org.keycloak.storage.ldap.LDAPStorageProvider の継承関係図

org.keycloak.storage.ldap.LDAPStorageProvider 連携図

公開メンバ関数
	LDAPStorageProvider (LDAPStorageProviderFactory factory, KeycloakSession session, ComponentModel model, LDAPIdentityStore ldapIdentityStore)

void	setUpdater (PasswordUpdateCallback updater)

KeycloakSession	getSession ()

LDAPIdentityStore	getLdapIdentityStore ()

EditMode	getEditMode ()

UserStorageProviderModel	getModel ()

LDAPStorageMapperManager	getMapperManager ()

LDAPStorageUserManager	getUserManager ()

UserModel	validate (RealmModel realm, UserModel local)

boolean	supportsCredentialAuthenticationFor (String type)

List< UserModel >	searchForUserByUserAttribute (String attrName, String attrValue, RealmModel realm)

boolean	synchronizeRegistrations ()

UserModel	addUser (RealmModel realm, String username)

boolean	removeUser (RealmModel realm, UserModel user)

UserModel	getUserById (String id, RealmModel realm)

int	getUsersCount (RealmModel realm)

List< UserModel >	getUsers (RealmModel realm)

List< UserModel >	getUsers (RealmModel realm, int firstResult, int maxResults)

List< UserModel >	searchForUser (String search, RealmModel realm)

List< UserModel >	searchForUser (String search, RealmModel realm, int firstResult, int maxResults)

List< UserModel >	searchForUser (Map< String, String > params, RealmModel realm)

List< UserModel >	searchForUser (Map< String, String > params, RealmModel realm, int firstResult, int maxResults)

List< UserModel >	getGroupMembers (RealmModel realm, GroupModel group)

List< UserModel >	getGroupMembers (RealmModel realm, GroupModel group, int firstResult, int maxResults)

List< UserModel >	loadUsersByUsernames (List< String > usernames, RealmModel realm)

UserModel	getUserByUsername (String username, RealmModel realm)

UserModel	getUserByEmail (String email, RealmModel realm)

void	preRemove (RealmModel realm)

void	preRemove (RealmModel realm, RoleModel role)

void	preRemove (RealmModel realm, GroupModel group)

boolean	validPassword (RealmModel realm, UserModel user, String password)

boolean	updateCredential (RealmModel realm, UserModel user, CredentialInput input)

void	disableCredentialType (RealmModel realm, UserModel user, String credentialType)

Set< String >	getDisableableCredentialTypes (RealmModel realm, UserModel user)

Set< String >	getSupportedCredentialTypes ()

boolean	supportsCredentialType (String credentialType)

boolean	isConfiguredFor (RealmModel realm, UserModel user, String credentialType)

boolean	isValid (RealmModel realm, UserModel user, CredentialInput input)

CredentialValidationOutput	authenticate (RealmModel realm, CredentialInput cred)

void	close ()

LDAPObject	loadLDAPUserByUsername (RealmModel realm, String username)

限定公開メンバ関数
UserModel	proxy (RealmModel realm, UserModel local, LDAPObject ldapObject)

List< LDAPObject >	searchLDAP (RealmModel realm, Map< String, String > attributes, int maxResults)

LDAPObject	loadAndValidateUser (RealmModel realm, UserModel local)

UserModel	importUserFromLDAP (KeycloakSession session, RealmModel realm, LDAPObject ldapUser)

LDAPObject	queryByEmail (RealmModel realm, String email)

UserModel	findOrCreateAuthenticatedUser (RealmModel realm, String username)

限定公開変数類
LDAPStorageProviderFactory	factory

KeycloakSession	session

UserStorageProviderModel	model

LDAPIdentityStore	ldapIdentityStore

EditMode	editMode

LDAPProviderKerberosConfig	kerberosConfig

PasswordUpdateCallback	updater

LDAPStorageMapperManager	mapperManager

LDAPStorageUserManager	userManager

final Set< String >	supportedCredentialTypes = new HashSet<>()

非公開メンバ関数
void	checkDNChanged (RealmModel realm, UserModel local, LDAPObject ldapObject)

静的非公開変数類
static final Logger	logger = Logger.getLogger(LDAPStorageProvider.class)

詳解

著者: Marek Posolda; Bill Burke

バージョン

Revision: 1

構築子と解体子

◆ LDAPStorageProvider()

org.keycloak.storage.ldap.LDAPStorageProvider.LDAPStorageProvider	(	LDAPStorageProviderFactory	factory,
		KeycloakSession	session,
		ComponentModel	model,
		LDAPIdentityStore	ldapIdentityStore
	)

inline

                                                                                                                                                        {
         this.factory = factory;
         this.session = session;
         this.model = new UserStorageProviderModel(model);
         this.ldapIdentityStore = ldapIdentityStore;
         this.kerberosConfig = new LDAPProviderKerberosConfig(model);
         this.editMode = ldapIdentityStore.getConfig().getEditMode();
         this.mapperManager = new LDAPStorageMapperManager(this);
         this.userManager = new LDAPStorageUserManager(this);
 
         supportedCredentialTypes.add(UserCredentialModel.PASSWORD);
         if (kerberosConfig.isAllowKerberosAuthentication()) {
             supportedCredentialTypes.add(UserCredentialModel.KERBEROS);
         }
     }

関数詳解

◆ addUser()

