Package org.keycloak.storage.ldap

Class LDAPStorageProvider

java.lang.Object

org.keycloak.storage.ldap.LDAPStorageProvider

All Implemented Interfaces:

CredentialAuthentication, CredentialInputUpdater, CredentialInputValidator, Provider, ImportedUserValidation, UserLookupProvider, UserQueryProvider, UserRegistrationProvider, UserStorageProvider

public class LDAPStorageProvider
extends Object
implements UserStorageProvider, CredentialInputValidator, CredentialInputUpdater, CredentialAuthentication, UserLookupProvider, UserRegistrationProvider, UserQueryProvider, ImportedUserValidation

Version:

$Revision: 1 $

Author:

Marek Posolda, Bill Burke

Nested Class Summary

Nested classes/interfaces inherited from interface org.keycloak.credential.CredentialInputUpdater

CredentialInputUpdater.Streams

Nested classes/interfaces inherited from interface org.keycloak.storage.user.UserLookupProvider

UserLookupProvider.Streams

Nested classes/interfaces inherited from interface org.keycloak.storage.user.UserQueryProvider

UserQueryProvider.Streams

Nested classes/interfaces inherited from interface org.keycloak.storage.UserStorageProvider

UserStorageProvider.EditMode

Field Summary

Fields

Modifier and Type	Field	Description
protected UserStorageProvider.EditMode	editMode
protected LDAPStorageProviderFactory	factory
protected LDAPProviderKerberosConfig	kerberosConfig
protected LDAPIdentityStore	ldapIdentityStore
protected LDAPStorageMapperManager	mapperManager
protected UserStorageProviderModel	model
protected KeycloakSession	session
protected Set<String>	supportedCredentialTypes
protected PasswordUpdateCallback	updater
protected LDAPStorageUserManager	userManager

Constructor Summary

Constructors

Constructor	Description
LDAPStorageProvider(LDAPStorageProviderFactory factory, KeycloakSession session, ComponentModel model, LDAPIdentityStore ldapIdentityStore)

