Package org.keycloak.storage.ldap
Class LDAPStorageProvider
java.lang.Object
org.keycloak.storage.ldap.LDAPStorageProvider
- All Implemented Interfaces:
CredentialAuthentication, CredentialInputUpdater, CredentialInputValidator, Provider, ImportedUserValidation, UserLookupProvider, UserQueryMethodsProvider, UserRegistrationProvider, UserStorageProvider, UserProfileDecorator
public class LDAPStorageProvider
extends Object
implements UserStorageProvider, CredentialInputValidator, CredentialInputUpdater, CredentialAuthentication, UserLookupProvider, UserRegistrationProvider, UserQueryMethodsProvider, ImportedUserValidation, UserProfileDecorator
- Version:
- $Revision: 1 $
- Author:
- Marek Posolda, Bill Burke
Nested Class Summary
Nested classes/interfaces inherited from interface org.keycloak.storage.UserStorageProvider:
- UserStorageProvider.EditMode
Field Summary
Fields (modifier and type, field name):
- protected UserStorageProvider.EditMode editMode
- protected LDAPStorageProviderFactory factory
- protected LDAPProviderKerberosConfig kerberosConfig
- protected LDAPIdentityStore ldapIdentityStore
- protected LDAPStorageMapperManager mapperManager
- protected UserStorageProviderModel model
- protected KeycloakSession session
- protected PasswordUpdateCallback updater
- protected LDAPStorageUserManager userManager
Constructor Summary
- LDAPStorageProvider(LDAPStorageProviderFactory factory, KeycloakSession session, ComponentModel model, LDAPIdentityStore ldapIdentityStore)
Method Summary
Methods (modifier and type, method, description):
- addUser(RealmModel realm, String username): All storage providers that implement this interface will be looped through.
- authenticate(RealmModel realm, CredentialInput cred)
- void close()
- decorateUserProfile(String providerId, UserProfileMetadata metadata): Decorates user profile with additional metadata.
- void disableCredentialType(RealmModel realm, UserModel user, String credentialType)
- protected UserModel findOrCreateAuthenticatedUser(RealmModel realm, KerberosPrincipal kerberosPrincipal): Called after successful kerberos authentication.
- getCredentials(RealmModel realm, UserModel user): Returns a stream of CredentialModel instances managed by this provider for the given user.
- getDisableableCredentialTypesStream(RealmModel realm, UserModel user): Obtains the set of credential types that can be disabled via disableCredentialType.
- Stream<UserModel> getGroupMembersStream(RealmModel realm, GroupModel group, Integer firstResult, Integer maxResults): Obtains users that belong to a specific group.
- getModel()
- Stream<UserModel> getRoleMembersStream(RealmModel realm, RoleModel role, Integer firstResult, Integer maxResults): Searches for users that have the specified role.
- getUserByEmail(RealmModel realm, String email): Returns a user with the given email belonging to the realm.
- getUserById(RealmModel realm, String id): Returns a user with the given id belonging to the realm.
- getUserByUsername(RealmModel realm, String username): Exact search for a user by its username.
- protected UserModel importUserFromLDAP(KeycloakSession session, RealmModel realm, LDAPObject ldapUser)
- protected UserModel importUserFromLDAP(KeycloakSession session, RealmModel realm, LDAPObject ldapUser, LDAPStorageProvider.ImportType importType)
- boolean isConfiguredFor(RealmModel realm, UserModel user, String credentialType)
- boolean isValid(RealmModel realm, UserModel user, CredentialInput input): Tests whether a credential is valid.
- protected LDAPObject loadAndValidateUser(RealmModel realm, UserModel local)
- loadLDAPUserByDN(RealmModel realm, LDAPDn dn)
- loadLDAPUserByUsername(RealmModel realm, String username)
- loadLDAPUserByUuid(RealmModel realm, String uuid)
- Stream<UserModel> loadUsersByDNs(RealmModel realm, Collection<LDAPDn> dns, int firstResult, int maxResults)
- Stream<UserModel> loadUsersByUniqueAttribute(RealmModel realm, String uidName, Collection<String> uids, int firstResult, int maxResults)
- loadUsersByUsernames(List<String> usernames, RealmModel realm)
- void preRemove(RealmModel realm): Callback when a realm is removed.