UserModel org.keycloak.storage.ldap.LDAPStorageProvider.addUser	(	RealmModel	realm,
		String	username
	)

inline

                                                                 {
         if (!synchronizeRegistrations()) {
             return null;
         }
         UserModel user = null;
         if (model.isImportEnabled()) {
             user = session.userLocalStorage().addUser(realm, username);
             user.setFederationLink(model.getId());
         } else {
             user = new InMemoryUserAdapter(session, realm, new StorageId(model.getId(), username).getId());
             user.setUsername(username);
         }
         LDAPObject ldapUser = LDAPUtils.addUserToLDAP(this, realm, user);
         LDAPUtils.checkUuid(ldapUser, ldapIdentityStore.getConfig());
         user.setSingleAttribute(LDAPConstants.LDAP_ID, ldapUser.getUuid());
         user.setSingleAttribute(LDAPConstants.LDAP_ENTRY_DN, ldapUser.getDn().toString());
 
         // Add the user to the default groups and add default required actions
         UserModel proxy = proxy(realm, user, ldapUser);
         DefaultRoles.addDefaultRoles(realm, proxy);
 
         for (GroupModel g : realm.getDefaultGroups()) {
             proxy.joinGroup(g);
         }
         for (RequiredActionProviderModel r : realm.getRequiredActionProviders()) {
             if (r.isEnabled() && r.isDefaultAction()) {
                 proxy.addRequiredAction(r.getAlias());
             }
         }
 
         return proxy;
     }

◆ authenticate()

CredentialValidationOutput org.keycloak.storage.ldap.LDAPStorageProvider.authenticate	(	RealmModel	realm,
		CredentialInput	cred
	)

inline

                                                                                            {
         if (!(cred instanceof UserCredentialModel)) CredentialValidationOutput.failed();
         UserCredentialModel credential = (UserCredentialModel)cred;
         if (credential.getType().equals(UserCredentialModel.KERBEROS)) {
             if (kerberosConfig.isAllowKerberosAuthentication()) {
                 String spnegoToken = credential.getValue();
                 SPNEGOAuthenticator spnegoAuthenticator = factory.createSPNEGOAuthenticator(spnegoToken, kerberosConfig);
 
                 spnegoAuthenticator.authenticate();
 
                 Map<String, String> state = new HashMap<String, String>();
                 if (spnegoAuthenticator.isAuthenticated()) {
 
                     // TODO: This assumes that LDAP "uid" is equal to kerberos principal name. Like uid "hnelson" and kerberos principal "hnelson@KEYCLOAK.ORG".
                     // Check if it's correct or if LDAP attribute for mapping kerberos principal should be available (For ApacheDS it seems to be attribute "krb5PrincipalName" but on MSAD it's likely different)
                     String username = spnegoAuthenticator.getAuthenticatedUsername();
                     UserModel user = findOrCreateAuthenticatedUser(realm, username);
 
                     if (user == null) {
                         logger.warnf("Kerberos/SPNEGO authentication succeeded with username [%s], but couldn't find or create user with federation provider [%s]", username, model.getName());
                         return CredentialValidationOutput.failed();
                     } else {
                         String delegationCredential = spnegoAuthenticator.getSerializedDelegationCredential();
                         if (delegationCredential != null) {
                             state.put(KerberosConstants.GSS_DELEGATION_CREDENTIAL, delegationCredential);
                         }
 
                         return new CredentialValidationOutput(user, CredentialValidationOutput.Status.AUTHENTICATED, state);
                     }
                 }  else {
                     state.put(KerberosConstants.RESPONSE_TOKEN, spnegoAuthenticator.getResponseToken());
                     return new CredentialValidationOutput(null, CredentialValidationOutput.Status.CONTINUE, state);
                 }
             }
         }
 
         return CredentialValidationOutput.failed();
     }

◆ checkDNChanged()

void org.keycloak.storage.ldap.LDAPStorageProvider.checkDNChanged	(	RealmModel	realm,
		UserModel	local,
		LDAPObject	ldapObject
	)

inlineprivate

                                                                                           {
         String dnFromDB = local.getFirstAttribute(LDAPConstants.LDAP_ENTRY_DN);
         String ldapDn = ldapObject.getDn().toString();
         if (!ldapDn.equals(dnFromDB)) {
             logger.debugf("Updated LDAP DN of user '%s' to '%s'", local.getUsername(), ldapDn);
             local.setSingleAttribute(LDAPConstants.LDAP_ENTRY_DN, ldapDn);
 
             UserCache userCache = session.userCache();
             if (userCache != null) {
                 userCache.evict(realm, local);
             }
         }
     }

◆ close()

void org.keycloak.storage.ldap.LDAPStorageProvider.close ( )

inline

713 {

714 }

◆ disableCredentialType()

void org.keycloak.storage.ldap.LDAPStorageProvider.disableCredentialType	(	RealmModel	realm,
		UserModel	user,
		String	credentialType
	)

inline

                                                                                                {
 
     }

◆ findOrCreateAuthenticatedUser()

