org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper の継承関係図

org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper 連携図

クラス
class	LDAPGroupMappingsUserDelegate

公開メンバ関数
	GroupLDAPStorageMapper (ComponentModel mapperModel, LDAPStorageProvider ldapProvider, GroupLDAPStorageMapperFactory factory)

LDAPQuery	createLDAPGroupQuery ()

CommonLDAPGroupMapperConfig	getConfig ()

LDAPQuery	createGroupQuery (boolean includeMemberAttribute)

LDAPObject	createLDAPGroup (String groupName, Map< String, Set< String >> additionalAttributes)

LDAPObject	loadLDAPGroupByName (String groupName)

SynchronizationResult	syncDataFromFederationProviderToKeycloak (RealmModel realm)

SynchronizationResult	syncDataFromKeycloakToFederationProvider (RealmModel realm)

List< UserModel >	getGroupMembers (RealmModel realm, GroupModel kcGroup, int firstResult, int maxResults)

void	addGroupMappingInLDAP (RealmModel realm, GroupModel kcGroup, LDAPObject ldapUser)

void	deleteGroupMappingInLDAP (LDAPObject ldapUser, LDAPObject ldapGroup)

void	beforeLDAPQuery (LDAPQuery query)

UserModel	proxy (LDAPObject ldapUser, UserModel delegate, RealmModel realm)

void	onRegisterUserToLDAP (LDAPObject ldapUser, UserModel localUser, RealmModel realm)

void	onImportUserFromLDAP (LDAPObject ldapUser, UserModel user, RealmModel realm, boolean isCreate)

boolean	onAuthenticationFailure (LDAPObject ldapUser, UserModel user, AuthenticationException ldapException, RealmModel realm)

LDAPStorageProvider	getLdapProvider ()

void	close ()

静的公開メンバ関数
static boolean	parseBooleanParameter (ComponentModel mapperModel, String paramName)

限定公開メンバ関数
Set< LDAPDn >	getLDAPSubgroups (LDAPObject ldapGroup)

GroupModel	findKcGroupByLDAPGroup (RealmModel realm, LDAPObject ldapGroup)

GroupModel	findKcGroupOrSyncFromLDAP (RealmModel realm, LDAPObject ldapGroup, UserModel user)

List< LDAPObject >	getAllLDAPGroups (boolean includeMemberAttribute)

List< LDAPObject >	getLDAPGroupMappings (LDAPObject ldapUser)

String	getMembershipUserLdapAttribute ()

限定公開変数類
final KeycloakSession	session

final ComponentModel	mapperModel

final LDAPStorageProvider	ldapProvider

非公開メンバ関数
void	updateKeycloakGroupTree (RealmModel realm, List< GroupTreeResolver.GroupTreeEntry > groupTrees, Map< String, LDAPObject > ldapGroups, SynchronizationResult syncResult)

void	updateKeycloakGroupTreeEntry (RealmModel realm, GroupTreeResolver.GroupTreeEntry groupTreeEntry, Map< String, LDAPObject > ldapGroups, GroupModel kcParent, SynchronizationResult syncResult, Set< String > visitedGroupIds)

void	dropNonExistingKcGroups (RealmModel realm, SynchronizationResult syncResult, Set< String > visitedGroupIds)

void	updateAttributesOfKCGroup (GroupModel kcGroup, LDAPObject ldapGroup)

void	processKeycloakGroupSyncToLDAP (GroupModel kcGroup, Map< String, LDAPObject > ldapGroupsMap, Set< String > ldapGroupNames, SynchronizationResult syncResult)

void	processKeycloakGroupMembershipsSyncToLDAP (GroupModel kcGroup, Map< String, LDAPObject > ldapGroupsMap)

GroupModel	getHighestPredecessorNotExistentInLdap (GroupModel group)

非公開変数類
final GroupMapperConfig	config

final GroupLDAPStorageMapperFactory	factory

boolean	syncFromLDAPPerformedInThisTransaction = false

静的非公開変数類
static final Logger	logger = Logger.getLogger(GroupLDAPStorageMapper.class)

詳解

著者: Marek Posolda

構築子と解体子

◆ GroupLDAPStorageMapper()

org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper.GroupLDAPStorageMapper	(	ComponentModel	mapperModel,
		LDAPStorageProvider	ldapProvider,
		GroupLDAPStorageMapperFactory	factory
	)

inline

                                                                                                                                        {
         super(mapperModel, ldapProvider);
         this.config = new GroupMapperConfig(mapperModel);
         this.factory = factory;
     }

