java.lang.Object

org.keycloak.storage.ldap.LDAPStorageProvider

All Implemented Interfaces:: CredentialAuthentication, CredentialInputUpdater, CredentialInputValidator, Provider, ImportedUserValidation, UserLookupProvider, UserQueryMethodsProvider, UserRegistrationProvider, UserStorageProvider

public class LDAPStorageProvider extends Object implements UserStorageProvider, CredentialInputValidator, CredentialInputUpdater, CredentialAuthentication, UserLookupProvider, UserRegistrationProvider, UserQueryMethodsProvider, ImportedUserValidation

Version:: $Revision: 1 $
Author:: Marek Posolda, Bill Burke

Nested Class Summary

Nested classes/interfaces inherited from interface org.keycloak.storage.UserStorageProvider
UserStorageProvider.EditMode
Field Summary

Fields

Modifier and Type

Field

Description

protected UserStorageProvider.EditMode

editMode

protected LDAPStorageProviderFactory

factory

protected LDAPProviderKerberosConfig

kerberosConfig

protected LDAPIdentityStore

ldapIdentityStore

protected LDAPStorageMapperManager

mapperManager

protected UserStorageProviderModel

model

protected KeycloakSession

session

protected final Set<String>

supportedCredentialTypes

protected PasswordUpdateCallback

updater

protected LDAPStorageUserManager

userManager
Constructor Summary

Constructors

Constructor

Description

LDAPStorageProvider(LDAPStorageProviderFactory factory, KeycloakSession session, ComponentModel model, LDAPIdentityStore ldapIdentityStore)
Method Summary

Modifier and Type

Method

Description

UserModel

addUser(RealmModel realm, String username)

All storage providers that implement this interface will be looped through.

CredentialValidationOutput

authenticate(RealmModel realm, CredentialInput cred)

void

close()

void

disableCredentialType(RealmModel realm, UserModel user, String credentialType)

protected UserModel

findOrCreateAuthenticatedUser(RealmModel realm, KerberosPrincipal kerberosPrincipal)

Called after successful kerberos authentication

Stream<String>

getDisableableCredentialTypesStream(RealmModel realm, UserModel user)

Obtains the set of credential types that can be disabled via disableCredentialType.

UserStorageProvider.EditMode

getEditMode()

Stream<UserModel>

getGroupMembersStream(RealmModel realm, GroupModel group, Integer firstResult, Integer maxResults)

Obtains users that belong to a specific group.

LDAPProviderKerberosConfig

getKerberosConfig()

LDAPIdentityStore

getLdapIdentityStore()

LDAPStorageMapperManager

getMapperManager()

UserStorageProviderModel

getModel()

Stream<UserModel>

getRoleMembersStream(RealmModel realm, RoleModel role, Integer firstResult, Integer maxResults)

Searches for users that have the specified role.

KeycloakSession

getSession()

Set<String>

getSupportedCredentialTypes()

UserModel

getUserByEmail(RealmModel realm, String email)

Returns a user with the given email belonging to the realm

UserModel

getUserById(RealmModel realm, String id)

Returns a user with the given id belonging to the realm

UserModel

getUserByUsername(RealmModel realm, String username)

Exact search for a user by its username.

LDAPStorageUserManager

getUserManager()

protected UserModel

importUserFromLDAP(KeycloakSession session, RealmModel realm, LDAPObject ldapUser)

boolean

isConfiguredFor(RealmModel realm, UserModel user, String credentialType)

boolean

isValid(RealmModel realm, UserModel user, CredentialInput input)

Tests whether a credential is valid

protected LDAPObject

loadAndValidateUser(RealmModel realm, UserModel local)

LDAPObject

loadLDAPUserByUsername(RealmModel realm, String username)

LDAPObject

loadLDAPUserByUuid(RealmModel realm, String uuid)

List<UserModel>

loadUsersByUsernames(List<String> usernames, RealmModel realm)

void

preRemove(RealmModel realm)

Callback when a realm is removed.

void

preRemove(RealmModel realm, GroupModel group)

Callback when a group is removed.

void

preRemove(RealmModel realm, RoleModel role)

Callback when a role is removed.

protected UserModel

proxy(RealmModel realm, UserModel local, LDAPObject ldapObject, boolean newUser)

protected LDAPObject

queryByEmail(RealmModel realm, String email)

boolean

removeUser(RealmModel realm, UserModel user)

Called if user originated from this provider.

Stream<UserModel>

searchForUserByUserAttributeStream(RealmModel realm, String attrName, String attrValue)

Searches for users that have a specific attribute with a specific value.