Method Summary

Modifier and Type	Method	Description
UserModel	addUser(RealmModel realm, String username)	All storage providers that implement this interface will be looped through.
CredentialValidationOutput	authenticate(RealmModel realm, CredentialInput cred)
void	close()
void	disableCredentialType(RealmModel realm, UserModel user, String credentialType)
protected UserModel	findOrCreateAuthenticatedUser(RealmModel realm, String username)	Called after successful kerberos authentication
Stream<String>	getDisableableCredentialTypesStream(RealmModel realm, UserModel user)	Obtains the set of credential types that can be disabled via disableCredentialType.
UserStorageProvider.EditMode	getEditMode()
Stream<UserModel>	getGroupMembersStream(RealmModel realm, GroupModel group, Integer firstResult, Integer maxResults)	Obtains users that belong to a specific group.
LDAPIdentityStore	getLdapIdentityStore()
LDAPStorageMapperManager	getMapperManager()
UserStorageProviderModel	getModel()
Stream<UserModel>	getRoleMembersStream(RealmModel realm, RoleModel role, Integer firstResult, Integer maxResults)	Searches for users that have the specified role.
KeycloakSession	getSession()
Set<String>	getSupportedCredentialTypes()
UserModel	getUserByEmail(RealmModel realm, String email)	Returns a user with the given email belonging to the realm
UserModel	getUserById(RealmModel realm, String id)	Returns a user with the given id belonging to the realm
UserModel	getUserByUsername(RealmModel realm, String username)	Exact search for a user by its username.
LDAPStorageUserManager	getUserManager()
int	getUsersCount(RealmModel realm)	Returns the number of users, without consider any service account.
Stream<UserModel>	getUsersStream(RealmModel realm)	Searches all users in the realm.
Stream<UserModel>	getUsersStream(RealmModel realm, Integer firstResult, Integer maxResults)	Searches all users in the realm, starting from the firstResult and containing at most maxResults.
protected UserModel	importUserFromLDAP(KeycloakSession session, RealmModel realm, LDAPObject ldapUser)
boolean	isConfiguredFor(RealmModel realm, UserModel user, String credentialType)
boolean	isValid(RealmModel realm, UserModel user, CredentialInput input)	Tests whether a credential is valid
protected LDAPObject	loadAndValidateUser(RealmModel realm, UserModel local)
LDAPObject	loadLDAPUserByUsername(RealmModel realm, String username)
LDAPObject	loadLDAPUserByUuid(RealmModel realm, String uuid)
List<UserModel>	loadUsersByUsernames(List<String> usernames, RealmModel realm)
void	preRemove(RealmModel realm)	Callback when a realm is removed.
void	preRemove(RealmModel realm, GroupModel group)	Callback when a group is removed.
void	preRemove(RealmModel realm, RoleModel role)	Callback when a role is removed.
protected UserModel	proxy(RealmModel realm, UserModel local, LDAPObject ldapObject, boolean newUser)
protected LDAPObject	queryByEmail(RealmModel realm, String email)
boolean	removeUser(RealmModel realm, UserModel user)	Called if user originated from this provider.
Stream<UserModel>	searchForUserByUserAttributeStream(RealmModel realm, String attrName, String attrValue)	Searches for users that have a specific attribute with a specific value.
Stream<UserModel>	searchForUserStream(RealmModel realm, String search, Integer firstResult, Integer maxResults)	Searches for users whose username, email, first name or last name contain any of the strings in search separated by whitespace.
Stream<UserModel>	searchForUserStream(RealmModel realm, Map<String,String> params, Integer firstResult, Integer maxResults)	Searches for user by parameter.
protected List<LDAPObject>	searchLDAP(RealmModel realm, Map<String,String> attributes)
void	setUpdater(PasswordUpdateCallback updater)
boolean	supportsCredentialAuthenticationFor(String type)
boolean	supportsCredentialType(String credentialType)
boolean	synchronizeRegistrations()
boolean	updateCredential(RealmModel realm, UserModel user, CredentialInput input)
UserModel	validate(RealmModel realm, UserModel local)	If this method returns null, then the user in local storage will be removed
boolean	validPassword(RealmModel realm, UserModel user, String password)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.keycloak.storage.user.UserLookupProvider

getUserByCredential

Methods inherited from interface org.keycloak.storage.user.UserQueryProvider

getGroupMembersStream, getRoleMembersStream, getUsersCount, getUsersCount, getUsersCount, getUsersCount, getUsersCount, getUsersCount, searchForUserStream, searchForUserStream

Field Detail

factory

protected LDAPStorageProviderFactory factory

session

protected KeycloakSession session

model

protected UserStorageProviderModel model

ldapIdentityStore

protected LDAPIdentityStore ldapIdentityStore

editMode

protected UserStorageProvider.EditMode editMode

kerberosConfig

protected LDAPProviderKerberosConfig kerberosConfig

updater

protected PasswordUpdateCallback updater

mapperManager

protected LDAPStorageMapperManager mapperManager

userManager

protected LDAPStorageUserManager userManager

supportedCredentialTypes

protected final Set<String> supportedCredentialTypes

Constructor Detail

LDAPStorageProvider

public LDAPStorageProvider(LDAPStorageProviderFactory factory,
                           KeycloakSession session,
                           ComponentModel model,
                           LDAPIdentityStore ldapIdentityStore)

Method Detail

setUpdater

public void setUpdater(PasswordUpdateCallback updater)

getSession

public KeycloakSession getSession()

getLdapIdentityStore

public LDAPIdentityStore getLdapIdentityStore()

getEditMode

public UserStorageProvider.EditMode getEditMode()

getModel

public UserStorageProviderModel getModel()

getMapperManager

public LDAPStorageMapperManager getMapperManager()

getUserManager

public LDAPStorageUserManager getUserManager()

validate

public UserModel validate(RealmModel realm,
                          UserModel local)

