[keycloak_user_federation]: Adding option krbPrincipalAttribute (#7538)

* keycloak_user_federation: Adding support for krbPrincipalAttribute Signed-off-by: boolman <boolman@gmail.com> * pr/7538 adding changelogs/fragment file Signed-off-by: boolman <boolman@gmail.com> * Update changelogs/fragments/7538-add-krbprincipalattribute-option.yml Co-authored-by: Felix Fontein <felix@fontein.de> * Update plugins/modules/keycloak_user_federation.py Co-authored-by: Felix Fontein <felix@fontein.de> * Update plugins/modules/keycloak_user_federation.py Co-authored-by: Felix Fontein <felix@fontein.de> --------- Signed-off-by: boolman <boolman@gmail.com> Co-authored-by: Felix Fontein <felix@fontein.de> (cherry picked from commit 938aec4)
ansible-collections · Nov 26, 2023 · bc3c9b1 · bc3c9b1
1 parent ff8e678
commit bc3c9b1
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 0 deletions.
diff --git a/changelogs/fragments/7538-add-krbprincipalattribute-option.yml b/changelogs/fragments/7538-add-krbprincipalattribute-option.yml
@@ -0,0 +1,2 @@
+minor_changes:
+  - keycloak_user_federation - add option for ``krbPrincipalAttribute`` (https://github.com/ansible-collections/community.general/pull/7538).
diff --git a/plugins/modules/keycloak_user_federation.py b/plugins/modules/keycloak_user_federation.py
@@ -342,6 +342,16 @@
                     - Name of kerberos realm.
                 type: str
 
+            krbPrincipalAttribute:
+                description:
+                    - Name of the LDAP attribute, which refers to Kerberos principal.
+                      This is used to lookup appropriate LDAP user after successful Kerberos/SPNEGO authentication in Keycloak.
+                      When this is empty, the LDAP user will be looked based on LDAP username corresponding
+                      to the first part of his Kerberos principal. For instance, for principal C(john@KEYCLOAK.ORG),
+                      it will assume that LDAP username is V(john).
+                type: str
+                version_added: 8.1.0
+
             serverPrincipal:
                 description:
                     - Full name of server principal for HTTP service including server and domain name. For
@@ -764,6 +774,7 @@ def main():
         readTimeout=dict(type='int'),
         searchScope=dict(type='str', choices=['1', '2'], default='1'),
         serverPrincipal=dict(type='str'),
+        krbPrincipalAttribute=dict(type='str'),
         startTls=dict(type='bool', default=False),
         syncRegistrations=dict(type='bool', default=False),
         trustEmail=dict(type='bool', default=False),

diff --git a/tests/unit/plugins/modules/test_keycloak_user_federation.py b/tests/unit/plugins/modules/test_keycloak_user_federation.py
@@ -326,6 +326,7 @@ def test_create_with_mappers(self):
                 'connectionPooling': True,
                 'pagination': True,
                 'allowKerberosAuthentication': False,
+                'krbPrincipalAttribute': 'krbPrincipalName',
                 'debug': False,
                 'useKerberosForPasswordAuthentication': False,
             },
@@ -374,6 +375,9 @@ def test_create_with_mappers(self):
                     "enabled": [
                         "true"
                     ],
+                    "krbPrincipalAttribute": [
+                        "krb5PrincipalName"
+                    ],
                     "usernameLDAPAttribute": [
                         "uid"
                     ],
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		minor_changes:
		- keycloak_user_federation - add option for ``krbPrincipalAttribute`` (https://github.com/ansible-collections/community.general/pull/7538).