関数詳解

◆ addGroupMappingInLDAP()

void org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper.addGroupMappingInLDAP	(	RealmModel	realm,
		GroupModel	kcGroup,
		LDAPObject	ldapUser
	)

inline

                                                                                                  {
         String groupName = kcGroup.getName();
         LDAPObject ldapGroup = loadLDAPGroupByName(groupName);
 
         if (ldapGroup == null) {
             // Needs to partially sync Keycloak groups to LDAP
             if (config.isPreserveGroupsInheritance()) {
                 GroupModel highestGroupToSync = getHighestPredecessorNotExistentInLdap(kcGroup);
 
                 logger.debugf("Will sync group '%s' and it's subgroups from DB to LDAP", highestGroupToSync.getName());
 
                 Map<String, LDAPObject> syncedLDAPGroups = new HashMap<>();
                 processKeycloakGroupSyncToLDAP(highestGroupToSync, syncedLDAPGroups, new HashSet<>(), new SynchronizationResult());
                 processKeycloakGroupMembershipsSyncToLDAP(highestGroupToSync, syncedLDAPGroups);
 
                 ldapGroup = loadLDAPGroupByName(groupName);
 
                 // Finally update LDAP membership in the parent group
                 if (highestGroupToSync.getParent() != null) {
                     LDAPObject ldapParentGroup = loadLDAPGroupByName(highestGroupToSync.getParent().getName());
                     LDAPUtils.addMember(ldapProvider, MembershipType.DN, config.getMembershipLdapAttribute(), getMembershipUserLdapAttribute(), ldapParentGroup, ldapGroup, true);
                 }
             } else {
                 // No care about group inheritance. Let's just sync current group
                 logger.debugf("Will sync group '%s' from DB to LDAP", groupName);
                 processKeycloakGroupSyncToLDAP(kcGroup, new HashMap<>(), new HashSet<>(), new SynchronizationResult());
                 ldapGroup = loadLDAPGroupByName(groupName);
             }
         }
 
         String membershipUserLdapAttrName = getMembershipUserLdapAttribute();
 
         LDAPUtils.addMember(ldapProvider, config.getMembershipTypeLdapAttribute(), config.getMembershipLdapAttribute(), membershipUserLdapAttrName, ldapGroup, ldapUser, true);
     }

◆ beforeLDAPQuery()

void org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper.beforeLDAPQuery ( LDAPQuery query )

inline

org.keycloak.storage.ldap.mappers.LDAPStorageMapperを実装しています。

                                                  {
         String strategyKey = config.getUserGroupsRetrieveStrategy();
         UserRolesRetrieveStrategy strategy = factory.getUserGroupsRetrieveStrategy(strategyKey);
         strategy.beforeUserLDAPQuery(this, query);
     }

◆ close()

void org.keycloak.storage.ldap.mappers.AbstractLDAPStorageMapper.close ( )

inlineinherited

org.keycloak.provider.Providerを実装しています。

                         {
 
     }

◆ createGroupQuery()

LDAPQuery org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper.createGroupQuery ( boolean includeMemberAttribute )

inline

                                                                       {
         LDAPQuery ldapQuery = new LDAPQuery(ldapProvider);
 
         // For now, use same search scope, which is configured "globally" and used for user's search.
         ldapQuery.setSearchScope(ldapProvider.getLdapIdentityStore().getConfig().getSearchScope());
 
         String groupsDn = config.getGroupsDn();
         ldapQuery.setSearchDn(groupsDn);
 
         Collection<String> groupObjectClasses = config.getGroupObjectClasses(ldapProvider);
         ldapQuery.addObjectClasses(groupObjectClasses);
 
         String customFilter = config.getCustomLdapFilter();
         if (customFilter != null && customFilter.trim().length() > 0) {
             Condition customFilterCondition = new LDAPQueryConditionsBuilder().addCustomLDAPFilter(customFilter);
             ldapQuery.addWhereCondition(customFilterCondition);
         }
 
         ldapQuery.addReturningLdapAttribute(config.getGroupNameLdapAttribute());
 
         // Performance improvement
         if (includeMemberAttribute) {
             ldapQuery.addReturningLdapAttribute(config.getMembershipLdapAttribute());
         }
 
         for (String groupAttr : config.getGroupAttributes()) {
             ldapQuery.addReturningLdapAttribute(groupAttr);
         }
 
         return ldapQuery;
     }

◆ createLDAPGroup()

LDAPObject org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper.createLDAPGroup	(	String	groupName,
		Map< String, Set< String >>	additionalAttributes
	)

inline

                                                                                                        {
         LDAPObject ldapGroup = LDAPUtils.createLDAPGroup(ldapProvider, groupName, config.getGroupNameLdapAttribute(), config.getGroupObjectClasses(ldapProvider),
                 config.getGroupsDn(), additionalAttributes);
 
         logger.debugf("Creating group [%s] to LDAP with DN [%s]", groupName, ldapGroup.getDn().toString());
         return ldapGroup;
     }

