keycloak-federation
公開メンバ関数 | 静的公開メンバ関数 | 静的公開変数類 | 限定公開メンバ関数 | 静的限定公開変数類 | 静的関数 | 非公開メンバ関数 | 静的非公開メンバ関数 | 非公開変数類 | 静的非公開変数類 | 全メンバ一覧
org.keycloak.storage.ldap.LDAPStorageProviderFactory クラス
org.keycloak.storage.ldap.LDAPStorageProviderFactory の継承関係図
Inheritance graph
org.keycloak.storage.ldap.LDAPStorageProviderFactory 連携図
Collaboration graph

公開メンバ関数

List< ProviderConfigProperty > getConfigProperties ()
 
LDAPStorageProvider create (KeycloakSession session, ComponentModel model)
 
void validateConfiguration (KeycloakSession session, RealmModel realm, ComponentModel config) throws ComponentValidationException
 
void init (Config.Scope config)
 
void close ()
 
String getId ()
 
void onCreate (KeycloakSession session, RealmModel realm, ComponentModel model)
 
void onUpdate (KeycloakSession session, RealmModel realm, ComponentModel oldModel, ComponentModel newModel)
 
void preRemove (KeycloakSession session, RealmModel realm, ComponentModel model)
 
SynchronizationResult sync (KeycloakSessionFactory sessionFactory, String realmId, UserStorageProviderModel model)
 
SynchronizationResult syncSince (Date lastSync, KeycloakSessionFactory sessionFactory, String realmId, UserStorageProviderModel model)
 

静的公開メンバ関数

static boolean checkKerberosCredential (KeycloakSession session, RealmModel realm, ComponentModel model)
 

静的公開変数類

static final String PROVIDER_NAME = LDAPConstants.LDAP_PROVIDER
 

限定公開メンバ関数

Map< ComponentModel, LDAPConfigDecoratorgetLDAPConfigDecorators (KeycloakSession session, ComponentModel ldapModel)
 
void syncMappers (KeycloakSessionFactory sessionFactory, final String realmId, final ComponentModel model)
 
SynchronizationResult syncImpl (KeycloakSessionFactory sessionFactory, LDAPQuery userQuery, final String realmId, final ComponentModel fedModel)
 
SynchronizationResult importLdapUsers (KeycloakSessionFactory sessionFactory, final String realmId, final ComponentModel fedModel, List< LDAPObject > ldapUsers)
 
SPNEGOAuthenticator createSPNEGOAuthenticator (String spnegoToken, CommonKerberosConfig kerberosConfig)
 
KerberosServerSubjectAuthenticator createKerberosSubjectAuthenticator (CommonKerberosConfig kerberosConfig)
 
KerberosUsernamePasswordAuthenticator createKerberosUsernamePasswordAuthenticator (CommonKerberosConfig kerberosConfig)
 

静的限定公開変数類

static final List< ProviderConfigProperty > configProperties
 

静的関数

 [static initializer]
 

非公開メンバ関数

LDAPQuery createQuery (KeycloakSessionFactory sessionFactory, final String realmId, final ComponentModel model)
 

静的非公開メンバ関数

static List< ProviderConfigProperty > getConfigProps (ComponentModel parent)
 

非公開変数類

LDAPIdentityStoreRegistry ldapStoreRegistry
 

静的非公開変数類

static final Logger logger = Logger.getLogger(LDAPStorageProviderFactory.class)
 

詳解

著者
Marek Posolda
Bill Burke
バージョン
Revision
1

関数詳解

◆ [static initializer]()

org.keycloak.storage.ldap.LDAPStorageProviderFactory.[static initializer] ( )
inlinestaticpackage

◆ checkKerberosCredential()

static boolean org.keycloak.storage.ldap.LDAPStorageProviderFactory.checkKerberosCredential ( KeycloakSession  session,
RealmModel  realm,
ComponentModel  model 
)
inlinestatic
629  {
630  String allowKerberosCfg = model.getConfig().getFirst(KerberosConstants.ALLOW_KERBEROS_AUTHENTICATION);
631  if (Boolean.valueOf(allowKerberosCfg)) {
632  CredentialHelper.setOrReplaceAuthenticationRequirement(session, realm, CredentialRepresentation.KERBEROS,
633  AuthenticationExecutionModel.Requirement.ALTERNATIVE, AuthenticationExecutionModel.Requirement.DISABLED);
634  return true;
635  }
636  return false;
637  }

◆ close()

void org.keycloak.storage.ldap.LDAPStorageProviderFactory.close ( )
inline
278  {
279  this.ldapStoreRegistry = null;
280  }
org.keycloak.storage.ldap.LDAPStorageProviderFactory.ldapStoreRegistry
LDAPIdentityStoreRegistry ldapStoreRegistry
Definition: LDAPStorageProviderFactory.java:78

◆ create()

