
LDAP configuration

Using this API, user records will be added to or updated on the authorization server.

Resource Information

| Name | Value |
|---|---|
| Requires authentication? | Yes |
| Rate limited? | No |

Request

Request headers

| Key | Value |
|---|---|
| Authorization | Bearer token |
| Content-Type | application/json |

HTTP request URL for SSMS

POST https://{tenantId}.{hostname}/digitanium/v4/ldap

HTTP request URL for SHIFT

POST https://{hostname}/auth/realms/{tenantId}/v3_ldap/components

Note: At this moment, this API is applicable for SSMS based installations.

Note: API requests must be made over https. Calls made over plain http will fail.

Parameters

No parameter fields are required.

Request body (* Required)

| Field Name | Type | Description |
|---|---|---|
| *id | String | Unique id for the LDAP config. (`"id": "configid5"`) |
| *name | String | Display name of the LDAP config. (`"name": "ldap_xxx"`) |
| *providerType | String | Provider type for the config. (`"providerType": "org.keycloak.storage.UserStorageProvider"`) |
| *config | Object | LDAP basic configuration. |
| enabled | List of boolean | If the provider is disabled it will not be considered for queries, and imported users will be disabled and read-only until the provider is enabled again. |
| priority | List of String (Integer parsed) | Priority of the provider when doing a user lookup. Lowest first. |
| importEnabled | List of boolean | If true, LDAP users will be imported into the Digitanium Identity DB and synced via the configured sync policies. |
| editMode | List of String | READ_ONLY is a read-only LDAP store. WRITABLE means data will be synced back to LDAP on demand. UNSYNCED means user data will be imported, but not synced back to LDAP. |
| syncRegistrations | List of boolean | Should newly created users be created within the LDAP store? Priority affects which provider is chosen to sync the new user. |
| *vendor | List of String | LDAP Vendor (Provider). Based on the vendor name, usernameLDAPAttribute, uuidLDAPAttribute, userObjectClasses and rdnLDAPAttribute are updated. Use the following values for specific vendors: Active Directory=ad, Red Hat Directory Server=rhds, Tivoli=tivoli, Novell eDirectory=edirectory, Other=other |
| *connectionUrl | List of String | Connection URL to your LDAP server. |
| *usersDn | List of String | Full DN of the LDAP tree where your users are. This DN is the parent of LDAP users. It could be for example 'ou=users,dc=example,dc=com', assuming that your typical user will have a DN like 'uid=john,ou=users,dc=example,dc=com'. |
| *authType | List of String | LDAP authentication type. Right now just 'none' (anonymous LDAP authentication) or 'simple' (Bind credential + Bind password authentication) mechanisms are available. |
| *bindDn | List of String | DN of the LDAP admin, which will be used by mIDentity to access the LDAP server. |
| *bindCredential | List of String | Password for the LDAP admin. |
| customUserSearchFilter | List of String | Additional LDAP filter for filtering searched users. Leave this empty if you don't need an additional filter. Make sure that it starts with '(' and ends with ')'. |
| searchScope | List of String (Integer parsed) | For one level, we search for users just in the DNs specified by User DNs. For subtree, we search in the whole of their subtree. See the LDAP documentation for more details. |
| validatePasswordPolicy | List of boolean | Should mIDentity validate the password against the realm password policy before updating it? |
| useTruststoreSpi | List of String | Specifies whether the LDAP connection will use the truststore SPI with the truststore configured in standalone.xml/domain.xml. 'Always' means that it will always use it. 'Never' means that it won't use it. 'Only for ldaps' means that it will use it if your connection URL uses ldaps. Note that even if standalone.xml/domain.xml is not configured, the default Java cacerts or the certificate specified by the 'javax.net.ssl.trustStore' property will be used. |
| connectionPooling | List of boolean | Use connection pooling for accessing the LDAP server. |
| connectionTimeout | List of String (Integer parsed) | LDAP connection timeout in milliseconds. |
| readTimeout | List of String (Integer parsed) | LDAP read timeout in milliseconds. This timeout applies to LDAP read operations. |
| pagination | List of boolean | If the LDAP server supports pagination we can enable or disable it. |
| allowKerberosAuthentication | List of boolean | Enable/disable HTTP authentication of users with SPNEGO/Kerberos tokens. The data about authenticated users will be provisioned from this LDAP server. |
| *kerberosRealm | List of String | (consider if allowKerberosAuthentication = true) Name of the Kerberos realm. For example FOO.ORG |
| *serverPrincipal | List of String | (consider if allowKerberosAuthentication = true) Full name of the server principal for the HTTP service, including server and domain name. For example HTTP/host.foo.org@FOO.ORG |
| *keyTab | List of String | (consider if allowKerberosAuthentication = true) Location of the Kerberos keytab file containing the credentials of the server principal. For example /etc/krb5.keytab |
| debug | List of boolean | (consider if allowKerberosAuthentication = true) Enable/disable debug logging to standard output for Krb5LoginModule. |
| useKerberosForPasswordAuthentication | List of boolean | Use the Kerberos login module to authenticate username/password against the Kerberos server instead of authenticating against the LDAP server with the Directory Service API. |
| batchSizeForSync | List of String (Integer parsed) | Count of LDAP users to be imported from LDAP to Digitanium Identity within a single transaction. (`"batchSizeForSync": ["1000"]`) |
| fullSyncEnabled | List of boolean | Whether periodic full synchronization of LDAP users to Keycloak should be enabled or not. |
| fullSyncPeriod | List of String (Integer parsed) | Period for full synchronization in seconds. |
| changedSyncEnabled | List of boolean | Whether periodic synchronization of changed or newly created LDAP users to Keycloak should be enabled or not. |
| changedSyncPeriod | List of String (Integer parsed) | Period for synchronization of changed or newly created LDAP users in seconds. |
| cachePolicy | List of String | Cache policy for this storage provider. 'DEFAULT' is whatever the default settings are for the global cache. 'EVICT_DAILY' is a time of day every day that the cache will be invalidated. 'EVICT_WEEKLY' is a day of the week and time the cache will be invalidated. 'MAX-LIFESPAN' is the time in milliseconds that will be the lifespan of a cache entry. |
| evictionMinute | List of String (Integer parsed) | Minute of the day the entry will become invalid on. (value between 0 and 59) |
| evictionHour | List of String (Integer parsed) | Hour of the day the entry will become invalid on. (value between 0 and 23) |
| evictionDay | List of String (Integer parsed) | Day of the week the entry will become invalid on. (value between 1 and 7, i.e. 1 - Sunday, 2 - Monday, ..., 7 - Saturday) |
| maxLifespan | List of String (Integer parsed) | Max lifespan of a cache entry in milliseconds. |

Sample Request

```json
{
  "id": "configid5",
  "name": "ldap_xxx",
  "providerType": "org.keycloak.storage.UserStorageProvider",
  "config": {
    "fullSyncPeriod": ["-1"],
    "pagination": ["true"],
    "connectionPooling": ["true"],
    "usersDn": ["dc=xxxx,dc=com"],
    "cachePolicy": ["DEFAULT"],
    "useKerberosForPasswordAuthentication": ["false"],
    "importEnabled": ["true"],
    "enabled": ["true"],
    "bindCredential": ["**********"],
    "changedSyncPeriod": ["-1"],
    "bindDn": ["cn=xxxx,dc=xxxx,dc=com"],
    "lastSync": ["123123123"],
    "vendor": ["other"],
    "allowKerberosAuthentication": ["false"],
    "connectionUrl": ["ldap://52.210.11.165"],
    "syncRegistrations": ["false"],
    "authType": ["simple"],
    "customUserSearchFilter": ["(uid=*)"],
    "debug": ["false"],
    "searchScope": ["2"],
    "useTruststoreSpi": ["ldapsOnly"],
    "priority": ["0"],
    "editMode": ["WRITABLE"],
    "validatePasswordPolicy": ["false"],
    "batchSizeForSync": ["1000"]
  }
}
```
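The checks a client should make before sending this body, as an added example that is not part of the product's own code: every `config` value is a one-element list of strings, the required and Kerberos-conditional fields from the table are present, `customUserSearchFilter` is parenthesised, the eviction fields are in range, and the SSMS URL is always assembled over https. The function and constant names are this example's own.

```python
import json
from urllib.parse import urlparse

# Allowed values and required fields are taken from the field table above.
VENDORS = {"ad", "rhds", "tivoli", "edirectory", "other"}
EDIT_MODES = {"READ_ONLY", "WRITABLE", "UNSYNCED"}
AUTH_TYPES = {"none", "simple"}
REQUIRED = ("vendor", "connectionUrl", "usersDn", "authType", "bindDn", "bindCredential")
KERBEROS_REQUIRED = ("kerberosRealm", "serverPrincipal", "keyTab")
INT_RANGES = {"evictionMinute": (0, 59), "evictionHour": (0, 23), "evictionDay": (1, 7)}


def validate_ldap_config(body):
    """Return a list of problems with the request body; an empty list means it passes."""
    problems = []
    for key in ("id", "name", "providerType", "config"):
        if not body.get(key):
            problems.append(f"top-level '{key}' is required")
    config = body.get("config") or {}
    def first(key):  # config values are one-element lists of strings, as in the sample request
        val = config.get(key)
        return val[0] if isinstance(val, list) and len(val) == 1 and isinstance(val[0], str) else None
    problems += [f"config.{k} must be a one-element list of strings" for k in config if first(k) is None]
    problems += [f"config.{k} is required" for k in REQUIRED if not first(k)]
    for key, allowed in (("vendor", VENDORS), ("editMode", EDIT_MODES), ("authType", AUTH_TYPES)):
        if first(key) and first(key) not in allowed:
            problems.append(f"config.{key} '{first(key)}' is not one of {sorted(allowed)}")
    url = first("connectionUrl")
    if url and urlparse(url).scheme not in ("ldap", "ldaps"):
        problems.append("connectionUrl must use the ldap:// or ldaps:// scheme")
    flt = first("customUserSearchFilter")
    if flt and not (flt.startswith("(") and flt.endswith(")")):
        problems.append("customUserSearchFilter must start with '(' and end with ')'")
    if first("allowKerberosAuthentication") == "true":  # kerberosRealm etc. become mandatory
        problems += [f"config.{k} is required when allowKerberosAuthentication is true"
                     for k in KERBEROS_REQUIRED if not first(k)]
    for key, (lo, hi) in INT_RANGES.items():
        if first(key) is not None and not (first(key).isdigit() and lo <= int(first(key)) <= hi):
            problems.append(f"config.{key} must be an integer between {lo} and {hi}")
    return problems


def build_ssms_request(tenant_id, hostname, token, body):
    """Assemble the POST for the SSMS URL documented above; raises ValueError on a bad body."""
    problems = validate_ldap_config(body)
    if problems:
        raise ValueError("; ".join(problems))
    return {"method": "POST", "url": f"https://{tenant_id}.{hostname}/digitanium/v4/ldap",
            "headers": {"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
            "data": json.dumps(body)}
```

The returned dict can be handed to any HTTP client; a 409 from the server means the `id` is already taken, per the status table below.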

Response

| Field Name | Type | Description |
|---|---|---|
| message | String | Message explaining the result of the API call. Refer to Response Status Information for details. |
| status | String | The status of the API call. Refer to Response Status Information for details. |
| subSystem | Integer | subSystem categorizes the type of API that has been called. Refer to Subsystem details for details. |

Sample Response

```json
{
  "message": "Successfully created LDAP service provider",
  "status": "OK",
  "subSystem": 9
}
```

Response Status Information

| Status Code | Status | Message |
|---|---|---|
| 200 | OK | Successfully created LDAP service provider |
| 400 | BAD_REQUEST | LDAP Configuration is mandatory |
| 401 | Unauthorized | HTTP 401 Unauthorized |
| 409 | CONFLICT | LDAP Component Id already exists! |