Stream<UserModel>

searchForUserStream(RealmModel realm, Map<String,String> params, Integer firstResult, Integer maxResults)

It supports UserModel.FIRST_NAME UserModel.LAST_NAME UserModel.EMAIL UserModel.USERNAME Other fields are not supported.

void

setUpdater(PasswordUpdateCallback updater)

boolean

supportsCredentialAuthenticationFor(String type)

boolean

supportsCredentialType(String credentialType)

boolean

synchronizeRegistrations()

String

toString()

boolean

updateCredential(RealmModel realm, UserModel user, CredentialInput input)

UserModel

validate(RealmModel realm, UserModel local)

If this method returns null, then the user in local storage will be removed

boolean

validPassword(RealmModel realm, UserModel user, String password)

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Methods inherited from interface org.keycloak.storage.user.UserLookupProvider
getUserByCredential

Methods inherited from interface org.keycloak.storage.user.UserQueryMethodsProvider
getGroupMembersStream, getRoleMembersStream, searchForUserStream, searchForUserStream, searchForUserStream

Field Details
- factory
  
  protected LDAPStorageProviderFactory factory
- session
  
  protected KeycloakSession session
- model
  
  protected UserStorageProviderModel model
- ldapIdentityStore
  
  protected LDAPIdentityStore ldapIdentityStore
- editMode
  
  protected UserStorageProvider.EditMode editMode
- kerberosConfig
  
  protected LDAPProviderKerberosConfig kerberosConfig
- updater
  
  protected PasswordUpdateCallback updater
- mapperManager
  
  protected LDAPStorageMapperManager mapperManager
- userManager
  
  protected LDAPStorageUserManager userManager
- supportedCredentialTypes
  
  protected final Set<String> supportedCredentialTypes
Constructor Details
- LDAPStorageProvider
  
  public LDAPStorageProvider(LDAPStorageProviderFactory factory, KeycloakSession session, ComponentModel model, LDAPIdentityStore ldapIdentityStore)
Method Details
- setUpdater
  
  public void setUpdater(PasswordUpdateCallback updater)
- getSession
  
  public KeycloakSession getSession()
- getLdapIdentityStore
  
  public LDAPIdentityStore getLdapIdentityStore()
- getEditMode
  
  public UserStorageProvider.EditMode getEditMode()
- getModel
  
  public UserStorageProviderModel getModel()
- getKerberosConfig
  
  public LDAPProviderKerberosConfig getKerberosConfig()
- getMapperManager
  
  public LDAPStorageMapperManager getMapperManager()
- getUserManager
  
  public LDAPStorageUserManager getUserManager()
- validate
  
  public UserModel validate(RealmModel realm, UserModel local)
  
  Description copied from interface: ImportedUserValidation
  
  If this method returns null, then the user in local storage will be removed
  
  Specified by:
  
  validate in interface ImportedUserValidation
  
  Returns:
  
  null if user no longer valid
- proxy
  
  protected UserModel proxy(RealmModel realm, UserModel local, LDAPObject ldapObject, boolean newUser)
- supportsCredentialAuthenticationFor
  
  public boolean supportsCredentialAuthenticationFor(String type)
  
  Specified by:
  
  supportsCredentialAuthenticationFor in interface CredentialAuthentication
- searchForUserByUserAttributeStream
  
  public Stream<UserModel> searchForUserByUserAttributeStream(RealmModel realm, String attrName, String attrValue)
  
  Description copied from interface: UserQueryMethodsProvider
  
  Searches for users that have a specific attribute with a specific value.
  
  Specified by:
  
  searchForUserByUserAttributeStream in interface UserQueryMethodsProvider
  
  Parameters:
  
  realm - a reference to the realm.
  
  attrName - the attribute name.
  
  attrValue - the attribute value.
  
  Returns:
  
  a non-null Stream of users that match the search criteria.
- synchronizeRegistrations
  
  public boolean synchronizeRegistrations()
- addUser
  
  public UserModel addUser(RealmModel realm, String username)
  
  Description copied from interface: UserRegistrationProvider
  
  All storage providers that implement this interface will be looped through. If this method returns null, then the next storage provider's addUser() method will be called. If no storage providers handle the add, then the user will be created in local storage. Returning null is useful when you want optional support for adding users. For example, our LDAP provider can enable and disable the ability to add users.
  
  Specified by:
  
  addUser in interface UserRegistrationProvider
  
  Parameters:
  
  realm - a reference to the realm
  
  username - a username the created user will be assigned
  
  Returns:
  
  a model of created user
- removeUser
  
  public boolean removeUser(RealmModel realm, UserModel user)
  
  Description copied from interface: UserRegistrationProvider
  
  Called if user originated from this provider. If a local user is linked to this provider, this method will be called before local storage's removeUser() method is invoked. If you are using an import strategy, and this is a local user linked to this provider, this method will be called before local storage's removeUser() method is invoked. Also, you DO NOT need to remove the imported user. The runtime will handle this for you.
  