LDAPStorageProvider org.keycloak.storage.ldap.LDAPStorageProviderFactory.create ( KeycloakSession  session,
ComponentModel  model 
)
inline
221  {
222  Map<ComponentModel, LDAPConfigDecorator> configDecorators = getLDAPConfigDecorators(session, model);
223 
224  LDAPIdentityStore ldapIdentityStore = this.ldapStoreRegistry.getLdapStore(session, model, configDecorators);
225  return new LDAPStorageProvider(this, session, model, ldapIdentityStore);
226  }
org.keycloak.storage.ldap.LDAPIdentityStoreRegistry.getLdapStore
LDAPIdentityStore getLdapStore(KeycloakSession session, ComponentModel ldapModel, Map< ComponentModel, LDAPConfigDecorator > configDecorators)
Definition: LDAPIdentityStoreRegistry.java:42
org.keycloak.storage.ldap.LDAPStorageProviderFactory.ldapStoreRegistry
LDAPIdentityStoreRegistry ldapStoreRegistry
Definition: LDAPStorageProviderFactory.java:78
org.keycloak.storage.ldap.LDAPStorageProviderFactory.getLDAPConfigDecorators
Map< ComponentModel, LDAPConfigDecorator > getLDAPConfigDecorators(KeycloakSession session, ComponentModel ldapModel)
Definition: LDAPStorageProviderFactory.java:230

◆ createKerberosSubjectAuthenticator()

KerberosServerSubjectAuthenticator org.keycloak.storage.ldap.LDAPStorageProviderFactory.createKerberosSubjectAuthenticator ( CommonKerberosConfig  kerberosConfig)
inlineprotected
621  {
622  return new KerberosServerSubjectAuthenticator(kerberosConfig);
623  }

◆ createKerberosUsernamePasswordAuthenticator()

KerberosUsernamePasswordAuthenticator org.keycloak.storage.ldap.LDAPStorageProviderFactory.createKerberosUsernamePasswordAuthenticator ( CommonKerberosConfig  kerberosConfig)
inlineprotected
625  {
626  return new KerberosUsernamePasswordAuthenticator(kerberosConfig);
627  }

◆ createQuery()

LDAPQuery org.keycloak.storage.ldap.LDAPStorageProviderFactory.createQuery ( KeycloakSessionFactory  sessionFactory,
final String  realmId,
final ComponentModel  model 
)
inlineprivate
503  {
504  class QueryHolder {
505  LDAPQuery query;
506  }
507 
508  final QueryHolder queryHolder = new QueryHolder();
509  KeycloakModelUtils.runJobInTransaction(sessionFactory, new KeycloakSessionTask() {
510 
511  @Override
512  public void run(KeycloakSession session) {
513  LDAPStorageProvider ldapFedProvider = (LDAPStorageProvider)session.getProvider(UserStorageProvider.class, model);
514  RealmModel realm = session.realms().getRealm(realmId);
515  queryHolder.query = LDAPUtils.createQueryForUserSearch(ldapFedProvider, realm);
516  }
517 
518  });
519  return queryHolder.query;
520  }

◆ createSPNEGOAuthenticator()

SPNEGOAuthenticator org.keycloak.storage.ldap.LDAPStorageProviderFactory.createSPNEGOAuthenticator ( String  spnegoToken,
CommonKerberosConfig  kerberosConfig 
)
inlineprotected
616  {
617  KerberosServerSubjectAuthenticator kerberosAuth = createKerberosSubjectAuthenticator(kerberosConfig);
618  return new SPNEGOAuthenticator(kerberosConfig, kerberosAuth, spnegoToken);
619  }
org.keycloak.storage.ldap.LDAPStorageProviderFactory.createKerberosSubjectAuthenticator
KerberosServerSubjectAuthenticator createKerberosSubjectAuthenticator(CommonKerberosConfig kerberosConfig)
Definition: LDAPStorageProviderFactory.java:621

◆ getConfigProperties()

List<ProviderConfigProperty> org.keycloak.storage.ldap.LDAPStorageProviderFactory.getConfigProperties ( )
inline
216  {
217  return configProperties;
218  }
org.keycloak.storage.ldap.LDAPStorageProviderFactory.configProperties
static final List< ProviderConfigProperty > configProperties
Definition: LDAPStorageProviderFactory.java:80

◆ getConfigProps()