Description copied from interface: ImportedUserValidation

If this method returns null, then the user in local storage will be removed

Specified by:

validate in interface ImportedUserValidation

Returns:

null if user no longer valid

proxy

protected UserModel proxy(RealmModel realm,
                          UserModel local,
                          LDAPObject ldapObject,
                          boolean newUser)

supportsCredentialAuthenticationFor

public boolean supportsCredentialAuthenticationFor(String type)

Specified by:

supportsCredentialAuthenticationFor in interface CredentialAuthentication

searchForUserByUserAttributeStream

public Stream<UserModel> searchForUserByUserAttributeStream(RealmModel realm,
                                                            String attrName,
                                                            String attrValue)

Description copied from interface: UserQueryProvider

Searches for users that have a specific attribute with a specific value.

Specified by:

searchForUserByUserAttributeStream in interface UserQueryProvider

Parameters:

realm - a reference to the realm.

attrName - the attribute name.

attrValue - the attribute value.

Returns:

a non-null Stream of users that match the search criteria.

synchronizeRegistrations

public boolean synchronizeRegistrations()

addUser

public UserModel addUser(RealmModel realm,
                         String username)

Description copied from interface: UserRegistrationProvider

All storage providers that implement this interface will be looped through. If this method returns null, then the next storage provider's addUser() method will be called. If no storage providers handle the add, then the user will be created in local storage. Returning null is useful when you want optional support for adding users. For example, our LDAP provider can enable and disable the ability to add users.

Specified by:

addUser in interface UserRegistrationProvider

Parameters:

realm - a reference to the realm

username - a username the created user will be assigned

Returns:

a model of created user

removeUser

public boolean removeUser(RealmModel realm,
                          UserModel user)

Description copied from interface: UserRegistrationProvider

Called if user originated from this provider. If a local user is linked to this provider, this method will be called before local storage's removeUser() method is invoked. If you are using an import strategy, and this is a local user linked to this provider, this method will be called before local storage's removeUser() method is invoked. Also, you DO NOT need to remove the imported user. The runtime will handle this for you.

Specified by:

removeUser in interface UserRegistrationProvider

Parameters:

realm - a reference to the realm

user - a reference to the user that is removed

Returns:

true if the user was removed, false otherwise

getUserById

public UserModel getUserById(RealmModel realm,
                             String id)

Description copied from interface: UserLookupProvider

Returns a user with the given id belonging to the realm

Specified by:

getUserById in interface UserLookupProvider

Parameters:

realm - the realm model

id - id of the user

Returns:

found user model, or null if no such user exists

getUsersCount

public int getUsersCount(RealmModel realm)

Description copied from interface: UserQueryProvider

Returns the number of users, without consider any service account.

Specified by:

getUsersCount in interface UserQueryProvider

Parameters:

realm - the realm

Returns:

the number of users

getUsersStream

public Stream<UserModel> getUsersStream(RealmModel realm)

Description copied from interface: UserQueryProvider

Searches all users in the realm.

Specified by:

getUsersStream in interface UserQueryProvider

Parameters:

realm - a reference to the realm.

Returns:

a non-null Stream of users.

getUsersStream

public Stream<UserModel> getUsersStream(RealmModel realm,
                                        Integer firstResult,
                                        Integer maxResults)

Description copied from interface: UserQueryProvider

Searches all users in the realm, starting from the firstResult and containing at most maxResults.

Specified by:

getUsersStream in interface UserQueryProvider

Parameters:

realm - a reference to the realm.

firstResult - first result to return. Ignored if negative or null.

maxResults - maximum number of results to return. Ignored if negative or null.

Returns:

a non-null Stream of users.

searchForUserStream

public Stream<UserModel> searchForUserStream(RealmModel realm,
                                             String search,
                                             Integer firstResult,
                                             Integer maxResults)

Description copied from interface: UserQueryProvider

Searches for users whose username, email, first name or last name contain any of the strings in search separated by whitespace.

