[PR #7538/938aec49 backport][stable-8] [keycloak_user_federation]: Adding option krbPrincipalAttribute (#7605)

[keycloak_user_federation]: Adding option krbPrincipalAttribute (#7538) * keycloak_user_federation: Adding support for krbPrincipalAttribute Signed-off-by: boolman <boolman@gmail.com> * pr/7538 adding changelogs/fragment file Signed-off-by: boolman <boolman@gmail.com> * Update changelogs/fragments/7538-add-krbprincipalattribute-option.yml Co-authored-by: Felix Fontein <felix@fontein.de> * Update plugins/modules/keycloak_user_federation.py Co-authored-by: Felix Fontein <felix@fontein.de> * Update plugins/modules/keycloak_user_federation.py Co-authored-by: Felix Fontein <felix@fontein.de> --------- Signed-off-by: boolman <boolman@gmail.com> Co-authored-by: Felix Fontein <felix@fontein.de> (cherry picked from commit 938aec492e) Co-authored-by: Boolman <boolman@gmail.com>
2024-09-14 20:13:21 +02:00 · 2023-11-26 17:35:45 +01:00 · 2023-11-26 17:35:45 +01:00 · c82c375aef
commit c82c375aef
parent d5f6889f51
3 changed files with 17 additions and 0 deletions
--- a/changelogs/fragments/7538-add-krbprincipalattribute-option.yml
+++ b/changelogs/fragments/7538-add-krbprincipalattribute-option.yml
@ -0,0 +1,2 @@
+minor_changes:
+  - keycloak_user_federation - add option for ``krbPrincipalAttribute`` (https://github.com/ansible-collections/community.general/pull/7538).
--- a/plugins/modules/keycloak_user_federation.py
+++ b/plugins/modules/keycloak_user_federation.py
@ -342,6 +342,16 @@ options:
                    - Name of kerberos realm.
                type: str

+            krbPrincipalAttribute:
+                description:
+                    - Name of the LDAP attribute, which refers to Kerberos principal.
+                      This is used to lookup appropriate LDAP user after successful Kerberos/SPNEGO authentication in Keycloak.
+                      When this is empty, the LDAP user will be looked based on LDAP username corresponding
+                      to the first part of his Kerberos principal. For instance, for principal C(john@KEYCLOAK.ORG),
+                      it will assume that LDAP username is V(john).
+                type: str
+                version_added: 8.1.0
+
            serverPrincipal:
                description:
                    - Full name of server principal for HTTP service including server and domain name. For
@ -764,6 +774,7 @@ def main():
        readTimeout=dict(type='int'),
        searchScope=dict(type='str', choices=['1', '2'], default='1'),
        serverPrincipal=dict(type='str'),
+        krbPrincipalAttribute=dict(type='str'),
        startTls=dict(type='bool', default=False),
        syncRegistrations=dict(type='bool', default=False),
        trustEmail=dict(type='bool', default=False),
--- a/tests/unit/plugins/modules/test_keycloak_user_federation.py
+++ b/tests/unit/plugins/modules/test_keycloak_user_federation.py
@ -326,6 +326,7 @@ class TestKeycloakUserFederation(ModuleTestCase):
                'connectionPooling': True,
                'pagination': True,
                'allowKerberosAuthentication': False,
+                'krbPrincipalAttribute': 'krbPrincipalName',
                'debug': False,
                'useKerberosForPasswordAuthentication': False,
            },
@ -374,6 +375,9 @@ class TestKeycloakUserFederation(ModuleTestCase):
                    "enabled": [
                        "true"
                    ],
+                    "krbPrincipalAttribute": [
+                        "krb5PrincipalName"
+                    ],
                    "usernameLDAPAttribute": [
                        "uid"
                    ],