UserModel org.keycloak.storage.ldap.LDAPStorageProvider.findOrCreateAuthenticatedUser	(	RealmModel	realm,
		String	username
	)

inlineprotected

Called after successful kerberos authentication

引数

realm	realm
username	username without realm prefix

戻り値: finded or newly created user

                                                                                          {
         UserModel user = session.userLocalStorage().getUserByUsername(username, realm);
         if (user != null) {
             logger.debugf("Kerberos authenticated user [%s] found in Keycloak storage", username);
             if (!model.getId().equals(user.getFederationLink())) {
                 logger.warnf("User with username [%s] already exists, but is not linked to provider [%s]", username, model.getName());
                 return null;
             } else {
                 LDAPObject ldapObject = loadAndValidateUser(realm, user);
                 if (ldapObject != null) {
                     return proxy(realm, user, ldapObject);
                 } else {
                     logger.warnf("User with username [%s] aready exists and is linked to provider [%s] but is not valid. Stale LDAP_ID on local user is: %s",
                             username,  model.getName(), user.getFirstAttribute(LDAPConstants.LDAP_ID));
                     logger.warn("Will re-create user");
                     UserCache userCache = session.userCache();
                     if (userCache != null) {
                         userCache.evict(realm, user);
                     }
                     new UserManager(session).removeUser(realm, user, session.userLocalStorage());
                 }
             }
         }
 
         // Creating user to local storage
         logger.debugf("Kerberos authenticated user [%s] not in Keycloak storage. Creating him", username);
         return getUserByUsername(username, realm);
     }

◆ getDisableableCredentialTypes()

Set<String> org.keycloak.storage.ldap.LDAPStorageProvider.getDisableableCredentialTypes	(	RealmModel	realm,
		UserModel	user
	)

inline

                                                                                        {
         return Collections.EMPTY_SET;
     }

◆ getEditMode()

EditMode org.keycloak.storage.ldap.LDAPStorageProvider.getEditMode ( )

inline

                                   {
         return editMode;
     }

◆ getGroupMembers() [1/2]

List<UserModel> org.keycloak.storage.ldap.LDAPStorageProvider.getGroupMembers	(	RealmModel	realm,
		GroupModel	group
	)

inline

                                                                                {
         return getGroupMembers(realm, group, 0, Integer.MAX_VALUE - 1);
     }

◆ getGroupMembers() [2/2]

List<UserModel> org.keycloak.storage.ldap.LDAPStorageProvider.getGroupMembers	(	RealmModel	realm,
		GroupModel	group,
		int	firstResult,
		int	maxResults
	)

inline

                                                                                                                 {
         List<ComponentModel> mappers = realm.getComponents(model.getId(), LDAPStorageMapper.class.getName());
         List<ComponentModel> sortedMappers = mapperManager.sortMappersAsc(mappers);
         for (ComponentModel mapperModel : sortedMappers) {
             LDAPStorageMapper ldapMapper = mapperManager.getMapper(mapperModel);
             List<UserModel> users = ldapMapper.getGroupMembers(realm, group, firstResult, maxResults);
 
             // Sufficient for now
             if (users.size() > 0) {
                 return users;
             }
         }
         return Collections.emptyList();
     }

◆ getLdapIdentityStore()

LDAPIdentityStore org.keycloak.storage.ldap.LDAPStorageProvider.getLdapIdentityStore ( )

inline

                                                     {
         return this.ldapIdentityStore;
     }

◆ getMapperManager()

LDAPStorageMapperManager org.keycloak.storage.ldap.LDAPStorageProvider.getMapperManager ( )

inline

                                                        {
         return mapperManager;
     }

◆ getModel()

UserStorageProviderModel org.keycloak.storage.ldap.LDAPStorageProvider.getModel ( )

inline

                                                {
         return model;
     }

◆ getSession()

KeycloakSession org.keycloak.storage.ldap.LDAPStorageProvider.getSession ( )

inline

                                         {
         return session;
     }

◆ getSupportedCredentialTypes()

Set<String> org.keycloak.storage.ldap.LDAPStorageProvider.getSupportedCredentialTypes ( )

inline

                                                      {
         return new HashSet<String>(this.supportedCredentialTypes);
     }

◆ getUserByEmail()

UserModel org.keycloak.storage.ldap.LDAPStorageProvider.getUserByEmail	(	String	email,
		RealmModel	realm
	)

inline

                                                                     {
         LDAPObject ldapUser = queryByEmail(realm, email);
         if (ldapUser == null) {
             return null;
         }
 
         // Check here if user already exists
         String ldapUsername = LDAPUtils.getUsername(ldapUser, ldapIdentityStore.getConfig());
         UserModel user = session.userLocalStorage().getUserByUsername(ldapUsername, realm);
 
         if (user != null) {
             LDAPUtils.checkUuid(ldapUser, ldapIdentityStore.getConfig());
             // If email attribute mapper is set to "Always Read Value From LDAP" the user may be in Keycloak DB with an old email address
             if (ldapUser.getUuid().equals(user.getFirstAttribute(LDAPConstants.LDAP_ID))) return user;
             throw new ModelDuplicateException("User with username '" + ldapUsername + "' already exists in Keycloak. It conflicts with LDAP user with email '" + email + "'");
         }
 
         return importUserFromLDAP(session, realm, ldapUser);
     }

◆ getUserById()

UserModel org.keycloak.storage.ldap.LDAPStorageProvider.getUserById	(	String	id,
		RealmModel	realm
	)

inline

                                                               {
         UserModel alreadyLoadedInSession = userManager.getManagedProxiedUser(id);
         if (alreadyLoadedInSession != null) return alreadyLoadedInSession;
 
