org.keycloak.storage.ldap.LDAPUtils 連携図

静的公開メンバ関数
static LDAPObject	addUserToLDAP (LDAPStorageProvider ldapProvider, RealmModel realm, UserModel user)

static LDAPQuery	createQueryForUserSearch (LDAPStorageProvider ldapProvider, RealmModel realm)

static void	computeAndSetDn (LDAPConfig config, LDAPObject ldapUser)

static String	getUsername (LDAPObject ldapUser, LDAPConfig config)

static void	checkUuid (LDAPObject ldapUser, LDAPConfig config)

static LDAPObject	createLDAPGroup (LDAPStorageProvider ldapProvider, String groupName, String groupNameAttribute, Collection< String > objectClasses, String parentDn, Map< String, Set< String >> additionalAttributes)

static void	addMember (LDAPStorageProvider ldapProvider, MembershipType membershipType, String memberAttrName, String memberChildAttrName, LDAPObject ldapParent, LDAPObject ldapChild, boolean sendLDAPUpdateRequest)

static void	deleteMember (LDAPStorageProvider ldapProvider, MembershipType membershipType, String memberAttrName, String memberChildAttrName, LDAPObject ldapParent, LDAPObject ldapChild)

static Set< String >	getExistingMemberships (String memberAttrName, LDAPObject ldapRole)

static String	getMemberValueOfChildObject (LDAPObject ldapUser, MembershipType membershipType, String memberChildAttrName)

static List< LDAPObject >	loadAllLDAPObjects (LDAPQuery ldapQuery, LDAPStorageProvider ldapProvider)

static void	validateCustomLdapFilter (String customFilter) throws ComponentValidationException

詳解

Allow to directly call some operations against LDAPIdentityStore.

著者: Marek Posolda

関数詳解

◆ addMember()

static void org.keycloak.storage.ldap.LDAPUtils.addMember	(	LDAPStorageProvider	ldapProvider,
		MembershipType	membershipType,
		String	memberAttrName,
		String	memberChildAttrName,
		LDAPObject	ldapParent,
		LDAPObject	ldapChild,
		boolean	sendLDAPUpdateRequest
	)

inlinestatic

Add ldapChild as member of ldapParent and save ldapParent to LDAP.

引数

ldapProvider
membershipType	how is 'member' attribute saved (full DN or just uid)
memberAttrName	usually 'member'
memberChildAttrName	used just if membershipType is UID. Usually 'uid'
ldapParent	role or group
ldapChild	usually user (or child group or child role)
sendLDAPUpdateRequest	if true, the method will send LDAP update request too. Otherwise it will skip it

                                                                                                                                                                                                                                  {
 
         Set<String> memberships = getExistingMemberships(memberAttrName, ldapParent);
 
         // Remove membership placeholder if present
         if (membershipType == MembershipType.DN) {
             for (String membership : memberships) {
                 if (LDAPConstants.EMPTY_MEMBER_ATTRIBUTE_VALUE.equals(membership)) {
                     memberships.remove(membership);
                     break;
                 }
             }
         }
 
         String membership = getMemberValueOfChildObject(ldapChild, membershipType, memberChildAttrName);
 
         memberships.add(membership);
         ldapParent.setAttribute(memberAttrName, memberships);
 
         if (sendLDAPUpdateRequest) {
             ldapProvider.getLdapIdentityStore().update(ldapParent);
         }
     }

◆ addUserToLDAP()

static LDAPObject org.keycloak.storage.ldap.LDAPUtils.addUserToLDAP	(	LDAPStorageProvider	ldapProvider,
		RealmModel	realm,
		UserModel	user
	)

inlinestatic

引数

ldapProvider
realm
user

戻り値: newly created LDAPObject with all the attributes, uuid and DN properly set

                                                                                                                {
         LDAPObject ldapUser = new LDAPObject();
 
         LDAPIdentityStore ldapStore = ldapProvider.getLdapIdentityStore();
         LDAPConfig ldapConfig = ldapStore.getConfig();
         ldapUser.setRdnAttributeName(ldapConfig.getRdnLdapAttribute());
         ldapUser.setObjectClasses(ldapConfig.getUserObjectClasses());
 
         List<ComponentModel> federationMappers = realm.getComponents(ldapProvider.getModel().getId(), LDAPStorageMapper.class.getName());
         List<ComponentModel> sortedMappers = ldapProvider.getMapperManager().sortMappersAsc(federationMappers);
         for (ComponentModel mapperModel : sortedMappers) {
             LDAPStorageMapper ldapMapper = ldapProvider.getMapperManager().getMapper(mapperModel);
             ldapMapper.onRegisterUserToLDAP(ldapUser, user, realm);
         }
 
         LDAPUtils.computeAndSetDn(ldapConfig, ldapUser);
         ldapStore.add(ldapUser);
         return ldapUser;
     }

