Package org.keycloak.storage.ldap
Class LDAPStorageProvider
- java.lang.Object
  - org.keycloak.storage.ldap.LDAPStorageProvider
- All Implemented Interfaces: CredentialAuthentication, CredentialInputUpdater, CredentialInputValidator, Provider, ImportedUserValidation, UserLookupProvider, UserQueryProvider, UserRegistrationProvider, UserStorageProvider
public class LDAPStorageProvider extends Object implements UserStorageProvider, CredentialInputValidator, CredentialInputUpdater, CredentialAuthentication, UserLookupProvider, UserRegistrationProvider, UserQueryProvider, ImportedUserValidation
- Version: $Revision: 1 $
- Author: Marek Posolda, Bill Burke
-
-
Nested Class Summary
-
Nested classes/interfaces inherited from interface org.keycloak.credential.CredentialInputUpdater
CredentialInputUpdater.Streams
-
Nested classes/interfaces inherited from interface org.keycloak.storage.user.UserLookupProvider
UserLookupProvider.Streams
-
Nested classes/interfaces inherited from interface org.keycloak.storage.user.UserQueryProvider
UserQueryProvider.Streams
-
Nested classes/interfaces inherited from interface org.keycloak.storage.UserStorageProvider
UserStorageProvider.EditMode
-
-
Field Summary
Fields (modifier and type, name)
protected UserStorageProvider.EditMode editMode
protected LDAPStorageProviderFactory factory
protected LDAPProviderKerberosConfig kerberosConfig
protected LDAPIdentityStore ldapIdentityStore
protected LDAPStorageMapperManager mapperManager
protected UserStorageProviderModel model
protected KeycloakSession session
protected Set<String> supportedCredentialTypes
protected PasswordUpdateCallback updater
protected LDAPStorageUserManager userManager
-
Constructor Summary
Constructors
LDAPStorageProvider(LDAPStorageProviderFactory factory, KeycloakSession session, ComponentModel model, LDAPIdentityStore ldapIdentityStore)
-
Method Summary
All Methods (instance methods, concrete methods): modifier and type, method, description
UserModel addUser(RealmModel realm, String username)
    All storage providers that implement this interface will be looped through.
CredentialValidationOutput authenticate(RealmModel realm, CredentialInput cred)
void close()
void disableCredentialType(RealmModel realm, UserModel user, String credentialType)
protected UserModel findOrCreateAuthenticatedUser(RealmModel realm, String username)
    Called after successful Kerberos authentication.
Stream<String> getDisableableCredentialTypesStream(RealmModel realm, UserModel user)
    Obtains the set of credential types that can be disabled via disableCredentialType.
UserStorageProvider.EditMode getEditMode()
Stream<UserModel> getGroupMembersStream(RealmModel realm, GroupModel group, Integer firstResult, Integer maxResults)
    Obtains users that belong to a specific group.
LDAPIdentityStore getLdapIdentityStore()
LDAPStorageMapperManager getMapperManager()
UserStorageProviderModel getModel()
Stream<UserModel> getRoleMembersStream(RealmModel realm, RoleModel role, Integer firstResult, Integer maxResults)
    Searches for users that have the specified role.
KeycloakSession getSession()
Set<String> getSupportedCredentialTypes()
UserModel getUserByEmail(RealmModel realm, String email)
    Returns a user with the given email belonging to the realm.
UserModel getUserById(RealmModel realm, String id)
    Returns a user with the given id belonging to the realm.
UserModel getUserByUsername(RealmModel realm, String username)
    Exact search for a user by its username.
LDAPStorageUserManager getUserManager()
int getUsersCount(RealmModel realm)
    Returns the number of users, without considering any service account.
Stream<UserModel> getUsersStream(RealmModel realm)
    Searches all users in the realm.
Stream<UserModel> getUsersStream(RealmModel realm, Integer firstResult, Integer maxResults)
    Searches all users in the realm, starting from the firstResult and containing at most maxResults.
protected UserModel importUserFromLDAP(KeycloakSession session, RealmModel realm, LDAPObject ldapUser)
boolean isConfiguredFor(RealmModel realm, UserModel user, String credentialType)
boolean isValid(RealmModel realm, UserModel user, CredentialInput input)
    Tests whether a credential is valid.
protected LDAPObject loadAndValidateUser(RealmModel realm, UserModel local)
LDAPObject loadLDAPUserByUsername(RealmModel realm, String username)
LDAPObject loadLDAPUserByUuid(RealmModel realm, String uuid)
List<UserModel> loadUsersByUsernames(List<String> usernames, RealmModel realm)
void preRemove(RealmModel realm)
    Callback when a realm is removed.
void preRemove(RealmModel realm, GroupModel group)
    Callback when a group is removed.
void preRemove(RealmModel realm, RoleModel role)
    Callback when a role is removed.
protected UserModel proxy(RealmModel realm, UserModel local, LDAPObject ldapObject, boolean newUser)
protected LDAPObject queryByEmail(RealmModel realm, String email)
boolean removeUser(RealmModel realm, UserModel user)
    Called if the user originated from this provider.
Stream<UserModel> searchForUserByUserAttributeStream(RealmModel realm, String attrName, String attrValue)
    Searches for users that have a specific attribute with a specific value.
Stream<UserModel> searchForUserStream(RealmModel realm, String search, Integer firstResult, Integer maxResults)
    Searches for users whose username, email, first name or last name contain any of the strings in search separated by whitespace.
Stream<UserModel> searchForUserStream(RealmModel realm, Map<String,String> params, Integer firstResult, Integer maxResults)
    Searches for users by parameter.
protected List<LDAPObject> searchLDAP(RealmModel realm, Map<String,String> attributes)
void setUpdater(PasswordUpdateCallback updater)
boolean supportsCredentialAuthenticationFor(String type)
boolean supportsCredentialType(String credentialType)
boolean synchronizeRegistrations()
boolean updateCredential(RealmModel realm, UserModel user, CredentialInput input)
UserModel validate(RealmModel realm, UserModel local)
    If this method returns null, then the user in local storage will be removed.
boolean validPassword(RealmModel realm, UserModel user, String password)
-
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
-
Methods inherited from interface org.keycloak.storage.user.UserLookupProvider
getUserByCredential
-
Methods inherited from interface org.keycloak.storage.user.UserQueryProvider
getGroupMembersStream, getRoleMembersStream, getUsersCount, getUsersCount, getUsersCount, getUsersCount, getUsersCount, getUsersCount, searchForUserStream, searchForUserStream
-
Field Detail
-
factory
protected LDAPStorageProviderFactory factory
-
session
protected KeycloakSession session
-
model
protected UserStorageProviderModel model
-
ldapIdentityStore
protected LDAPIdentityStore ldapIdentityStore
-
editMode
protected UserStorageProvider.EditMode editMode
-
kerberosConfig
protected LDAPProviderKerberosConfig kerberosConfig
-
updater
protected PasswordUpdateCallback updater
-
mapperManager
protected LDAPStorageMapperManager mapperManager
-
userManager
protected LDAPStorageUserManager userManager
-
-
Constructor Detail
-
LDAPStorageProvider
public LDAPStorageProvider(LDAPStorageProviderFactory factory, KeycloakSession session, ComponentModel model, LDAPIdentityStore ldapIdentityStore)
-
-
Method Detail
-
setUpdater
public void setUpdater(PasswordUpdateCallback updater)
-
getSession
public KeycloakSession getSession()
-
getLdapIdentityStore
public LDAPIdentityStore getLdapIdentityStore()
-
getEditMode
public UserStorageProvider.EditMode getEditMode()
-
getModel
public UserStorageProviderModel getModel()
-
getMapperManager
public LDAPStorageMapperManager getMapperManager()
-
getUserManager
public LDAPStorageUserManager getUserManager()
-
validate
public UserModel validate(RealmModel realm, UserModel local)
Description copied from interface: ImportedUserValidation
If this method returns null, then the user in local storage will be removed.
- Specified by: validate in interface ImportedUserValidation
- Returns: null if the user is no longer valid
-
proxy
protected UserModel proxy(RealmModel realm, UserModel local, LDAPObject ldapObject, boolean newUser)
-
supportsCredentialAuthenticationFor
public boolean supportsCredentialAuthenticationFor(String type)
- Specified by: supportsCredentialAuthenticationFor in interface CredentialAuthentication
-
searchForUserByUserAttributeStream
public Stream<UserModel> searchForUserByUserAttributeStream(RealmModel realm, String attrName, String attrValue)
Description copied from interface: UserQueryProvider
Searches for users that have a specific attribute with a specific value.
- Specified by: searchForUserByUserAttributeStream in interface UserQueryProvider
- Parameters:
  realm - a reference to the realm.
  attrName - the attribute name.
  attrValue - the attribute value.
- Returns: a non-null Stream of users that match the search criteria.
-
synchronizeRegistrations
public boolean synchronizeRegistrations()
-
addUser
public UserModel addUser(RealmModel realm, String username)
Description copied from interface: UserRegistrationProvider
All storage providers that implement this interface will be looped through. If this method returns null, then the next storage provider's addUser() method will be called. If no storage provider handles the add, then the user will be created in local storage. Returning null is useful when you want optional support for adding users. For example, our LDAP provider can enable and disable the ability to add users.
- Specified by: addUser in interface UserRegistrationProvider
- Parameters:
  realm - a reference to the realm
  username - the username the created user will be assigned
- Returns: a model of the created user
-
removeUser
public boolean removeUser(RealmModel realm, UserModel user)
Description copied from interface: UserRegistrationProvider
Called if the user originated from this provider. If a local user is linked to this provider (for example because it was imported with an import strategy), this method will be called before local storage's removeUser() method is invoked. You DO NOT need to remove the imported user yourself; the runtime will handle this for you.
- Specified by: removeUser in interface UserRegistrationProvider
- Parameters:
  realm - a reference to the realm
  user - a reference to the user that is removed
- Returns: true if the user was removed, false otherwise
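The two registration contracts above (addUser() returning null to pass the add along the provider chain, removeUser() being called before the runtime drops the imported copy) and the ImportedUserValidation.validate() contract described earlier, as an added example that is not Keycloak's own LDAPStorageProvider. ExampleRegistrationProvider, the in-memory ExternalDirectory stand-in for the backend, and the assumption that AbstractUserAdapter only needs getUsername() overridden are all constructed for this example.

```java
package com.example.keycloak.storage; // hypothetical package, not part of Keycloak

import org.keycloak.component.ComponentModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.storage.UserStorageProvider;
import org.keycloak.storage.adapter.AbstractUserAdapter;
import org.keycloak.storage.user.ImportedUserValidation;
import org.keycloak.storage.user.UserRegistrationProvider;

import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Added example, not Keycloak's LDAPStorageProvider: the smallest provider that honours the
 * UserRegistrationProvider and ImportedUserValidation contracts quoted in the Javadoc.
 * ExternalDirectory stands in for the real backend.
 */
public class ExampleRegistrationProvider
        implements UserStorageProvider, UserRegistrationProvider, ImportedUserValidation {

    /** In-memory stand-in for the external store (constructed for the example): username -> DN. */
    static final class ExternalDirectory {
        private final Map<String, String> entries = new ConcurrentHashMap<>();
        boolean contains(String username) { return entries.containsKey(username); }
        void create(String username) { entries.put(username, "uid=" + username + ",ou=people,dc=example,dc=org"); }
        boolean delete(String username) { return entries.remove(username) != null; }
    }

    private final KeycloakSession session;
    private final ComponentModel model;
    private final ExternalDirectory directory;
    private final UserStorageProvider.EditMode editMode;

    public ExampleRegistrationProvider(KeycloakSession session, ComponentModel model,
                                       ExternalDirectory directory, UserStorageProvider.EditMode editMode) {
        this.session = session;
        this.model = model;
        this.directory = directory;
        this.editMode = editMode;
    }

    /**
     * Chain contract: return null and the runtime asks the next UserRegistrationProvider and,
     * failing that, local storage. A provider that is not writable must therefore return null,
     * not throw, or self-registration breaks for the whole realm.
     */
    @Override
    public UserModel addUser(RealmModel realm, String username) {
        if (editMode != UserStorageProvider.EditMode.WRITABLE) {
            return null;
        }
        directory.create(username);
        return adapt(realm, username);
    }

    /**
     * Called only for users that originated here, before local storage removes the imported copy
     * (the runtime does that itself). Returning false keeps the external entry and reports failure
     * instead of silently claiming success on a read-only backend.
     */
    @Override
    public boolean removeUser(RealmModel realm, UserModel user) {
        if (editMode != UserStorageProvider.EditMode.WRITABLE) {
            return false;
        }
        return directory.delete(user.getUsername());
    }

    /**
     * ImportedUserValidation contract: null means "no longer valid" and the runtime removes the
     * imported local user. This is what makes an account deprovisioned upstream stop working here
     * instead of living on as a stale local copy.
     */
    @Override
    public UserModel validate(RealmModel realm, UserModel local) {
        if (!directory.contains(local.getUsername())) {
            return null;
        }
        return local; // a real provider returns a proxy that refreshes attributes from the backend
    }

    /** Minimal read-only UserModel. That AbstractUserAdapter needs only getUsername() is an assumption here. */
    private UserModel adapt(RealmModel realm, String username) {
        return new AbstractUserAdapter(session, realm, model) {
            @Override
            public String getUsername() {
                return username;
            }
        };
    }

    @Override
    public void close() {
    }
}
```

The point to carry over to a real provider is the asymmetry: a backend that cannot create users opts out of addUser() by returning null so that registration still works elsewhere, but it must report false (not null, not silent success) from removeUser(), and validate() must return null rather than the stale local user once the backend no longer knows the account.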
-
getUserById
public UserModel getUserById(RealmModel realm, String id)
Description copied from interface: UserLookupProvider
Returns a user with the given id belonging to the realm.
- Specified by: getUserById in interface UserLookupProvider
- Parameters:
  realm - the realm model
  id - id of the user
- Returns: found user model, or null if no such user exists
-
getUsersCount
public int getUsersCount(RealmModel realm)
Description copied from interface: UserQueryProvider
Returns the number of users, without considering any service account.
- Specified by: getUsersCount in interface UserQueryProvider
- Parameters:
  realm - the realm
- Returns: the number of users
-
getUsersStream
public Stream<UserModel> getUsersStream(RealmModel realm)
Description copied from interface: UserQueryProvider
Searches all users in the realm.
- Specified by: getUsersStream in interface UserQueryProvider
- Parameters:
  realm - a reference to the realm.
- Returns: a non-null Stream of users.
-
getUsersStream
public Stream<UserModel> getUsersStream(RealmModel realm, Integer firstResult, Integer maxResults)
Description copied from interface: UserQueryProvider
Searches all users in the realm, starting from the firstResult and containing at most maxResults.
- Specified by: getUsersStream in interface UserQueryProvider
- Parameters:
  realm - a reference to the realm.
  firstResult - first result to return. Ignored if negative or null.
  maxResults - maximum number of results to return. Ignored if negative or null.
- Returns: a non-null Stream of users.
-
searchForUserStream
public Stream<UserModel> searchForUserStream(RealmModel realm, String search, Integer firstResult, Integer maxResults)
Description copied from interface: UserQueryProvider
Searches for users whose username, email, first name or last name contain any of the strings in search separated by whitespace. If possible, implementations should treat the parameter values as partial match patterns (i.e. in RDBMS terms use LIKE). This method is used by the admin console search box.
- Specified by: searchForUserStream in interface UserQueryProvider
- Parameters:
  realm - a reference to the realm.
  search - case-insensitive list of strings separated by whitespace.
  firstResult - first result to return. Ignored if negative, zero, or null.
  maxResults - maximum number of results to return. Ignored if negative or null.
- Returns: a non-null Stream of users that match the search criteria.
-
searchForUserStream
public Stream<UserModel> searchForUserStream(RealmModel realm, Map<String,String> params, Integer firstResult, Integer maxResults)
Description copied from interface: UserQueryProvider
Searches for users by parameter. If possible, implementations should treat the parameter values as partial match patterns (i.e. in RDBMS terms use LIKE). Valid parameters are:
- UserModel.FIRST_NAME - first name (case insensitive string)
- UserModel.LAST_NAME - last name (case insensitive string)
- UserModel.EMAIL - email (case insensitive string)
- UserModel.USERNAME - username (case insensitive string)
- UserModel.EMAIL_VERIFIED - search only for users with verified/non-verified email (true/false)
- UserModel.ENABLED - search only for enabled/disabled users (true/false)
- UserModel.IDP_ALIAS - search only for users that have a federated identity from the idp with the given alias configured (case sensitive string)
- UserModel.IDP_USER_ID - search for users with a federated identity with the given userId (case sensitive string)
- Specified by: searchForUserStream in interface UserQueryProvider
- Parameters:
  realm - a reference to the realm.
  params - a map containing the search parameters.
  firstResult - first result to return. Ignored if negative, zero, or null.
  maxResults - maximum number of results to return. Ignored if negative or null.
- Returns: a non-null Stream of users that match the search criteria.
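Both searchForUserStream() contracts above (the whitespace-separated free-text search and the parameter map) end up as an LDAP search filter in a provider like this one, and the values come straight from the admin console or a login form. As an added example that is not Keycloak's searchLDAP(), the following builds both filters with RFC 4515 escaping so that a value can never add or rewrite a filter clause. The class name LdapSearchFilters, the UserModel-parameter-to-LDAP-attribute mapping (uid, mail, givenName, sn) and the objectClass argument are assumptions made for the example; a real deployment takes the mapping from its user attribute mappers.

```java
package com.example.keycloak.storage; // hypothetical package, not part of Keycloak

import org.keycloak.models.UserModel;

import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example, not Keycloak's searchLDAP(): the filter side of the two
 * searchForUserStream() contracts, with RFC 4515 escaping so that a value typed
 * into the admin console can only ever be matched as data.
 */
public final class LdapSearchFilters {

    /** Keycloak search parameter -> LDAP attribute. Assumed mapping for the example. */
    static final Map<String, String> ATTRIBUTE_MAP = new LinkedHashMap<>();
    static {
        ATTRIBUTE_MAP.put(UserModel.USERNAME, "uid");
        ATTRIBUTE_MAP.put(UserModel.EMAIL, "mail");
        ATTRIBUTE_MAP.put(UserModel.FIRST_NAME, "givenName");
        ATTRIBUTE_MAP.put(UserModel.LAST_NAME, "sn");
    }

    /** RFC 4515 section 3: the characters that change filter meaning, written as \xx escapes. */
    static String escape(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** "LIKE"-style partial match: the wildcards are ours, the text between them is escaped data. */
    static String contains(String attribute, String value) {
        return "(" + attribute + "=*" + escape(value) + "*)";
    }

    /**
     * searchForUserStream(realm, search, ...): every whitespace-separated token must match at
     * least one of username, email, first name or last name, i.e. AND over tokens of OR over attributes.
     * An empty or blank search yields "(&(objectClass=...))", which lists everyone, as the contract allows.
     */
    public static String forFreeText(String search, String objectClass) {
        StringBuilder filter = new StringBuilder("(&(objectClass=").append(escape(objectClass)).append(")");
        for (String token : search.trim().split("\\s+")) {
            if (token.isEmpty()) continue;
            filter.append("(|");
            for (String attr : ATTRIBUTE_MAP.values()) filter.append(contains(attr, token));
            filter.append(")");
        }
        return filter.append(")").toString();
    }

    /**
     * searchForUserStream(realm, params, ...): only parameters with a mapped LDAP attribute go into
     * the filter. UserModel.ENABLED, EMAIL_VERIFIED, IDP_ALIAS and IDP_USER_ID describe Keycloak-side
     * state and are left for the caller to apply to the returned users; unknown keys are dropped,
     * never interpolated.
     */
    public static String forParams(Map<String, String> params, String objectClass) {
        StringBuilder filter = new StringBuilder("(&(objectClass=").append(escape(objectClass)).append(")");
        for (Map.Entry<String, String> p : params.entrySet()) {
            String attr = ATTRIBUTE_MAP.get(p.getKey());
            if (attr == null || p.getValue() == null || p.getValue().isEmpty()) continue;
            filter.append(contains(attr, p.getValue()));
        }
        return filter.append(")").toString();
    }

    public static void main(String[] args) {
        // Constructed inputs: an ordinary admin-console search, then an injection attempt whose
        // "*)(uid=*" is escaped into a literal substring and cannot open a new clause.
        System.out.println(forFreeText("alice smith", "inetOrgPerson"));
        System.out.println(forFreeText("*)(uid=*", "inetOrgPerson"));

        Map<String, String> params = new LinkedHashMap<>();
        params.put(UserModel.EMAIL, "@example.org");
        params.put(UserModel.ENABLED, "true"); // not mapped: stays out of the LDAP filter
        System.out.println(forParams(params, "inetOrgPerson"));
    }
}
```

The check a practitioner wants here is that escape() is applied to every value and to nothing else: the wildcards in contains() are the provider's own "LIKE" semantics from the contract, while the user-supplied text between them is escaped, so an attacker's `*` or `)` is matched literally rather than widening the search or terminating the clause.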
-
getGroupMembersStream
public Stream<UserModel> getGroupMembersStream(RealmModel realm, GroupModel group, Integer firstResult, Integer maxResults)
Description copied from interface: UserQueryProvider
Obtains users that belong to a specific group.
- Specified by: getGroupMembersStream in interface UserQueryProvider
- Parameters:
  realm - a reference to the realm.
  group - a reference to the group.
  firstResult - first result to return. Ignored if negative, zero, or null.
  maxResults - maximum number of results to return. Ignored if negative or null.
- Returns: a non-null Stream of users that belong to the group.
-
getRoleMembersStream
public Stream<UserModel> getRoleMembersStream(RealmModel realm, RoleModel role, Integer firstResult, Integer maxResults)
Description copied from interface: UserQueryProvider
Searches for users that have the specified role.
- Specified by: getRoleMembersStream in interface UserQueryProvider
- Parameters:
  realm - a reference to the realm.
  role - a reference to the role.
  firstResult - first result to return. Ignored if negative or null.
  maxResults - maximum number of results to return. Ignored if negative or null.
- Returns: a non-null Stream of users that have the specified role.
-
loadUsersByUsernames
public List<UserModel> loadUsersByUsernames(List<String> usernames, RealmModel realm)
-
searchLDAP
protected List<LDAPObject> searchLDAP(RealmModel realm, Map<String,String> attributes)
-
loadAndValidateUser
protected LDAPObject loadAndValidateUser(RealmModel realm, UserModel local)
- Parameters:
  realm - the realm
  local - the local (imported) user to look up in LDAP
- Returns: the ldapUser corresponding to the local user, or null if the user is no longer in LDAP
-
getUserByUsername
public UserModel getUserByUsername(RealmModel realm, String username)
Description copied from interface: UserLookupProvider
Exact search for a user by its username. Returns a user with the given username belonging to the realm.
- Specified by: getUserByUsername in interface UserLookupProvider
- Parameters:
  realm - the realm model
  username - the username (case-sensitivity is controlled by storage)
- Returns: found user model, or null if no such user exists
-
importUserFromLDAP
protected UserModel importUserFromLDAP(KeycloakSession session, RealmModel realm, LDAPObject ldapUser)
-
queryByEmail
protected LDAPObject queryByEmail(RealmModel realm, String email)
-
getUserByEmail
public UserModel getUserByEmail(RealmModel realm, String email)
Description copied from interface: UserLookupProvider
Returns a user with the given email belonging to the realm.
- Specified by: getUserByEmail in interface UserLookupProvider
- Parameters:
  realm - the realm model
  email - email address
- Returns: found user model, or null if no such user exists
-
preRemove
public void preRemove(RealmModel realm)
Description copied from interface: UserStorageProvider
Callback when a realm is removed. Implement this if, for example, you want to do some cleanup in your user storage when a realm is removed.
- Specified by: preRemove in interface UserStorageProvider
-
preRemove
public void preRemove(RealmModel realm, RoleModel role)
Description copied from interface: UserStorageProvider
Callback when a role is removed. Allows you to do things like remove a user role mapping in your external store if appropriate.
- Specified by: preRemove in interface UserStorageProvider
-
preRemove
public void preRemove(RealmModel realm, GroupModel group)
Description copied from interface: UserStorageProvider
Callback when a group is removed. Allows you to do things like remove a user group mapping in your external store if appropriate.
- Specified by: preRemove in interface UserStorageProvider
-
validPassword
public boolean validPassword(RealmModel realm, UserModel user, String password)
-
updateCredential
public boolean updateCredential(RealmModel realm, UserModel user, CredentialInput input)
- Specified by: updateCredential in interface CredentialInputUpdater
-
disableCredentialType
public void disableCredentialType(RealmModel realm, UserModel user, String credentialType)
- Specified by: disableCredentialType in interface CredentialInputUpdater
-
getDisableableCredentialTypesStream
public Stream<String> getDisableableCredentialTypesStream(RealmModel realm, UserModel user)
Description copied from interface: CredentialInputUpdater
Obtains the set of credential types that can be disabled via disableCredentialType.
- Specified by: getDisableableCredentialTypesStream in interface CredentialInputUpdater
- Parameters:
  realm - a reference to the realm.
  user - the user whose credentials are being searched.
- Returns: a non-null Stream of credential types.
-
supportsCredentialType
public boolean supportsCredentialType(String credentialType)
- Specified by: supportsCredentialType in interface CredentialInputUpdater
- Specified by: supportsCredentialType in interface CredentialInputValidator
-
isConfiguredFor
public boolean isConfiguredFor(RealmModel realm, UserModel user, String credentialType)
- Specified by: isConfiguredFor in interface CredentialInputValidator
-
isValid
public boolean isValid(RealmModel realm, UserModel user, CredentialInput input)
Description copied from interface: CredentialInputValidator
Tests whether a credential is valid.
- Specified by: isValid in interface CredentialInputValidator
- Parameters:
  realm - the realm to which the credential belongs
  user - the user for which to test the credential
  input - the credential details to verify
- Returns: true if the passed secret is correct
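The CredentialInputValidator contract above (supportsCredentialType, isConfiguredFor, isValid), as an added example that is not Keycloak's isValid()/validPassword(): a validator that checks the password by binding to the directory as the user, which is how an LDAP-backed provider verifies a password without ever reading the hash. The class name BindPasswordValidator, the ldapUrl, reading the entry DN from a user attribute named LDAP_ENTRY_DN, and the use of plain JNDI for the bind are assumptions made for the example. It also handles the failure mode a practitioner wants covered: an empty password must be rejected before the bind, because a simple bind with a DN and an empty password is an unauthenticated bind (RFC 4513 section 5.1.2) that some servers accept.

```java
package com.example.keycloak.storage; // hypothetical package, not part of Keycloak

import org.keycloak.credential.CredentialInput;
import org.keycloak.credential.CredentialInputValidator;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.credential.PasswordCredentialModel;

import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;
import java.util.Hashtable;

/**
 * Added example, not Keycloak's code: the CredentialInputValidator contract for a password
 * that is checked by binding to the directory as the user. Class name, LDAP_ENTRY_DN attribute
 * and the JNDI bind are assumptions of this example.
 */
public class BindPasswordValidator implements CredentialInputValidator {

    /** Use ldaps:// (or StartTLS) here; a simple bind sends the password to the server as-is. */
    private final String ldapUrl;

    public BindPasswordValidator(String ldapUrl) {
        this.ldapUrl = ldapUrl;
    }

    @Override
    public boolean supportsCredentialType(String credentialType) {
        return PasswordCredentialModel.TYPE.equals(credentialType);
    }

    /** Only users that came from a storage provider can have their password checked against the directory. */
    @Override
    public boolean isConfiguredFor(RealmModel realm, UserModel user, String credentialType) {
        return supportsCredentialType(credentialType) && user.getFederationLink() != null;
    }

    @Override
    public boolean isValid(RealmModel realm, UserModel user, CredentialInput input) {
        if (!supportsCredentialType(input.getType())) {
            return false;
        }
        String password = input.getChallengeResponse();
        // Caveat: a simple bind with a DN and an empty password is an "unauthenticated bind"
        // (RFC 4513 section 5.1.2) and some servers let it succeed. Refuse before touching the
        // directory, or "no password" would be reported as a correct password.
        if (password == null || password.isEmpty()) {
            return false;
        }
        String dn = userDn(user);
        return dn != null && bind(dn, password);
    }

    /** Assumed for the example: the entry DN was stored on the user as an attribute at import time. */
    String userDn(UserModel user) {
        return user.getFirstAttribute("LDAP_ENTRY_DN");
    }

    /** Simple bind as the user. Success means the password is right; AuthenticationException means it is wrong. */
    boolean bind(String dn, String password) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        try {
            new InitialDirContext(env).close();
            return true;
        } catch (AuthenticationException e) {
            return false; // wrong password: an expected outcome, not an error
        } catch (NamingException e) {
            // A connectivity or server error must not be reported as "invalid credentials",
            // otherwise an outage looks like a wave of failed logins and is investigated as such.
            throw new IllegalStateException("LDAP bind failed for a reason other than bad credentials", e);
        }
    }
}
```

Two design choices are deliberate: the empty-password check sits in isValid() rather than relying on the server's policy, because the contract's "true if the passed secret is correct" must hold regardless of how the directory treats unauthenticated binds; and only AuthenticationException maps to false, so that a server that is down or misconfigured surfaces as an error instead of being indistinguishable from a bad password.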
-
authenticate
public CredentialValidationOutput authenticate(RealmModel realm, CredentialInput cred)
- Specified by: authenticate in interface CredentialAuthentication
-
findOrCreateAuthenticatedUser
protected UserModel findOrCreateAuthenticatedUser(RealmModel realm, String username)
Called after successful Kerberos authentication.
- Parameters:
  realm - the realm
  username - username without the realm prefix
- Returns: the found or newly created user
-
loadLDAPUserByUsername
public LDAPObject loadLDAPUserByUsername(RealmModel realm, String username)
-
loadLDAPUserByUuid
public LDAPObject loadLDAPUserByUuid(RealmModel realm, String uuid)