◆ createLDAPGroupQuery()

LDAPQuery org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper.createLDAPGroupQuery ( )

inline

org.keycloak.storage.ldap.mappers.membership.CommonLDAPGroupMapperを実装しています。

                                             {
         return createGroupQuery(false);
     }

◆ deleteGroupMappingInLDAP()

void org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper.deleteGroupMappingInLDAP	(	LDAPObject	ldapUser,
		LDAPObject	ldapGroup
	)

inline

                                                                                     {
         String membershipUserLdapAttrName = getMembershipUserLdapAttribute();
         LDAPUtils.deleteMember(ldapProvider, config.getMembershipTypeLdapAttribute(), config.getMembershipLdapAttribute(), membershipUserLdapAttrName, ldapGroup, ldapUser);
     }

◆ dropNonExistingKcGroups()

void org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper.dropNonExistingKcGroups	(	RealmModel	realm,
		SynchronizationResult	syncResult,
		Set< String >	visitedGroupIds
	)

inlineprivate

                                                                                                                           {
         // Remove keycloak groups, which doesn't exists in LDAP
         List<GroupModel> allGroups = realm.getGroups();
         for (GroupModel kcGroup : allGroups) {
             if (!visitedGroupIds.contains(kcGroup.getId())) {
                 logger.debugf("Removing Keycloak group '%s', which doesn't exist in LDAP", kcGroup.getName());
                 realm.removeGroup(kcGroup);
                 syncResult.increaseRemoved();
             }
         }
     }

◆ findKcGroupByLDAPGroup()

GroupModel org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper.findKcGroupByLDAPGroup	(	RealmModel	realm,
		LDAPObject	ldapGroup
	)

inlineprotected

                                                                                         {
         String groupNameAttr = config.getGroupNameLdapAttribute();
         String groupName = ldapGroup.getAttributeAsString(groupNameAttr);
 
         if (config.isPreserveGroupsInheritance()) {
             // Override if better effectivity or different algorithm is needed
             List<GroupModel> groups = realm.getGroups();
             for (GroupModel group : groups) {
                 if (group.getName().equals(groupName)) {
                     return group;
                 }
             }
 
             return null;
         } else {
             // Without preserved inheritance, it's always top-level group
             return KeycloakModelUtils.findGroupByPath(realm, "/" + groupName);
         }
     }

◆ findKcGroupOrSyncFromLDAP()

GroupModel org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper.findKcGroupOrSyncFromLDAP	(	RealmModel	realm,
		LDAPObject	ldapGroup,
		UserModel	user
	)

inlineprotected

                                                                                                            {
         GroupModel kcGroup = findKcGroupByLDAPGroup(realm, ldapGroup);
 
         if (kcGroup == null) {
 
             if (config.isPreserveGroupsInheritance()) {
 
                 // Better to sync all groups from LDAP with preserved inheritance
                 if (!syncFromLDAPPerformedInThisTransaction) {
                     syncDataFromFederationProviderToKeycloak(realm);
                     kcGroup = findKcGroupByLDAPGroup(realm, ldapGroup);
                 }
             } else {
                 String groupNameAttr = config.getGroupNameLdapAttribute();
                 String groupName = ldapGroup.getAttributeAsString(groupNameAttr);
 
                 kcGroup = realm.createGroup(groupName);
                 updateAttributesOfKCGroup(kcGroup, ldapGroup);
                 realm.moveGroup(kcGroup, null);
             }
 
             // Could theoretically happen on some LDAP servers if 'memberof' style is used and 'memberof' attribute of user references non-existing group
             if (kcGroup == null) {
                 String groupName = ldapGroup.getAttributeAsString(config.getGroupNameLdapAttribute());
                 logger.warnf("User '%s' is member of group '%s', which doesn't exists in LDAP", user.getUsername(), groupName);
             }
         }
 
         return kcGroup;
     }

◆ getAllLDAPGroups()

List<LDAPObject> org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper.getAllLDAPGroups ( boolean includeMemberAttribute )

inlineprotected

                                                                                 {
         LDAPQuery ldapGroupQuery = createGroupQuery(includeMemberAttribute);
         return LDAPUtils.loadAllLDAPObjects(ldapGroupQuery, ldapProvider);
     }

◆ getConfig()