◆ checkUuid()

static void org.keycloak.storage.ldap.LDAPUtils.checkUuid	(	LDAPObject	ldapUser,
		LDAPConfig	config
	)

inlinestatic

                                                                          {
         if (ldapUser.getUuid() == null) {
             throw new ModelException("User returned from LDAP has null uuid! Check configuration of your LDAP settings. UUID Attribute must be unique among your LDAP records and available on all the LDAP user records. " +
                     "If your LDAP server really doesn't support the notion of UUID, you can use any other attribute, which is supposed to be unique among LDAP users in tree. For example 'uid' or 'entryDN' . " +
                     "Mapped UUID LDAP attribute: " + config.getUuidLDAPAttributeName() + ", user DN: " + ldapUser.getDn());
         }
     }

◆ computeAndSetDn()

static void org.keycloak.storage.ldap.LDAPUtils.computeAndSetDn	(	LDAPConfig	config,
		LDAPObject	ldapUser
	)

inlinestatic

                                                                                {
         String rdnLdapAttrName = config.getRdnLdapAttribute();
         String rdnLdapAttrValue = ldapUser.getAttributeAsString(rdnLdapAttrName);
         if (rdnLdapAttrValue == null) {
             throw new ModelException("RDN Attribute [" + rdnLdapAttrName + "] is not filled. Filled attributes: " + ldapUser.getAttributes());
         }
 
         LDAPDn dn = LDAPDn.fromString(config.getUsersDn());
         dn.addFirst(rdnLdapAttrName, rdnLdapAttrValue);
         ldapUser.setDn(dn);
     }

◆ createLDAPGroup()

static LDAPObject org.keycloak.storage.ldap.LDAPUtils.createLDAPGroup	(	LDAPStorageProvider	ldapProvider,
		String	groupName,
		String	groupNameAttribute,
		Collection< String >	objectClasses,
		String	parentDn,
		Map< String, Set< String >>	additionalAttributes
	)

inlinestatic

                                                                                                              {
         LDAPObject ldapObject = new LDAPObject();
 
         ldapObject.setRdnAttributeName(groupNameAttribute);
         ldapObject.setObjectClasses(objectClasses);
         ldapObject.setSingleAttribute(groupNameAttribute, groupName);
 
         LDAPDn roleDn = LDAPDn.fromString(parentDn);
         roleDn.addFirst(groupNameAttribute, groupName);
         ldapObject.setDn(roleDn);
 
         for (Map.Entry<String, Set<String>> attrEntry : additionalAttributes.entrySet()) {
             ldapObject.setAttribute(attrEntry.getKey(), attrEntry.getValue());
         }
 
         ldapProvider.getLdapIdentityStore().add(ldapObject);
         return ldapObject;
     }

◆ createQueryForUserSearch()

static LDAPQuery org.keycloak.storage.ldap.LDAPUtils.createQueryForUserSearch	(	LDAPStorageProvider	ldapProvider,
		RealmModel	realm
	)

inlinestatic

                                                                                                          {
         LDAPQuery ldapQuery = new LDAPQuery(ldapProvider);
         LDAPConfig config = ldapProvider.getLdapIdentityStore().getConfig();
         ldapQuery.setSearchScope(config.getSearchScope());
         ldapQuery.setSearchDn(config.getUsersDn());
         ldapQuery.addObjectClasses(config.getUserObjectClasses());
 
         String customFilter = config.getCustomUserSearchFilter();
         if (customFilter != null) {
             Condition customFilterCondition = new LDAPQueryConditionsBuilder().addCustomLDAPFilter(customFilter);
             ldapQuery.addWhereCondition(customFilterCondition);
         }
 
         List<ComponentModel> mapperModels = realm.getComponents(ldapProvider.getModel().getId(), LDAPStorageMapper.class.getName());
         ldapQuery.addMappers(mapperModels);
 
         return ldapQuery;
     }

◆ deleteMember()

static void org.keycloak.storage.ldap.LDAPUtils.deleteMember	(	LDAPStorageProvider	ldapProvider,
		MembershipType	membershipType,
		String	memberAttrName,
		String	memberChildAttrName,
		LDAPObject	ldapParent,
		LDAPObject	ldapChild
	)

inlinestatic

Remove ldapChild as member of ldapParent and save ldapParent to LDAP.