- void preRemove(RealmModel realm, GroupModel group): Callback when a group is removed.
- void preRemove(RealmModel realm, RoleModel role): Callback when a role is removed.
- protected UserModel proxy(RealmModel realm, UserModel local, LDAPObject ldapObject, boolean newUser)
- protected LDAPObject queryByEmail(RealmModel realm, String email)
- boolean removeUser(RealmModel realm, UserModel user): Called if user originated from this provider.
- Stream<UserModel> searchForUserByUserAttributeStream(RealmModel realm, String attrName, String attrValue): Searches for users that have a specific attribute with a specific value.
- Stream<UserModel> searchForUserStream(RealmModel realm, Map<String, String> params, Integer firstResult, Integer maxResults): LDAP search supports UserModel.SEARCH, UserModel.EXACT and all the other user attributes that are managed by a mapper (method getUserAttributes).
- void setUpdater(PasswordUpdateCallback updater)
- boolean supportsCredentialType(String credentialType)
- boolean synchronizeRegistrations()
- toString()
- boolean updateCredential(RealmModel realm, UserModel user, CredentialInput input)
- validate(RealmModel realm, UserModel local): If this method returns null, then the user in local storage will be removed.
- boolean validPassword(RealmModel realm, UserModel user, String password)
Methods inherited from class java.lang.Object:
clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait
Methods inherited from interface org.keycloak.storage.user.UserLookupProvider:
getUserByCredential
Methods inherited from interface org.keycloak.storage.user.UserQueryMethodsProvider:
getGroupMembersStream, getGroupMembersStream, getRoleMembersStream, searchForUserStream, searchForUserStream, searchForUserStream
Field Details
- INTERNAL_ATTRIBUTES
- factory
- session
- model
- ldapIdentityStore
- editMode
- kerberosConfig
- updater
- mapperManager
- userManager
- supportedCredentialTypes
Constructor Details
LDAPStorageProvider
public LDAPStorageProvider(LDAPStorageProviderFactory factory, KeycloakSession session, ComponentModel model, LDAPIdentityStore ldapIdentityStore)
Method Details
setUpdater
getSession
getLdapIdentityStore
getEditMode
getModel
getKerberosConfig
getMapperManager
getUserManager
validate
Description copied from interface: ImportedUserValidation
If this method returns null, then the user in local storage will be removed.
- Specified by: validate in interface ImportedUserValidation
- Returns: null if user no longer valid
proxy
protected UserModel proxy(RealmModel realm, UserModel local, LDAPObject ldapObject, boolean newUser)
supportsCredentialAuthenticationFor
- Specified by: supportsCredentialAuthenticationFor in interface CredentialAuthentication
searchForUserByUserAttributeStream
public Stream<UserModel> searchForUserByUserAttributeStream(RealmModel realm, String attrName, String attrValue)
Description copied from interface: UserQueryMethodsProvider
Searches for users that have a specific attribute with a specific value.
- Specified by: searchForUserByUserAttributeStream in interface UserQueryMethodsProvider
- Parameters:
  realm - a reference to the realm.
  attrName - the attribute name.
  attrValue - the attribute value.
- Returns: a non-null Stream of users that match the search criteria.
synchronizeRegistrations
public boolean synchronizeRegistrations()
addUser
Description copied from interface: UserRegistrationProvider
All storage providers that implement this interface will be looped through. If this method returns null, then the next storage provider's addUser() method will be called. If no storage providers handle the add, then the user will be created in local storage. Returning null is useful when you want optional support for adding users. For example, our LDAP provider can enable and disable the ability to add users.
- Specified by: addUser in interface UserRegistrationProvider
- Parameters:
  realm - a reference to the realm
  username - a username the created user will be assigned
- Returns: a model of the created user
removeUser
Description copied from interface: UserRegistrationProvider
Called if user originated from this provider. If a local user is linked to this provider, this method will be called before local storage's removeUser() method is invoked. If you are using an import strategy, and this is a local user linked to this provider, this method will be called before local storage's removeUser() method is invoked. Also, you DO NOT need to remove the imported user. The runtime will handle this for you.