CommonLDAPGroupMapperConfig org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper.getConfig ( )

inline

org.keycloak.storage.ldap.mappers.membership.CommonLDAPGroupMapperを実装しています。

                                                    {
         return config;
     }

◆ getGroupMembers()

List<UserModel> org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper.getGroupMembers	(	RealmModel	realm,
		GroupModel	kcGroup,
		int	firstResult,
		int	maxResults
	)

inline

org.keycloak.storage.ldap.mappers.LDAPStorageMapperを実装しています。

                                                                                                                   {
         LDAPObject ldapGroup = loadLDAPGroupByName(kcGroup.getName());
         if (ldapGroup == null) {
             return Collections.emptyList();
         }
 
         MembershipType membershipType = config.getMembershipTypeLdapAttribute();
         return membershipType.getGroupMembers(realm, this, ldapGroup, firstResult, maxResults);
     }

◆ getHighestPredecessorNotExistentInLdap()

GroupModel org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper.getHighestPredecessorNotExistentInLdap ( GroupModel group )

inlineprivate

                                                                                 {
         GroupModel parentGroup = group.getParent();
         if (parentGroup == null) {
             return group;
         }
 
         LDAPObject ldapGroup = loadLDAPGroupByName(parentGroup.getName());
         if (ldapGroup != null) {
             // Parent exists in LDAP. Let's return current group
             return group;
         } else {
             // Parent doesn't exists in LDAP. Let's recursively go up.
             return getHighestPredecessorNotExistentInLdap(parentGroup);
         }
     }

◆ getLDAPGroupMappings()

List<LDAPObject> org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper.getLDAPGroupMappings ( LDAPObject ldapUser )

inlineprotected

                                                                          {
         String strategyKey = config.getUserGroupsRetrieveStrategy();
         UserRolesRetrieveStrategy strategy = factory.getUserGroupsRetrieveStrategy(strategyKey);
 
         LDAPConfig ldapConfig = ldapProvider.getLdapIdentityStore().getConfig();
         return strategy.getLDAPRoleMappings(this, ldapUser, ldapConfig);
     }

◆ getLdapProvider()

LDAPStorageProvider org.keycloak.storage.ldap.mappers.AbstractLDAPStorageMapper.getLdapProvider ( )

inlineinherited

                                                  {
         return ldapProvider;
     }

◆ getLDAPSubgroups()

Set<LDAPDn> org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper.getLDAPSubgroups ( LDAPObject ldapGroup )

inlineprotected

                                                                  {
         MembershipType membershipType = config.getMembershipTypeLdapAttribute();
         return membershipType.getLDAPSubgroups(this, ldapGroup);
     }

◆ getMembershipUserLdapAttribute()

String org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper.getMembershipUserLdapAttribute ( )

inlineprotected

                                                       {
         LDAPConfig ldapConfig = ldapProvider.getLdapIdentityStore().getConfig();
         return config.getMembershipUserLdapAttribute(ldapConfig);
     }

◆ loadLDAPGroupByName()

LDAPObject org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper.loadLDAPGroupByName ( String groupName )

inline

                                                             {
         LDAPQuery ldapQuery = createGroupQuery(true);
         Condition roleNameCondition = new LDAPQueryConditionsBuilder().equal(config.getGroupNameLdapAttribute(), groupName);
         ldapQuery.addWhereCondition(roleNameCondition);
         return ldapQuery.getFirstResult();
     }

◆ onAuthenticationFailure()

boolean org.keycloak.storage.ldap.mappers.AbstractLDAPStorageMapper.onAuthenticationFailure	(	LDAPObject	ldapUser,
		UserModel	user,
		AuthenticationException	ldapException,
		RealmModel	realm
	)

inlineinherited

org.keycloak.storage.ldap.mappers.LDAPStorageMapperを実装しています。

                                                                                                                                          {
         return false;
     }

◆ onImportUserFromLDAP()

void org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper.onImportUserFromLDAP	(	LDAPObject	ldapUser,
		UserModel	user,
		RealmModel	realm,
		boolean	isCreate
	)

inline

org.keycloak.storage.ldap.mappers.LDAPStorageMapperを実装しています。

                                                                                                               {
         LDAPGroupMapperMode mode = config.getMode();
 
         // For now, import LDAP group mappings just during create
         if (mode == LDAPGroupMapperMode.IMPORT && isCreate) {
 
             List<LDAPObject> ldapGroups = getLDAPGroupMappings(ldapUser);
 
             // Import role mappings from LDAP into Keycloak DB
             for (LDAPObject ldapGroup : ldapGroups) {
 
