diff --git a/REFERENCE.md b/REFERENCE.md
index 16dbf1e4..677d1648 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -2680,6 +2680,12 @@ keycloak_ldap_user_provider { 'LDAP on test':
 
 The following properties are available in the `keycloak_ldap_user_provider` type.
 
+##### `allow_kerberos_authentication`
+
+Valid values: ``true``, ``false``
+
+allowKerberosAuthentication
+
 ##### `auth_type`
 
 Valid values: `none`, `simple`
@@ -2758,6 +2764,14 @@ importEnabled
 
 Default value: `true`
 
+##### `kerberos_realm`
+
+kerberosRealm
+
+##### `key_tab`
+
+keyTab
+
 ##### `priority`
 
 priority
@@ -2776,6 +2790,10 @@ Valid values: `one`, `one_level`, `subtree`, `1`, `2`, `1`, `2`
 
 searchScope
 
+##### `server_principal`
+
+serverPrincipal
+
 ##### `sync_registrations`
 
 Valid values: ``true``, ``false``
diff --git a/lib/puppet/type/keycloak_ldap_user_provider.rb b/lib/puppet/type/keycloak_ldap_user_provider.rb
index c46b4316..0ff4fcfd 100644
--- a/lib/puppet/type/keycloak_ldap_user_provider.rb
+++ b/lib/puppet/type/keycloak_ldap_user_provider.rb
@@ -161,6 +161,23 @@ def should_to_s(_newvalue)
 newvalues(:true, :false)
 end
 
+ newproperty(:allow_kerberos_authentication, boolean: true) do
+ desc 'allowKerberosAuthentication'
+ newvalues(:true, :false)
+ end
+
+ newproperty(:kerberos_realm) do
+ desc 'kerberosRealm'
+ end
+
+ newproperty(:key_tab) do
+ desc 'keyTab'
+ end
+
+ newproperty(:server_principal) do
+ desc 'serverPrincipal'
+ end
+
 newproperty(:user_object_classes, array_matching: :all, parent: PuppetX::Keycloak::ArrayProperty) do
 desc 'userObjectClasses'
 defaultto ['inetOrgPerson', 'organizationalPerson']
diff --git a/spec/unit/puppet/type/keycloak_ldap_user_provider_spec.rb b/spec/unit/puppet/type/keycloak_ldap_user_provider_spec.rb
index 0390c6e8..5d0456cb 100644
--- a/spec/unit/puppet/type/keycloak_ldap_user_provider_spec.rb
+++ b/spec/unit/puppet/type/keycloak_ldap_user_provider_spec.rb
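Review bot: In lib/puppet/type/keycloak_ldap_user_provider.rb the four new properties are accepted independently of each other, so a resource with `allow_kerberos_authentication => true` and no `kerberos_realm`, `server_principal` or `key_tab` passes type validation and the incomplete Kerberos settings would only surface on the Keycloak side. If the type has a `validate` block (none is visible in this hunk), a guard such as `if self[:allow_kerberos_authentication] == :true && [:kerberos_realm, :server_principal, :key_tab].any? { |p| self[p].nil? }` followed by `raise Puppet::Error, 'kerberos_realm, server_principal and key_tab are required when allow_kerberos_authentication is true'` would reject that at catalog time. The `desc` strings only repeat the API field name; for `key_tab` I would spell out what the value is, e.g. `desc 'keyTab - path on the Keycloak host to the keytab holding the keys for server_principal; this type does not create the file or manage its permissions'`, since the keytab is credential material that has to be protected outside this resource.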
@@ -108,6 +108,18 @@
 expect(resource[:use_kerberos_for_password_authentication]).to eq(:true)
 end
 
+ it 'allows kerberos configuration' do
+ config[:auth_type] = 'simple'
+ config[:allow_kerberos_authentication] = true
+ config[:kerberos_realm] = 'BAR.COM'
+ config[:key_tab] = '/etc/krb5.keytab'
+ config[:server_principal] = 'host/foo@BAR.COM'
+ expect(resource[:allow_kerberos_authentication]).to eq(:true)
+ expect(resource[:kerberos_realm]).to eq('BAR.COM')
+ expect(resource[:key_tab]).to eq('/etc/krb5.keytab')
+ expect(resource[:server_principal]).to eq('host/foo@BAR.COM')
+ end
+
 it 'does not allow invalid bind_credential' do
 config[:auth_type] = 'simple'
 config[:use_kerberos_for_password_authentication] = 'foo'
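Review bot: The new example in this hunk exercises only accepted values, so nothing pins the one constraint the type change adds, namely that `allow_kerberos_authentication` is limited to `true`/`false` by `newvalues`. A companion example that sets `config[:allow_kerberos_authentication] = 'foo'` and expects resource creation to raise would cover it; it should use the same expectation form as the neighbouring 'does not allow invalid bind_credential' example, whose body continues outside this hunk. The happy-path example also sets all four Kerberos properties together, so it would not notice if the type later starts requiring them as a group; a case with `allow_kerberos_authentication` set and the other three omitted would document the intended behaviour either way.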