INF-162 - Enable the LDAP configuration from REST API
- Create LDAP configuration
- Create LDAP mappers
- Enable Audit logging
- Verify the LDAP Authentication in Molecule environment
- Verify the user operation, create from Keycloak and search from LDAP
Change-Id: Ie6ea7f40cfe403ee3747a30b0bfb3acc9c72057f
diff --git a/tasks/main.yml b/tasks/main.yml
index 5722125..aa31ddb 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -57,7 +57,7 @@
chdir: "{{ keycloak_working_dir }}/bin/"
cmd: >
./kcadm.sh get users
- --server http://localhost:8080/auth
+ --server {{ keycloak_server }}/auth
--realm master --user {{ keycloak_admin_username }}
--password {{ keycloak_admin_password }}
register: kcadm_result
@@ -94,7 +94,7 @@
- name: Configure Keycloak client
community.general.keycloak_client:
- auth_keycloak_url: http://localhost:8080/auth
+ auth_keycloak_url: "{{ keycloak_server }}/auth"
auth_realm: "{{ item.auth_realm }}"
auth_username: "{{ keycloak_admin_username }}"
auth_password: "{{ keycloak_admin_password }}"
@@ -107,3 +107,112 @@
protocol_mappers: "{{ item.protocol_mappers }}"
state: present
with_items: "{{ keycloak_client_settings }}"
+
+- name: "Create Token for Keycloak service"
+ uri:
+ url: "{{ keycloak_server }}/auth/realms/master/protocol/openid-connect/token"
+ method: POST
+ body_format: form-urlencoded
+ body:
+ username: "{{ keycloak_admin_username }}"
+ password: "{{ keycloak_admin_password }}"
+ grant_type: "password"
+ client_id: "admin-cli"
+ register: keycloak_token
+
+- name: "Get existing LDAP configuration"
+ uri:
+ url: "{{ keycloak_admin_api }}/components?type=org.keycloak.storage.UserStorageProvider"
+ method: GET
+ headers:
+ Accept: "application/json"
+ Authorization: "Bearer {{ keycloak_token.json.access_token }}"
+ register: keycloak_components_list
+
+- name: Check if the Keycloak already has the LDAP configuration
+ set_fact:
+ ldap_id: "{{ item.id }}"
+ with_items: "{{ keycloak_components_list.json }}"
+ when: item.name == "ldap"
+
+- name: Generate a local json file for LDAP configuration
+ become: false
+ delegate_to: localhost
+ template:
+ src: "ldap.config.j2"
+ dest: "/tmp/ldap.config"
+ mode: "0600"
+ changed_when: false
+
+- name: "Create LDAP Provider if not exist"
+ uri:
+ url: "{{ keycloak_admin_api }}/components"
+ method: POST
+ src: /tmp/ldap.config
+ status_code: [201]
+ headers:
+ Content-Type: application/json
+ Authorization: "Bearer {{ keycloak_token.json.access_token }}"
+ register: keycloak_create_ldap_response
+ when: ldap_id is not defined
+
+- name: "Update LDAP Provider if exist"
+ uri:
+ url: "{{ keycloak_admin_api }}/components/{{ ldap_id }}"
+ method: PUT
+ src: /tmp/ldap.config
+ status_code: [204]
+ headers:
+ Content-Type: application/json
+ Authorization: "Bearer {{ keycloak_token.json.access_token }}"
+ when: ldap_id is defined
+
+- name: Update LDAP_ID with new created LDAP components
+ set_fact:
+ ldap_id: "{{ keycloak_create_ldap_response.location | basename }}"
+ when: ldap_id is not defined
+
+- name: Generate a local json file for LDAP mapper configuration
+ become: false
+ delegate_to: localhost
+ template:
+ src: "{{ item }}.j2"
+ dest: "/tmp/{{ item }}"
+ mode: "0600"
+ with_items:
+ - ldap.mapper.group
+ - keycloak.event.config
+ changed_when: false
+
+- name: Create LDAP mapper from local json configuraiton
+ uri:
+ url: "{{ keycloak_admin_api }}/components/"
+ method: POST
+ src: "/tmp/{{ item }}"
+ status_code: [201]
+ headers:
+ Content-Type: application/json
+ Authorization: "Bearer {{ keycloak_token.json.access_token }}"
+ with_items:
+ - ldap.mapper.group
+
+- name: Create LDAP mapper from local json configuraiton
+ uri:
+ url: "{{ keycloak_admin_api }}/events/config"
+ method: PUT
+ src: "/tmp/keycloak.event.config"
+ status_code: [204]
+ headers:
+ Content-Type: application/json
+ Authorization: "Bearer {{ keycloak_token.json.access_token }}"
+
+- name: Remove local LDAP json file
+ delegate_to: localhost
+ file:
+ path: "/tmp/{{ item }}"
+ state: absent
+ with_items:
+ - ldap.config
+ - ldap.mapper.group
+ - keycloak.event.config
+ changed_when: false
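Review bot: `src: /tmp/ldap.config` in "Create LDAP Provider if not exist" (and the `src: "/tmp/{{ item }}"` paths of the later uri tasks) is read on the host the uri task runs on, but the file was rendered by a `template` task with `delegate_to: localhost`, so unless the play itself targets localhost the request fails on a missing file; either add `delegate_to: localhost` to every `uri` task that consumes these files or drop the delegation from the two `template` tasks (the hunk opens in the tail of the preceding "Configure Keycloak client" task). The token task sends `keycloak_admin_password` in the body and registers the access token, and every following task carries it in an `Authorization` header, yet none sets `no_log: true`, so a verbose run or a failed-task result dump would write the credential and the bearer token to the log; add `no_log: true` at least to "Create Token for Keycloak service" and, since the uri module does not appear to mask `headers`, to the tasks sending the header too. The rendered `ldap.config` is only removed by the last task, so any failure between the template and the cleanup leaves it under a fixed path in the shared `/tmp` of the controller (if the template carries the LDAP bind credential, that is the secret left behind); put the create/update/mapper tasks in a `block:` with the removal under `always:`, or render into a path from the `tempfile` module instead of a hard-coded `/tmp` name. "Create LDAP mapper from local json configuraiton" POSTs the mapper with `status_code: [201]` on every run and has no existence check like the provider does, so a second run re-creates (or fails on) the mapper rather than converging. That task name is also reused by the next task, which actually PUTs `/events/config`; rename the second one `Enable Keycloak event (audit) logging` and fix the `configuraiton` typo so failures are attributable.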