16.1.1.7. Resolver endpoints

The resolver REST API manages user-id resolver definitions. A resolver points privacyIDEA at a user store (LDAP/AD, SQL, /etc/passwd, SCIM, …); realms are then composed of one or more resolvers. See User ID Resolvers for the conceptual chapter.

All endpoints require admin authentication. Read access is additionally gated by the admin policy action resolverread, write access by resolverwrite, and deletion by resolverdelete (the default-configuration endpoint is the exception; see below).

GET /resolver/(resolver)
GET /resolver/

Return user-id resolver definitions. Without a path component all resolvers are listed; with <resolver> only the matching one is returned. Passwords (LDAP bind passwords, SQL passwords, …) are returned as the literal string __CENSORED__. A subsequent POST /resolver/(resolver) request that includes the censored value will leave the stored password untouched, and so will a POST /resolver/test call.

Requires admin authentication and the policy action resolverread.

Parameters:
  • resolver – optional path component selecting a single resolver.

Query Parameters:
  • type – filter by resolver type (e.g. ldapresolver, sqlresolver, passwdresolver, scimresolver).

  • editable – pass 1 to return only editable resolvers.

Status Codes:
  • 200 OK – dict of resolver definitions keyed by name in result.value.

POST /resolver/(resolver)

Create or update a user-id resolver. If a resolver with the given name already exists it is updated; otherwise it is created. On update only fields that should be changed need to be supplied, but the resolver type must not be changed (it is bound to the resolver class).

When updating a resolver, password fields submitted as the literal __CENSORED__ are ignored — the stored password is kept. This lets the WebUI round-trip a redacted GET response without leaking or losing the secret.

Requires admin authentication and the policy action resolverwrite.

Parameters:
  • resolver – path component, the name of the resolver.

JSON Parameters:
  • type – resolver type. Required on creation. The set of supported types is determined by the resolver classes installed on the server (currently shipped: LDAP, SQL, passwd, SCIM, HTTP, Keycloak, Entra ID). Use GET /resolver/(resolvertype)/default to discover the fields each type accepts.

  • any other key – resolver-type-specific configuration fields.

Status Codes:
  • 200 OK – database id of the resolver in result.value.

Resolver-type fields:

  • ldapresolver – LDAPURI, LDAPBASE, AUTHTYPE, BINDDN, BINDPW, TIMEOUT, CACHE_TIMEOUT, SIZELIMIT, LOGINNAMEATTRIBUTE, LDAPSEARCHFILTER, LDAPFILTER, MULTIVALUEATTRIBUTES, USERINFO, UIDTYPE, NOREFERRALS, NOSCHEMAS, EDITABLE, START_TLS, TLS_VERIFY, TLS_VERSION.

  • sqlresolver – Database, Driver, Server, Port, User, Password, Table, Map.

  • passwdresolver – Filename.

Other resolver types accept their own fields; query GET /resolver/(resolvertype)/default to discover them.

DELETE /resolver/(resolver)

Delete the user-id resolver with the given name. A resolver that is still part of a realm cannot be deleted — remove it from all realms first.

Requires admin authentication and the policy action resolverdelete.

Parameters:
  • resolver – path component, the name of the resolver.

Status Codes:
  • 200 OK – id of the deleted resolver in result.value.

  • 400 Bad Request – the resolver is still in use by one or more realms.

POST /resolver/test

Test whether the supplied parameters yield a working resolver, including network connectivity to the underlying user store. The resolver class itself performs the verification; nothing is persisted.

When testing an existing resolver, password fields may be submitted as the literal __CENSORED__ and privacyIDEA will substitute the stored password from the database.

Requires admin authentication and the policy action resolverwrite.

JSON Parameters:
  • type – resolver type (required).

  • any other key – type-specific configuration fields.

Status Codes:
  • 200 OK – result.value is True if the test succeeded, False otherwise; detail.description carries a human-readable message.
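The following is an added example, not privacyIDEA's own code: a small in-memory model of the rules the GET, POST, DELETE and test endpoints above describe, so the __CENSORED__ round trip, the fixed resolver type and the delete-while-in-use refusal can be exercised without a server. The secret field names (BINDPW for ldapresolver, Password for sqlresolver) are taken from the field lists above; the "resolver" key naming an existing resolver in a test request, and the refusal to store a literal __CENSORED__ on creation, are assumptions of this model.

```python
"""In-memory model of the resolver endpoint rules (added example, not
privacyIDEA code).  ResolverError stands in for a non-200 API response."""
import copy

CENSORED = "__CENSORED__"
# Assumption: which configuration keys hold secrets, per resolver type.
SECRET_FIELDS = {"ldapresolver": {"BINDPW"}, "sqlresolver": {"Password"}}


class ResolverError(Exception):
    """Raised where the real API would answer e.g. 400 Bad Request."""


def _secret_keys(cfg):
    return SECRET_FIELDS.get(cfg.get("type"), set())


class ResolverStore:
    def __init__(self):
        self._resolvers = {}   # name -> stored config, secrets in clear
        self._ids = {}         # name -> database id
        self._next_id = 1

    def get(self, name=None, type_filter=None):
        """GET /resolver/ and GET /resolver/(name): secrets come back censored."""
        out = {}
        for rname, cfg in self._resolvers.items():
            if name is not None and rname != name:
                continue
            if type_filter is not None and cfg["type"] != type_filter:
                continue
            censored = copy.deepcopy(cfg)
            for key in _secret_keys(cfg):
                if key in censored:
                    censored[key] = CENSORED
            out[rname] = censored
        return out

    def merge(self, stored, submitted):
        """Apply an update: a secret sent as __CENSORED__ keeps the stored value."""
        merged = copy.deepcopy(stored)
        for key, value in submitted.items():
            if value == CENSORED and key in _secret_keys(stored):
                continue  # redacted value round-tripped from GET: keep the secret
            merged[key] = value
        return merged

    def set(self, name, submitted):
        """POST /resolver/(name): create, or update without changing the type."""
        stored = self._resolvers.get(name)
        if stored is None:
            if "type" not in submitted:
                raise ResolverError("type is required when creating a resolver")
            if CENSORED in submitted.values():
                # Assumption of this model: there is no stored secret to keep,
                # so refuse rather than persist the placeholder as a password.
                raise ResolverError("no stored secret to keep on creation")
            self._resolvers[name] = copy.deepcopy(submitted)
            self._ids[name] = self._next_id
            self._next_id += 1
        else:
            if submitted.get("type", stored["type"]) != stored["type"]:
                raise ResolverError("resolver type cannot be changed on update")
            self._resolvers[name] = self.merge(stored, submitted)
        return self._ids[name]

    def delete(self, name, realms):
        """DELETE /resolver/(name); realms maps realm name -> resolver names."""
        if name not in self._resolvers:
            raise ResolverError(f"no resolver named {name}")
        in_use = sorted(r for r, members in realms.items() if name in members)
        if in_use:
            raise ResolverError(f"resolver {name} still used by realms {in_use}")
        self._resolvers.pop(name)
        return self._ids.pop(name)

    def test_params(self, submitted):
        """POST /resolver/test: substitute the stored secret for __CENSORED__
        before the resolver class would run its connectivity check."""
        stored = self._resolvers.get(submitted.get("resolver"))  # assumed key
        if stored is None:
            return dict(submitted)
        return self.merge(stored, submitted)


def raises_error(fn):
    """True if fn() is refused by the model (i.e. would not return 200 OK)."""
    try:
        fn()
    except ResolverError:
        return True
    return False


if __name__ == "__main__":
    store = ResolverStore()
    store.set("ad", {"type": "ldapresolver", "LDAPURI": "ldaps://dc.example.test",
                     "BINDDN": "cn=svc", "BINDPW": "constructed-secret"})
    redacted = store.get("ad")["ad"]            # BINDPW is __CENSORED__ here
    store.set("ad", dict(redacted, TIMEOUT=10)) # secret survives the round trip
    print(redacted, store.test_params({"resolver": "ad", "BINDPW": CENSORED}))
```

The round trip in the `__main__` block is the WebUI pattern the POST section describes: edit the redacted GET body and send it back unchanged apart from the fields you mean to change; only a value other than the literal __CENSORED__ replaces the stored secret.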

GET /resolver/(resolvertype)/default

Return the default configuration for a resolver type. The WebUI calls this when an admin starts creating a new resolver, in order to populate the form with sensible defaults and discover the field set the chosen resolver class accepts.

Requires admin authentication.

Note

Unlike the other resolver endpoints, this one is not gated by a specific policy action — admin auth is the only check.

Parameters:
  • resolvertype – path component, the resolver type (e.g. ldapresolver, sqlresolver).

Status Codes:
  • 200 OK – dict of default configuration values in result.value.