From c7e2875a4d8a92e81ff09d037a206e2eae8cfdae Mon Sep 17 00:00:00 2001
From: fgruenbauer <gruenbauer@b1-systems.de>
Date: Mon, 7 Oct 2024 22:13:14 +0200
Subject: [PATCH] keycloak_user_federation: add user federation config
 parameter `referral` to module args (#8954)

* add keycloak referral parameter to module args

* add changelog fragment

* Update plugins/modules/keycloak_user_federation.py

Co-authored-by: Felix Fontein <felix@fontein.de>

* Update changelogs/fragments/8954-keycloak-user-federation-add-referral-parameter.yml

Co-authored-by: Felix Fontein <felix@fontein.de>

---------

Co-authored-by: Felix Fontein <felix@fontein.de>
---
 ...ycloak-user-federation-add-referral-parameter.yml |  2 ++
 plugins/modules/keycloak_user_federation.py          | 12 ++++++++++++
 2 files changed, 14 insertions(+)
 create mode 100644 changelogs/fragments/8954-keycloak-user-federation-add-referral-parameter.yml

diff --git a/changelogs/fragments/8954-keycloak-user-federation-add-referral-parameter.yml b/changelogs/fragments/8954-keycloak-user-federation-add-referral-parameter.yml
new file mode 100644
index 0000000000..cd8347faf0
--- /dev/null
+++ b/changelogs/fragments/8954-keycloak-user-federation-add-referral-parameter.yml
@@ -0,0 +1,2 @@
+minor_changes:
+    - keycloak_user_federation - add the user federation config parameter ``referral`` to the module arguments (https://github.com/ansible-collections/community.general/pull/8954).
\ No newline at end of file
diff --git a/plugins/modules/keycloak_user_federation.py b/plugins/modules/keycloak_user_federation.py
index 0b3b610806..160d67edb4 100644
--- a/plugins/modules/keycloak_user_federation.py
+++ b/plugins/modules/keycloak_user_federation.py
@@ -442,6 +442,17 @@ options:
                     - Max lifespan of cache entry in milliseconds.
                 type: int
 
+            referral:
+                description:
+                    - Specifies if LDAP referrals should be followed or ignored. Please note that enabling
+                      referrals can slow down authentication as it allows the LDAP server to decide which other
+                      LDAP servers to use. This could potentially include untrusted servers.
+                type: str
+                choices:
+                    - ignore
+                    - follow
+                version_added: 9.5.0
+
     mappers:
         description:
             - A list of dicts defining mappers associated with this Identity Provider.
@@ -788,6 +799,7 @@ def main():
         priority=dict(type='int', default=0),
         rdnLDAPAttribute=dict(type='str'),
         readTimeout=dict(type='int'),
+        referral=dict(type='str', choices=['ignore', 'follow']),
         searchScope=dict(type='str', choices=['1', '2'], default='1'),
         serverPrincipal=dict(type='str'),
         krbPrincipalAttribute=dict(type='str'),