static List<ProviderConfigProperty> org.keycloak.storage.ldap.LDAPStorageProviderFactory.getConfigProps ( ComponentModel  parent)
inlinestaticprivate
86  {
87  boolean readOnly = false;
88  if (parent != null) {
89  LDAPConfig config = new LDAPConfig(parent.getConfig());
90  readOnly = config.getEditMode() != UserStorageProvider.EditMode.WRITABLE;
91  }
92 
93 
94  return ProviderConfigurationBuilder.create()
95  .property().name(LDAPConstants.EDIT_MODE)
96  .type(ProviderConfigProperty.STRING_TYPE)
97  .add()
98  .property().name(UserStorageProviderModel.IMPORT_ENABLED)
99  .type(ProviderConfigProperty.BOOLEAN_TYPE)
100  .defaultValue("true")
101  .add()
102  .property().name(LDAPConstants.SYNC_REGISTRATIONS)
103  .type(ProviderConfigProperty.BOOLEAN_TYPE)
104  .defaultValue("false")
105  .add()
106  .property().name(LDAPConstants.VENDOR)
107  .type(ProviderConfigProperty.STRING_TYPE)
108  .add()
109  .property().name(LDAPConstants.USERNAME_LDAP_ATTRIBUTE)
110  .type(ProviderConfigProperty.STRING_TYPE)
111  .add()
112  .property().name(LDAPConstants.RDN_LDAP_ATTRIBUTE)
113  .type(ProviderConfigProperty.STRING_TYPE)
114  .add()
115  .property().name(LDAPConstants.UUID_LDAP_ATTRIBUTE)
116  .type(ProviderConfigProperty.STRING_TYPE)
117  .add()
118  .property().name(LDAPConstants.USER_OBJECT_CLASSES)
119  .type(ProviderConfigProperty.STRING_TYPE)
120  .add()
121  .property().name(LDAPConstants.CONNECTION_URL)
122  .type(ProviderConfigProperty.STRING_TYPE)
123  .add()
124  .property().name(LDAPConstants.USERS_DN)
125  .type(ProviderConfigProperty.STRING_TYPE)
126  .add()
127  .property().name(LDAPConstants.AUTH_TYPE)
128  .type(ProviderConfigProperty.STRING_TYPE)
129  .defaultValue("simple")
130  .add()
131  .property().name(LDAPConstants.BIND_DN)
132  .type(ProviderConfigProperty.STRING_TYPE)
133  .add()
134  .property().name(LDAPConstants.BIND_CREDENTIAL)
135  .type(ProviderConfigProperty.PASSWORD)
136  .secret(true)
137  .add()
138  .property().name(LDAPConstants.CUSTOM_USER_SEARCH_FILTER)
139  .type(ProviderConfigProperty.STRING_TYPE)
140  .add()
141  .property().name(LDAPConstants.SEARCH_SCOPE)
142  .type(ProviderConfigProperty.STRING_TYPE)
143  .defaultValue("1")
144  .add()
145  .property().name(LDAPConstants.VALIDATE_PASSWORD_POLICY)
146  .type(ProviderConfigProperty.BOOLEAN_TYPE)
147  .defaultValue("false")
148  .add()
149  .property().name(LDAPConstants.USE_TRUSTSTORE_SPI)
150  .type(ProviderConfigProperty.STRING_TYPE)
151  .defaultValue("ldapsOnly")
152  .add()
153  .property().name(LDAPConstants.CONNECTION_POOLING)
154  .type(ProviderConfigProperty.BOOLEAN_TYPE)
155  .defaultValue("true")
156  .add()
157  .property().name(LDAPConstants.CONNECTION_POOLING_AUTHENTICATION)
158  .type(ProviderConfigProperty.STRING_TYPE)
159  .add()
160  .property().name(LDAPConstants.CONNECTION_POOLING_DEBUG)
161  .type(ProviderConfigProperty.STRING_TYPE)
162  .add()
163  .property().name(LDAPConstants.CONNECTION_POOLING_INITSIZE)
164  .type(ProviderConfigProperty.STRING_TYPE)
165  .add()
166  .property().name(LDAPConstants.CONNECTION_POOLING_MAXSIZE)
167  .type(ProviderConfigProperty.STRING_TYPE)
168  .add()
169  .property().name(LDAPConstants.CONNECTION_POOLING_PREFSIZE)
170  .type(ProviderConfigProperty.STRING_TYPE)
171  .add()
172  .property().name(LDAPConstants.CONNECTION_POOLING_PROTOCOL)
173  .type(ProviderConfigProperty.STRING_TYPE)
174  .add()
175  .property().name(LDAPConstants.CONNECTION_POOLING_TIMEOUT)
176  .type(ProviderConfigProperty.STRING_TYPE)
177  .add()
178  .property().name(LDAPConstants.CONNECTION_TIMEOUT)
179  .type(ProviderConfigProperty.STRING_TYPE)
180  .add()
181  .property().name(LDAPConstants.READ_TIMEOUT)
182  .type(ProviderConfigProperty.STRING_TYPE)
183  .add()
184  .property().name(LDAPConstants.PAGINATION)
185  .type(ProviderConfigProperty.BOOLEAN_TYPE)
186  .defaultValue("true")
187  .add()
188  .property().name(KerberosConstants.ALLOW_KERBEROS_AUTHENTICATION)
189  .type(ProviderConfigProperty.BOOLEAN_TYPE)
190  .defaultValue("false")
191  .add()
192  .property().name(KerberosConstants.SERVER_PRINCIPAL)
193  .type(ProviderConfigProperty.STRING_TYPE)
194  .add()
195  .property().name(KerberosConstants.KEYTAB)
196  .type(ProviderConfigProperty.STRING_TYPE)
197  .add()
198  .property().name(KerberosConstants.KERBEROS_REALM)
199  .type(ProviderConfigProperty.STRING_TYPE)
200  .add()
201  .property().name(KerberosConstants.DEBUG)
202  .type(ProviderConfigProperty.BOOLEAN_TYPE)
203  .defaultValue("false")
204  .add()
205  .property().name(KerberosConstants.USE_KERBEROS_FOR_PASSWORD_AUTHENTICATION)
206  .type(ProviderConfigProperty.BOOLEAN_TYPE)
207  .defaultValue("false")
208  .add()
209  .property().name(KerberosConstants.SERVER_PRINCIPAL)
210  .type(ProviderConfigProperty.STRING_TYPE)
211  .add()
212  .build();
213  }

◆ getId()

String org.keycloak.storage.ldap.LDAPStorageProviderFactory.getId ( )
inline
283  {
284  return PROVIDER_NAME;
285  }
org.keycloak.storage.ldap.LDAPStorageProviderFactory.PROVIDER_NAME
static final String PROVIDER_NAME
Definition: LDAPStorageProviderFactory.java:76

◆ getLDAPConfigDecorators()

