Package org.keycloak.storage.ldap

Class LDAPStorageProvider

java.lang.Object

org.keycloak.storage.ldap.LDAPStorageProvider

All Implemented Interfaces:

CredentialAuthentication, CredentialInputUpdater, CredentialInputValidator, Provider, ImportedUserValidation, UserLookupProvider, UserQueryMethodsProvider, UserRegistrationProvider, UserStorageProvider, UserProfileDecorator

public class LDAPStorageProvider
extends Object
implements UserStorageProvider, CredentialInputValidator, CredentialInputUpdater, CredentialAuthentication, UserLookupProvider, UserRegistrationProvider, UserQueryMethodsProvider, ImportedUserValidation, UserProfileDecorator

Version:

$Revision: 1 $

Author:

Marek Posolda, Bill Burke

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
protected static enum	LDAPStorageProvider.ImportType

Nested classes/interfaces inherited from interface org.keycloak.storage.UserStorageProvider

UserStorageProvider.EditMode

Field Summary

Fields

Modifier and Type	Field	Description
protected UserStorageProvider.EditMode	editMode
protected LDAPStorageProviderFactory	factory
protected LDAPProviderKerberosConfig	kerberosConfig
protected LDAPIdentityStore	ldapIdentityStore
protected LDAPStorageMapperManager	mapperManager
protected UserStorageProviderModel	model
protected KeycloakSession	session
protected final Set<String>	supportedCredentialTypes
protected PasswordUpdateCallback	updater
protected LDAPStorageUserManager	userManager

Constructor Summary

Constructors

Constructor	Description
LDAPStorageProvider(LDAPStorageProviderFactory factory, KeycloakSession session, ComponentModel model, LDAPIdentityStore ldapIdentityStore)

Method Summary

Modifier and Type	Method	Description
UserModel	addUser(RealmModel realm, String username)	All storage providers that implement this interface will be looped through.
CredentialValidationOutput	authenticate(RealmModel realm, CredentialInput cred)
void	close()
List<AttributeMetadata>	decorateUserProfile(String providerId, UserProfileMetadata metadata)	Decorates user profile with additional metadata.
void	disableCredentialType(RealmModel realm, UserModel user, String credentialType)
protected UserModel	findOrCreateAuthenticatedUser(RealmModel realm, KerberosPrincipal kerberosPrincipal)	Called after successful kerberos authentication
Stream<String>	getDisableableCredentialTypesStream(RealmModel realm, UserModel user)	Obtains the set of credential types that can be disabled via disableCredentialType.
UserStorageProvider.EditMode	getEditMode()
Stream<UserModel>	getGroupMembersStream(RealmModel realm, GroupModel group, Integer firstResult, Integer maxResults)	Obtains users that belong to a specific group.
LDAPProviderKerberosConfig	getKerberosConfig()
LDAPIdentityStore	getLdapIdentityStore()
LDAPStorageMapperManager	getMapperManager()
UserStorageProviderModel	getModel()
Stream<UserModel>	getRoleMembersStream(RealmModel realm, RoleModel role, Integer firstResult, Integer maxResults)	Searches for users that have the specified role.
KeycloakSession	getSession()
Set<String>	getSupportedCredentialTypes()
UserModel	getUserByEmail(RealmModel realm, String email)	Returns a user with the given email belonging to the realm
UserModel	getUserById(RealmModel realm, String id)	Returns a user with the given id belonging to the realm
UserModel	getUserByUsername(RealmModel realm, String username)	Exact search for a user by its username.
LDAPStorageUserManager	getUserManager()
protected UserModel	importUserFromLDAP(KeycloakSession session, RealmModel realm, LDAPObject ldapUser)
protected UserModel	importUserFromLDAP(KeycloakSession session, RealmModel realm, LDAPObject ldapUser, LDAPStorageProvider.ImportType importType)
boolean	isConfiguredFor(RealmModel realm, UserModel user, String credentialType)
boolean	isValid(RealmModel realm, UserModel user, CredentialInput input)	Tests whether a credential is valid
protected LDAPObject	loadAndValidateUser(RealmModel realm, UserModel local)
LDAPObject	loadLDAPUserByDN(RealmModel realm, LDAPDn dn)
LDAPObject	loadLDAPUserByUsername(RealmModel realm, String username)
LDAPObject	loadLDAPUserByUuid(RealmModel realm, String uuid)
Stream<UserModel>	loadUsersByDNs(RealmModel realm, Collection<LDAPDn> dns, int firstResult, int maxResults)
Stream<UserModel>	loadUsersByUniqueAttribute(RealmModel realm, String uidName, Collection<String> uids, int firstResult, int maxResults)
List<UserModel>	loadUsersByUsernames(List<String> usernames, RealmModel realm)
void	preRemove(RealmModel realm)	Callback when a realm is removed.
void	preRemove(RealmModel realm, GroupModel group)	Callback when a group is removed.
void	preRemove(RealmModel realm, RoleModel role)	Callback when a role is removed.
protected UserModel	proxy(RealmModel realm, UserModel local, LDAPObject ldapObject, boolean newUser)
protected LDAPObject	queryByEmail(RealmModel realm, String email)
boolean	removeUser(RealmModel realm, UserModel user)	Called if user originated from this provider.
Stream<UserModel>	searchForUserByUserAttributeStream(RealmModel realm, String attrName, String attrValue)	Searches for users that have a specific attribute with a specific value.
Stream<UserModel>	searchForUserStream(RealmModel realm, Map<String,String> params, Integer firstResult, Integer maxResults)	LDAP search supports UserModel.SEARCH, UserModel.EXACT and all the other user attributes that are managed by a mapper (method getUserAttributes).
void	setUpdater(PasswordUpdateCallback updater)
boolean	supportsCredentialAuthenticationFor(String type)
boolean	supportsCredentialType(String credentialType)
boolean	synchronizeRegistrations()
String	toString()
boolean	updateCredential(RealmModel realm, UserModel user, CredentialInput input)
UserModel	validate(RealmModel realm, UserModel local)	If this method returns null, then the user in local storage will be removed
boolean	validPassword(RealmModel realm, UserModel user, String password)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Methods inherited from interface org.keycloak.storage.user.UserLookupProvider

