org.keycloak.storage.ldap.mappers.msadlds.MSADLDSUserAccountControlStorageMapper の継承関係図

org.keycloak.storage.ldap.mappers.msadlds.MSADLDSUserAccountControlStorageMapper 連携図

クラス
class	MSADUserModelDelegate

公開メンバ関数
	MSADLDSUserAccountControlStorageMapper (ComponentModel mapperModel, LDAPStorageProvider ldapProvider)

void	beforeLDAPQuery (LDAPQuery query)

LDAPOperationDecorator	beforePasswordUpdate (UserModel user, LDAPObject ldapUser, PasswordUserCredentialModel password)

void	passwordUpdated (UserModel user, LDAPObject ldapUser, PasswordUserCredentialModel password)

void	passwordUpdateFailed (UserModel user, LDAPObject ldapUser, PasswordUserCredentialModel password, ModelException exception)

UserModel	proxy (LDAPObject ldapUser, UserModel delegate, RealmModel realm)

void	onRegisterUserToLDAP (LDAPObject ldapUser, UserModel localUser, RealmModel realm)

void	onImportUserFromLDAP (LDAPObject ldapUser, UserModel user, RealmModel realm, boolean isCreate)

boolean	onAuthenticationFailure (LDAPObject ldapUser, UserModel user, AuthenticationException ldapException, RealmModel realm)

SynchronizationResult	syncDataFromFederationProviderToKeycloak (RealmModel realm)

SynchronizationResult	syncDataFromKeycloakToFederationProvider (RealmModel realm)

List< UserModel >	getGroupMembers (RealmModel realm, GroupModel group, int firstResult, int maxResults)

LDAPStorageProvider	getLdapProvider ()

void	close ()

静的公開メンバ関数
static boolean	parseBooleanParameter (ComponentModel mapperModel, String paramName)

限定公開メンバ関数
boolean	processAuthErrorCode (String errorCode, UserModel user)

ModelException	processFailedPasswordUpdateException (ModelException e)

限定公開変数類
final KeycloakSession	session

final ComponentModel	mapperModel

final LDAPStorageProvider	ldapProvider

静的非公開変数類
static final Logger	logger = Logger.getLogger(MSADLDSUserAccountControlStorageMapper.class)

static final Pattern	AUTH_EXCEPTION_REGEX = Pattern.compile(".AcceptSecurityContext error, data ([0-9a-f]), v.*")

static final Pattern	AUTH_INVALID_NEW_PASSWORD = Pattern.compile("(?s).problem 1005 \\(CONSTRAINT_ATT_TYPE\\), data [0-9a-f], Att 23 \\(userPassword\\).*")

詳解

Mapper specific to MSAD LDS. It's able to read the msDS-UserAccountDisabled, msDS-UserPasswordExpired and pwdLastSet attributes and set actions in Keycloak based on that. It's also able to handle exception code from LDAP user authentication (See http://www-01.ibm.com/support/docview.wss?uid=swg21290631 )

著者: Marek Posolda; Slawomir Dabek

構築子と解体子

◆ MSADLDSUserAccountControlStorageMapper()

org.keycloak.storage.ldap.mappers.msadlds.MSADLDSUserAccountControlStorageMapper.MSADLDSUserAccountControlStorageMapper	(	ComponentModel	mapperModel,
		LDAPStorageProvider	ldapProvider
	)

inline

                                                                                                                 {
         super(mapperModel, ldapProvider);
         ldapProvider.setUpdater(this);
     }

関数詳解

◆ beforeLDAPQuery()

void org.keycloak.storage.ldap.mappers.msadlds.MSADLDSUserAccountControlStorageMapper.beforeLDAPQuery ( LDAPQuery query )

inline

org.keycloak.storage.ldap.mappers.LDAPStorageMapperを実装しています。

                                                  {
         query.addReturningLdapAttribute(LDAPConstants.PWD_LAST_SET);
         query.addReturningLdapAttribute(LDAPConstants.MSDS_USER_ACCOUNT_DISABLED);
 