         StorageId storageId = new StorageId(id);
         return getUserByUsername(storageId.getExternalId(), realm);
     }

◆ getUserByUsername()

UserModel org.keycloak.storage.ldap.LDAPStorageProvider.getUserByUsername	(	String	username,
		RealmModel	realm
	)

inline

                                                                           {
         LDAPObject ldapUser = loadLDAPUserByUsername(realm, username);
         if (ldapUser == null) {
             return null;
         }
 
         return importUserFromLDAP(session, realm, ldapUser);
     }

◆ getUserManager()

LDAPStorageUserManager org.keycloak.storage.ldap.LDAPStorageProvider.getUserManager ( )

inline

                                                    {
         return userManager;
     }

◆ getUsers() [1/2]

List<UserModel> org.keycloak.storage.ldap.LDAPStorageProvider.getUsers ( RealmModel realm )

inline

                                                       {
         return Collections.EMPTY_LIST;
     }

◆ getUsers() [2/2]

List<UserModel> org.keycloak.storage.ldap.LDAPStorageProvider.getUsers	(	RealmModel	realm,
		int	firstResult,
		int	maxResults
	)

inline

                                                                                        {
         return Collections.EMPTY_LIST;
     }

◆ getUsersCount()

int org.keycloak.storage.ldap.LDAPStorageProvider.getUsersCount ( RealmModel realm )

inline

                                                {
         return 0;
     }

◆ importUserFromLDAP()

UserModel org.keycloak.storage.ldap.LDAPStorageProvider.importUserFromLDAP	(	KeycloakSession	session,
		RealmModel	realm,
		LDAPObject	ldapUser
	)

inlineprotected

                                                                                                            {
         String ldapUsername = LDAPUtils.getUsername(ldapUser, ldapIdentityStore.getConfig());
         LDAPUtils.checkUuid(ldapUser, ldapIdentityStore.getConfig());
 
         UserModel imported = null;
         if (model.isImportEnabled()) {
             imported = session.userLocalStorage().addUser(realm, ldapUsername);
         } else {
             InMemoryUserAdapter adapter = new InMemoryUserAdapter(session, realm, new StorageId(model.getId(), ldapUsername).getId());
             adapter.addDefaults();
             imported = adapter;
         }
         imported.setEnabled(true);
 
         List<ComponentModel> mappers = realm.getComponents(model.getId(), LDAPStorageMapper.class.getName());
         List<ComponentModel> sortedMappers = mapperManager.sortMappersDesc(mappers);
         for (ComponentModel mapperModel : sortedMappers) {
             if (logger.isTraceEnabled()) {
                 logger.tracef("Using mapper %s during import user from LDAP", mapperModel);
             }
             LDAPStorageMapper ldapMapper = mapperManager.getMapper(mapperModel);
             ldapMapper.onImportUserFromLDAP(ldapUser, imported, realm, true);
         }
 
         String userDN = ldapUser.getDn().toString();
         if (model.isImportEnabled()) imported.setFederationLink(model.getId());
         imported.setSingleAttribute(LDAPConstants.LDAP_ID, ldapUser.getUuid());
         imported.setSingleAttribute(LDAPConstants.LDAP_ENTRY_DN, userDN);
 
 
         logger.debugf("Imported new user from LDAP to Keycloak DB. Username: [%s], Email: [%s], LDAP_ID: [%s], LDAP Entry DN: [%s]", imported.getUsername(), imported.getEmail(),
                 ldapUser.getUuid(), userDN);
         UserModel proxy = proxy(realm, imported, ldapUser);
         return proxy;
     }

◆ isConfiguredFor()

boolean org.keycloak.storage.ldap.LDAPStorageProvider.isConfiguredFor	(	RealmModel	realm,
		UserModel	user,
		String	credentialType
	)

inline

                                                                                             {
         return getSupportedCredentialTypes().contains(credentialType);
     }

◆ isValid()

boolean org.keycloak.storage.ldap.LDAPStorageProvider.isValid	(	RealmModel	realm,
		UserModel	user,
		CredentialInput	input
	)

inline

                                                                                     {
         if (!(input instanceof UserCredentialModel)) return false;
         if (input.getType().equals(UserCredentialModel.PASSWORD) && !session.userCredentialManager().isConfiguredLocally(realm, user, UserCredentialModel.PASSWORD)) {
             return validPassword(realm, user, ((UserCredentialModel)input).getValue());
         } else {
             return false; // invalid cred type
         }
     }

◆ loadAndValidateUser()

LDAPObject org.keycloak.storage.ldap.LDAPStorageProvider.loadAndValidateUser	(	RealmModel	realm,
		UserModel	local
	)

inlineprotected

引数

local

戻り値: ldapUser corresponding to local user or null if user is no longer in LDAP

                                                                                 {
         LDAPObject existing = userManager.getManagedLDAPUser(local.getId());
         if (existing != null) {
             return existing;
         }
 
         LDAPObject ldapUser = loadLDAPUserByUsername(realm, local.getUsername());
         if (ldapUser == null) {
             return null;
         }
         LDAPUtils.checkUuid(ldapUser, ldapIdentityStore.getConfig());
 
         if (ldapUser.getUuid().equals(local.getFirstAttribute(LDAPConstants.LDAP_ID))) {
             return ldapUser;
         } else {
             logger.warnf("LDAP User invalid. ID doesn't match. ID from LDAP [%s], LDAP ID from local DB: [%s]", ldapUser.getUuid(), local.getFirstAttribute(LDAPConstants.LDAP_ID));
             return null;
         }
     }