Map<ComponentModel, LDAPConfigDecorator> org.keycloak.storage.ldap.LDAPStorageProviderFactory.getLDAPConfigDecorators ( KeycloakSession  session,
ComponentModel  ldapModel 
)
inlineprotected
230  {
231  RealmModel realm = session.realms().getRealm(ldapModel.getParentId());
232  List<ComponentModel> mapperComponents = realm.getComponents(ldapModel.getId(), LDAPStorageMapper.class.getName());
233 
234  Map<ComponentModel, LDAPConfigDecorator> result = new HashMap<>();
235  for (ComponentModel mapperModel : mapperComponents) {
236  LDAPStorageMapperFactory mapperFactory = (LDAPStorageMapperFactory) session.getKeycloakSessionFactory().getProviderFactory(LDAPStorageMapper.class, mapperModel.getProviderId());
237  if (mapperFactory instanceof LDAPConfigDecorator) {
238  result.put(mapperModel, (LDAPConfigDecorator) mapperFactory);
239  }
240  }
241 
242  return result;
243  }

◆ importLdapUsers()

SynchronizationResult org.keycloak.storage.ldap.LDAPStorageProviderFactory.importLdapUsers ( KeycloakSessionFactory  sessionFactory,
final String  realmId,
final ComponentModel  fedModel,
List< LDAPObject ldapUsers 
)
inlineprotected
522  {
523  final SynchronizationResult syncResult = new SynchronizationResult();
524 
525  class BooleanHolder {
526  private boolean value = true;
527  }
528  final BooleanHolder exists = new BooleanHolder();
529 
530  for (final LDAPObject ldapUser : ldapUsers) {
531 
532  try {
533 
534  // Process each user in it's own transaction to avoid global fail
535  KeycloakModelUtils.runJobInTransaction(sessionFactory, new KeycloakSessionTask() {
536 
537  @Override
538  public void run(KeycloakSession session) {
539  LDAPStorageProvider ldapFedProvider = (LDAPStorageProvider)session.getProvider(UserStorageProvider.class, fedModel);
540  RealmModel currentRealm = session.realms().getRealm(realmId);
541 
542  String username = LDAPUtils.getUsername(ldapUser, ldapFedProvider.getLdapIdentityStore().getConfig());
543  exists.value = true;
544  LDAPUtils.checkUuid(ldapUser, ldapFedProvider.getLdapIdentityStore().getConfig());
545  UserModel currentUser = session.userLocalStorage().getUserByUsername(username, currentRealm);
546 
547  if (currentUser == null) {
548 
549  // Add new user to Keycloak
550  exists.value = false;
551  ldapFedProvider.importUserFromLDAP(session, currentRealm, ldapUser);
552  syncResult.increaseAdded();
553 
554  } else {
555  if ((fedModel.getId().equals(currentUser.getFederationLink())) && (ldapUser.getUuid().equals(currentUser.getFirstAttribute(LDAPConstants.LDAP_ID)))) {
556 
557  // Update keycloak user
558  List<ComponentModel> federationMappers = currentRealm.getComponents(fedModel.getId(), LDAPStorageMapper.class.getName());
559  List<ComponentModel> sortedMappers = ldapFedProvider.getMapperManager().sortMappersDesc(federationMappers);
560  for (ComponentModel mapperModel : sortedMappers) {
561  LDAPStorageMapper ldapMapper = ldapFedProvider.getMapperManager().getMapper(mapperModel);
562  ldapMapper.onImportUserFromLDAP(ldapUser, currentUser, currentRealm, false);
563  }
564  UserCache userCache = session.userCache();
565  if (userCache != null) {
566  userCache.evict(currentRealm, currentUser);
567  }
568  logger.debugf("Updated user from LDAP: %s", currentUser.getUsername());
569  syncResult.increaseUpdated();
570  } else {
571  logger.warnf("User '%s' is not updated during sync as he already exists in Keycloak database but is not linked to federation provider '%s'", username, fedModel.getName());
572  syncResult.increaseFailed();
573  }
574  }
575  }
576 
577  });
578  } catch (ModelException me) {
579  logger.error("Failed during import user from LDAP", me);
580  syncResult.increaseFailed();
581 
582  // Remove user if we already added him during this transaction
583  if (!exists.value) {
584  KeycloakModelUtils.runJobInTransaction(sessionFactory, new KeycloakSessionTask() {
585 
586  @Override
587  public void run(KeycloakSession session) {
588  LDAPStorageProvider ldapFedProvider = (LDAPStorageProvider)session.getProvider(UserStorageProvider.class, fedModel);
589  RealmModel currentRealm = session.realms().getRealm(realmId);
590  String username = null;
591  try {
592  username = LDAPUtils.getUsername(ldapUser, ldapFedProvider.getLdapIdentityStore().getConfig());
593  } catch (ModelException ignore) {
594  }
595 
596  if (username != null) {
597  UserModel existing = session.userLocalStorage().getUserByUsername(username, currentRealm);
598  if (existing != null) {
599  UserCache userCache = session.userCache();
600  if (userCache != null) {
601  userCache.evict(currentRealm, existing);
602  }
603  session.userLocalStorage().removeUser(currentRealm, existing);
604  }
605  }
606  }
607 
608  });
609  }
610  }
611  }
612 
613  return syncResult;
614  }
org.keycloak.storage.ldap.LDAPStorageProviderFactory.logger
static final Logger logger
Definition: LDAPStorageProviderFactory.java:75