         // This needs to be read-only and can be set to writable just on demand
         query.addReturningReadOnlyLdapAttribute(LDAPConstants.PWD_LAST_SET);
 
         if (ldapProvider.getEditMode() != UserStorageProvider.EditMode.WRITABLE) {
             query.addReturningReadOnlyLdapAttribute(LDAPConstants.MSDS_USER_ACCOUNT_DISABLED);
         }
     }

◆ beforePasswordUpdate()

LDAPOperationDecorator org.keycloak.storage.ldap.mappers.msadlds.MSADLDSUserAccountControlStorageMapper.beforePasswordUpdate	(	UserModel	user,
		LDAPObject	ldapUser,
		PasswordUserCredentialModel	password
	)

inline

org.keycloak.storage.ldap.mappers.PasswordUpdateCallbackを実装しています。

                                                                                                                                   {
         return null; // Not supported for now. Not sure if LDAP_SERVER_POLICY_HINTS_OID works in MSAD LDS
     }

◆ close()

void org.keycloak.storage.ldap.mappers.AbstractLDAPStorageMapper.close ( )

inlineinherited

                         {
 
     }

◆ getGroupMembers()

List<UserModel> org.keycloak.storage.ldap.mappers.AbstractLDAPStorageMapper.getGroupMembers	(	RealmModel	realm,
		GroupModel	group,
		int	firstResult,
		int	maxResults
	)

inlineinherited

org.keycloak.storage.ldap.mappers.LDAPStorageMapperを実装しています。

                                                                                                                 {
         return Collections.emptyList();
     }

◆ getLdapProvider()

LDAPStorageProvider org.keycloak.storage.ldap.mappers.AbstractLDAPStorageMapper.getLdapProvider ( )

inlineinherited

                                                  {
         return ldapProvider;
     }

◆ onAuthenticationFailure()

boolean org.keycloak.storage.ldap.mappers.msadlds.MSADLDSUserAccountControlStorageMapper.onAuthenticationFailure	(	LDAPObject	ldapUser,
		UserModel	user,
		AuthenticationException	ldapException,
		RealmModel	realm
	)

inline

org.keycloak.storage.ldap.mappers.LDAPStorageMapperを実装しています。

                                                                                                                                          {
         String exceptionMessage = ldapException.getMessage();
         Matcher m = AUTH_EXCEPTION_REGEX.matcher(exceptionMessage);
         if (m.matches()) {
             String errorCode = m.group(1);
             return processAuthErrorCode(errorCode, user);
         } else {
             return false;
         }
     }

◆ onImportUserFromLDAP()

void org.keycloak.storage.ldap.mappers.msadlds.MSADLDSUserAccountControlStorageMapper.onImportUserFromLDAP	(	LDAPObject	ldapUser,
		UserModel	user,
		RealmModel	realm,
		boolean	isCreate
	)

inline

org.keycloak.storage.ldap.mappers.LDAPStorageMapperを実装しています。

                                                                                                               {
 
     }

◆ onRegisterUserToLDAP()

void org.keycloak.storage.ldap.mappers.msadlds.MSADLDSUserAccountControlStorageMapper.onRegisterUserToLDAP	(	LDAPObject	ldapUser,
		UserModel	localUser,
		RealmModel	realm
	)

inline

org.keycloak.storage.ldap.mappers.LDAPStorageMapperを実装しています。

                                                                                                  {
 
     }

◆ parseBooleanParameter()

static boolean org.keycloak.storage.ldap.mappers.AbstractLDAPStorageMapper.parseBooleanParameter	(	ComponentModel	mapperModel,
		String	paramName
	)

inlinestaticinherited

                                                                                               {
         String paramm = mapperModel.getConfig().getFirst(paramName);
         return Boolean.parseBoolean(paramm);
     }

