org.keycloak.storage.ldap

Class LDAPStorageProvider

java.lang.Object

org.keycloak.storage.ldap.LDAPStorageProvider

All Implemented Interfaces:

CredentialAuthentication, CredentialInputUpdater, CredentialInputValidator, Provider, ImportedUserValidation, UserLookupProvider, UserQueryProvider, UserRegistrationProvider, UserStorageProvider

public class LDAPStorageProvider
extends Object
implements UserStorageProvider, CredentialInputValidator, CredentialInputUpdater, CredentialAuthentication, UserLookupProvider, UserRegistrationProvider, UserQueryProvider, ImportedUserValidation

Version:

$Revision: 1 $

Author:

Marek Posolda, Bill Burke

Nested Class Summary

Nested classes/interfaces inherited from interface org.keycloak.storage.UserStorageProvider

UserStorageProvider.EditMode

Field Summary

Fields

Modifier and Type	Field and Description
protected UserStorageProvider.EditMode	editMode
protected LDAPStorageProviderFactory	factory
protected LDAPProviderKerberosConfig	kerberosConfig
protected LDAPIdentityStore	ldapIdentityStore
protected LDAPStorageMapperManager	mapperManager
protected UserStorageProviderModel	model
protected KeycloakSession	session
protected Set<String>	supportedCredentialTypes
protected PasswordUpdateCallback	updater
protected LDAPStorageUserManager	userManager

Constructor Summary

Constructors

Constructor and Description
LDAPStorageProvider(LDAPStorageProviderFactory factory, KeycloakSession session, ComponentModel model, LDAPIdentityStore ldapIdentityStore)

Method Summary

Modifier and Type	Method and Description
UserModel	addUser(RealmModel realm, String username) All storage providers that implement this interface will be looped through.
CredentialValidationOutput	authenticate(RealmModel realm, CredentialInput cred)
void	close()
void	disableCredentialType(RealmModel realm, UserModel user, String credentialType)
protected UserModel	findOrCreateAuthenticatedUser(RealmModel realm, String username) Called after successful kerberos authentication
Set<String>	getDisableableCredentialTypes(RealmModel realm, UserModel user) Returns a set of credential types that can be disabled by disableCredentialType() method
UserStorageProvider.EditMode	getEditMode()
List<UserModel>	getGroupMembers(RealmModel realm, GroupModel group) Get users that belong to a specific group.
List<UserModel>	getGroupMembers(RealmModel realm, GroupModel group, int firstResult, int maxResults) Get users that belong to a specific group.
LDAPIdentityStore	getLdapIdentityStore()
LDAPStorageMapperManager	getMapperManager()
UserStorageProviderModel	getModel()
KeycloakSession	getSession()
Set<String>	getSupportedCredentialTypes()
UserModel	getUserByEmail(String email, RealmModel realm)
UserModel	getUserById(String id, RealmModel realm)
UserModel	getUserByUsername(String username, RealmModel realm)
LDAPStorageUserManager	getUserManager()
List<UserModel>	getUsers(RealmModel realm)
List<UserModel>	getUsers(RealmModel realm, int firstResult, int maxResults)
int	getUsersCount(RealmModel realm) Returns the number of users, without consider any service account.
protected UserModel	importUserFromLDAP(KeycloakSession session, RealmModel realm, LDAPObject ldapUser)
boolean	isConfiguredFor(RealmModel realm, UserModel user, String credentialType)
boolean	isValid(RealmModel realm, UserModel user, CredentialInput input) Tests whether a credential is valid
protected LDAPObject	loadAndValidateUser(RealmModel realm, UserModel local)
LDAPObject	loadLDAPUserByUsername(RealmModel realm, String username)
List<UserModel>	loadUsersByUsernames(List<String> usernames, RealmModel realm)
void	preRemove(RealmModel realm) Callback when a realm is removed.
void	preRemove(RealmModel realm, GroupModel group) Callback when a group is removed.
void	preRemove(RealmModel realm, RoleModel role) Callback when a role is removed.
protected UserModel	proxy(RealmModel realm, UserModel local, LDAPObject ldapObject, boolean newUser)
protected LDAPObject	queryByEmail(RealmModel realm, String email)
boolean	removeUser(RealmModel realm, UserModel user) Called if user originated from this provider.
List<UserModel>	searchForUser(Map<String,String> params, RealmModel realm) Search for user by parameter.
List<UserModel>	searchForUser(Map<String,String> params, RealmModel realm, int firstResult, int maxResults) Search for user by parameter.
List<UserModel>	searchForUser(String search, RealmModel realm) Search for users with username, email or first + last name that is like search string.
List<UserModel>	searchForUser(String search, RealmModel realm, int firstResult, int maxResults) Search for users with username, email or first + last name that is like search string.
List<UserModel>	searchForUserByUserAttribute(String attrName, String attrValue, RealmModel realm) Search for users that have a specific attribute with a specific value.
protected List<LDAPObject>	searchLDAP(RealmModel realm, Map<String,String> attributes, int maxResults)
void	setUpdater(PasswordUpdateCallback updater)
boolean	supportsCredentialAuthenticationFor(String type)
boolean	supportsCredentialType(String credentialType)
boolean	synchronizeRegistrations()
boolean	updateCredential(RealmModel realm, UserModel user, CredentialInput input)
UserModel	validate(RealmModel realm, UserModel local) If this method returns null, then the user in local storage will be removed
boolean	validPassword(RealmModel realm, UserModel user, String password)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.keycloak.storage.user.UserQueryProvider