                 GroupModel kcGroup = findKcGroupOrSyncFromLDAP(realm, ldapGroup, user);
                 if (kcGroup != null) {
                     logger.debugf("User '%s' joins group '%s' during import from LDAP", user.getUsername(), kcGroup.getName());
                     user.joinGroup(kcGroup);
                 }
             }
         }
     }

◆ onRegisterUserToLDAP()

void org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper.onRegisterUserToLDAP	(	LDAPObject	ldapUser,
		UserModel	localUser,
		RealmModel	realm
	)

inline

org.keycloak.storage.ldap.mappers.LDAPStorageMapperを実装しています。

589 {

590 }

◆ parseBooleanParameter()

static boolean org.keycloak.storage.ldap.mappers.AbstractLDAPStorageMapper.parseBooleanParameter	(	ComponentModel	mapperModel,
		String	paramName
	)

inlinestaticinherited

                                                                                               {
         String paramm = mapperModel.getConfig().getFirst(paramName);
         return Boolean.parseBoolean(paramm);
     }

◆ processKeycloakGroupMembershipsSyncToLDAP()

void org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper.processKeycloakGroupMembershipsSyncToLDAP	(	GroupModel	kcGroup,
		Map< String, LDAPObject >	ldapGroupsMap
	)

inlineprivate

                                                                                                                       {
         LDAPObject ldapGroup = ldapGroupsMap.get(kcGroup.getName());
         Set<LDAPDn> toRemoveSubgroupsDNs = getLDAPSubgroups(ldapGroup);
 
         String membershipUserLdapAttrName = getMembershipUserLdapAttribute(); // Not applicable for groups, but needs to be here
 
         // Add LDAP subgroups, which are KC subgroups
         Set<GroupModel> kcSubgroups = kcGroup.getSubGroups();
         for (GroupModel kcSubgroup : kcSubgroups) {
             LDAPObject ldapSubgroup = ldapGroupsMap.get(kcSubgroup.getName());
             LDAPUtils.addMember(ldapProvider, MembershipType.DN, config.getMembershipLdapAttribute(), membershipUserLdapAttrName, ldapGroup, ldapSubgroup, false);
             toRemoveSubgroupsDNs.remove(ldapSubgroup.getDn());
         }
 
         // Remove LDAP subgroups, which are not members in KC anymore
         for (LDAPDn toRemoveDN : toRemoveSubgroupsDNs) {
             LDAPObject fakeGroup = new LDAPObject();
             fakeGroup.setDn(toRemoveDN);
             LDAPUtils.deleteMember(ldapProvider, MembershipType.DN, config.getMembershipLdapAttribute(), membershipUserLdapAttrName, ldapGroup, fakeGroup);
         }
 
         // Update group to LDAP
         if (!kcGroup.getSubGroups().isEmpty() || !toRemoveSubgroupsDNs.isEmpty()) {
             ldapProvider.getLdapIdentityStore().update(ldapGroup);
         }
 
         for (GroupModel kcSubgroup : kcGroup.getSubGroups()) {
             processKeycloakGroupMembershipsSyncToLDAP(kcSubgroup, ldapGroupsMap);
         }
     }

◆ processKeycloakGroupSyncToLDAP()

void org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper.processKeycloakGroupSyncToLDAP	(	GroupModel	kcGroup,
		Map< String, LDAPObject >	ldapGroupsMap,
		Set< String >	ldapGroupNames,
		SynchronizationResult	syncResult
	)

inlineprivate

                                                                                                                                                                          {
         String groupName = kcGroup.getName();
 
         // extract group attributes to be updated to LDAP
         Map<String, Set<String>> supportedLdapAttributes = new HashMap<>();
         for (String attrName : config.getGroupAttributes()) {
             List<String> kcAttrValues = kcGroup.getAttribute(attrName);
             Set<String> attrValues2 = (kcAttrValues == null || kcAttrValues.isEmpty()) ? null : new HashSet<>(kcAttrValues);
             supportedLdapAttributes.put(attrName, attrValues2);
         }
 
         LDAPObject ldapGroup = ldapGroupsMap.get(groupName);
 
         if (ldapGroup == null) {
             ldapGroup = createLDAPGroup(groupName, supportedLdapAttributes);
             syncResult.increaseAdded();
         } else {
             for (Map.Entry<String, Set<String>> attrEntry : supportedLdapAttributes.entrySet()) {
                 ldapGroup.setAttribute(attrEntry.getKey(), attrEntry.getValue());
             }
 
             ldapProvider.getLdapIdentityStore().update(ldapGroup);
             syncResult.increaseUpdated();
         }
 
         ldapGroupsMap.put(groupName, ldapGroup);
         ldapGroupNames.add(groupName);
 