If possible, implementations should treat the parameter values as partial match patterns (i.e. in RDMBS terms use LIKE).

This method is used by the admin console search box

Specified by:

searchForUserStream in interface UserQueryProvider

Parameters:

realm - a reference to the realm.

search - case insensitive list of string separated by whitespaces.

firstResult - first result to return. Ignored if negative, zero, or null.

maxResults - maximum number of results to return. Ignored if negative or null.

Returns:

a non-null Stream of users that match the search criteria.

searchForUserStream

public Stream<UserModel> searchForUserStream(RealmModel realm,
                                             Map<String,String> params,
                                             Integer firstResult,
                                             Integer maxResults)

Description copied from interface: UserQueryProvider

Searches for user by parameter. If possible, implementations should treat the parameter values as partial match patterns (i.e. in RDMBS terms use LIKE).

Valid parameters are:

• UserModel.FIRST_NAME - first name (case insensitive string)
• UserModel.LAST_NAME - last name (case insensitive string)
• UserModel.EMAIL - email (case insensitive string)
• UserModel.USERNAME - username (case insensitive string)
• UserModel.EMAIL_VERIFIED - search only for users with verified/non-verified email (true/false)
• UserModel.ENABLED - search only for enabled/disabled users (true/false)
• UserModel.IDP_ALIAS - search only for users that have a federated identity from idp with the given alias configured (case sensitive string)
• UserModel.IDP_USER_ID - search for users with federated identity with the given userId (case sensitive string)

Any other parameters will be treated as custom user attributes. This method is used by the REST API when querying users.

Specified by:

searchForUserStream in interface UserQueryProvider

Parameters:

realm - a reference to the realm.

params - a map containing the search parameters.

firstResult - first result to return. Ignored if negative, zero, or null.

maxResults - maximum number of results to return. Ignored if negative or null.

Returns:

a non-null Stream of users that match the search criteria.

getGroupMembersStream

public Stream<UserModel> getGroupMembersStream(RealmModel realm,
                                               GroupModel group,
                                               Integer firstResult,
                                               Integer maxResults)

Description copied from interface: UserQueryProvider

Obtains users that belong to a specific group.

Specified by:

getGroupMembersStream in interface UserQueryProvider

Parameters:

realm - a reference to the realm.

group - a reference to the group.

firstResult - first result to return. Ignored if negative, zero, or null.

maxResults - maximum number of results to return. Ignored if negative or null.

Returns:

a non-null Stream of users that belong to the group.

getRoleMembersStream

public Stream<UserModel> getRoleMembersStream(RealmModel realm,
                                              RoleModel role,
                                              Integer firstResult,
                                              Integer maxResults)

Description copied from interface: UserQueryProvider

Searches for users that have the specified role.

Specified by:

getRoleMembersStream in interface UserQueryProvider

Parameters:

realm - a reference to the realm.

role - a reference to the role.

firstResult - first result to return. Ignored if negative or null.

maxResults - maximum number of results to return. Ignored if negative or null.

Returns:

a non-null Stream of users that have the specified role.

loadUsersByUsernames

public List<UserModel> loadUsersByUsernames(List<String> usernames,
                                            RealmModel realm)

searchLDAP

protected List<LDAPObject> searchLDAP(RealmModel realm,
                                      Map<String,String> attributes)

loadAndValidateUser

protected LDAPObject loadAndValidateUser(RealmModel realm,
                                         UserModel local)

Parameters:

local -

Returns:

ldapUser corresponding to local user or null if user is no longer in LDAP

getUserByUsername

public UserModel getUserByUsername(RealmModel realm,
                                   String username)

Description copied from interface: UserLookupProvider

Exact search for a user by its username. Returns a user with the given username belonging to the realm

Specified by:

getUserByUsername in interface UserLookupProvider

Parameters:

realm - the realm model

username - (case-sensitivity is controlled by storage)