◆ loadLDAPUserByUsername()

LDAPObject org.keycloak.storage.ldap.LDAPStorageProvider.loadLDAPUserByUsername	(	RealmModel	realm,
		String	username
	)

inline

                                                                                 {
         LDAPQuery ldapQuery = LDAPUtils.createQueryForUserSearch(this, realm);
         LDAPQueryConditionsBuilder conditionsBuilder = new LDAPQueryConditionsBuilder();
 
         String usernameMappedAttribute = this.ldapIdentityStore.getConfig().getUsernameLdapAttribute();
         Condition usernameCondition = conditionsBuilder.equal(usernameMappedAttribute, username, EscapeStrategy.DEFAULT);
         ldapQuery.addWhereCondition(usernameCondition);
 
         LDAPObject ldapUser = ldapQuery.getFirstResult();
         if (ldapUser == null) {
             return null;
         }
 
         return ldapUser;
     }

◆ loadUsersByUsernames()

List<UserModel> org.keycloak.storage.ldap.LDAPStorageProvider.loadUsersByUsernames	(	List< String >	usernames,
		RealmModel	realm
	)

inline

                                                                                           {
         List<UserModel> result = new ArrayList<>();
         for (String username : usernames) {
             UserModel kcUser = session.users().getUserByUsername(username, realm);
             if (kcUser == null) {
                 logger.warnf("User '%s' referenced by membership wasn't found in LDAP", username);
             } else if (model.isImportEnabled() && !model.getId().equals(kcUser.getFederationLink())) {
                 logger.warnf("Incorrect federation provider of user '%s'", kcUser.getUsername());
             } else {
                 result.add(kcUser);
             }
         }
         return result;
     }

◆ preRemove() [1/3]

void org.keycloak.storage.ldap.LDAPStorageProvider.preRemove ( RealmModel realm )

inline

                                             {
         // complete Don't think we have to do anything
     }

◆ preRemove() [2/3]

void org.keycloak.storage.ldap.LDAPStorageProvider.preRemove	(	RealmModel	realm,
		RoleModel	role
	)

inline

                                                             {
         // TODO: Maybe mappers callback to ensure role deletion propagated to LDAP by RoleLDAPFederationMapper?
     }

◆ preRemove() [3/3]

void org.keycloak.storage.ldap.LDAPStorageProvider.preRemove	(	RealmModel	realm,
		GroupModel	group
	)

inline

                                                               {
 
     }

◆ proxy()

UserModel org.keycloak.storage.ldap.LDAPStorageProvider.proxy	(	RealmModel	realm,
		UserModel	local,
		LDAPObject	ldapObject
	)

inlineprotected

                                                                                         {
         UserModel existing = userManager.getManagedProxiedUser(local.getId());
         if (existing != null) {
             return existing;
         }
 
         UserModel proxied = local;
 
         checkDNChanged(realm, local, ldapObject);
 
         switch (editMode) {
             case READ_ONLY:
                 if (model.isImportEnabled()) {
                     proxied = new ReadonlyLDAPUserModelDelegate(local, this);
                 } else {
                     proxied = new ReadOnlyUserModelDelegate(local);
                 }
                 break;
             case WRITABLE:
                 proxied = new WritableLDAPUserModelDelegate(local, this, ldapObject);
                 break;
             case UNSYNCED:
                 proxied = new UnsyncedLDAPUserModelDelegate(local, this);
         }
 
         List<ComponentModel> mappers = realm.getComponents(model.getId(), LDAPStorageMapper.class.getName());
         List<ComponentModel> sortedMappers = mapperManager.sortMappersAsc(mappers);
         for (ComponentModel mapperModel : sortedMappers) {
             LDAPStorageMapper ldapMapper = mapperManager.getMapper(mapperModel);
             proxied = ldapMapper.proxy(ldapObject, proxied, realm);
         }
 
         userManager.setManagedProxiedUser(proxied, ldapObject);
 
         return proxied;
     }

◆ queryByEmail()

LDAPObject org.keycloak.storage.ldap.LDAPStorageProvider.queryByEmail	(	RealmModel	realm,
		String	email
	)

inlineprotected

                                                                       {
         LDAPQuery ldapQuery = LDAPUtils.createQueryForUserSearch(this, realm);
         LDAPQueryConditionsBuilder conditionsBuilder = new LDAPQueryConditionsBuilder();
 
         // Mapper should replace "email" in parameter name with correct LDAP mapped attribute
         Condition emailCondition = conditionsBuilder.equal(UserModel.EMAIL, email, EscapeStrategy.DEFAULT);
         ldapQuery.addWhereCondition(emailCondition);
 
         return ldapQuery.getFirstResult();
     }

◆ removeUser()

boolean org.keycloak.storage.ldap.LDAPStorageProvider.removeUser	(	RealmModel	realm,
		UserModel	user
	)

inline

                                                                 {
         if (editMode == UserStorageProvider.EditMode.READ_ONLY || editMode == UserStorageProvider.EditMode.UNSYNCED) {
             logger.warnf("User '%s' can't be deleted in LDAP as editMode is '%s'. Deleting user just from Keycloak DB, but he will be re-imported from LDAP again once searched in Keycloak", user.getUsername(), editMode.toString());
             return true;
         }
 