countUsersInGroups, getRoleMembers, getRoleMembers, getUsersCount, getUsersCount, getUsersCount, getUsersCount, getUsersCount, getUsersCount

Field Detail

factory

protected LDAPStorageProviderFactory factory

session

protected KeycloakSession session

model

protected UserStorageProviderModel model

ldapIdentityStore

protected LDAPIdentityStore ldapIdentityStore

editMode

protected UserStorageProvider.EditMode editMode

kerberosConfig

protected LDAPProviderKerberosConfig kerberosConfig

updater

protected PasswordUpdateCallback updater

mapperManager

protected LDAPStorageMapperManager mapperManager

userManager

protected LDAPStorageUserManager userManager

supportedCredentialTypes

protected final Set<String> supportedCredentialTypes

Constructor Detail

LDAPStorageProvider

public LDAPStorageProvider(LDAPStorageProviderFactory factory,
                           KeycloakSession session,
                           ComponentModel model,
                           LDAPIdentityStore ldapIdentityStore)

Method Detail

setUpdater

public void setUpdater(PasswordUpdateCallback updater)

getSession

public KeycloakSession getSession()

getLdapIdentityStore

public LDAPIdentityStore getLdapIdentityStore()

getEditMode

public UserStorageProvider.EditMode getEditMode()

getModel

public UserStorageProviderModel getModel()

getMapperManager

public LDAPStorageMapperManager getMapperManager()

getUserManager

public LDAPStorageUserManager getUserManager()

validate

public UserModel validate(RealmModel realm,
                          UserModel local)

Description copied from interface: ImportedUserValidation

If this method returns null, then the user in local storage will be removed

Specified by:

validate in interface ImportedUserValidation

Returns:

null if user no longer valid

proxy

protected UserModel proxy(RealmModel realm,
                          UserModel local,
                          LDAPObject ldapObject,
                          boolean newUser)

supportsCredentialAuthenticationFor

public boolean supportsCredentialAuthenticationFor(String type)

Specified by:

supportsCredentialAuthenticationFor in interface CredentialAuthentication

searchForUserByUserAttribute

public List<UserModel> searchForUserByUserAttribute(String attrName,
                                                    String attrValue,
                                                    RealmModel realm)

Description copied from interface: UserQueryProvider

Search for users that have a specific attribute with a specific value. Implementations do not have to search in UserFederatedStorageProvider as this is done automatically.

Specified by:

searchForUserByUserAttribute in interface UserQueryProvider

Returns:

See Also:

UserFederatedStorageProvider

synchronizeRegistrations

public boolean synchronizeRegistrations()

addUser

public UserModel addUser(RealmModel realm,
                         String username)

Description copied from interface: UserRegistrationProvider

All storage providers that implement this interface will be looped through. If this method returns null, then the next storage provider's addUser() method will be called. If no storage providers handle the add, then the user will be created in local storage. Returning null is useful when you want optional support for adding users. For example, our LDAP provider can enable and disable the ability to add users.