getUserByCredential

Methods inherited from interface org.keycloak.storage.user.UserQueryMethodsProvider

getGroupMembersStream, getGroupMembersStream, getRoleMembersStream, searchForUserStream, searchForUserStream, searchForUserStream

Field Details

factory

protected LDAPStorageProviderFactory factory

session

protected KeycloakSession session

model

protected UserStorageProviderModel model

ldapIdentityStore

protected LDAPIdentityStore ldapIdentityStore

editMode

protected UserStorageProvider.EditMode editMode

kerberosConfig

protected LDAPProviderKerberosConfig kerberosConfig

updater

protected PasswordUpdateCallback updater

mapperManager

protected LDAPStorageMapperManager mapperManager

userManager

protected LDAPStorageUserManager userManager

supportedCredentialTypes

protected final Set<String> supportedCredentialTypes

Constructor Details

LDAPStorageProvider

public LDAPStorageProvider(LDAPStorageProviderFactory factory,
 KeycloakSession session,
 ComponentModel model,
 LDAPIdentityStore ldapIdentityStore)

Method Details

setUpdater

public void setUpdater(PasswordUpdateCallback updater)

getSession

public KeycloakSession getSession()

getLdapIdentityStore

public LDAPIdentityStore getLdapIdentityStore()

getEditMode

public UserStorageProvider.EditMode getEditMode()

getModel

public UserStorageProviderModel getModel()

getKerberosConfig

public LDAPProviderKerberosConfig getKerberosConfig()

getMapperManager

public LDAPStorageMapperManager getMapperManager()

getUserManager

public LDAPStorageUserManager getUserManager()

validate

public UserModel validate(RealmModel realm,
 UserModel local)

Description copied from interface: ImportedUserValidation

If this method returns null, then the user in local storage will be removed

Specified by:

validate in interface ImportedUserValidation

Returns:

null if user no longer valid

proxy

protected UserModel proxy(RealmModel realm,
 UserModel local,
 LDAPObject ldapObject,
 boolean newUser)

supportsCredentialAuthenticationFor

public boolean supportsCredentialAuthenticationFor(String type)

Specified by:

supportsCredentialAuthenticationFor in interface CredentialAuthentication

searchForUserByUserAttributeStream

public Stream<UserModel> searchForUserByUserAttributeStream(RealmModel realm,
 String attrName,
 String attrValue)

Description copied from interface: UserQueryMethodsProvider

Searches for users that have a specific attribute with a specific value.

Specified by:

searchForUserByUserAttributeStream in interface UserQueryMethodsProvider

Parameters:

realm - a reference to the realm.

attrName - the attribute name.

attrValue - the attribute value.

Returns:

a non-null Stream of users that match the search criteria.

synchronizeRegistrations

public boolean synchronizeRegistrations()

addUser

public UserModel addUser(RealmModel realm,
 String username)

Description copied from interface: UserRegistrationProvider

All storage providers that implement this interface will be looped through. If this method returns null, then the next storage provider's addUser() method will be called. If no storage providers handle the add, then the user will be created in local storage. Returning null is useful when you want optional support for adding users. For example, our LDAP provider can enable and disable the ability to add users.