  Specified by:
  
  removeUser in interface UserRegistrationProvider
  
  Parameters:
  
  realm - a reference to the realm
  
  user - a reference to the user that is removed
  
  Returns:
  
  true if the user was removed, false otherwise
- getUserById
  
  public UserModel getUserById(RealmModel realm, String id)
  
  Description copied from interface: UserLookupProvider
  
  Returns a user with the given id belonging to the realm
  
  Specified by:
  
  getUserById in interface UserLookupProvider
  
  Parameters:
  
  realm - the realm model
  
  id - id of the user
  
  Returns:
  
  found user model, or null if no such user exists
- searchForUserStream
  
  public Stream<UserModel> searchForUserStream(RealmModel realm, Map<String,String> params, Integer firstResult, Integer maxResults)
  It supports
  
  UserModel.FIRST_NAME
  
  UserModel.LAST_NAME
  
  UserModel.EMAIL
  
  UserModel.USERNAME
  
  Other fields are not supported. The search for LDAP REST endpoints is done in the context of fields which are stored in LDAP (above).
  Specified by:
  
  searchForUserStream in interface UserQueryMethodsProvider
  
  Parameters:
  
  realm - a reference to the realm.
  
  params - a map containing the search parameters.
  
  firstResult - first result to return. Ignored if negative, zero, or null.
  
  maxResults - maximum number of results to return. Ignored if negative or null.
  
  Returns:
  
  a non-null Stream of users that match the search criteria.
- getGroupMembersStream
  
  public Stream<UserModel> getGroupMembersStream(RealmModel realm, GroupModel group, Integer firstResult, Integer maxResults)
  
  Description copied from interface: UserQueryMethodsProvider
  
  Obtains users that belong to a specific group.
  
  Specified by:
  
  getGroupMembersStream in interface UserQueryMethodsProvider
  
  Parameters:
  
  realm - a reference to the realm.
  
  group - a reference to the group.
  
  firstResult - first result to return. Ignored if negative, zero, or null.
  
  maxResults - maximum number of results to return. Ignored if negative or null.
  
  Returns:
  
  a non-null Stream of users that belong to the group.
- getRoleMembersStream
  
  public Stream<UserModel> getRoleMembersStream(RealmModel realm, RoleModel role, Integer firstResult, Integer maxResults)
  
  Description copied from interface: UserQueryMethodsProvider
  
  Searches for users that have the specified role.
  
  Specified by:
  
  getRoleMembersStream in interface UserQueryMethodsProvider
  
  Parameters:
  
  realm - a reference to the realm.
  
  role - a reference to the role.
  
  firstResult - first result to return. Ignored if negative or null.
  
  maxResults - maximum number of results to return. Ignored if negative or null.
  
  Returns:
  
  a non-null Stream of users that have the specified role.
- loadUsersByUsernames
  
  public List<UserModel> loadUsersByUsernames(List<String> usernames, RealmModel realm)
- loadAndValidateUser
  
  protected LDAPObject loadAndValidateUser(RealmModel realm, UserModel local)
  
  Parameters:
  
  local -
  
  Returns:
  
  ldapUser corresponding to local user or null if user is no longer in LDAP
- getUserByUsername
  
  public UserModel getUserByUsername(RealmModel realm, String username)
  
  Description copied from interface: UserLookupProvider
  
  Exact search for a user by its username. Returns a user with the given username belonging to the realm
  
  Specified by:
  
  getUserByUsername in interface UserLookupProvider
  
  Parameters:
  
  realm - the realm model
  
  username - (case-sensitivity is controlled by storage)
  
  Returns:
  
  found user model, or null if no such user exists
- importUserFromLDAP
  
  protected UserModel importUserFromLDAP(KeycloakSession session, RealmModel realm, LDAPObject ldapUser)
- queryByEmail
  
  protected LDAPObject queryByEmail(RealmModel realm, String email)
- getUserByEmail
  
  public UserModel getUserByEmail(RealmModel realm, String email)
  
  Description copied from interface: UserLookupProvider
  
  Returns a user with the given email belonging to the realm
  
  Specified by:
  
  getUserByEmail in interface UserLookupProvider
  
  Parameters:
  
  realm - the realm model
  
  email - email address
  
  Returns:
  
  found user model, or null if no such user exists
- preRemove
  
  public void preRemove(RealmModel realm)
  
  Description copied from interface: UserStorageProvider
  
  Callback when a realm is removed. Implement this if, for example, you want to do some cleanup in your user storage when a realm is removed
  
  Specified by:
  
  preRemove in interface UserStorageProvider
- preRemove
  
  public void preRemove(RealmModel realm, RoleModel role)
  
  Description copied from interface: UserStorageProvider
  
  Callback when a role is removed. Allows you to do things like remove a user role mapping in your external store if appropriate
  