         LDAPObject ldapObject = loadAndValidateUser(realm, user);
         if (ldapObject == null) {
             logger.warnf("User '%s' can't be deleted from LDAP as it doesn't exist here", user.getUsername());
             return false;
         }
 
         ldapIdentityStore.remove(ldapObject);
         userManager.removeManagedUserEntry(user.getId());
 
         return true;
     }

◆ searchForUser() [1/4]

List<UserModel> org.keycloak.storage.ldap.LDAPStorageProvider.searchForUser	(	String	search,
		RealmModel	realm
	)

inline

                                                                           {
         return searchForUser(search, realm, 0, Integer.MAX_VALUE - 1);
     }

◆ searchForUser() [2/4]

List<UserModel> org.keycloak.storage.ldap.LDAPStorageProvider.searchForUser	(	String	search,
		RealmModel	realm,
		int	firstResult,
		int	maxResults
	)

inline

                                                                                                            {
         Map<String, String> attributes = new HashMap<String, String>();
         int spaceIndex = search.lastIndexOf(' ');
         if (spaceIndex > -1) {
             String firstName = search.substring(0, spaceIndex).trim();
             String lastName = search.substring(spaceIndex).trim();
             attributes.put(UserModel.FIRST_NAME, firstName);
             attributes.put(UserModel.LAST_NAME, lastName);
         } else if (search.indexOf('@') > -1) {
             attributes.put(UserModel.USERNAME, search.trim().toLowerCase());
             attributes.put(UserModel.EMAIL, search.trim().toLowerCase());
         } else {
             attributes.put(UserModel.LAST_NAME, search.trim());
             attributes.put(UserModel.USERNAME, search.trim().toLowerCase());
         }
         return searchForUser(attributes, realm, firstResult, maxResults);
     }

◆ searchForUser() [3/4]

List<UserModel> org.keycloak.storage.ldap.LDAPStorageProvider.searchForUser	(	Map< String, String >	params,
		RealmModel	realm
	)

inline

                                                                                        {
         return searchForUser(params, realm, 0, Integer.MAX_VALUE - 1);
     }

◆ searchForUser() [4/4]

List<UserModel> org.keycloak.storage.ldap.LDAPStorageProvider.searchForUser	(	Map< String, String >	params,
		RealmModel	realm,
		int	firstResult,
		int	maxResults
	)

inline

                                                                                                                         {
         List<UserModel> searchResults =new LinkedList<UserModel>();
 
         List<LDAPObject> ldapUsers = searchLDAP(realm, params, maxResults + firstResult);
         int counter = 0;
         for (LDAPObject ldapUser : ldapUsers) {
             if (counter++ < firstResult) continue;
             String ldapUsername = LDAPUtils.getUsername(ldapUser, this.ldapIdentityStore.getConfig());
             if (session.userLocalStorage().getUserByUsername(ldapUsername, realm) == null) {
                 UserModel imported = importUserFromLDAP(session, realm, ldapUser);
                 searchResults.add(imported);
             }
         }
 
         return searchResults;
     }

◆ searchForUserByUserAttribute()

List<UserModel> org.keycloak.storage.ldap.LDAPStorageProvider.searchForUserByUserAttribute	(	String	attrName,
		String	attrValue,
		RealmModel	realm
	)

inline

                                                                                                              {
          LDAPQuery ldapQuery = LDAPUtils.createQueryForUserSearch(this, realm);
          LDAPQueryConditionsBuilder conditionsBuilder = new LDAPQueryConditionsBuilder();
 
          Condition attrCondition = conditionsBuilder.equal(attrName, attrValue, EscapeStrategy.DEFAULT);
          ldapQuery.addWhereCondition(attrCondition);
 
          List<LDAPObject> ldapObjects = ldapQuery.getResultList();
          
          if (ldapObjects == null || ldapObjects.isEmpty()) {
                  return Collections.emptyList();
          }
          
          List<UserModel> searchResults =new LinkedList<UserModel>();
          
          for (LDAPObject ldapUser : ldapObjects) {
              String ldapUsername = LDAPUtils.getUsername(ldapUser, this.ldapIdentityStore.getConfig());
              if (session.userLocalStorage().getUserByUsername(ldapUsername, realm) == null) {
                  UserModel imported = importUserFromLDAP(session, realm, ldapUser);
                  searchResults.add(imported);
              }
          }
 
          return searchResults;
          
     }

◆ searchLDAP()

List<LDAPObject> org.keycloak.storage.ldap.LDAPStorageProvider.searchLDAP	(	RealmModel	realm,
		Map< String, String >	attributes,
		int	maxResults
	)

inlineprotected

                                                                                                             {
 
         List<LDAPObject> results = new ArrayList<LDAPObject>();
         if (attributes.containsKey(UserModel.USERNAME)) {
             LDAPQuery ldapQuery = LDAPUtils.createQueryForUserSearch(this, realm);
             LDAPQueryConditionsBuilder conditionsBuilder = new LDAPQueryConditionsBuilder();
 