◆ passwordUpdated()

void org.keycloak.storage.ldap.mappers.msadlds.MSADLDSUserAccountControlStorageMapper.passwordUpdated	(	UserModel	user,
		LDAPObject	ldapUser,
		PasswordUserCredentialModel	password
	)

inline

org.keycloak.storage.ldap.mappers.PasswordUpdateCallbackを実装しています。

                                                                                                            {
         logger.debugf("Going to update pwdLastSet for ldap user '%s' after successful password update", ldapUser.getDn().toString());
 
         // Normally it's read-only
         ldapUser.removeReadOnlyAttributeName(LDAPConstants.PWD_LAST_SET);
 
         ldapUser.setSingleAttribute(LDAPConstants.PWD_LAST_SET, "-1");
         
         if (user.isEnabled()) {
             // TODO: Use removeAttribute once available
             ldapUser.setSingleAttribute(LDAPConstants.MSDS_USER_ACCOUNT_DISABLED, "FALSE");
             logger.debugf("Removing msDS-UserPasswordExpired of user '%s'", ldapUser.getDn().toString());
         }
 
         ldapProvider.getLdapIdentityStore().update(ldapUser);
     }

◆ passwordUpdateFailed()

void org.keycloak.storage.ldap.mappers.msadlds.MSADLDSUserAccountControlStorageMapper.passwordUpdateFailed	(	UserModel	user,
		LDAPObject	ldapUser,
		PasswordUserCredentialModel	password,
		ModelException	exception
	)

inline

org.keycloak.storage.ldap.mappers.PasswordUpdateCallbackを実装しています。

                                                                                                                                           {
         throw processFailedPasswordUpdateException(exception);
     }

◆ processAuthErrorCode()

boolean org.keycloak.storage.ldap.mappers.msadlds.MSADLDSUserAccountControlStorageMapper.processAuthErrorCode	(	String	errorCode,
		UserModel	user
	)

inlineprotected

                                                                              {
         logger.debugf("MSAD LDS Error code is '%s' after failed LDAP login of user '%s'", errorCode, user.getUsername());
 
         if (ldapProvider.getEditMode() == UserStorageProvider.EditMode.WRITABLE) {
             if (errorCode.equals("532") || errorCode.equals("773")) {
                 // User needs to change his MSAD password. Allow him to login, but add UPDATE_PASSWORD required action
                 if (!user.getRequiredActions().contains(UserModel.RequiredAction.UPDATE_PASSWORD.name())) {
                     user.addRequiredAction(UserModel.RequiredAction.UPDATE_PASSWORD);
                 }
                 return true;
             } else if (errorCode.equals("533")) {
                 // User is disabled in MSAD LDS. Set him to disabled in KC as well
                 if (user.isEnabled()) {
                     user.setEnabled(false);
                 }
                 return true;
             } else if (errorCode.equals("775")) {
                 logger.warnf("Locked user '%s' attempt to login", user.getUsername());
             }
         }
 
         return false;
     }

◆ processFailedPasswordUpdateException()

ModelException org.keycloak.storage.ldap.mappers.msadlds.MSADLDSUserAccountControlStorageMapper.processFailedPasswordUpdateException ( ModelException e )

inlineprotected

                                                                                     {
         if (e.getCause() == null || e.getCause().getMessage() == null) {
             return e;
         }
 
         String exceptionMessage = e.getCause().getMessage();
         Matcher m = AUTH_INVALID_NEW_PASSWORD.matcher(exceptionMessage);
         if (m.matches()) {
             ModelException me = new ModelException("invalidPasswordRegexPatternMessage", e);
             me.setParameters(new Object[]{"passwordConstraintViolation"});
             return me;
         }
 
         return e;
     }

◆ proxy()

