org.keycloak.storage.ldap.mappers.msad.MSADUserAccountControlStorageMapper の継承関係図

org.keycloak.storage.ldap.mappers.msad.MSADUserAccountControlStorageMapper 連携図

クラス
class	MSADUserModelDelegate

公開メンバ関数
	MSADUserAccountControlStorageMapper (ComponentModel mapperModel, LDAPStorageProvider ldapProvider)

void	beforeLDAPQuery (LDAPQuery query)

LDAPOperationDecorator	beforePasswordUpdate (UserModel user, LDAPObject ldapUser, PasswordUserCredentialModel password)

void	passwordUpdated (UserModel user, LDAPObject ldapUser, PasswordUserCredentialModel password)

void	passwordUpdateFailed (UserModel user, LDAPObject ldapUser, PasswordUserCredentialModel password, ModelException exception)

UserModel	proxy (LDAPObject ldapUser, UserModel delegate, RealmModel realm)

void	onRegisterUserToLDAP (LDAPObject ldapUser, UserModel localUser, RealmModel realm)

void	onImportUserFromLDAP (LDAPObject ldapUser, UserModel user, RealmModel realm, boolean isCreate)

boolean	onAuthenticationFailure (LDAPObject ldapUser, UserModel user, AuthenticationException ldapException, RealmModel realm)

SynchronizationResult	syncDataFromFederationProviderToKeycloak (RealmModel realm)

SynchronizationResult	syncDataFromKeycloakToFederationProvider (RealmModel realm)

List< UserModel >	getGroupMembers (RealmModel realm, GroupModel group, int firstResult, int maxResults)

LDAPStorageProvider	getLdapProvider ()

void	close ()

静的公開メンバ関数
static boolean	parseBooleanParameter (ComponentModel mapperModel, String paramName)

静的公開変数類
static final String	LDAP_PASSWORD_POLICY_HINTS_ENABLED = "ldap.password.policy.hints.enabled"

限定公開メンバ関数
boolean	processAuthErrorCode (String errorCode, UserModel user)

ModelException	processFailedPasswordUpdateException (ModelException e)

UserAccountControl	getUserAccountControl (LDAPObject ldapUser)

void	updateUserAccountControl (boolean updateInLDAP, LDAPObject ldapUser, UserAccountControl accountControl)

限定公開変数類
final KeycloakSession	session

final ComponentModel	mapperModel

final LDAPStorageProvider	ldapProvider

静的非公開変数類
static final Logger	logger = Logger.getLogger(MSADUserAccountControlStorageMapper.class)

static final Pattern	AUTH_EXCEPTION_REGEX = Pattern.compile(".AcceptSecurityContext error, data ([0-9a-f]), v.*")

static final Pattern	AUTH_INVALID_NEW_PASSWORD = Pattern.compile(".ERROR CODE ([0-9A-F]+) - ([0-9A-F]+): .WILL_NOT_PERFORM.*")

詳解

Mapper specific to MSAD. It's able to read the userAccountControl and pwdLastSet attributes and set actions in Keycloak based on that. It's also able to handle exception code from LDAP user authentication (See http://www-01.ibm.com/support/docview.wss?uid=swg21290631 )

著者: Marek Posolda

構築子と解体子

◆ MSADUserAccountControlStorageMapper()

org.keycloak.storage.ldap.mappers.msad.MSADUserAccountControlStorageMapper.MSADUserAccountControlStorageMapper	(	ComponentModel	mapperModel,
		LDAPStorageProvider	ldapProvider
	)

inline

                                                                                                              {
         super(mapperModel, ldapProvider);
         ldapProvider.setUpdater(this);
     }

関数詳解

◆ beforeLDAPQuery()

void org.keycloak.storage.ldap.mappers.msad.MSADUserAccountControlStorageMapper.beforeLDAPQuery ( LDAPQuery query )

inline

org.keycloak.storage.ldap.mappers.LDAPStorageMapperを実装しています。

                                                  {
         query.addReturningLdapAttribute(LDAPConstants.PWD_LAST_SET);
         query.addReturningLdapAttribute(LDAPConstants.USER_ACCOUNT_CONTROL);
 
         // This needs to be read-only and can be set to writable just on demand
         query.addReturningReadOnlyLdapAttribute(LDAPConstants.PWD_LAST_SET);
 
         if (ldapProvider.getEditMode() != UserStorageProvider.EditMode.WRITABLE) {
             query.addReturningReadOnlyLdapAttribute(LDAPConstants.USER_ACCOUNT_CONTROL);
         }
     }