Specified by:

addUser in interface UserRegistrationProvider

Parameters:

realm - a reference to the realm

username - a username the created user will be assigned

Returns:

a model of created user

removeUser

public boolean removeUser(RealmModel realm,
 UserModel user)

Description copied from interface: UserRegistrationProvider

Called if user originated from this provider. If a local user is linked to this provider, this method will be called before local storage's removeUser() method is invoked. If you are using an import strategy, and this is a local user linked to this provider, this method will be called before local storage's removeUser() method is invoked. Also, you DO NOT need to remove the imported user. The runtime will handle this for you.

Specified by:

removeUser in interface UserRegistrationProvider

Parameters:

realm - a reference to the realm

user - a reference to the user that is removed

Returns:

true if the user was removed, false otherwise

getUserById

public UserModel getUserById(RealmModel realm,
 String id)

Description copied from interface: UserLookupProvider

Returns a user with the given id belonging to the realm

Specified by:

getUserById in interface UserLookupProvider

Parameters:

realm - the realm model

id - id of the user

Returns:

found user model, or null if no such user exists

searchForUserStream

public Stream<UserModel> searchForUserStream(RealmModel realm,
 Map<String,String> params,
 Integer firstResult,
 Integer maxResults)

LDAP search supports UserModel.SEARCH, UserModel.EXACT and all the other user attributes that are managed by a mapper (method getUserAttributes).

Specified by:

searchForUserStream in interface UserQueryMethodsProvider

Parameters:

realm - a reference to the realm.

params - a map containing the search parameters.

firstResult - first result to return. Ignored if negative, zero, or null.

maxResults - maximum number of results to return. Ignored if negative or null.

Returns:

a non-null Stream of users that match the search criteria.

getGroupMembersStream

public Stream<UserModel> getGroupMembersStream(RealmModel realm,
 GroupModel group,
 Integer firstResult,
 Integer maxResults)

Description copied from interface: UserQueryMethodsProvider

Obtains users that belong to a specific group.

Specified by:

getGroupMembersStream in interface UserQueryMethodsProvider

Parameters:

realm - a reference to the realm.

group - a reference to the group.

firstResult - first result to return. Ignored if negative, zero, or null.

maxResults - maximum number of results to return. Ignored if negative or null.

Returns:

a non-null Stream of users that belong to the group.

getRoleMembersStream

public Stream<UserModel> getRoleMembersStream(RealmModel realm,
 RoleModel role,
 Integer firstResult,
 Integer maxResults)

Description copied from interface: UserQueryMethodsProvider

Searches for users that have the specified role.

Specified by:

getRoleMembersStream in interface UserQueryMethodsProvider

Parameters:

realm - a reference to the realm.

role - a reference to the role.

firstResult - first result to return. Ignored if negative or null.

maxResults - maximum number of results to return. Ignored if negative or null.

Returns:

a non-null Stream of users that have the specified role.

loadUsersByUsernames

public List<UserModel> loadUsersByUsernames(List<String> usernames,
 RealmModel realm)

loadUsersByDNs

public Stream<UserModel> loadUsersByDNs(RealmModel realm,
 Collection<LDAPDn> dns,
 int firstResult,
 int maxResults)

loadUsersByUniqueAttribute

public Stream<UserModel> loadUsersByUniqueAttribute(RealmModel realm,
 String uidName,
 Collection<String> uids,
 int firstResult,
 int maxResults)

loadAndValidateUser

protected LDAPObject loadAndValidateUser(RealmModel realm,
 UserModel local)

Parameters:

local -

Returns:

ldapUser corresponding to local user or null if user is no longer in LDAP

getUserByUsername

public UserModel getUserByUsername(RealmModel realm,
 String username)

Description copied from interface: UserLookupProvider

Exact search for a user by its username. Returns a user with the given username belonging to the realm

Specified by:

getUserByUsername in interface UserLookupProvider

Parameters:

realm - the realm model

username - (case-sensitivity is controlled by storage)

Returns:

found user model, or null if no such user exists

importUserFromLDAP

protected UserModel importUserFromLDAP(KeycloakSession session,
 RealmModel realm,
 LDAPObject ldapUser)

importUserFromLDAP

protected UserModel importUserFromLDAP(KeycloakSession session,
 RealmModel realm,
 LDAPObject ldapUser,
 LDAPStorageProvider.ImportType importType)

queryByEmail

protected LDAPObject queryByEmail(RealmModel realm,
 String email)

getUserByEmail

public UserModel getUserByEmail(RealmModel realm,
 String email)

