Skip to content

add connection_pooling params for userfederation #1374

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 5 commits into from
Nov 17, 2025
Merged

add connection_pooling params for userfederation #1374

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
cbd4b1a
add connection_pooling params for userfederation
Nov 9, 2025
7af0d5d
fix tests
Nov 15, 2025
f712e2d
fix tests
Nov 15, 2025
124ca43
fix tests
Nov 15, 2025
71d7dc5
set default connectionPooling to false
Nov 17, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions docs/resources/ldap_user_federation.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -70,6 +70,7 @@ resource "keycloak_ldap_user_federation" "ldap_user_federation" {
- `ONE_LEVEL`: Only search for users in the DN specified by `user_dn`.
- `SUBTREE`: Search entire LDAP subtree.
- `start_tls` - (Optional) When `true`, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling.
- `connection_pooling` - (Optional) When `true`, LDAP connection pooling is enabled. Defaults to `false`.
- `use_password_modify_extended_op` - (Optional) When `true`, use the LDAPv3 Password Modify Extended Operation (RFC-3062).
- `validate_password_policy` - (Optional) When `true`, Keycloak will validate passwords using the realm policy before updating it.
- `trust_email` - (Optional) If enabled, email provided by this provider is not verified even if verification is enabled for the realm.
Expand Down
10 changes: 10 additions & 0 deletions keycloak/ldap_user_federation.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,7 @@ type LdapUserFederation struct {
ConnectionTimeout string // duration string (ex: 1h30m)
ReadTimeout string // duration string (ex: 1h30m)
Pagination bool
ConnectionPooling bool

ServerPrincipal string
UseKerberosForPasswordAuthentication bool
Expand Down Expand Up @@ -104,6 +105,9 @@ func convertFromLdapUserFederationToComponent(ldap *LdapUserFederation) (*compon
"startTls": {
strconv.FormatBool(ldap.StartTls),
},
"connectionPooling": {
strconv.FormatBool(ldap.ConnectionPooling),
},
"usePasswordModifyExtendedOp": {
strconv.FormatBool(ldap.UsePasswordModifyExtendedOp),
},
Expand Down Expand Up @@ -253,6 +257,11 @@ func convertFromComponentToLdapUserFederation(component *component) (*LdapUserFe
return nil, err
}

connectionPooling, err := parseBoolAndTreatEmptyStringAsFalse(component.getConfig("connectionPooling"))
if err != nil {
return nil, err
}

usePasswordModifyExtendedOp, err := parseBoolAndTreatEmptyStringAsFalse(component.getConfig("usePasswordModifyExtendedOp"))
if err != nil {
return nil, err
Expand Down Expand Up @@ -323,6 +332,7 @@ func convertFromComponentToLdapUserFederation(component *component) (*LdapUserFe
SearchScope: component.getConfig("searchScope"),

StartTls: startTls,
ConnectionPooling: connectionPooling,
UsePasswordModifyExtendedOp: usePasswordModifyExtendedOp,
ValidatePasswordPolicy: validatePasswordPolicy,
TrustEmail: trustEmail,
Expand Down
8 changes: 8 additions & 0 deletions provider/resource_keycloak_ldap_user_federation.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -147,6 +147,12 @@ func resourceKeycloakLdapUserFederation() *schema.Resource {
Default: false,
Description: "When true, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling.",
},
"connection_pooling": {
Type: schema.TypeBool,
Optional: true,
Default: false,
Description: "When true, Keycloak will use connection pooling when connecting to LDAP.",
},
"use_password_modify_extended_op": {
Type: schema.TypeBool,
Optional: true,
Expand Down Expand Up @@ -341,6 +347,7 @@ func getLdapUserFederationFromData(data *schema.ResourceData, realmInternalId st
SearchScope: data.Get("search_scope").(string),

StartTls: data.Get("start_tls").(bool),
ConnectionPooling: data.Get("connection_pooling").(bool),
UsePasswordModifyExtendedOp: data.Get("use_password_modify_extended_op").(bool),
ValidatePasswordPolicy: data.Get("validate_password_policy").(bool),
TrustEmail: data.Get("trust_email").(bool),
Expand Down Expand Up @@ -412,6 +419,7 @@ func setLdapUserFederationData(data *schema.ResourceData, ldap *keycloak.LdapUse
data.Set("search_scope", ldap.SearchScope)