◆ beforePasswordUpdate()

LDAPOperationDecorator org.keycloak.storage.ldap.mappers.msad.MSADUserAccountControlStorageMapper.beforePasswordUpdate	(	UserModel	user,
		LDAPObject	ldapUser,
		PasswordUserCredentialModel	password
	)

inline

org.keycloak.storage.ldap.mappers.PasswordUpdateCallbackを実装しています。

                                                                                                                                   {
         // Not apply policies if password is reset by admin (not by user himself)
         if (password.isAdminRequest()) {
             return null;
         }
 
         boolean applyDecorator = mapperModel.get(LDAP_PASSWORD_POLICY_HINTS_ENABLED, false);
         return applyDecorator ? new LDAPServerPolicyHintsDecorator() : null;
     }

◆ close()

void org.keycloak.storage.ldap.mappers.AbstractLDAPStorageMapper.close ( )

inlineinherited

                         {
 
     }

◆ getGroupMembers()

List<UserModel> org.keycloak.storage.ldap.mappers.AbstractLDAPStorageMapper.getGroupMembers	(	RealmModel	realm,
		GroupModel	group,
		int	firstResult,
		int	maxResults
	)

inlineinherited

org.keycloak.storage.ldap.mappers.LDAPStorageMapperを実装しています。

                                                                                                                 {
         return Collections.emptyList();
     }

◆ getLdapProvider()

LDAPStorageProvider org.keycloak.storage.ldap.mappers.AbstractLDAPStorageMapper.getLdapProvider ( )

inlineinherited

                                                  {
         return ldapProvider;
     }

◆ getUserAccountControl()

UserAccountControl org.keycloak.storage.ldap.mappers.msad.MSADUserAccountControlStorageMapper.getUserAccountControl ( LDAPObject ldapUser )

inlineprotected

                                                                             {
         String userAccountControl = ldapUser.getAttributeAsString(LDAPConstants.USER_ACCOUNT_CONTROL);
         long longValue = userAccountControl == null ? 0 : Long.parseLong(userAccountControl);
         return new UserAccountControl(longValue);
     }

◆ onAuthenticationFailure()

boolean org.keycloak.storage.ldap.mappers.msad.MSADUserAccountControlStorageMapper.onAuthenticationFailure	(	LDAPObject	ldapUser,
		UserModel	user,
		AuthenticationException	ldapException,
		RealmModel	realm
	)

inline

org.keycloak.storage.ldap.mappers.LDAPStorageMapperを実装しています。

                                                                                                                                          {
         String exceptionMessage = ldapException.getMessage();
         Matcher m = AUTH_EXCEPTION_REGEX.matcher(exceptionMessage);
         if (m.matches()) {
             String errorCode = m.group(1);
             return processAuthErrorCode(errorCode, user);
         } else {
             return false;
         }
     }

◆ onImportUserFromLDAP()

void org.keycloak.storage.ldap.mappers.msad.MSADUserAccountControlStorageMapper.onImportUserFromLDAP	(	LDAPObject	ldapUser,
		UserModel	user,
		RealmModel	realm,
		boolean	isCreate
	)

inline

org.keycloak.storage.ldap.mappers.LDAPStorageMapperを実装しています。

                                                                                                               {
 
     }

◆ onRegisterUserToLDAP()

void org.keycloak.storage.ldap.mappers.msad.MSADUserAccountControlStorageMapper.onRegisterUserToLDAP	(	LDAPObject	ldapUser,
		UserModel	localUser,
		RealmModel	realm
	)

inline

org.keycloak.storage.ldap.mappers.LDAPStorageMapperを実装しています。

                                                                                                  {
 
     }

◆ parseBooleanParameter()

static boolean org.keycloak.storage.ldap.mappers.AbstractLDAPStorageMapper.parseBooleanParameter	(	ComponentModel	mapperModel,
		String	paramName
	)

inlinestaticinherited

                                                                                               {
         String paramm = mapperModel.getConfig().getFirst(paramName);
         return Boolean.parseBoolean(paramm);
     }

◆ passwordUpdated()

void org.keycloak.storage.ldap.mappers.msad.MSADUserAccountControlStorageMapper.passwordUpdated	(	UserModel	user,
		LDAPObject	ldapUser,
		PasswordUserCredentialModel	password
	)

inline

org.keycloak.storage.ldap.mappers.PasswordUpdateCallbackを実装しています。

                                                                                                            {
         logger.debugf("Going to update userAccountControl for ldap user '%s' after successful password update", ldapUser.getDn().toString());
 