Description copied from interface: UserLookupProvider

Returns a user with the given email belonging to the realm

Specified by:

getUserByEmail in interface UserLookupProvider

Parameters:

realm - the realm model

email - email address

Returns:

found user model, or null if no such user exists

preRemove

public void preRemove(RealmModel realm)

Description copied from interface: UserStorageProvider

Callback when a realm is removed. Implement this if, for example, you want to do some cleanup in your user storage when a realm is removed

Specified by:

preRemove in interface UserStorageProvider

preRemove

public void preRemove(RealmModel realm,
 RoleModel role)

Description copied from interface: UserStorageProvider

Callback when a role is removed. Allows you to do things like remove a user role mapping in your external store if appropriate

Specified by:

preRemove in interface UserStorageProvider

preRemove

public void preRemove(RealmModel realm,
 GroupModel group)

Description copied from interface: UserStorageProvider

Callback when a group is removed. Allows you to do things like remove a user group mapping in your external store if appropriate

Specified by:

preRemove in interface UserStorageProvider

validPassword

public boolean validPassword(RealmModel realm,
 UserModel user,
 String password)

updateCredential

public boolean updateCredential(RealmModel realm,
 UserModel user,
 CredentialInput input)

Specified by:

updateCredential in interface CredentialInputUpdater

disableCredentialType

public void disableCredentialType(RealmModel realm,
 UserModel user,
 String credentialType)

Specified by:

disableCredentialType in interface CredentialInputUpdater

getDisableableCredentialTypesStream

public Stream<String> getDisableableCredentialTypesStream(RealmModel realm,
 UserModel user)

Description copied from interface: CredentialInputUpdater

Obtains the set of credential types that can be disabled via disableCredentialType.

Specified by:

getDisableableCredentialTypesStream in interface CredentialInputUpdater

Parameters:

realm - a reference to the realm.

user - the user whose credentials are being searched.

Returns:

a non-null Stream of credential types.

getSupportedCredentialTypes

public Set<String> getSupportedCredentialTypes()

supportsCredentialType

public boolean supportsCredentialType(String credentialType)

Specified by:

supportsCredentialType in interface CredentialInputUpdater

Specified by:

supportsCredentialType in interface CredentialInputValidator

isConfiguredFor

public boolean isConfiguredFor(RealmModel realm,
 UserModel user,
 String credentialType)

Specified by:

isConfiguredFor in interface CredentialInputValidator

isValid

public boolean isValid(RealmModel realm,
 UserModel user,
 CredentialInput input)

Description copied from interface: CredentialInputValidator

Tests whether a credential is valid

Specified by:

isValid in interface CredentialInputValidator

Parameters:

realm - The realm in which to which the credential belongs to

user - The user for which to test the credential

input - the credential details to verify

Returns:

true if the passed secret is correct

authenticate

public CredentialValidationOutput authenticate(RealmModel realm,
 CredentialInput cred)

Specified by:

authenticate in interface CredentialAuthentication

close

public void close()

Specified by:

close in interface Provider

findOrCreateAuthenticatedUser

protected UserModel findOrCreateAuthenticatedUser(RealmModel realm,
 KerberosPrincipal kerberosPrincipal)

Called after successful kerberos authentication

Parameters:

realm - realm

kerberosPrincipal - kerberos principal of the authenticated user

Returns:

found or newly created user

loadLDAPUserByUsername

public LDAPObject loadLDAPUserByUsername(RealmModel realm,
 String username)

loadLDAPUserByUuid

public LDAPObject loadLDAPUserByUuid(RealmModel realm,
 String uuid)

loadLDAPUserByDN

public LDAPObject loadLDAPUserByDN(RealmModel realm,
 LDAPDn dn)

toString

public String toString()

Overrides:

toString in class Object

decorateUserProfile

public List<AttributeMetadata> decorateUserProfile(String providerId,
 UserProfileMetadata metadata)

Description copied from interface: UserProfileDecorator

Decorates user profile with additional metadata. For instance, metadata attributes, which are available just for your user-storage provider can be added there, so they are available just for the users coming from your provider.

This method is invoked every time a user is being managed through a user profile provider.

Specified by:

decorateUserProfile in interface UserProfileDecorator

Parameters:

providerId - the id of the user storage provider to which the user is associated with

metadata - the current UserProfileMetadata for the current realm

Returns:

a list of attribute metadata.The AttributeMetadata returned from this method overrides any other metadata already set in metadata for a given attribute.