From f36711fa2f08e43eb1c4e34d88b9ce2ec0542116 Mon Sep 17 00:00:00 2001
From: Sarah Rambacher
Date: Wed, 13 Jan 2021 14:28:53 -0500
Subject: [PATCH] adds user fed mappers text
---
 src/user-federation/help.json | 64 ++++++++++++++++++++++++++++++-
 src/user-federation/messages.json | 62 +++++++++++++++++++++++++++++-
 2 files changed, 124 insertions(+), 2 deletions(-)
diff --git a/src/user-federation/help.json b/src/user-federation/help.json
index d375c7226e..a56edfb7c1 100644
--- a/src/user-federation/help.json
+++ b/src/user-federation/help.json
@@ -64,6 +64,68 @@
 "editModeKerberosHelp": "READ_ONLY means that password updates are not allowed and user always authenticates with Kerberos password. UNSYNCED means that the user can change the password in the Keycloak database and this one will be used instead of the Kerberos password",
 "updateFirstLoginHelp": "Update profile on first login",
- "kerberosCacheSettingsDescription": "This section contains a few basic options common to all user storage providers"
+ "kerberosCacheSettingsDescription": "This section contains a few basic options common to all user storage providers",
+
+ "nameHelp": "Name of the mapper",
+ "mapperTypeHelp": "",
+
+ "mapperTypeMsadUserAccountControlManagerHelp": "Mapper specific to MSAD. It's able to integrate the MSAD user account state into Keycloak account state (account enabled, password is expired etc). It's using userAccountControl and pwdLastSet MSAD attributes for that. For example if pwdLastSet is 0, the Keycloak user is required to update password; if userAccountControl is 514 (disabled account) the Keycloak user is disabled as well etc. Mapper is also able to handle the exception code from LDAP user authentication",
+ "mapperTypeMsadLdsUserAccountControlMapperHelp": "Mapper specific to MSAD LDS. It's able to integrate the MSAD LDS user account state into Keycloak account state (account enabled, password is expired etc). It's using msDS-UserAccountDisabled and pwdLastSet is 0, the Keycloak user is required to update password, if msDS-UserAccountDisabled is 'TRUE' the Keycloak user is disabled as well etc. Mapper is also able to handle exception code from LDAP user authentication.",
+ "mapperTypeGroupLdapMapperHelp": "Used to map group mappings of groups from some LDAP DN to Keycloak group mappings",
+ "mapperTypeUserAttributeLdapMapperHelp": "Used to map single attribute from LDAP user to attribute of UserModel in Keycloak DB",
+ "mapperTypeRoleLdapMapperHelp": "Used to map role mappings of roles from some LDAP DN to Keycloak role mappings of either realm roles or client roles of particular client",
+ "mapperTypeHardcodedAttributeMapperHelp": "This mapper will hardcode any model user attribute and some property (like emailVerified or enabled) when importing user from LDAP.",
+ "mapperTypeHardcodedLdapRoleMapperHelp": "When user is imported from LDAP, they will be automatically added into this configured role.",
+ "mapperTypeCertificateLdapMapperHelp": "Used to map single attribute which contains a certificate from LDAP user to attribute of UserModel in Keycloak DB",
+ "mapperTypeFullNameLdapMapperHelp": "Used to map full-name of user from single attribute in LDAP (usually 'cn' attribute) to firstName and lastName attributes of UserModel in Keycloak DB",
+ "mapperTypeHardcodedLdapGroupMapperHelp": "When user is imported from LDAP, they will be automatically added into this configured group.",
+ "mapperTypeLdapAttributeMapperHelp": "This mapper is supported just if syncRegistrations is enabled. When new user is registered in Keycloak, he will be written to the LDAP with the hardcoded value of some specified attribute.",
+
+ "passwordPolicyHintsEnabledHelp": "Applicable just for writable MSAD. If on, then updating password of MSAD user will use LDAP_SERVER_POLICY_HINTS_OID extension, which means that advanced MSAD password policies like 'password history' or 'minimal password age' will be applied. This extension works just for MSAD 2008 R2 or newer.",
+
+ "ldapGroupsDnHelp": "LDAP DN where groups of this tree are saved. For example 'ou=groups,dc=example,dc=org'",
+ "groupNameLDAPAttributeHelp": "Name of LDAP attribute, which is used in group objects for name and RDN of group. Usually it will be 'cn'. In this case typical group/role object may have DN like 'cn=Group1,ouu=groups,dc=example,dc=org'",
+ "groupObjectClassesHelp": "Object class (or classes) of the group object. It's divided by comma if more classes needed. In typical LDAP deployment it could be 'groupOfNames'. In Active Directory it's usually 'group'",
+ "preserveGroupInheritanceHelp": "Flag whether group inheritance from LDAP should be propagated to Keycloak. If false, then all LDAP groups will be mapped as flat top-level groups in Keycloak. Otherwise group inheritance is preserved into Keycloak, but the group sync might fail if LDAP structure contains recursions or multiple parent groups per child groups",
+ "ignoreMissingGroupsHelp": "Ignore missing groups in the group hierarchy",
+ "membershipLdapAttributeHelp": "Name of LDAP attribute on group, which is used for membership mappings. Usually it will be 'member' .However when 'Membership Attribute Type' is 'UID' then 'Membership LDAP Attribute' could be typically 'memberUid' .",
+ "membershipAttributeTypeHelp": "DN means that LDAP group has it's members declared in form of their full DN. For example 'member: uid=john,ou=users,dc=example,dc=com'. UID means that LDAP group has it's members declared in form of pure user uids. For example 'memberUid: john'.",
+ "membershipUserLdapAttributeHelp": "Used just if Membership Attribute Type is UID. It is name of LDAP attribute on user, which is used for membership mappings. Usually it will be 'uid'. For example if value of 'Membership User LDAP Attribute' is 'uid' and LDAP group has 'memberUid: john', then it is expected that particular LDAP user will have attribute 'uid: john'.",
+ "ldapFilterHelp": "LDAP Filter adds an additional custom filter to the whole query for retrieve LDAP groups. Leave this empty if no additional filtering is needed and you want to retrieve all groups from LDAP. Otherwise make sure that filter starts with '(' and ends with ')'",
+ "modeHelp": "LDAP_ONLY means that all group mappings of users are retrieved from LDAP and saved into LDAP. READ_ONLY is Read-only LDAP mode where group mappings are retrieved from both LDAP and DB and merged together. New group joins are not saved to LDAP but to DB. IMPORT is Read-only LDAP mode where group mappings are retrieved from LDAP just at the time when user is imported from LDAP and then they are saved to local keycloak DB.",
+ "userGroupsRetrieveStrategyHelp": "Specify how to retrieve groups of user. LOAD_GROUPS_BY_MEMBER_ATTRIBUTE means that roles of user will be retrieved by sending LDAP query to retrieve all groups where 'member' is our user. GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE means that groups of user will be retrieved from 'memberOf' attribute of our user. Or from the other attribute specified by 'Member-Of LDAP Attribute'.",
+ "memberofLdapAttributeHelp": "Used just when 'User Roles Retrieve Strategy' is GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE. It specifies the name of the LDAP attribute on the LDAP user, which contains the groups, which the user is member of. Usually it will be 'memberOf' and that's also the default value.",
+ "mappedGroupAttributesHelp": "List of names of attributes divided by comma. This points to the list of attributes on LDAP group, which will be mapped as attributes of Group in Keycloak. Leave this empty if no additional group attributes are required to be mapped in Keycloak.",
+ "dropNonexistingGroupsDuringSync": "If this flag is true, then during sync of groups from LDAP to Keycloak, we will keep just those Keycloak groups, which still exists in LDAP. Rest will be deleted",
+ "groupsPath": "Keycloak group path the LDAP groups are added to. For example if value '/Applications/App1' is used, then LDAP groups will be available in Keycloak under group 'App1', which is child of top level group 'Applications'. The default value is '/' so LDAP groups will be mapped to the Keycloak groups at the top level. The configured group path must already exists in the Keycloak when creating this mapper.",
+
+ "userModelAttributeHelp": "Name of the UserModel property or attribute you want to map the LDAP attribute into. For example 'firstName', 'lastName, 'email', 'street' etc.",
+ "ldapAttribute": "Name of mapped attribute on LDAP object. For example 'cn', 'sn, 'mail', 'street' etc.",
+ "readOnlyHelp": "Read-only attribute is imported from LDAP to UserModel, but it's not saved back to LDAP when user is updated in Keycloak.",
+ "alwaysReadValueFromLdapHelp": "If on, then during reading of the LDAP attribute value will always used instead of the value from Keycloak DB",
+ "isMandatoryInLdapHelp": "If true, attribute is mandatory in LDAP. Hence if there is no value in Keycloak DB, the empty value will be set to be propagated to LDAP",
+ "isBinaryAttributeHelp": "Should be true for binary LDAP attributes",
+
+ "ldapRolesDNHelp": "LDAP DN where are roles of this tree saved. For example 'ou=finance,dc=example,dc=org'",
+ "roleNameLdapAttributeHelp": "Name of LDAP attribute, which is used in role objects for name and RDN of role. Usually it will be 'cn'. In this case typical group/role object may have DN like 'cn=role1,ou=finance,dc=example,dc=org'",
+ "roleObjectClassesHelp": "Object class (or classes) of the role object. It's divided by comma if more classes needed. In typical LDAP deployment it could be 'groupOfNames'. In Active Directory it's usually 'group'",
+ "useRealmRolesMappingHelp": "If true, then LDAP role mappings will be mapped to realm role mappings in Keycloak. Otherwise it will be mapped to client role mappings",
+ "clientIdHelp": "Client ID of client to which LDAP role mappings will be mapped. Applicable just if 'Use Realm Roles Mapping' is false",
+
+ "userModelAttributeNameHelp": "Name of the model attribute, which will be added when importing user from ldap",
+ "attributeValueHelp": "Value of the model attribute, which will be added when importing user from ldap.",
+
+ "roleHelp": "Role to grant to user. Click 'Select Role' button to browse roles, or just type it in the textbox. To reference an application role the syntax is appname.approle, i.e. myapp.myrole",
+
+ "derFormattedHelp": "Activate this if the certificate is DER formatted in LDAP and not PEM formatted.",
+
+ "ldapFullNameAttributeHelp": "Name of LDAP attribute, which contains fullName of user. Usually it will be 'cn'",
+ "fullNameLdapMapperReadOnlyHelp": "For Read-only is data imported from LDAP to Keycloak DB, but it's not saved back to LDAP when user is updated in Keycloak.",
+ "fullNameLdapMapperWriteOnlyHelp": "For Write-only is data propagated to LDAP when user is created or updated in Keycloak. But this mapper is not used to propagate data from LDAP back into Keycloak. This setting is useful if you configured separate firstName and lastName attribute mappers and you want to use those to read attribute from LDAP into Keycloak",
+
+ "groupHelp": "When user is imported from LDAP, he will be automatically added into this configured group.",
+
+ "ldapAttributeNameHelp": "Name of the LDAP attribute, which will be added to the new user during registration",
+ "ldapAttributeValueHelp": "Value of the LDAP attribute, which will be added to the new user during registration. You can either hardcode any value like 'foo' but you can also use some special tokens. Only supported token right now is '${RANDOM}' , which will be replaced with some randomly generated String."
 }
 }
diff --git a/src/user-federation/messages.json b/src/user-federation/messages.json
index 630b4408e1..2f1b26f26b 100644
--- a/src/user-federation/messages.json
+++ b/src/user-federation/messages.json
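Review bot: The `mapperTypeMsadLdsUserAccountControlMapperHelp` string is garbled — "It's using msDS-UserAccountDisabled and pwdLastSet is 0, the Keycloak user is required to update password" has lost the clause between the attribute list and the example, so the help text no longer tells the admin which LDS attributes drive the enabled/password-expired state. Going by the parallel MSAD entry directly above it, the intended sentence is presumably `It's using msDS-UserAccountDisabled and pwdLastSet MSAD LDS attributes for that. For example if pwdLastSet is 0, the Keycloak user is required to update password; if msDS-UserAccountDisabled is 'TRUE' the Keycloak user is disabled as well etc.` Three keys in this hunk (`ldapAttribute`, `dropNonexistingGroupsDuringSync`, `groupsPath`) lack the `Help` suffix every other entry uses, so if the UI resolves help text by the `<field>Help` pattern those three fields will show no help, and `mapperTypeHelp` is left as an empty string. Minor text fixes: `ouu=groups` → `ou=groups` in `groupNameLDAPAttributeHelp`, and the unbalanced quotes `'lastName,` / `'sn,` in `userModelAttributeHelp` / `ldapAttribute`.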
@@ -83,6 +83,66 @@
 "userFedDeletedSuccess": "The user federation provider has been deleted.",
 "userFedDeleteError": "Could not delete user federation provider: '{{error}}'",
 "userFedDeleteConfirmTitle": "Delete user federation provider?",
- "userFedDeleteConfirm": "If you delete this user federation provider, all associated data will be removed."
+ "userFedDeleteConfirm": "If you delete this user federation provider, all associated data will be removed.",
+
+ "*** mappers ***": "",
+ "id": "ID",
+ "name": "Name",
+
+ "mapperType": "Mapper type",
+ "mapperTypeMsadUserAccountControlManager": "msad-user-account-control-mapper",
+ "mapperTypeMsadLdsUserAccountControlMapper": "msad-user-account-control-mapper",
+ "mapperTypeGroupLdapMapper": "group-ldap-mapper",
+ "mapperTypeUserAttributeLdapMapper": "user-attribute-ldap-mapper",
+ "mapperTypeRoleLdapMapper": "role-ldap-mapper",
+ "mapperTypeHardcodedAttributeMapper": "hardcoded-attribute-mapper",
+ "mapperTypeHardcodedLdapRoleMapper": "hardcoded-ldap-role-mapper",
+ "mapperTypeCertificateLdapMapper": "certificate-ldap-mapper",
+ "mapperTypeFullNameLdapMapper": "full-name-ldap-mapper",
+ "mapperTypeHardcodedLdapGroupMapper": "hardcoded-ldap-group-mapper",
+ "mapperTypeLdaoAttributeMapper": "hardcoded-ldap-attribute-mapper",
+
+ "passwordPolicyHintsEnabled": "Password policy hints enabled",
+
+ "ldapGroupsDn": "LDAP Groups DN",
+ "groupNameLDAPAttribute": "Group name LDAP attribute",
+ "groupObjectClasses": "Group object classes",
+ "preserveGroupInheritance": "Preserve group inheritance",
+ "ignoreMissingGroups": "Ignore missing groups",
+ "membershipLdapAttribute": "Membership LDAP attribute",
+ "membershipAttributeType": "Membership attribute type",
+ "membershipUserLdapAttribute": "Membership user LDAP attribute",
+ "ldapFilter": "LDAP filter",
+ "mode": "Mode",
+ "userGroupsRetrieveStrategy": "User groups retrieve strategy",
+ "memberofLdapAttribute": "Member-of LDAP attribute",
+ "mappedGroupAttributes": "Mapped group attributes",
+ "dropNonexistingGroupsDuringSync": "Drop non-existing groups during sync",
+ "groupsPath": "Groups path",
+
+ "userModelAttribute": "User model attribute",
+ "ldapAttribute": "LDAP attribute",
+ "readOnly": "Read only",
+ "alwaysReadValueFromLdap": "Always read value from LDAP",
+ "isMandatoryInLdap": "Is mandatory in LDAP",
+ "isBinaryAttribute": "Is binary attribute",
+
+ "ldapRolesDN": "LDAP roles DN",
+ "roleNameLdapAttribute": "Role Name LDAP attribute",
+ "roleObjectClasses": "Role object classes",
+ "useRealmRolesMapping": "Use realm roles mapping",
+ "clientId": "Client ID",
+
+ "role": "Role",
+
+ "derFormatted": "DER formatted",
+
+ "ldapFullNameAttribute": "LDAP full name attribute",
+ "writeOnly": "Write only",
+
+ "group": "Group",
+
+ "ldapAttributeName": "LDAP attribute name",
+ "ldapAttributeValue": "LDAP attribute value"
 }
 }
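Review bot: `mapperTypeMsadLdsUserAccountControlMapper` is given the value `msad-user-account-control-mapper`, identical to the non-LDS entry directly above it, so if these strings are what the admin sees (or what the UI matches against the mapper's provider id) the two MSAD mappers become indistinguishable and an admin could attach the wrong account-state mapper to an LDS directory; the LDS line presumably should read `"mapperTypeMsadLdsUserAccountControlMapper": "msad-lds-user-account-control-mapper",`. The key `mapperTypeLdaoAttributeMapper` is a typo ("Ldao") that does not line up with its help counterpart `mapperTypeLdapAttributeMapperHelp` in help.json, and its value `hardcoded-ldap-attribute-mapper` suggests both keys were meant to be `mapperTypeHardcodedLdapAttributeMapper` / `mapperTypeHardcodedLdapAttributeMapperHelp` — whichever stem is chosen, the label and help keys should share it so a lookup by one cannot silently miss the other.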