         // Normally it's read-only
         ldapUser.removeReadOnlyAttributeName(LDAPConstants.PWD_LAST_SET);
 
         ldapUser.setSingleAttribute(LDAPConstants.PWD_LAST_SET, "-1");
 
         UserAccountControl control = getUserAccountControl(ldapUser);
         control.remove(UserAccountControl.PASSWD_NOTREQD);
         control.remove(UserAccountControl.PASSWORD_EXPIRED);
 
         if (user.isEnabled()) {
             control.remove(UserAccountControl.ACCOUNTDISABLE);
         }
 
         updateUserAccountControl(true, ldapUser, control);
     }

◆ passwordUpdateFailed()

void org.keycloak.storage.ldap.mappers.msad.MSADUserAccountControlStorageMapper.passwordUpdateFailed	(	UserModel	user,
		LDAPObject	ldapUser,
		PasswordUserCredentialModel	password,
		ModelException	exception
	)

inline

org.keycloak.storage.ldap.mappers.PasswordUpdateCallbackを実装しています。

                                                                                                                                           {
         throw processFailedPasswordUpdateException(exception);
     }

◆ processAuthErrorCode()

boolean org.keycloak.storage.ldap.mappers.msad.MSADUserAccountControlStorageMapper.processAuthErrorCode	(	String	errorCode,
		UserModel	user
	)

inlineprotected

                                                                              {
         logger.debugf("MSAD Error code is '%s' after failed LDAP login of user '%s'", errorCode, user.getUsername());
 
         if (ldapProvider.getEditMode() == UserStorageProvider.EditMode.WRITABLE) {
             if (errorCode.equals("532") || errorCode.equals("773")) {
                 // User needs to change his MSAD password. Allow him to login, but add UPDATE_PASSWORD required action
                 if (!user.getRequiredActions().contains(UserModel.RequiredAction.UPDATE_PASSWORD.name())) {
                     user.addRequiredAction(UserModel.RequiredAction.UPDATE_PASSWORD);
                 }
                 return true;
             } else if (errorCode.equals("533")) {
                 // User is disabled in MSAD. Set him to disabled in KC as well
                 if (user.isEnabled()) {
                     user.setEnabled(false);
                 }
                 return true;
             } else if (errorCode.equals("775")) {
                 logger.warnf("Locked user '%s' attempt to login", user.getUsername());
             }
         }
 
         return false;
     }

◆ processFailedPasswordUpdateException()

ModelException org.keycloak.storage.ldap.mappers.msad.MSADUserAccountControlStorageMapper.processFailedPasswordUpdateException ( ModelException e )

inlineprotected

                                                                                     {
         if (e.getCause() == null || e.getCause().getMessage() == null) {
             return e;
         }
 
         String exceptionMessage = e.getCause().getMessage().replace('\n', ' ');
         logger.debugf("Failed to update password in Active Directory. Exception message: %s", exceptionMessage);
         exceptionMessage = exceptionMessage.toUpperCase();
 
         Matcher m = AUTH_INVALID_NEW_PASSWORD.matcher(exceptionMessage);
         if (m.matches()) {
             String errorCode = m.group(1);
             String errorCode2 = m.group(2);
 
             // 52D corresponds to ERROR_PASSWORD_RESTRICTION. See https://msdn.microsoft.com/en-us/library/windows/desktop/ms681385(v=vs.85).aspx
             if ((errorCode.equals("53")) && errorCode2.endsWith("52D")) {
                 ModelException me = new ModelException("invalidPasswordGenericMessage", e);
                 return me;
             }
         }
 
         return e;
     }

◆ proxy()

UserModel org.keycloak.storage.ldap.mappers.msad.MSADUserAccountControlStorageMapper.proxy	(	LDAPObject	ldapUser,
		UserModel	delegate,
		RealmModel	realm
	)

inline

org.keycloak.storage.ldap.mappers.LDAPStorageMapperを実装しています。

                                                                                       {
         return new MSADUserModelDelegate(delegate, ldapUser);
     }

◆ syncDataFromFederationProviderToKeycloak()

SynchronizationResult org.keycloak.storage.ldap.mappers.AbstractLDAPStorageMapper.syncDataFromFederationProviderToKeycloak ( RealmModel realm )

inlineinherited

org.keycloak.storage.ldap.mappers.LDAPStorageMapperを実装しています。

                                                                                             {
         return new SynchronizationResult();
     }

◆ syncDataFromKeycloakToFederationProvider()