引数

ldapProvider
membershipType	how is 'member' attribute saved (full DN or just uid)
memberAttrName	usually 'member'
memberChildAttrName	used just if membershipType is UID. Usually 'uid'
ldapParent	role or group
ldapChild	usually user (or child group or child role)

                                                                                                                                                                                                      {
         Set<String> memberships = getExistingMemberships(memberAttrName, ldapParent);
 
         String userMembership = getMemberValueOfChildObject(ldapChild, membershipType, memberChildAttrName);
 
         memberships.remove(userMembership);
 
         // Some membership placeholder needs to be always here as "member" is mandatory attribute on some LDAP servers. But not on active directory! (Placeholder, which not matches any real object is not allowed here)
         if (memberships.size() == 0 && membershipType== MembershipType.DN && !ldapProvider.getLdapIdentityStore().getConfig().isActiveDirectory()) {
             memberships.add(LDAPConstants.EMPTY_MEMBER_ATTRIBUTE_VALUE);
         }
 
         ldapParent.setAttribute(memberAttrName, memberships);
         ldapProvider.getLdapIdentityStore().update(ldapParent);
     }

◆ getExistingMemberships()

static Set<String> org.keycloak.storage.ldap.LDAPUtils.getExistingMemberships	(	String	memberAttrName,
		LDAPObject	ldapRole
	)

inlinestatic

Return all existing memberships (values of attribute 'member' ) from the given ldapRole or ldapGroup

引数

memberAttrName	usually 'member'
ldapRole

戻り値

                                                                                                  {
         Set<String> memberships = ldapRole.getAttributeAsSet(memberAttrName);
         if (memberships == null) {
             memberships = new HashSet<>();
         }
         return memberships;
     }

◆ getMemberValueOfChildObject()

static String org.keycloak.storage.ldap.LDAPUtils.getMemberValueOfChildObject	(	LDAPObject	ldapUser,
		MembershipType	membershipType,
		String	memberChildAttrName
	)

inlinestatic

Get value to be used as attribute 'member' or 'memberUid' in some parent ldapObject

                                                                                                                                      {
         if (membershipType == MembershipType.DN) {
             return ldapUser.getDn().toString();
         } else {
             return ldapUser.getAttributeAsString(memberChildAttrName);
         }
     }

◆ getUsername()

static String org.keycloak.storage.ldap.LDAPUtils.getUsername	(	LDAPObject	ldapUser,
		LDAPConfig	config
	)

inlinestatic

                                                                              {
         String usernameAttr = config.getUsernameLdapAttribute();
         String ldapUsername = ldapUser.getAttributeAsString(usernameAttr);
 
         if (ldapUsername == null) {
             throw new ModelException("User returned from LDAP has null username! Check configuration of your LDAP mappings. Mapped username LDAP attribute: " +
                     config.getUsernameLdapAttribute() + ", user DN: " + ldapUser.getDn() + ", attributes from LDAP: " + ldapUser.getAttributes());
         }
 
         return ldapUsername;
     }

◆ loadAllLDAPObjects()

static List<LDAPObject> org.keycloak.storage.ldap.LDAPUtils.loadAllLDAPObjects	(	LDAPQuery	ldapQuery,
		LDAPStorageProvider	ldapProvider
	)

inlinestatic

Load all LDAP objects corresponding to given query. We will load them paginated, so we allow to bypass the limitation of 1000 maximum loaded objects in single query in MSAD

引数

ldapQuery
ldapProvider

戻り値

                                                                                                              {
         LDAPConfig ldapConfig = ldapProvider.getLdapIdentityStore().getConfig();
         boolean pagination = ldapConfig.isPagination();
         if (pagination) {
             // For now reuse globally configured batch size in LDAP provider page
             int pageSize = ldapConfig.getBatchSizeForSync();
 
             List<LDAPObject> result = new LinkedList<>();
             boolean nextPage = true;
 
             while (nextPage) {
                 ldapQuery.setLimit(pageSize);
                 final List<LDAPObject> currentPageGroups = ldapQuery.getResultList();
                 result.addAll(currentPageGroups);
                 nextPage = ldapQuery.getPaginationContext() != null;
             }
 
             return result;
         } else {
             // LDAP pagination not available. Do everything in single transaction
             return ldapQuery.getResultList();
         }
     }

◆ validateCustomLdapFilter()

static void org.keycloak.storage.ldap.LDAPUtils.validateCustomLdapFilter ( String customFilter ) throws ComponentValidationException

inlinestatic

Validate configured customFilter matches the requested format

引数

customFilter

例外

ComponentValidationException

                                                                                                          {
         if (customFilter != null) {
 
             customFilter = customFilter.trim();
             if (customFilter.isEmpty()) {
                 return;
             }
 
             if (!customFilter.startsWith("(") || !customFilter.endsWith(")")) {
                 throw new ComponentValidationException("ldapErrorInvalidCustomFilter");
             }
         }
     }

このクラス詳解は次のファイルから抽出されました:

D:/AppData/doxygen/keycloak/federation/src/federation/ldap/src/main/java/org/keycloak/storage/ldap/LDAPUtils.java

静的公開メンバ関数

詳解

関数詳解

◆ addMember()

◆ addUserToLDAP()

◆ checkUuid()

◆ computeAndSetDn()

◆ createLDAPGroup()

◆ createQueryForUserSearch()

◆ deleteMember()

◆ getExistingMemberships()

◆ getMemberValueOfChildObject()

◆ getUsername()

◆ loadAllLDAPObjects()

◆ validateCustomLdapFilter()