◆ init()

void org.keycloak.storage.ldap.LDAPStorageProviderFactory.init ( Config.Scope  config)
inline
273  {
274  this.ldapStoreRegistry = new LDAPIdentityStoreRegistry();
275  }
org.keycloak.storage.ldap.LDAPStorageProviderFactory.ldapStoreRegistry
LDAPIdentityStoreRegistry ldapStoreRegistry
Definition: LDAPStorageProviderFactory.java:78

◆ onCreate()

void org.keycloak.storage.ldap.LDAPStorageProviderFactory.onCreate ( KeycloakSession  session,
RealmModel  realm,
ComponentModel  model 
)
inline
289  {
290  LDAPConfig ldapConfig = new LDAPConfig(model.getConfig());
291 
292  boolean activeDirectory = ldapConfig.isActiveDirectory();
293  UserStorageProvider.EditMode editMode = ldapConfig.getEditMode();
294  String readOnly = String.valueOf(editMode == UserStorageProvider.EditMode.READ_ONLY || editMode == UserStorageProvider.EditMode.UNSYNCED);
295  String usernameLdapAttribute = ldapConfig.getUsernameLdapAttribute();
296 
297  String alwaysReadValueFromLDAP = String.valueOf(editMode== UserStorageProvider.EditMode.READ_ONLY || editMode== UserStorageProvider.EditMode.WRITABLE);
298 
299  ComponentModel mapperModel;
300  mapperModel = KeycloakModelUtils.createComponentModel("username", model.getId(), UserAttributeLDAPStorageMapperFactory.PROVIDER_ID, LDAPStorageMapper.class.getName(),
301  UserAttributeLDAPStorageMapper.USER_MODEL_ATTRIBUTE, UserModel.USERNAME,
302  UserAttributeLDAPStorageMapper.LDAP_ATTRIBUTE, usernameLdapAttribute,
303  UserAttributeLDAPStorageMapper.READ_ONLY, readOnly,
304  UserAttributeLDAPStorageMapper.ALWAYS_READ_VALUE_FROM_LDAP, "false",
305  UserAttributeLDAPStorageMapper.IS_MANDATORY_IN_LDAP, "true");
306  realm.addComponentModel(mapperModel);
307 
308  // CN is typically used as RDN for Active Directory deployments
309  if (ldapConfig.getRdnLdapAttribute().equalsIgnoreCase(LDAPConstants.CN)) {
310 
311  if (usernameLdapAttribute.equalsIgnoreCase(LDAPConstants.CN)) {
312 
313  // For AD deployments with "cn" as username, we will map "givenName" to first name
314  mapperModel = KeycloakModelUtils.createComponentModel("first name", model.getId(), UserAttributeLDAPStorageMapperFactory.PROVIDER_ID,LDAPStorageMapper.class.getName(),
315  UserAttributeLDAPStorageMapper.USER_MODEL_ATTRIBUTE, UserModel.FIRST_NAME,
316  UserAttributeLDAPStorageMapper.LDAP_ATTRIBUTE, LDAPConstants.GIVENNAME,
317  UserAttributeLDAPStorageMapper.READ_ONLY, readOnly,
318  UserAttributeLDAPStorageMapper.ALWAYS_READ_VALUE_FROM_LDAP, alwaysReadValueFromLDAP,
319  UserAttributeLDAPStorageMapper.IS_MANDATORY_IN_LDAP, "true");
320  realm.addComponentModel(mapperModel);
321 
322  } else {
323  if (editMode == UserStorageProvider.EditMode.WRITABLE) {
324 
325  // For AD deployments with "sAMAccountName" as username and writable, we need to map "cn" as username as well (this is needed so we can register new users from KC into LDAP) and we will map "givenName" to first name.
326  mapperModel = KeycloakModelUtils.createComponentModel("first name", model.getId(), UserAttributeLDAPStorageMapperFactory.PROVIDER_ID,LDAPStorageMapper.class.getName(),
327  UserAttributeLDAPStorageMapper.USER_MODEL_ATTRIBUTE, UserModel.FIRST_NAME,
328  UserAttributeLDAPStorageMapper.LDAP_ATTRIBUTE, LDAPConstants.GIVENNAME,
329  UserAttributeLDAPStorageMapper.READ_ONLY, readOnly,
330  UserAttributeLDAPStorageMapper.ALWAYS_READ_VALUE_FROM_LDAP, alwaysReadValueFromLDAP,
331  UserAttributeLDAPStorageMapper.IS_MANDATORY_IN_LDAP, "true");
332  realm.addComponentModel(mapperModel);
333 
334  mapperModel = KeycloakModelUtils.createComponentModel("username-cn", model.getId(), UserAttributeLDAPStorageMapperFactory.PROVIDER_ID,LDAPStorageMapper.class.getName(),
335  UserAttributeLDAPStorageMapper.USER_MODEL_ATTRIBUTE, UserModel.USERNAME,
336  UserAttributeLDAPStorageMapper.LDAP_ATTRIBUTE, LDAPConstants.CN,
337  UserAttributeLDAPStorageMapper.READ_ONLY, readOnly,
338  UserAttributeLDAPStorageMapper.ALWAYS_READ_VALUE_FROM_LDAP, "false",
339  UserAttributeLDAPStorageMapper.IS_MANDATORY_IN_LDAP, "true");
340  realm.addComponentModel(mapperModel);
341  } else {
342 
343  // For read-only LDAP, we map "cn" as full name