  Specified by:
  
  preRemove in interface UserStorageProvider
- preRemove
  
  public void preRemove(RealmModel realm, GroupModel group)
  
  Description copied from interface: UserStorageProvider
  
  Callback when a group is removed. Allows you to do things like remove a user group mapping in your external store if appropriate
  
  Specified by:
  
  preRemove in interface UserStorageProvider
- validPassword
  
  public boolean validPassword(RealmModel realm, UserModel user, String password)
- updateCredential
  
  public boolean updateCredential(RealmModel realm, UserModel user, CredentialInput input)
  
  Specified by:
  
  updateCredential in interface CredentialInputUpdater
- disableCredentialType
  
  public void disableCredentialType(RealmModel realm, UserModel user, String credentialType)
  
  Specified by:
  
  disableCredentialType in interface CredentialInputUpdater
- getDisableableCredentialTypesStream
  
  public Stream<String> getDisableableCredentialTypesStream(RealmModel realm, UserModel user)
  
  Description copied from interface: CredentialInputUpdater
  
  Obtains the set of credential types that can be disabled via disableCredentialType.
  
  Specified by:
  
  getDisableableCredentialTypesStream in interface CredentialInputUpdater
  
  Parameters:
  
  realm - a reference to the realm.
  
  user - the user whose credentials are being searched.
  
  Returns:
  
  a non-null Stream of credential types.
- getSupportedCredentialTypes
  
  public Set<String> getSupportedCredentialTypes()
- supportsCredentialType
  
  public boolean supportsCredentialType(String credentialType)
  
  Specified by:
  
  supportsCredentialType in interface CredentialInputUpdater
  
  Specified by:
  
  supportsCredentialType in interface CredentialInputValidator
- isConfiguredFor
  
  public boolean isConfiguredFor(RealmModel realm, UserModel user, String credentialType)
  
  Specified by:
  
  isConfiguredFor in interface CredentialInputValidator
- isValid
  
  public boolean isValid(RealmModel realm, UserModel user, CredentialInput input)
  
  Description copied from interface: CredentialInputValidator
  
  Tests whether a credential is valid
  
  Specified by:
  
  isValid in interface CredentialInputValidator
  
  Parameters:
  
  realm - The realm in which to which the credential belongs to
  
  user - The user for which to test the credential
  
  input - the credential details to verify
  
  Returns:
  
  true if the passed secret is correct
- authenticate
  
  public CredentialValidationOutput authenticate(RealmModel realm, CredentialInput cred)
  
  Specified by:
  
  authenticate in interface CredentialAuthentication
- close
  
  public void close()
  
  Specified by:
  
  close in interface Provider
- findOrCreateAuthenticatedUser
  
  protected UserModel findOrCreateAuthenticatedUser(RealmModel realm, KerberosPrincipal kerberosPrincipal)
  
  Called after successful kerberos authentication
  
  Parameters:
  
  realm - realm
  
  kerberosPrincipal - kerberos principal of the authenticated user
  
  Returns:
  
  finded or newly created user
- loadLDAPUserByUsername
  
  public LDAPObject loadLDAPUserByUsername(RealmModel realm, String username)
- loadLDAPUserByUuid
  
  public LDAPObject loadLDAPUserByUuid(RealmModel realm, String uuid)
- toString
  
  public String toString()
  
  Overrides:
  
  toString in class Object

Class LDAPStorageProvider

Nested Class Summary

Nested classes/interfaces inherited from interface org.keycloak.storage.UserStorageProvider

Field Summary

Constructor Summary

Method Summary

Methods inherited from class java.lang.Object

Methods inherited from interface org.keycloak.storage.user.UserLookupProvider

Methods inherited from interface org.keycloak.storage.user.UserQueryMethodsProvider

Field Details

factory

session

model

ldapIdentityStore

editMode

kerberosConfig

updater

mapperManager

userManager

supportedCredentialTypes

Constructor Details

LDAPStorageProvider

Method Details

setUpdater

getSession

getLdapIdentityStore

getEditMode

getModel

getKerberosConfig

getMapperManager

getUserManager

validate

proxy

supportsCredentialAuthenticationFor

searchForUserByUserAttributeStream

synchronizeRegistrations

addUser

removeUser

getUserById

searchForUserStream

getGroupMembersStream

getRoleMembersStream

loadUsersByUsernames

loadAndValidateUser

getUserByUsername

importUserFromLDAP

queryByEmail

getUserByEmail

preRemove

preRemove

preRemove

validPassword

updateCredential

disableCredentialType

getDisableableCredentialTypesStream

getSupportedCredentialTypes

supportsCredentialType

isConfiguredFor

isValid

authenticate

close

findOrCreateAuthenticatedUser

loadLDAPUserByUsername

loadLDAPUserByUuid

toString