             // Mapper should replace "username" in parameter name with correct LDAP mapped attribute
             Condition usernameCondition = conditionsBuilder.equal(UserModel.USERNAME, attributes.get(UserModel.USERNAME), EscapeStrategy.NON_ASCII_CHARS_ONLY);
             ldapQuery.addWhereCondition(usernameCondition);
 
             List<LDAPObject> ldapObjects = ldapQuery.getResultList();
             results.addAll(ldapObjects);
         }
 
         if (attributes.containsKey(UserModel.EMAIL)) {
             LDAPQuery ldapQuery = LDAPUtils.createQueryForUserSearch(this, realm);
             LDAPQueryConditionsBuilder conditionsBuilder = new LDAPQueryConditionsBuilder();
 
             // Mapper should replace "email" in parameter name with correct LDAP mapped attribute
             Condition emailCondition = conditionsBuilder.equal(UserModel.EMAIL, attributes.get(UserModel.EMAIL), EscapeStrategy.NON_ASCII_CHARS_ONLY);
             ldapQuery.addWhereCondition(emailCondition);
 
             List<LDAPObject> ldapObjects = ldapQuery.getResultList();
             results.addAll(ldapObjects);
         }
 
         if (attributes.containsKey(UserModel.FIRST_NAME) || attributes.containsKey(UserModel.LAST_NAME)) {
             LDAPQuery ldapQuery = LDAPUtils.createQueryForUserSearch(this, realm);
             LDAPQueryConditionsBuilder conditionsBuilder = new LDAPQueryConditionsBuilder();
 
             // Mapper should replace parameter with correct LDAP mapped attributes
             if (attributes.containsKey(UserModel.FIRST_NAME)) {
                 ldapQuery.addWhereCondition(conditionsBuilder.equal(UserModel.FIRST_NAME, attributes.get(UserModel.FIRST_NAME), EscapeStrategy.NON_ASCII_CHARS_ONLY));
             }
             if (attributes.containsKey(UserModel.LAST_NAME)) {
                 ldapQuery.addWhereCondition(conditionsBuilder.equal(UserModel.LAST_NAME, attributes.get(UserModel.LAST_NAME), EscapeStrategy.NON_ASCII_CHARS_ONLY));
             }
 
             List<LDAPObject> ldapObjects = ldapQuery.getResultList();
             results.addAll(ldapObjects);
         }
 
         return results;
     }

◆ setUpdater()

void org.keycloak.storage.ldap.LDAPStorageProvider.setUpdater ( PasswordUpdateCallback updater )

inline

                                                            {
         this.updater = updater;
     }

◆ supportsCredentialAuthenticationFor()

boolean org.keycloak.storage.ldap.LDAPStorageProvider.supportsCredentialAuthenticationFor ( String type )

inline

                                                                     {
         return type.equals(CredentialModel.KERBEROS) && kerberosConfig.isAllowKerberosAuthentication();
     }

◆ supportsCredentialType()

boolean org.keycloak.storage.ldap.LDAPStorageProvider.supportsCredentialType ( String credentialType )

inline

                                                                  {
         return getSupportedCredentialTypes().contains(credentialType);
     }

◆ synchronizeRegistrations()

boolean org.keycloak.storage.ldap.LDAPStorageProvider.synchronizeRegistrations ( )

inline

                                               {
         return "true".equalsIgnoreCase(model.getConfig().getFirst(LDAPConstants.SYNC_REGISTRATIONS)) && editMode == UserStorageProvider.EditMode.WRITABLE;
     }

◆ updateCredential()

boolean org.keycloak.storage.ldap.LDAPStorageProvider.updateCredential	(	RealmModel	realm,
		UserModel	user,
		CredentialInput	input
	)

inline

                                                                                              {
         if (!CredentialModel.PASSWORD.equals(input.getType()) || ! (input instanceof PasswordUserCredentialModel)) return false;
         if (editMode == UserStorageProvider.EditMode.READ_ONLY) {
             throw new ReadOnlyException("Federated storage is not writable");
 
         } else if (editMode == UserStorageProvider.EditMode.WRITABLE) {
             LDAPIdentityStore ldapIdentityStore = getLdapIdentityStore();
             PasswordUserCredentialModel cred = (PasswordUserCredentialModel)input;
             String password = cred.getValue();
             LDAPObject ldapUser = loadAndValidateUser(realm, user);
             if (ldapIdentityStore.getConfig().isValidatePasswordPolicy()) {
                 PolicyError error = session.getProvider(PasswordPolicyManagerProvider.class).validate(realm, user, password);
                 if (error != null) throw new ModelException(error.getMessage(), error.getParameters());
             }
             try {
                 LDAPOperationDecorator operationDecorator = null;
                 if (updater != null) {
                     operationDecorator = updater.beforePasswordUpdate(user, ldapUser, cred);
                 }
 
                 ldapIdentityStore.updatePassword(ldapUser, password, operationDecorator);
 
                 if (updater != null) updater.passwordUpdated(user, ldapUser, cred);
                 return true;
             } catch (ModelException me) {
                 if (updater != null) {
                     updater.passwordUpdateFailed(user, ldapUser, cred, me);
                     return false;
                 } else {
                     throw me;
                 }
             }
 
         } else {
             return false;
         }
     }

◆ validate()