344  mapperModel = KeycloakModelUtils.createComponentModel("full name", model.getId(), FullNameLDAPStorageMapperFactory.PROVIDER_ID,LDAPStorageMapper.class.getName(),
345  FullNameLDAPStorageMapper.LDAP_FULL_NAME_ATTRIBUTE, LDAPConstants.CN,
346  FullNameLDAPStorageMapper.READ_ONLY, readOnly,
347  FullNameLDAPStorageMapper.WRITE_ONLY, "false");
348  realm.addComponentModel(mapperModel);
349  }
350  }
351  } else {
352  mapperModel = KeycloakModelUtils.createComponentModel("first name", model.getId(), UserAttributeLDAPStorageMapperFactory.PROVIDER_ID,LDAPStorageMapper.class.getName(),
353  UserAttributeLDAPStorageMapper.USER_MODEL_ATTRIBUTE, UserModel.FIRST_NAME,
354  UserAttributeLDAPStorageMapper.LDAP_ATTRIBUTE, LDAPConstants.CN,
355  UserAttributeLDAPStorageMapper.READ_ONLY, readOnly,
356  UserAttributeLDAPStorageMapper.ALWAYS_READ_VALUE_FROM_LDAP, alwaysReadValueFromLDAP,
357  UserAttributeLDAPStorageMapper.IS_MANDATORY_IN_LDAP, "true");
358  realm.addComponentModel(mapperModel);
359  }
360 
361  mapperModel = KeycloakModelUtils.createComponentModel("last name", model.getId(), UserAttributeLDAPStorageMapperFactory.PROVIDER_ID,LDAPStorageMapper.class.getName(),
362  UserAttributeLDAPStorageMapper.USER_MODEL_ATTRIBUTE, UserModel.LAST_NAME,
363  UserAttributeLDAPStorageMapper.LDAP_ATTRIBUTE, LDAPConstants.SN,
364  UserAttributeLDAPStorageMapper.READ_ONLY, readOnly,
365  UserAttributeLDAPStorageMapper.ALWAYS_READ_VALUE_FROM_LDAP, alwaysReadValueFromLDAP,
366  UserAttributeLDAPStorageMapper.IS_MANDATORY_IN_LDAP, "true");
367  realm.addComponentModel(mapperModel);
368 
369  mapperModel = KeycloakModelUtils.createComponentModel("email", model.getId(), UserAttributeLDAPStorageMapperFactory.PROVIDER_ID,LDAPStorageMapper.class.getName(),
370  UserAttributeLDAPStorageMapper.USER_MODEL_ATTRIBUTE, UserModel.EMAIL,
371  UserAttributeLDAPStorageMapper.LDAP_ATTRIBUTE, LDAPConstants.EMAIL,
372  UserAttributeLDAPStorageMapper.READ_ONLY, readOnly,
373  UserAttributeLDAPStorageMapper.ALWAYS_READ_VALUE_FROM_LDAP, "false",
374  UserAttributeLDAPStorageMapper.IS_MANDATORY_IN_LDAP, "false");
375  realm.addComponentModel(mapperModel);
376 
377  String createTimestampLdapAttrName = activeDirectory ? "whenCreated" : LDAPConstants.CREATE_TIMESTAMP;
378  String modifyTimestampLdapAttrName = activeDirectory ? "whenChanged" : LDAPConstants.MODIFY_TIMESTAMP;
379 
380  // map createTimeStamp as read-only
381  mapperModel = KeycloakModelUtils.createComponentModel("creation date", model.getId(), UserAttributeLDAPStorageMapperFactory.PROVIDER_ID,LDAPStorageMapper.class.getName(),
382  UserAttributeLDAPStorageMapper.USER_MODEL_ATTRIBUTE, LDAPConstants.CREATE_TIMESTAMP,
383  UserAttributeLDAPStorageMapper.LDAP_ATTRIBUTE, createTimestampLdapAttrName,
384  UserAttributeLDAPStorageMapper.READ_ONLY, "true",
385  UserAttributeLDAPStorageMapper.ALWAYS_READ_VALUE_FROM_LDAP, alwaysReadValueFromLDAP,
386  UserAttributeLDAPStorageMapper.IS_MANDATORY_IN_LDAP, "false");
387  realm.addComponentModel(mapperModel);
388 
389  // map modifyTimeStamp as read-only
390  mapperModel = KeycloakModelUtils.createComponentModel("modify date", model.getId(), UserAttributeLDAPStorageMapperFactory.PROVIDER_ID,LDAPStorageMapper.class.getName(),
391  UserAttributeLDAPStorageMapper.USER_MODEL_ATTRIBUTE, LDAPConstants.MODIFY_TIMESTAMP,
392  UserAttributeLDAPStorageMapper.LDAP_ATTRIBUTE, modifyTimestampLdapAttrName,
393  UserAttributeLDAPStorageMapper.READ_ONLY, "true",
394  UserAttributeLDAPStorageMapper.ALWAYS_READ_VALUE_FROM_LDAP, alwaysReadValueFromLDAP,
395  UserAttributeLDAPStorageMapper.IS_MANDATORY_IN_LDAP, "false");
396  realm.addComponentModel(mapperModel);
397 
398  // MSAD specific mapper for account state propagation
399  if (activeDirectory) {
400  mapperModel = KeycloakModelUtils.createComponentModel("MSAD account controls", model.getId(), MSADUserAccountControlStorageMapperFactory.PROVIDER_ID,LDAPStorageMapper.class.getName());
401  realm.addComponentModel(mapperModel);
402  }
403  checkKerberosCredential(session, realm, model);
404  }
org.keycloak.storage.ldap.LDAPStorageProviderFactory.checkKerberosCredential
static boolean checkKerberosCredential(KeycloakSession session, RealmModel realm, ComponentModel model)
Definition: LDAPStorageProviderFactory.java:629

