From bc3c9b1cb99bb1c54ad525ed5eac3e10f63c3c90 Mon Sep 17 00:00:00 2001
From: Boolman
Date: Sun, 26 Nov 2023 17:20:05 +0100
Subject: [PATCH] [keycloak_user_federation]: Adding option krbPrincipalAttribute (#7538)
* keycloak_user_federation: Adding support for krbPrincipalAttribute
Signed-off-by: boolman
* pr/7538 adding changelogs/fragment file
Signed-off-by: boolman
* Update changelogs/fragments/7538-add-krbprincipalattribute-option.yml
Co-authored-by: Felix Fontein
* Update plugins/modules/keycloak_user_federation.py
Co-authored-by: Felix Fontein
* Update plugins/modules/keycloak_user_federation.py
Co-authored-by: Felix Fontein
---------
Signed-off-by: boolman
Co-authored-by: Felix Fontein
(cherry picked from commit 938aec492ecd406bd030366997125800531f47fe)
---
.../7538-add-krbprincipalattribute-option.yml | 2 ++
plugins/modules/keycloak_user_federation.py | 11 +++++++++++
.../plugins/modules/test_keycloak_user_federation.py | 4 ++++
3 files changed, 17 insertions(+)
create mode 100644 changelogs/fragments/7538-add-krbprincipalattribute-option.yml
diff --git a/changelogs/fragments/7538-add-krbprincipalattribute-option.yml b/changelogs/fragments/7538-add-krbprincipalattribute-option.yml
new file mode 100644
index 00000000000..e2e2ce61c29
--- /dev/null
+++ b/changelogs/fragments/7538-add-krbprincipalattribute-option.yml
@@ -0,0 +1,2 @@
+minor_changes:
+ - keycloak_user_federation - add option for ``krbPrincipalAttribute`` (https://github.com/ansible-collections/community.general/pull/7538).
diff --git a/plugins/modules/keycloak_user_federation.py b/plugins/modules/keycloak_user_federation.py
index b29cf21859f..8c50cb7f3ec 100644
--- a/plugins/modules/keycloak_user_federation.py
+++ b/plugins/modules/keycloak_user_federation.py
@@ -342,6 +342,16 @@
 - Name of kerberos realm.
 type: str
+ krbPrincipalAttribute:
+ description:
+ - Name of the LDAP attribute, which refers to Kerberos principal. This is used to lookup appropriate LDAP user after successful Kerberos/SPNEGO authentication in Keycloak. When this is empty, the LDAP user will be looked based on LDAP username corresponding to the first part of his Kerberos principal. For instance, for principal C(john@KEYCLOAK.ORG), it will assume that LDAP username is V(john).
+ type: str
+ version_added: 8.1.0
+
 serverPrincipal:
 description:
 - Full name of server principal for HTTP service including server and domain name. For
@@ -764,6 +774,7 @@ def main():
 readTimeout=dict(type='int'),
 searchScope=dict(type='str', choices=['1', '2'], default='1'),
 serverPrincipal=dict(type='str'),
+ krbPrincipalAttribute=dict(type='str'),
 startTls=dict(type='bool', default=False),
 syncRegistrations=dict(type='bool', default=False),
 trustEmail=dict(type='bool', default=False),
diff --git a/tests/unit/plugins/modules/test_keycloak_user_federation.py b/tests/unit/plugins/modules/test_keycloak_user_federation.py
index 8d3dcaa2301..523ef9f2107 100644
--- a/tests/unit/plugins/modules/test_keycloak_user_federation.py
+++ b/tests/unit/plugins/modules/test_keycloak_user_federation.py
@@ -326,6 +326,7 @@ def test_create_with_mappers(self):
 'connectionPooling': True,
 'pagination': True,
 'allowKerberosAuthentication': False,
+ 'krbPrincipalAttribute': 'krbPrincipalName',
 'debug': False,
 'useKerberosForPasswordAuthentication': False,
 },
@@ -374,6 +375,9 @@ def test_create_with_mappers(self):
 "enabled": [
 "true"
 ],
+ "krbPrincipalAttribute": [
+ "krb5PrincipalName"
+ ],
 "usernameLDAPAttribute": [
 "uid"
 ],
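Review bot: The new `krbPrincipalAttribute` description has grammar slips ("to lookup", "will be looked based on", "his Kerberos principal") and, more importantly, omits the caveat an operator needs: by its own wording this attribute is the key that maps an authenticated Kerberos principal onto an LDAP account, so whichever entry matches is the account that gets logged in. I would add a sentence such as `The attribute should uniquely identify a user and must not be writable by the users themselves, otherwise one account could be matched for another user's principal.` and tighten the fallback sentence to `When empty, the LDAP user is looked up by the LDAP username matching the first part of the Kerberos principal; for C(john@KEYCLOAK.ORG) the username is assumed to be V(john).` The continuation lines of this description appear to have lost their `+` markers in the extraction, so the exact line layout cannot be checked here.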
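Review bot: `krbPrincipalAttribute=dict(type='str'),` is inserted between `serverPrincipal` and `startTls`, but the surrounding entries (`readTimeout`, `searchScope`, `serverPrincipal`, `startTls`, `syncRegistrations`, `trustEmail`) are kept in alphabetical order, so the new key belongs earlier in the spec, next to the other Kerberos keys that sit outside this hunk. Moving the one line keeps the spec scannable and matches where the DOCUMENTATION block places the option. The enclosing `main()` and the rest of the config spec begin and end outside this hunk, so I cannot confirm from here whether every spec key is forwarded to Keycloak generically or needs an explicit mapping; a second run with `krbPrincipalAttribute` set should report `changed: false` if the wiring is complete.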
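Review bot: The module arguments in the previous hunk pass `'krbPrincipalAttribute': 'krbPrincipalName'`, while the mocked component config added here returns `"krb5PrincipalName"`, a different attribute name (MIT versus Heimdal style schema). If the mocked create response is meant to mirror what the module sent, the mismatch weakens the test, because a regression that never forwards the value could still pass. Use the same string in both places, for example `"krbPrincipalName"` here, or add a one-line comment if the divergence is intentional. `test_create_with_mappers` starts before this hunk, so the assertions it actually makes cannot be checked from here.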