Specified by:

addUser in interface UserRegistrationProvider

Returns:

removeUser

public boolean removeUser(RealmModel realm,
                          UserModel user)

Description copied from interface: UserRegistrationProvider

Called if user originated from this provider. If a local user is linked to this provider, this method will be called before local storage's removeUser() method is invoked. If you are using an import strategy, and this is a local user linked to this provider, this method will be called before local storage's removeUser() method is invoked. Also, you DO NOT need to remove the imported user. The runtime will handle this for you.

Specified by:

removeUser in interface UserRegistrationProvider

Returns:

getUserById

public UserModel getUserById(String id,
                             RealmModel realm)

Specified by:

getUserById in interface UserLookupProvider

getUsersCount

public int getUsersCount(RealmModel realm)

Description copied from interface: UserQueryProvider

Returns the number of users, without consider any service account.

Specified by:

getUsersCount in interface UserQueryProvider

Parameters:

realm - the realm

Returns:

the number of users

getUsers

public List<UserModel> getUsers(RealmModel realm)

Specified by:

getUsers in interface UserQueryProvider

getUsers

public List<UserModel> getUsers(RealmModel realm,
                                int firstResult,
                                int maxResults)

Specified by:

getUsers in interface UserQueryProvider

searchForUser

public List<UserModel> searchForUser(String search,
                                     RealmModel realm)

Description copied from interface: UserQueryProvider

Search for users with username, email or first + last name that is like search string. If possible, implementations should treat the parameter values as partial match patterns i.e. in RDMBS terms use LIKE. This method is used by the admin console search box

Specified by:

searchForUser in interface UserQueryProvider

Returns:

searchForUser

public List<UserModel> searchForUser(String search,
                                     RealmModel realm,
                                     int firstResult,
                                     int maxResults)

Description copied from interface: UserQueryProvider

Search for users with username, email or first + last name that is like search string. If possible, implementations should treat the parameter values as partial match patterns i.e. in RDMBS terms use LIKE. This method is used by the admin console search box

Specified by:

searchForUser in interface UserQueryProvider

Returns:

searchForUser

public List<UserModel> searchForUser(Map<String,String> params,
                                     RealmModel realm)

Description copied from interface: UserQueryProvider

Search for user by parameter. Valid parameters are: "first" - first name "last" - last name "email" - email "username" - username If possible, implementations should treat the parameter values as partial match patterns i.e. in RDMBS terms use LIKE. This method is used by the REST API when querying users.

Specified by:

searchForUser in interface UserQueryProvider

Returns:

searchForUser

public List<UserModel> searchForUser(Map<String,String> params,
                                     RealmModel realm,
                                     int firstResult,
                                     int maxResults)

Description copied from interface: UserQueryProvider

Search for user by parameter. Valid parameters are: "first" - first name "last" - last name "email" - email "username" - username "enabled" - is user enabled (true/false) If possible, implementations should treat the parameter values as patterns i.e. in RDMBS terms use LIKE. This method is used by the REST API when querying users.

Specified by:

searchForUser in interface UserQueryProvider

Returns:

getGroupMembers

public List<UserModel> getGroupMembers(RealmModel realm,
                                       GroupModel group)

Description copied from interface: UserQueryProvider

Get users that belong to a specific group. Implementations do not have to search in UserFederatedStorageProvider as this is done automatically.

Specified by:

getGroupMembers in interface UserQueryProvider

Returns:

See Also:

UserFederatedStorageProvider

getGroupMembers

public List<UserModel> getGroupMembers(RealmModel realm,
                                       GroupModel group,
                                       int firstResult,
                                       int maxResults)

Description copied from interface: UserQueryProvider

Get users that belong to a specific group. Implementations do not have to search in UserFederatedStorageProvider as this is done automatically.