◆ onUpdate()

void org.keycloak.storage.ldap.LDAPStorageProviderFactory.onUpdate ( KeycloakSession  session,
RealmModel  realm,
ComponentModel  oldModel,
ComponentModel  newModel 
)
inline
407  {
408  checkKerberosCredential(session, realm, newModel);
409 
410  }
org.keycloak.storage.ldap.LDAPStorageProviderFactory.checkKerberosCredential
static boolean checkKerberosCredential(KeycloakSession session, RealmModel realm, ComponentModel model)
Definition: LDAPStorageProviderFactory.java:629

◆ preRemove()

void org.keycloak.storage.ldap.LDAPStorageProviderFactory.preRemove ( KeycloakSession  session,
RealmModel  realm,
ComponentModel  model 
)
inline
413  {
414  String allowKerberosCfg = model.getConfig().getFirst(KerberosConstants.ALLOW_KERBEROS_AUTHENTICATION);
415  if (Boolean.valueOf(allowKerberosCfg)) {
416  CredentialHelper.setOrReplaceAuthenticationRequirement(session, realm, CredentialRepresentation.KERBEROS,
417  AuthenticationExecutionModel.Requirement.DISABLED, null);
418  }
419  }

◆ sync()

SynchronizationResult org.keycloak.storage.ldap.LDAPStorageProviderFactory.sync ( KeycloakSessionFactory  sessionFactory,
String  realmId,
UserStorageProviderModel  model 
)
inline
422  {
423  syncMappers(sessionFactory, realmId, model);
424 
425  logger.infof("Sync all users from LDAP to local store: realm: %s, federation provider: %s", realmId, model.getName());
426 
427  LDAPQuery userQuery = createQuery(sessionFactory, realmId, model);
428  SynchronizationResult syncResult = syncImpl(sessionFactory, userQuery, realmId, model);
429 
430  // TODO: Remove all existing keycloak users, which have federation links, but are not in LDAP. Perhaps don't check users, which were just added or updated during this sync?
431 
432  logger.infof("Sync all users finished: %s", syncResult.getStatus());
433  return syncResult;
434  }
org.keycloak.storage.ldap.LDAPStorageProviderFactory.createQuery
LDAPQuery createQuery(KeycloakSessionFactory sessionFactory, final String realmId, final ComponentModel model)
Definition: LDAPStorageProviderFactory.java:503
org.keycloak.storage.ldap.LDAPStorageProviderFactory.syncMappers
void syncMappers(KeycloakSessionFactory sessionFactory, final String realmId, final ComponentModel model)
Definition: LDAPStorageProviderFactory.java:456
org.keycloak.storage.ldap.LDAPStorageProviderFactory.logger
static final Logger logger
Definition: LDAPStorageProviderFactory.java:75
org.keycloak.storage.ldap.LDAPStorageProviderFactory.syncImpl
SynchronizationResult syncImpl(KeycloakSessionFactory sessionFactory, LDAPQuery userQuery, final String realmId, final ComponentModel fedModel)
Definition: LDAPStorageProviderFactory.java:476

◆ syncImpl()

SynchronizationResult org.keycloak.storage.ldap.LDAPStorageProviderFactory.syncImpl ( KeycloakSessionFactory  sessionFactory,
LDAPQuery  userQuery,
final String  realmId,
final ComponentModel  fedModel 
)
inlineprotected
476  {
477 
478  final SynchronizationResult syncResult = new SynchronizationResult();
479 
480  LDAPConfig ldapConfig = new LDAPConfig(fedModel.getConfig());
481  boolean pagination = ldapConfig.isPagination();
482  if (pagination) {
483  int pageSize = ldapConfig.getBatchSizeForSync();
484 
485  boolean nextPage = true;
486  while (nextPage) {
487  userQuery.setLimit(pageSize);
488  final List<LDAPObject> users = userQuery.getResultList();
489  nextPage = userQuery.getPaginationContext() != null;
490  SynchronizationResult currentPageSync = importLdapUsers(sessionFactory, realmId, fedModel, users);
491  syncResult.add(currentPageSync);
492  }
493  } else {
494  // LDAP pagination not available. Do everything in single transaction
495  final List<LDAPObject> users = userQuery.getResultList();
496  SynchronizationResult currentSync = importLdapUsers(sessionFactory, realmId, fedModel, users);
497  syncResult.add(currentSync);
498  }
499 
500  return syncResult;
501  }
org.keycloak.storage.ldap.LDAPStorageProviderFactory.importLdapUsers
SynchronizationResult importLdapUsers(KeycloakSessionFactory sessionFactory, final String realmId, final ComponentModel fedModel, List< LDAPObject > ldapUsers)
Definition: LDAPStorageProviderFactory.java:522