Returns:

found user model, or null if no such user exists

importUserFromLDAP

protected UserModel importUserFromLDAP(KeycloakSession session,
                                       RealmModel realm,
                                       LDAPObject ldapUser)

queryByEmail

protected LDAPObject queryByEmail(RealmModel realm,
                                  String email)

getUserByEmail

public UserModel getUserByEmail(RealmModel realm,
                                String email)

Description copied from interface: UserLookupProvider

Returns a user with the given email belonging to the realm

Specified by:

getUserByEmail in interface UserLookupProvider

Parameters:

realm - the realm model

email - email address

Returns:

found user model, or null if no such user exists

preRemove

public void preRemove(RealmModel realm)

Description copied from interface: UserStorageProvider

Callback when a realm is removed. Implement this if, for example, you want to do some cleanup in your user storage when a realm is removed

Specified by:

preRemove in interface UserStorageProvider

preRemove

public void preRemove(RealmModel realm,
                      RoleModel role)

Description copied from interface: UserStorageProvider

Callback when a role is removed. Allows you to do things like remove a user role mapping in your external store if appropriate

Specified by:

preRemove in interface UserStorageProvider

preRemove

public void preRemove(RealmModel realm,
                      GroupModel group)

Description copied from interface: UserStorageProvider

Callback when a group is removed. Allows you to do things like remove a user group mapping in your external store if appropriate

Specified by:

preRemove in interface UserStorageProvider

validPassword

public boolean validPassword(RealmModel realm,
                             UserModel user,
                             String password)

updateCredential

public boolean updateCredential(RealmModel realm,
                                UserModel user,
                                CredentialInput input)

Specified by:

updateCredential in interface CredentialInputUpdater

disableCredentialType

public void disableCredentialType(RealmModel realm,
                                  UserModel user,
                                  String credentialType)

Specified by:

disableCredentialType in interface CredentialInputUpdater

getDisableableCredentialTypesStream

public Stream<String> getDisableableCredentialTypesStream(RealmModel realm,
                                                          UserModel user)

Description copied from interface: CredentialInputUpdater

Obtains the set of credential types that can be disabled via disableCredentialType.

Specified by:

getDisableableCredentialTypesStream in interface CredentialInputUpdater

Parameters:

realm - a reference to the realm.

user - the user whose credentials are being searched.

Returns:

a non-null Stream of credential types.

getSupportedCredentialTypes

public Set<String> getSupportedCredentialTypes()

supportsCredentialType

public boolean supportsCredentialType(String credentialType)

Specified by:

supportsCredentialType in interface CredentialInputUpdater

Specified by:

supportsCredentialType in interface CredentialInputValidator

isConfiguredFor

public boolean isConfiguredFor(RealmModel realm,
                               UserModel user,
                               String credentialType)

Specified by:

isConfiguredFor in interface CredentialInputValidator

isValid

public boolean isValid(RealmModel realm,
                       UserModel user,
                       CredentialInput input)

Description copied from interface: CredentialInputValidator

Tests whether a credential is valid

Specified by:

isValid in interface CredentialInputValidator

Parameters:

realm - The realm in which to which the credential belongs to

user - The user for which to test the credential

input - the credential details to verify

Returns:

true if the passed secret is correct

authenticate

public CredentialValidationOutput authenticate(RealmModel realm,
                                               CredentialInput cred)

Specified by:

authenticate in interface CredentialAuthentication

close

public void close()

Specified by:

close in interface Provider

findOrCreateAuthenticatedUser

protected UserModel findOrCreateAuthenticatedUser(RealmModel realm,
                                                  String username)

Called after successful kerberos authentication

Parameters:

realm - realm

username - username without realm prefix

Returns:

finded or newly created user

loadLDAPUserByUsername

public LDAPObject loadLDAPUserByUsername(RealmModel realm,
                                         String username)

loadLDAPUserByUuid

public LDAPObject loadLDAPUserByUuid(RealmModel realm,
                                     String uuid)