data.Set("start_tls", ldap.StartTls)
data.Set("connection_pooling", ldap.ConnectionPooling)
data.Set("use_password_modify_extended_op", ldap.UsePasswordModifyExtendedOp)
data.Set("validate_password_policy", ldap.ValidatePasswordPolicy)
data.Set("trust_email", ldap.TrustEmail)
Expand Down
6 changes: 5 additions & 1 deletion provider/resource_keycloak_ldap_user_federation_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -161,6 +161,7 @@ func generateRandomLdapKerberos(enabled bool) *keycloak.LdapUserFederation {
BindCredential: acctest.RandString(10),
SearchScope: randomStringInSlice([]string{"ONE_LEVEL", "SUBTREE"}),
StartTls: true,
ConnectionPooling: false,
UsePasswordModifyExtendedOp: true,
ValidatePasswordPolicy: true,
UseTruststoreSpi: randomStringInSlice([]string{"ALWAYS", "ONLY_FOR_LDAPS", "NEVER"}),
Expand Down Expand Up @@ -275,6 +276,7 @@ func TestAccKeycloakLdapUserFederation_basicUpdateAll(t *testing.T) {
BindCredential: acctest.RandString(10),
SearchScope: randomStringInSlice([]string{"ONE_LEVEL", "SUBTREE"}),
StartTls: firstStartTls,
ConnectionPooling: !firstStartTls,
UsePasswordModifyExtendedOp: firstUsePasswordModifyExtendedOp,
ValidatePasswordPolicy: firstValidatePasswordPolicy,
TrustEmail: firstTrustEmail,
Expand Down Expand Up @@ -314,6 +316,7 @@ func TestAccKeycloakLdapUserFederation_basicUpdateAll(t *testing.T) {
BindCredential: acctest.RandString(10),
SearchScope: randomStringInSlice([]string{"ONE_LEVEL", "SUBTREE"}),
StartTls: !firstStartTls,
ConnectionPooling: firstStartTls,
UsePasswordModifyExtendedOp: !firstUsePasswordModifyExtendedOp,
ValidatePasswordPolicy: !firstValidatePasswordPolicy,
TrustEmail: secondTrustEmail,
Expand Down Expand Up @@ -694,6 +697,7 @@ resource "keycloak_ldap_user_federation" "openldap" {
edit_mode = "%s"
start_tls = %t
connection_pooling = %t
use_password_modify_extended_op = %t
validate_password_policy = %t
trust_email = %t
Expand Down Expand Up @@ -721,7 +725,7 @@ resource "keycloak_ldap_user_federation" "openldap" {
eviction_minute = %d
}
}
`, testAccRealmUserFederation.Realm, ldap.Name, ldap.Enabled, ldap.UsernameLDAPAttribute, ldap.RdnLDAPAttribute, ldap.UuidLDAPAttribute, arrayOfStringsForTerraformResource(ldap.UserObjectClasses), ldap.ConnectionUrl, ldap.UsersDn, ldap.BindDn, ldap.BindCredential, ldap.SearchScope, ldap.EditMode, ldap.StartTls, ldap.UsePasswordModifyExtendedOp, ldap.ValidatePasswordPolicy, ldap.TrustEmail, ldap.UseTruststoreSpi, ldap.ConnectionTimeout, ldap.ReadTimeout, ldap.Pagination, ldap.BatchSizeForSync, ldap.FullSyncPeriod, ldap.ChangedSyncPeriod, ldap.ServerPrincipal, ldap.UseKerberosForPasswordAuthentication, ldap.KeyTab, ldap.KerberosRealm, ldap.CachePolicy, ldap.MaxLifespan, *ldap.EvictionDay, *ldap.EvictionHour, *ldap.EvictionMinute)
`, testAccRealmUserFederation.Realm, ldap.Name, ldap.Enabled, ldap.UsernameLDAPAttribute, ldap.RdnLDAPAttribute, ldap.UuidLDAPAttribute, arrayOfStringsForTerraformResource(ldap.UserObjectClasses), ldap.ConnectionUrl, ldap.UsersDn, ldap.BindDn, ldap.BindCredential, ldap.SearchScope, ldap.EditMode, ldap.StartTls, ldap.ConnectionPooling, ldap.UsePasswordModifyExtendedOp, ldap.ValidatePasswordPolicy, ldap.TrustEmail, ldap.UseTruststoreSpi, ldap.ConnectionTimeout, ldap.ReadTimeout, ldap.Pagination, ldap.BatchSizeForSync, ldap.FullSyncPeriod, ldap.ChangedSyncPeriod, ldap.ServerPrincipal, ldap.UseKerberosForPasswordAuthentication, ldap.KeyTab, ldap.KerberosRealm, ldap.CachePolicy, ldap.MaxLifespan, *ldap.EvictionDay, *ldap.EvictionHour, *ldap.EvictionMinute)
}

func testKeycloakLdapUserFederation_basicWithAttrValidation(attr, ldap, val string) string {
Expand Down