◆ syncMappers()

void org.keycloak.storage.ldap.LDAPStorageProviderFactory.syncMappers ( KeycloakSessionFactory  sessionFactory,
final String  realmId,
final ComponentModel  model 
)
inlineprotected
456  {
457  KeycloakModelUtils.runJobInTransaction(sessionFactory, new KeycloakSessionTask() {
458 
459  @Override
460  public void run(KeycloakSession session) {
461  RealmModel realm = session.realms().getRealm(realmId);
462  session.getProvider(UserStorageProvider.class, model);
463  List<ComponentModel> mappers = realm.getComponents(model.getId(), LDAPStorageMapper.class.getName());
464  for (ComponentModel mapperModel : mappers) {
465  LDAPStorageMapper ldapMapper = session.getProvider(LDAPStorageMapper.class, mapperModel);
466  SynchronizationResult syncResult = ldapMapper.syncDataFromFederationProviderToKeycloak(realm);
467  if (syncResult.getAdded() > 0 || syncResult.getUpdated() > 0 || syncResult.getRemoved() > 0 || syncResult.getFailed() > 0) {
468  logger.infof("Sync of federation mapper '%s' finished. Status: %s", mapperModel.getName(), syncResult.toString());
469  }
470  }
471  }
472 
473  });
474  }
org.keycloak.storage.ldap.LDAPStorageProviderFactory.logger
static final Logger logger
Definition: LDAPStorageProviderFactory.java:75

◆ syncSince()

SynchronizationResult org.keycloak.storage.ldap.LDAPStorageProviderFactory.syncSince ( Date  lastSync,
KeycloakSessionFactory  sessionFactory,
String  realmId,
UserStorageProviderModel  model 
)
inline
437  {
438  syncMappers(sessionFactory, realmId, model);
439 
440  logger.infof("Sync changed users from LDAP to local store: realm: %s, federation provider: %s, last sync time: " + lastSync, realmId, model.getName());
441 
442  // Sync newly created and updated users
443  LDAPQueryConditionsBuilder conditionsBuilder = new LDAPQueryConditionsBuilder();
444  Condition createCondition = conditionsBuilder.greaterThanOrEqualTo(LDAPConstants.CREATE_TIMESTAMP, lastSync);
445  Condition modifyCondition = conditionsBuilder.greaterThanOrEqualTo(LDAPConstants.MODIFY_TIMESTAMP, lastSync);
446  Condition orCondition = conditionsBuilder.orCondition(createCondition, modifyCondition);
447 
448  LDAPQuery userQuery = createQuery(sessionFactory, realmId, model);
449  userQuery.addWhereCondition(orCondition);
450  SynchronizationResult result = syncImpl(sessionFactory, userQuery, realmId, model);
451 
452  logger.infof("Sync changed users finished: %s", result.getStatus());
453  return result;
454  }
org.keycloak.storage.ldap.LDAPStorageProviderFactory.createQuery
LDAPQuery createQuery(KeycloakSessionFactory sessionFactory, final String realmId, final ComponentModel model)
Definition: LDAPStorageProviderFactory.java:503
org.keycloak.storage.ldap.LDAPStorageProviderFactory.syncMappers
void syncMappers(KeycloakSessionFactory sessionFactory, final String realmId, final ComponentModel model)
Definition: LDAPStorageProviderFactory.java:456
org.keycloak.storage.ldap.LDAPStorageProviderFactory.logger
static final Logger logger
Definition: LDAPStorageProviderFactory.java:75
org.keycloak.storage.ldap.LDAPStorageProviderFactory.syncImpl
SynchronizationResult syncImpl(KeycloakSessionFactory sessionFactory, LDAPQuery userQuery, final String realmId, final ComponentModel fedModel)
Definition: LDAPStorageProviderFactory.java:476

◆ validateConfiguration()

void org.keycloak.storage.ldap.LDAPStorageProviderFactory.validateConfiguration ( KeycloakSession  session,
RealmModel  realm,
ComponentModel  config 
) throws ComponentValidationException
inline
247  {
248  LDAPConfig cfg = new LDAPConfig(config.getConfig());
249  String customFilter = cfg.getCustomUserSearchFilter();
250  LDAPUtils.validateCustomLdapFilter(customFilter);
251 
252  String connectionTimeout = cfg.getConnectionTimeout();
253  if (connectionTimeout != null && !connectionTimeout.isEmpty()) {
254  try {
255  Long.parseLong(connectionTimeout);
256  } catch (NumberFormatException nfe) {
257  throw new ComponentValidationException("ldapErrorConnectionTimeoutNotNumber");
258  }
259  }
260 
261  String readTimeout = cfg.getReadTimeout();
262  if (readTimeout != null && !readTimeout.isEmpty()) {
263  try {
264  Long.parseLong(readTimeout);
265  } catch (NumberFormatException nfe) {
266  throw new ComponentValidationException("ldapErrorReadTimeoutNotNumber");
267  }
268  }
269 
270  }

メンバ詳解

◆ configProperties

final List<ProviderConfigProperty> org.keycloak.storage.ldap.LDAPStorageProviderFactory.configProperties
staticprotected

◆ ldapStoreRegistry

LDAPIdentityStoreRegistry org.keycloak.storage.ldap.LDAPStorageProviderFactory.ldapStoreRegistry
private

◆ logger

final Logger org.keycloak.storage.ldap.LDAPStorageProviderFactory.logger = Logger.getLogger(LDAPStorageProviderFactory.class)
staticprivate

◆ PROVIDER_NAME

final String org.keycloak.storage.ldap.LDAPStorageProviderFactory.PROVIDER_NAME = LDAPConstants.LDAP_PROVIDER
static
このクラス詳解は次のファイルから抽出されました:
2018年11月18日(日) 14時11分24秒作成 - keycloak-federation / 構成:   doxygen 1.8.13