UserModel org.keycloak.storage.ldap.LDAPStorageProvider.validate	(	RealmModel	realm,
		UserModel	local
	)

inline

                                                                  {
         LDAPObject ldapObject = loadAndValidateUser(realm, local);
         if (ldapObject == null) {
             return null;
         }
 
         return proxy(realm, local, ldapObject);
     }

◆ validPassword()

boolean org.keycloak.storage.ldap.LDAPStorageProvider.validPassword	(	RealmModel	realm,
		UserModel	user,
		String	password
	)

inline

                                                                                     {
         if (kerberosConfig.isAllowKerberosAuthentication() && kerberosConfig.isUseKerberosForPasswordAuthentication()) {
             // Use Kerberos JAAS (Krb5LoginModule)
             KerberosUsernamePasswordAuthenticator authenticator = factory.createKerberosUsernamePasswordAuthenticator(kerberosConfig);
             return authenticator.validUser(user.getUsername(), password);
         } else {
             // Use Naming LDAP API
             LDAPObject ldapUser = loadAndValidateUser(realm, user);
 
             try {
                 ldapIdentityStore.validatePassword(ldapUser, password);
                 return true;
             } catch (AuthenticationException ae) {
                 boolean processed = false;
                 List<ComponentModel> mappers = realm.getComponents(model.getId(), LDAPStorageMapper.class.getName());
                 List<ComponentModel> sortedMappers = mapperManager.sortMappersDesc(mappers);
                 for (ComponentModel mapperModel : sortedMappers) {
                     if (logger.isTraceEnabled()) {
                         logger.tracef("Using mapper %s during import user from LDAP", mapperModel);
                     }
                     LDAPStorageMapper ldapMapper = mapperManager.getMapper(mapperModel);
                     processed = processed || ldapMapper.onAuthenticationFailure(ldapUser, user, ae, realm);
                 }
                 return processed;
             }
         }
     }

メンバ詳解

◆ editMode

EditMode org.keycloak.storage.ldap.LDAPStorageProvider.editMode

protected

◆ factory

LDAPStorageProviderFactory org.keycloak.storage.ldap.LDAPStorageProvider.factory

protected

◆ kerberosConfig

LDAPProviderKerberosConfig org.keycloak.storage.ldap.LDAPStorageProvider.kerberosConfig

protected

◆ ldapIdentityStore

LDAPIdentityStore org.keycloak.storage.ldap.LDAPStorageProvider.ldapIdentityStore

protected

◆ logger

final Logger org.keycloak.storage.ldap.LDAPStorageProvider.logger = Logger.getLogger(LDAPStorageProvider.class)

staticprivate

◆ mapperManager

LDAPStorageMapperManager org.keycloak.storage.ldap.LDAPStorageProvider.mapperManager

protected

◆ model

UserStorageProviderModel org.keycloak.storage.ldap.LDAPStorageProvider.model

protected

◆ session

KeycloakSession org.keycloak.storage.ldap.LDAPStorageProvider.session

protected

◆ supportedCredentialTypes

final Set<String> org.keycloak.storage.ldap.LDAPStorageProvider.supportedCredentialTypes = new HashSet<>()

protected

◆ updater

PasswordUpdateCallback org.keycloak.storage.ldap.LDAPStorageProvider.updater

protected

◆ userManager

LDAPStorageUserManager org.keycloak.storage.ldap.LDAPStorageProvider.userManager

protected

このクラス詳解は次のファイルから抽出されました:

D:/AppData/doxygen/keycloak/federation/src/federation/ldap/src/main/java/org/keycloak/storage/ldap/LDAPStorageProvider.java

公開メンバ関数

限定公開メンバ関数

限定公開変数類

非公開メンバ関数

静的非公開変数類

詳解

構築子と解体子

◆ LDAPStorageProvider()

関数詳解

◆ addUser()

◆ authenticate()

◆ checkDNChanged()

◆ close()

◆ disableCredentialType()

◆ findOrCreateAuthenticatedUser()

◆ getDisableableCredentialTypes()

◆ getEditMode()

◆ getGroupMembers() [1/2]

◆ getGroupMembers() [2/2]

◆ getLdapIdentityStore()

◆ getMapperManager()

◆ getModel()

◆ getSession()

◆ getSupportedCredentialTypes()

◆ getUserByEmail()

◆ getUserById()

◆ getUserByUsername()

◆ getUserManager()

◆ getUsers() [1/2]

◆ getUsers() [2/2]

◆ getUsersCount()

◆ importUserFromLDAP()

◆ isConfiguredFor()

◆ isValid()

◆ loadAndValidateUser()

◆ loadLDAPUserByUsername()

◆ loadUsersByUsernames()

◆ preRemove() [1/3]

◆ preRemove() [2/3]

◆ preRemove() [3/3]

◆ proxy()

◆ queryByEmail()

◆ removeUser()

◆ searchForUser() [1/4]

◆ searchForUser() [2/4]

◆ searchForUser() [3/4]

◆ searchForUser() [4/4]

◆ searchForUserByUserAttribute()

◆ searchLDAP()

◆ setUpdater()

◆ supportsCredentialAuthenticationFor()

◆ supportsCredentialType()

◆ synchronizeRegistrations()

◆ updateCredential()

◆ validate()

◆ validPassword()

メンバ詳解

◆ editMode

◆ factory

◆ kerberosConfig

◆ ldapIdentityStore

◆ logger

◆ mapperManager

◆ model

◆ session

◆ supportedCredentialTypes

◆ updater

◆ userManager