         // process KC subgroups
         for (GroupModel kcSubgroup : kcGroup.getSubGroups()) {
             processKeycloakGroupSyncToLDAP(kcSubgroup, ldapGroupsMap, ldapGroupNames, syncResult);
         }
     }

◆ proxy()

UserModel org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper.proxy	(	LDAPObject	ldapUser,
		UserModel	delegate,
		RealmModel	realm
	)

inline

org.keycloak.storage.ldap.mappers.LDAPStorageMapperを実装しています。

                                                                                       {
         final LDAPGroupMapperMode mode = config.getMode();
 
         // For IMPORT mode, all operations are performed against local DB
         if (mode == LDAPGroupMapperMode.IMPORT) {
             return delegate;
         } else {
             return new LDAPGroupMappingsUserDelegate(realm, delegate, ldapUser);
         }
     }

◆ syncDataFromFederationProviderToKeycloak()

SynchronizationResult org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper.syncDataFromFederationProviderToKeycloak ( RealmModel realm )

inline

org.keycloak.storage.ldap.mappers.LDAPStorageMapperを実装しています。

                                                                                             {
         SynchronizationResult syncResult = new SynchronizationResult() {
 
             @Override
             public String getStatus() {
                 return String.format("%d imported groups, %d updated groups, %d removed groups", getAdded(), getUpdated(), getRemoved());
             }
 
         };
 
         logger.debugf("Syncing groups from LDAP into Keycloak DB. Mapper is [%s], LDAP provider is [%s]", mapperModel.getName(), ldapProvider.getModel().getName());
 
         // Get all LDAP groups
         List<LDAPObject> ldapGroups = getAllLDAPGroups(config.isPreserveGroupsInheritance());
 
         // Convert to internal format
         Map<String, LDAPObject> ldapGroupsMap = new HashMap<>();
         List<GroupTreeResolver.Group> ldapGroupsRep = new LinkedList<>();
 
         String groupsRdnAttr = config.getGroupNameLdapAttribute();
         for (LDAPObject ldapGroup : ldapGroups) {
             String groupName = ldapGroup.getAttributeAsString(groupsRdnAttr);
 
             if (config.isPreserveGroupsInheritance()) {
                 Set<String> subgroupNames = new HashSet<>();
                 for (LDAPDn groupDn : getLDAPSubgroups(ldapGroup)) {
                     subgroupNames.add(groupDn.getFirstRdnAttrValue());
                 }
 
                 ldapGroupsRep.add(new GroupTreeResolver.Group(groupName, subgroupNames));
             }
 
             ldapGroupsMap.put(groupName, ldapGroup);
         }
 
         // Now we have list of LDAP groups. Let's form the tree (if needed)
         if (config.isPreserveGroupsInheritance()) {
             try {
                 List<GroupTreeResolver.GroupTreeEntry> groupTrees = new GroupTreeResolver().resolveGroupTree(ldapGroupsRep, config.isIgnoreMissingGroups());
 
                 updateKeycloakGroupTree(realm, groupTrees, ldapGroupsMap, syncResult);
             } catch (GroupTreeResolver.GroupTreeResolveException gre) {
                 throw new ModelException("Couldn't resolve groups from LDAP. Fix LDAP or skip preserve inheritance. Details: " + gre.getMessage(), gre);
             }
         } else {
             Set<String> visitedGroupIds = new HashSet<>();
 
             // Just add flat structure of groups with all groups at top-level
             for (Map.Entry<String, LDAPObject> groupEntry : ldapGroupsMap.entrySet()) {
                 String groupName = groupEntry.getKey();
                 GroupModel kcExistingGroup = KeycloakModelUtils.findGroupByPath(realm, "/" + groupName);
 
                 if (kcExistingGroup != null) {
                     updateAttributesOfKCGroup(kcExistingGroup, groupEntry.getValue());
                     syncResult.increaseUpdated();
                     visitedGroupIds.add(kcExistingGroup.getId());
                 } else {
                     GroupModel kcGroup = realm.createGroup(groupName);
                     updateAttributesOfKCGroup(kcGroup, groupEntry.getValue());
                     realm.moveGroup(kcGroup, null);
                     syncResult.increaseAdded();
                     visitedGroupIds.add(kcGroup.getId());
                 }
             }
 
             // Possibly remove keycloak groups, which doesn't exists in LDAP
             if (config.isDropNonExistingGroupsDuringSync()) {
                 dropNonExistingKcGroups(realm, syncResult, visitedGroupIds);
             }
         }
 
         syncFromLDAPPerformedInThisTransaction = true;
 
         return syncResult;
     }

◆ syncDataFromKeycloakToFederationProvider()

