbprincipalattribute-option.yml | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 changelogs/fragments/7538-add-krbprincipalattribute-option.yml diff --git a/changelogs/fragments/7538-add-krbprincipalattribute-option.yml b/changelogs/fragments/7538-add-krbprincipalattribute-option.yml new file mode 100644 index 00000000000..2379929691f --- /dev/null +++ b/changelogs/fragments/7538-add-krbprincipalattribute-option.yml @@ -0,0 +1,2 @@ +minor_changes: + - keycloak_user_federation module - Add option for krbPrincipalAttribute (https://github.com/ansible-collections/community.general/pull/7538) From 4e03213b4d35a7b938183ec10155a27b9a3b9a58 Mon Sep 17 00:00:00 2001 From: Boolman Date: Sun, 19 Nov 2023 09:35:27 +0100 Subject: [PATCH 3/5] Update changelogs/fragments/7538-add-krbprincipalattribute-option.yml Co-authored-by: Felix Fontein --- changelogs/fragments/7538-add-krbprincipalattribute-option.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/changelogs/fragments/7538-add-krbprincipalattribute-option.yml b/changelogs/fragments/7538-add-krbprincipalattribute-option.yml index 2379929691f..e2e2ce61c29 100644 --- a/changelogs/fragments/7538-add-krbprincipalattribute-option.yml +++ b/changelogs/fragments/7538-add-krbprincipalattribute-option.yml 
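Review bot: The module argument added in the `@@ -326,6 +326,7 @@` hunk sets `'krbPrincipalAttribute': 'krbPrincipalName',` but the config entry added in the `@@ -374,6 +375,9 @@` hunk carries `"krb5PrincipalName"`, so the two values disagree; if the second dict is the mocked component returned by the Keycloak API, as its list-valued shape suggests, the test never demonstrates that the value passed to the module is what ends up in the request. I would use a single value in both places, e.g. `'krbPrincipalAttribute': 'krb5PrincipalName',`, and, where the test inspects the mocked create call, assert that the payload's `config` contains `"krbPrincipalAttribute": ["krb5PrincipalName"]`. test_create_with_mappers starts and ends outside both hunks.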
@@ -1,2 +1,2 @@ minor_changes: - - keycloak_user_federation module - Add option for krbPrincipalAttribute (https://github.com/ansible-collections/community.general/pull/7538) + - keycloak_user_federation - add option for ``krbPrincipalAttribute`` (https://github.com/ansible-collections/community.general/pull/7538). From 997c75253be27873a45f9a8d8a80cf93a1c7334c Mon Sep 17 00:00:00 2001 From: Boolman Date: Sun, 19 Nov 2023 09:35:36 +0100 Subject: [PATCH 4/5] Update plugins/modules/keycloak_user_federation.py Co-authored-by: Felix Fontein --- plugins/modules/keycloak_user_federation.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/plugins/modules/keycloak_user_federation.py b/plugins/modules/keycloak_user_federation.py index 0509f847a10..884b88866c1 100644 --- a/plugins/modules/keycloak_user_federation.py +++ b/plugins/modules/keycloak_user_federation.py @@ -350,6 +350,8 @@ to the first part of his Kerberos principal. For instance, for principal 'john@KEYCLOAK.ORG', it will assume that LDAP username is 'john'. type: str + version_added: 8.1.0 + serverPrincipal: description: - Full name of server principal for HTTP service including server and domain name. For From e78433cd9f6a4fdc83c413d4a64d612b7bfa6369 Mon Sep 17 00:00:00 2001 From: Boolman Date: Sun, 19 Nov 2023 09:35:42 +0100 Subject: [PATCH 5/5] Update plugins/modules/keycloak_user_federation.py Co-authored-by: Felix Fontein --- plugins/modules/keycloak_user_federation.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/plugins/modules/keycloak_user_federation.py b/plugins/modules/keycloak_user_federation.py index 884b88866c1..8c50cb7f3ec 100644 --- a/plugins/modules/keycloak_user_federation.py +++ b/plugins/modules/keycloak_user_federation.py 
@@ -347,8 +347,8 @@ - Name of the LDAP attribute, which refers to Kerberos principal. This is used to lookup appropriate LDAP user after successful Kerberos/SPNEGO authentication in Keycloak. When this is empty, the LDAP user will be looked based on LDAP username corresponding - to the first part of his Kerberos principal. For instance, for principal 'john@KEYCLOAK.ORG', - it will assume that LDAP username is 'john'. + to the first part of his Kerberos principal. For instance, for principal C(john@KEYCLOAK.ORG), + it will assume that LDAP username is V(john). type: str version_added: 8.1.0