UserModel org.keycloak.storage.ldap.mappers.msadlds.MSADLDSUserAccountControlStorageMapper.proxy	(	LDAPObject	ldapUser,
		UserModel	delegate,
		RealmModel	realm
	)

inline

org.keycloak.storage.ldap.mappers.LDAPStorageMapperを実装しています。

                                                                                       {
         return new MSADUserModelDelegate(delegate, ldapUser);
     }

◆ syncDataFromFederationProviderToKeycloak()

SynchronizationResult org.keycloak.storage.ldap.mappers.AbstractLDAPStorageMapper.syncDataFromFederationProviderToKeycloak ( RealmModel realm )

inlineinherited

org.keycloak.storage.ldap.mappers.LDAPStorageMapperを実装しています。

                                                                                             {
         return new SynchronizationResult();
     }

◆ syncDataFromKeycloakToFederationProvider()

SynchronizationResult org.keycloak.storage.ldap.mappers.AbstractLDAPStorageMapper.syncDataFromKeycloakToFederationProvider ( RealmModel realm )

inlineinherited

org.keycloak.storage.ldap.mappers.LDAPStorageMapperを実装しています。

                                                                                             {
         return new SynchronizationResult();
     }

メンバ詳解

◆ AUTH_EXCEPTION_REGEX

final Pattern org.keycloak.storage.ldap.mappers.msadlds.MSADLDSUserAccountControlStorageMapper.AUTH_EXCEPTION_REGEX = Pattern.compile(".*AcceptSecurityContext error, data ([0-9a-f]*), v.*")

staticprivate

◆ AUTH_INVALID_NEW_PASSWORD

final Pattern org.keycloak.storage.ldap.mappers.msadlds.MSADLDSUserAccountControlStorageMapper.AUTH_INVALID_NEW_PASSWORD = Pattern.compile("(?s).*problem 1005 \\(CONSTRAINT_ATT_TYPE\\), data [0-9a-f]*, Att 23 \\(userPassword\\).*")

staticprivate

◆ ldapProvider

final LDAPStorageProvider org.keycloak.storage.ldap.mappers.AbstractLDAPStorageMapper.ldapProvider

protectedinherited

◆ logger

final Logger org.keycloak.storage.ldap.mappers.msadlds.MSADLDSUserAccountControlStorageMapper.logger = Logger.getLogger(MSADLDSUserAccountControlStorageMapper.class)

staticprivate

◆ mapperModel

final ComponentModel org.keycloak.storage.ldap.mappers.AbstractLDAPStorageMapper.mapperModel

protectedinherited

◆ session

final KeycloakSession org.keycloak.storage.ldap.mappers.AbstractLDAPStorageMapper.session

protectedinherited

このクラス詳解は次のファイルから抽出されました:

D:/AppData/doxygen/keycloak/federation/src/federation/ldap/src/main/java/org/keycloak/storage/ldap/mappers/msadlds/MSADLDSUserAccountControlStorageMapper.java

クラス

公開メンバ関数

静的公開メンバ関数

限定公開メンバ関数

限定公開変数類

静的非公開変数類

詳解

構築子と解体子

◆ MSADLDSUserAccountControlStorageMapper()

関数詳解

◆ beforeLDAPQuery()

◆ beforePasswordUpdate()

◆ close()

◆ getGroupMembers()

◆ getLdapProvider()

◆ onAuthenticationFailure()

◆ onImportUserFromLDAP()

◆ onRegisterUserToLDAP()

◆ parseBooleanParameter()

◆ passwordUpdated()

◆ passwordUpdateFailed()

◆ processAuthErrorCode()

◆ processFailedPasswordUpdateException()

◆ proxy()

◆ syncDataFromFederationProviderToKeycloak()

◆ syncDataFromKeycloakToFederationProvider()

メンバ詳解

◆ AUTH_EXCEPTION_REGEX

◆ AUTH_INVALID_NEW_PASSWORD

◆ ldapProvider

◆ logger

◆ mapperModel

◆ session