SynchronizationResult org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper.syncDataFromKeycloakToFederationProvider ( RealmModel realm )

inline

org.keycloak.storage.ldap.mappers.LDAPStorageMapperを実装しています。

                                                                                             {
         SynchronizationResult syncResult = new SynchronizationResult() {
 
             @Override
             public String getStatus() {
                 return String.format("%d groups imported to LDAP, %d groups updated to LDAP, %d groups removed from LDAP", getAdded(), getUpdated(), getRemoved());
             }
 
         };
 
         if (config.getMode() != LDAPGroupMapperMode.LDAP_ONLY) {
             logger.warnf("Ignored sync for federation mapper '%s' as it's mode is '%s'", mapperModel.getName(), config.getMode().toString());
             return syncResult;
         }
 
         logger.debugf("Syncing groups from Keycloak into LDAP. Mapper is [%s], LDAP provider is [%s]", mapperModel.getName(), ldapProvider.getModel().getName());
 
         // Query existing LDAP groups
         LDAPQuery ldapQuery = createGroupQuery(config.isPreserveGroupsInheritance());
         List<LDAPObject> ldapGroups = ldapQuery.getResultList();
 
         // Convert them to Map<String, LDAPObject>
         Map<String, LDAPObject> ldapGroupsMap = new HashMap<>();
         String groupsRdnAttr = config.getGroupNameLdapAttribute();
         for (LDAPObject ldapGroup : ldapGroups) {
             String groupName = ldapGroup.getAttributeAsString(groupsRdnAttr);
             ldapGroupsMap.put(groupName, ldapGroup);
         }
 
         // Map to track all LDAP groups also exists in Keycloak
         Set<String> ldapGroupNames = new HashSet<>();
 
         // Create or update KC groups to LDAP including their attributes
         for (GroupModel kcGroup : realm.getTopLevelGroups()) {
             processKeycloakGroupSyncToLDAP(kcGroup, ldapGroupsMap, ldapGroupNames, syncResult);
         }
 
         // If dropNonExisting, then drop all groups, which doesn't exist in KC from LDAP as well
         if (config.isDropNonExistingGroupsDuringSync()) {
             Set<String> copy = new HashSet<>(ldapGroupsMap.keySet());
             for (String groupName : copy) {
                 if (!ldapGroupNames.contains(groupName)) {
                     LDAPObject ldapGroup = ldapGroupsMap.remove(groupName);
                     ldapProvider.getLdapIdentityStore().remove(ldapGroup);
                     syncResult.increaseRemoved();
                 }
             }
         }
 
         // Finally process memberships,
         if (config.isPreserveGroupsInheritance()) {
             for (GroupModel kcGroup : realm.getTopLevelGroups()) {
                 processKeycloakGroupMembershipsSyncToLDAP(kcGroup, ldapGroupsMap);
             }
         }
 
         return syncResult;
     }

◆ updateAttributesOfKCGroup()

void org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper.updateAttributesOfKCGroup	(	GroupModel	kcGroup,
		LDAPObject	ldapGroup
	)

inlineprivate

                                                                                      {
         Collection<String> groupAttributes = config.getGroupAttributes();
 
         for (String attrName : groupAttributes) {
             Set<String> attrValues = ldapGroup.getAttributeAsSet(attrName);
             if (attrValues==null) {
                 kcGroup.removeAttribute(attrName);
             } else {
                 kcGroup.setAttribute(attrName, new LinkedList<>(attrValues));
             }
         }
     }

◆ updateKeycloakGroupTree()

void org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper.updateKeycloakGroupTree	(	RealmModel	realm,
		List< GroupTreeResolver.GroupTreeEntry >	groupTrees,
		Map< String, LDAPObject >	ldapGroups,
		SynchronizationResult	syncResult
	)

inlineprivate

                                                                                                                                                                                     {
         Set<String> visitedGroupIds = new HashSet<>();
 
         for (GroupTreeResolver.GroupTreeEntry groupEntry : groupTrees) {
             updateKeycloakGroupTreeEntry(realm, groupEntry, ldapGroups, null, syncResult, visitedGroupIds);
         }
 
         // Possibly remove keycloak groups, which doesn't exists in LDAP
         if (config.isDropNonExistingGroupsDuringSync()) {
             dropNonExistingKcGroups(realm, syncResult, visitedGroupIds);
         }
     }

◆ updateKeycloakGroupTreeEntry()

void org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper.updateKeycloakGroupTreeEntry	(	RealmModel	realm,
		GroupTreeResolver.GroupTreeEntry	groupTreeEntry,
		Map< String, LDAPObject >	ldapGroups,
		GroupModel	kcParent,
		SynchronizationResult	syncResult,
		Set< String >	visitedGroupIds
	)

inlineprivate

                                                                                                                                                                                                                                          {
         String groupName = groupTreeEntry.getGroupName();
 