SynchronizationResult org.keycloak.storage.ldap.mappers.AbstractLDAPStorageMapper.syncDataFromKeycloakToFederationProvider ( RealmModel realm )

inlineinherited

org.keycloak.storage.ldap.mappers.LDAPStorageMapperを実装しています。

                                                                                             {
         return new SynchronizationResult();
     }

◆ updateUserAccountControl()

void org.keycloak.storage.ldap.mappers.msad.MSADUserAccountControlStorageMapper.updateUserAccountControl	(	boolean	updateInLDAP,
		LDAPObject	ldapUser,
		UserAccountControl	accountControl
	)

inlineprotected

                                                                                                                           {
         String userAccountControlValue = String.valueOf(accountControl.getValue());
         logger.debugf("Updating userAccountControl of user '%s' to value '%s'", ldapUser.getDn().toString(), userAccountControlValue);
 
         ldapUser.setSingleAttribute(LDAPConstants.USER_ACCOUNT_CONTROL, userAccountControlValue);
 
         if (updateInLDAP) {
             ldapProvider.getLdapIdentityStore().update(ldapUser);
         }
     }

メンバ詳解

◆ AUTH_EXCEPTION_REGEX

final Pattern org.keycloak.storage.ldap.mappers.msad.MSADUserAccountControlStorageMapper.AUTH_EXCEPTION_REGEX = Pattern.compile(".*AcceptSecurityContext error, data ([0-9a-f]*), v.*")

staticprivate

◆ AUTH_INVALID_NEW_PASSWORD

final Pattern org.keycloak.storage.ldap.mappers.msad.MSADUserAccountControlStorageMapper.AUTH_INVALID_NEW_PASSWORD = Pattern.compile(".*ERROR CODE ([0-9A-F]+) - ([0-9A-F]+): .*WILL_NOT_PERFORM.*")

staticprivate

◆ LDAP_PASSWORD_POLICY_HINTS_ENABLED

final String org.keycloak.storage.ldap.mappers.msad.MSADUserAccountControlStorageMapper.LDAP_PASSWORD_POLICY_HINTS_ENABLED = "ldap.password.policy.hints.enabled"

static

◆ ldapProvider

final LDAPStorageProvider org.keycloak.storage.ldap.mappers.AbstractLDAPStorageMapper.ldapProvider

protectedinherited

◆ logger

final Logger org.keycloak.storage.ldap.mappers.msad.MSADUserAccountControlStorageMapper.logger = Logger.getLogger(MSADUserAccountControlStorageMapper.class)

staticprivate

◆ mapperModel

final ComponentModel org.keycloak.storage.ldap.mappers.AbstractLDAPStorageMapper.mapperModel

protectedinherited

◆ session

final KeycloakSession org.keycloak.storage.ldap.mappers.AbstractLDAPStorageMapper.session

protectedinherited

このクラス詳解は次のファイルから抽出されました:

D:/AppData/doxygen/keycloak/federation/src/federation/ldap/src/main/java/org/keycloak/storage/ldap/mappers/msad/MSADUserAccountControlStorageMapper.java

クラス

公開メンバ関数

静的公開メンバ関数

静的公開変数類

限定公開メンバ関数

限定公開変数類

静的非公開変数類

詳解

構築子と解体子

◆ MSADUserAccountControlStorageMapper()

関数詳解

◆ beforeLDAPQuery()

◆ beforePasswordUpdate()

◆ close()

◆ getGroupMembers()

◆ getLdapProvider()

◆ getUserAccountControl()

◆ onAuthenticationFailure()

◆ onImportUserFromLDAP()

◆ onRegisterUserToLDAP()

◆ parseBooleanParameter()

◆ passwordUpdated()

◆ passwordUpdateFailed()

◆ processAuthErrorCode()

◆ processFailedPasswordUpdateException()

◆ proxy()

◆ syncDataFromFederationProviderToKeycloak()

◆ syncDataFromKeycloakToFederationProvider()

◆ updateUserAccountControl()

メンバ詳解

◆ AUTH_EXCEPTION_REGEX

◆ AUTH_INVALID_NEW_PASSWORD

◆ LDAP_PASSWORD_POLICY_HINTS_ENABLED

◆ ldapProvider

◆ logger

◆ mapperModel

◆ session