terraform-provider-keycloak
Cannot change the default ldap attribute mappers defined when creating an ldap user federation
When creating a resource "keycloak_ldap_user_federation", Keycloak under the hood creates a few attribute mappers to map LDAP attributes to profile attributes. If the LDAP attribute set by default in Keycloak is not the correct one, this module does not allow you to change it.
Creating a new resource "keycloak_ldap_user_attribute_mapper" with the same name will add the new attribute mapper to the user federation in Keycloak (I am unsure of the final effect of having twice the same attribute defined).
Maybe add a "keep_default_user_attribute_mapper=true" attribute to the "keycloak_ldap_user_federation" resource. If explicitly set to "false", all automatically created "user_attribute_mapper" objects will be queried and deleted after the "keycloak_ldap_user_federation" resource has been created.
> I am unsure of the final effect of having twice the same attribute defined

It seems that the value from the last mapper setting the specified attribute is preserved, but the order is defined while adding and is inconsistent.
I'm having the same issue as well, and will try to implement the keep_default_user_attribute_mapper attribute for keycloak_ldap_user_federation.
Huh, it seems that we can't trivially add this attribute because it would not be saved within KeyCloak, hence we can't retrieve its value to local state (if there is none, e.g. running plan on another machine).
However, we could solve this problem by making resources keycloak_ldap_*_mapper attributes of keycloak_ldap_user_federation, like this:

```hcl
resource "keycloak_ldap_user_federation" "ldap_user_federation" {
  name     = "openldap"
  realm_id = keycloak_realm.realm.id
  enabled  = true
  # <snip>

  hardcoded_role_mapper {
    name = "assign-admin-role-to-all-users"
    role = keycloak_role.realm_admin_role.name
  }

  user_attribute_mapper {
    name                 = "user-attribute-mapper"
    user_model_attribute = "foo"
    ldap_attribute       = "bar"
  }

  user_attribute_mapper {
    name                 = "user-attribute-mapper2"
    user_model_attribute = "foo2"
    ldap_attribute       = "baz"
    read_only            = true
  }
}
```
This way we would know the full list of mappers at user_federation creation time.
This could keep backwards compatibility: preserve resources keycloak_ldap_*_mapper as deprecated, and keep the old behaviour if there are no *_mapper attributes in keycloak_ldap_user_federation.
@mrparkers, what do you think?
Ah, that does not make much sense since keycloak_ldap_user_federation already has properties {username,rdn,uuid}_ldap_attribute, and KeyCloak tries to make some sensible mappers based on that. Probably a better solution would be to patch KeyCloak so that empty values in those parameters would imply not creating any mappers.
However, as a hack, the solution from the previous comment should work.
I came across this and noticed there is now at least an option to remove the default mappers and completely roll your own: https://github.com/mrparkers/terraform-provider-keycloak/pull/744
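The configuration below is an added example, not code from this thread or from the provider's own documentation. It shows the pattern the thread converges on: drop the mappers Keycloak auto-creates and declare every LDAP-to-profile mapping explicitly, each as read-only, so that no attribute is defined by two mappers (the thread observes that the winning value is then order-dependent and inconsistent). The option name `delete_default_mappers` is assumed to be what PR #744 introduced; the provider's other arguments used here (`edit_mode`, `user_object_classes`, `connection_url`, `users_dn`, `bind_dn`, `bind_credential`, and the mapper arguments) exist in the provider, while all DNs, URLs and names are constructed placeholders.

```hcl
# Added example; assumptions are marked inline.

variable "ldap_bind_password" {
  type      = string
  sensitive = true # keep the bind credential out of the config and the plan output
}

resource "keycloak_realm" "example" {
  realm = "example" # constructed
}

resource "keycloak_ldap_user_federation" "openldap" {
  name     = "openldap"
  realm_id = keycloak_realm.example.id
  enabled  = true

  # Keycloak derives its default mappers from these three attributes.
  username_ldap_attribute = "uid"
  rdn_ldap_attribute      = "uid"
  uuid_ldap_attribute     = "entryUUID"
  user_object_classes     = ["inetOrgPerson", "organizationalPerson"]

  connection_url  = "ldaps://ldap.example.internal:636" # constructed; TLS, not plain ldap://
  users_dn        = "ou=people,dc=example,dc=internal"  # constructed
  bind_dn         = "cn=readonly,dc=example,dc=internal" # constructed; a read-only service account
  bind_credential = var.ldap_bind_password

  # Keycloak never writes back to the directory.
  edit_mode = "READ_ONLY"

  # ASSUMED name of the option from PR #744: remove the mappers Keycloak
  # auto-creates so the resources below are the complete set.
  delete_default_mappers = true
}

# One mapper per profile attribute. Because the defaults are gone, no
# attribute is set by two mappers and the resulting value is deterministic.
resource "keycloak_ldap_user_attribute_mapper" "username" {
  realm_id                    = keycloak_realm.example.id
  ldap_user_federation_id     = keycloak_ldap_user_federation.openldap.id
  name                        = "username"
  user_model_attribute        = "username"
  ldap_attribute              = "uid"
  read_only                   = true
  is_mandatory_in_ldap        = true
  always_read_value_from_ldap = true
}

resource "keycloak_ldap_user_attribute_mapper" "email" {
  realm_id                    = keycloak_realm.example.id
  ldap_user_federation_id     = keycloak_ldap_user_federation.openldap.id
  name                        = "email"
  user_model_attribute        = "email"
  ldap_attribute              = "mail"
  read_only                   = true
  always_read_value_from_ldap = true
}

resource "keycloak_ldap_user_attribute_mapper" "first_name" {
  realm_id                    = keycloak_realm.example.id
  ldap_user_federation_id     = keycloak_ldap_user_federation.openldap.id
  name                        = "first-name"
  user_model_attribute        = "firstName"
  ldap_attribute              = "givenName"
  read_only                   = true
  always_read_value_from_ldap = true
}
```

Worth checking after `terraform apply`: in the Keycloak admin console the federation should list exactly the mappers declared here and nothing else; if Keycloak's auto-created `username`, `email` or `first name` mappers are still present, the option name above does not match the provider version in use and the duplicate-mapper ambiguity from the thread still applies.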