         // Check if group already exists
         GroupModel kcGroup = null;
         Collection<GroupModel> subgroups = kcParent == null ? realm.getTopLevelGroups() : kcParent.getSubGroups();
         for (GroupModel group : subgroups) {
             if (group.getName().equals(groupName)) {
                 kcGroup = group;
                 break;
             }
         }
 
         if (kcGroup != null) {
             logger.debugf("Updated Keycloak group '%s' from LDAP", kcGroup.getName());
             updateAttributesOfKCGroup(kcGroup, ldapGroups.get(kcGroup.getName()));
             syncResult.increaseUpdated();
         } else {
             kcGroup = realm.createGroup(groupTreeEntry.getGroupName());
             if (kcParent == null) {
                 realm.moveGroup(kcGroup, null);
                 logger.debugf("Imported top-level group '%s' from LDAP", kcGroup.getName());
             } else {
                 realm.moveGroup(kcGroup, kcParent);
                 logger.debugf("Imported group '%s' from LDAP as child of group '%s'", kcGroup.getName(), kcParent.getName());
             }
 
             updateAttributesOfKCGroup(kcGroup, ldapGroups.get(kcGroup.getName()));
             syncResult.increaseAdded();
         }
 
         visitedGroupIds.add(kcGroup.getId());
 
         for (GroupTreeResolver.GroupTreeEntry childEntry : groupTreeEntry.getChildren()) {
             updateKeycloakGroupTreeEntry(realm, childEntry, ldapGroups, kcGroup, syncResult, visitedGroupIds);
         }
     }

メンバ詳解

◆ config

final GroupMapperConfig org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper.config

private

◆ factory

final GroupLDAPStorageMapperFactory org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper.factory

private

◆ ldapProvider

final LDAPStorageProvider org.keycloak.storage.ldap.mappers.AbstractLDAPStorageMapper.ldapProvider

protectedinherited

◆ logger

final Logger org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper.logger = Logger.getLogger(GroupLDAPStorageMapper.class)

staticprivate

◆ mapperModel

final ComponentModel org.keycloak.storage.ldap.mappers.AbstractLDAPStorageMapper.mapperModel

protectedinherited

◆ session

final KeycloakSession org.keycloak.storage.ldap.mappers.AbstractLDAPStorageMapper.session

protectedinherited

◆ syncFromLDAPPerformedInThisTransaction

boolean org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper.syncFromLDAPPerformedInThisTransaction = false

private

このクラス詳解は次のファイルから抽出されました:

D:/AppData/doxygen/keycloak/src/keycloak/src/main/java/org/keycloak/storage/ldap/mappers/membership/group/GroupLDAPStorageMapper.java

クラス

公開メンバ関数

静的公開メンバ関数

限定公開メンバ関数

限定公開変数類

非公開メンバ関数

非公開変数類

静的非公開変数類

詳解

構築子と解体子

◆ GroupLDAPStorageMapper()

関数詳解

◆ addGroupMappingInLDAP()

◆ beforeLDAPQuery()

◆ close()

◆ createGroupQuery()

◆ createLDAPGroup()

◆ createLDAPGroupQuery()

◆ deleteGroupMappingInLDAP()

◆ dropNonExistingKcGroups()

◆ findKcGroupByLDAPGroup()

◆ findKcGroupOrSyncFromLDAP()

◆ getAllLDAPGroups()

◆ getConfig()

◆ getGroupMembers()

◆ getHighestPredecessorNotExistentInLdap()

◆ getLDAPGroupMappings()

◆ getLdapProvider()

◆ getLDAPSubgroups()

◆ getMembershipUserLdapAttribute()

◆ loadLDAPGroupByName()

◆ onAuthenticationFailure()

◆ onImportUserFromLDAP()

◆ onRegisterUserToLDAP()

◆ parseBooleanParameter()

◆ processKeycloakGroupMembershipsSyncToLDAP()

◆ processKeycloakGroupSyncToLDAP()

◆ proxy()

◆ syncDataFromFederationProviderToKeycloak()

◆ syncDataFromKeycloakToFederationProvider()

◆ updateAttributesOfKCGroup()

◆ updateKeycloakGroupTree()

◆ updateKeycloakGroupTreeEntry()

メンバ詳解

◆ config

◆ factory

◆ ldapProvider

◆ logger

◆ mapperModel

◆ session

◆ syncFromLDAPPerformedInThisTransaction