Specified by:

getGroupMembers in interface UserQueryProvider

Returns:

See Also:

UserFederatedStorageProvider

loadUsersByUsernames

public List<UserModel> loadUsersByUsernames(List<String> usernames,
                                            RealmModel realm)

searchLDAP

protected List<LDAPObject> searchLDAP(RealmModel realm,
                                      Map<String,String> attributes,
                                      int maxResults)

loadAndValidateUser

protected LDAPObject loadAndValidateUser(RealmModel realm,
                                         UserModel local)

Parameters:

local -

Returns:

ldapUser corresponding to local user or null if user is no longer in LDAP

getUserByUsername

public UserModel getUserByUsername(String username,
                                   RealmModel realm)

Specified by:

getUserByUsername in interface UserLookupProvider

importUserFromLDAP

protected UserModel importUserFromLDAP(KeycloakSession session,
                                       RealmModel realm,
                                       LDAPObject ldapUser)

queryByEmail

protected LDAPObject queryByEmail(RealmModel realm,
                                  String email)

getUserByEmail

public UserModel getUserByEmail(String email,
                                RealmModel realm)

Specified by:

getUserByEmail in interface UserLookupProvider

preRemove

public void preRemove(RealmModel realm)

Description copied from interface: UserStorageProvider

Callback when a realm is removed. Implement this if, for example, you want to do some cleanup in your user storage when a realm is removed

Specified by:

preRemove in interface UserStorageProvider

preRemove

public void preRemove(RealmModel realm,
                      RoleModel role)

Description copied from interface: UserStorageProvider

Callback when a role is removed. Allows you to do things like remove a user role mapping in your external store if appropriate

Specified by:

preRemove in interface UserStorageProvider

preRemove

public void preRemove(RealmModel realm,
                      GroupModel group)

Description copied from interface: UserStorageProvider

Callback when a group is removed. Allows you to do things like remove a user group mapping in your external store if appropriate

Specified by:

preRemove in interface UserStorageProvider

validPassword

public boolean validPassword(RealmModel realm,
                             UserModel user,
                             String password)

updateCredential

public boolean updateCredential(RealmModel realm,
                                UserModel user,
                                CredentialInput input)

Specified by:

updateCredential in interface CredentialInputUpdater

disableCredentialType

public void disableCredentialType(RealmModel realm,
                                  UserModel user,
                                  String credentialType)

Specified by:

disableCredentialType in interface CredentialInputUpdater

getDisableableCredentialTypes

public Set<String> getDisableableCredentialTypes(RealmModel realm,
                                                 UserModel user)

Description copied from interface: CredentialInputUpdater

Returns a set of credential types that can be disabled by disableCredentialType() method

Specified by:

getDisableableCredentialTypes in interface CredentialInputUpdater

Returns:

getSupportedCredentialTypes

public Set<String> getSupportedCredentialTypes()

supportsCredentialType

public boolean supportsCredentialType(String credentialType)

Specified by:

supportsCredentialType in interface CredentialInputUpdater

Specified by:

supportsCredentialType in interface CredentialInputValidator

isConfiguredFor

public boolean isConfiguredFor(RealmModel realm,
                               UserModel user,
                               String credentialType)

Specified by:

isConfiguredFor in interface CredentialInputValidator

isValid

public boolean isValid(RealmModel realm,
                       UserModel user,
                       CredentialInput input)

Description copied from interface: CredentialInputValidator

Tests whether a credential is valid

Specified by:

isValid in interface CredentialInputValidator

Parameters:

realm - The realm in which to which the credential belongs to

user - The user for which to test the credential

input - the credential details to verify

Returns:

true if the passed secret is correct

authenticate

public CredentialValidationOutput authenticate(RealmModel realm,
                                               CredentialInput cred)

Specified by:

authenticate in interface CredentialAuthentication

close

public void close()

Specified by:

close in interface Provider

findOrCreateAuthenticatedUser

protected UserModel findOrCreateAuthenticatedUser(RealmModel realm,
                                                  String username)

Called after successful kerberos authentication

Parameters:

realm - realm

username - username without realm prefix

Returns:

finded or newly created user

loadLDAPUserByUsername

public LDAPObject loadLDAPUserByUsername(RealmModel realm,
                                         String username)