- Specified by: removeUser in interface UserRegistrationProvider
- Parameters:
  realm - a reference to the realm
  user - a reference to the user that is removed
- Returns: true if the user was removed, false otherwise
getUserById
Description copied from interface: UserLookupProvider
Returns a user with the given id belonging to the realm.
- Specified by: getUserById in interface UserLookupProvider
- Parameters:
  realm - the realm model
  id - id of the user
- Returns: found user model, or null if no such user exists
searchForUserStream
public Stream<UserModel> searchForUserStream(RealmModel realm, Map<String, String> params, Integer firstResult, Integer maxResults)
LDAP search supports UserModel.SEARCH, UserModel.EXACT and all the other user attributes that are managed by a mapper (method getUserAttributes).
- Specified by: searchForUserStream in interface UserQueryMethodsProvider
- Parameters:
  realm - a reference to the realm.
  params - a map containing the search parameters.
  firstResult - first result to return. Ignored if negative, zero, or null.
  maxResults - maximum number of results to return. Ignored if negative or null.
- Returns: a non-null Stream of users that match the search criteria.
getGroupMembersStream
public Stream<UserModel> getGroupMembersStream(RealmModel realm, GroupModel group, Integer firstResult, Integer maxResults)
Description copied from interface: UserQueryMethodsProvider
Obtains users that belong to a specific group.
- Specified by: getGroupMembersStream in interface UserQueryMethodsProvider
- Parameters:
  realm - a reference to the realm.
  group - a reference to the group.
  firstResult - first result to return. Ignored if negative, zero, or null.
  maxResults - maximum number of results to return. Ignored if negative or null.
- Returns: a non-null Stream of users that belong to the group.
getRoleMembersStream
public Stream<UserModel> getRoleMembersStream(RealmModel realm, RoleModel role, Integer firstResult, Integer maxResults)
Description copied from interface: UserQueryMethodsProvider
Searches for users that have the specified role.
- Specified by: getRoleMembersStream in interface UserQueryMethodsProvider
- Parameters:
  realm - a reference to the realm.
  role - a reference to the role.
  firstResult - first result to return. Ignored if negative or null.
  maxResults - maximum number of results to return. Ignored if negative or null.
- Returns: a non-null Stream of users that have the specified role.
loadUsersByUsernames
loadUsersByDNs
public Stream<UserModel> loadUsersByDNs(RealmModel realm, Collection<LDAPDn> dns, int firstResult, int maxResults)
loadUsersByUniqueAttribute
public Stream<UserModel> loadUsersByUniqueAttribute(RealmModel realm, String uidName, Collection<String> uids, int firstResult, int maxResults)
loadAndValidateUser
- Parameters:
  local -
- Returns: ldapUser corresponding to the local user, or null if the user is no longer in LDAP
getUserByUsername
Description copied from interface: UserLookupProvider
Exact search for a user by its username. Returns a user with the given username belonging to the realm.
- Specified by: getUserByUsername in interface UserLookupProvider
- Parameters:
  realm - the realm model
  username - (case-sensitivity is controlled by storage)
- Returns: found user model, or null if no such user exists
importUserFromLDAP
protected UserModel importUserFromLDAP(KeycloakSession session, RealmModel realm, LDAPObject ldapUser)
importUserFromLDAP
protected UserModel importUserFromLDAP(KeycloakSession session, RealmModel realm, LDAPObject ldapUser, LDAPStorageProvider.ImportType importType)
queryByEmail
getUserByEmail
Description copied from interface: UserLookupProvider
Returns a user with the given email belonging to the realm.
- Specified by: getUserByEmail in interface UserLookupProvider
- Parameters:
  realm - the realm model
  email - email address
- Returns: found user model, or null if no such user exists
preRemove
Description copied from interface: UserStorageProvider
Callback when a realm is removed. Implement this if, for example, you want to do some cleanup in your user storage when a realm is removed.
- Specified by: preRemove in interface UserStorageProvider
preRemove
Description copied from interface: UserStorageProvider
Callback when a role is removed. Allows you to do things like remove a user role mapping in your external store if appropriate.
- Specified by: preRemove in interface UserStorageProvider
preRemove
Description copied from interface: UserStorageProvider
Callback when a group is removed. Allows you to do things like remove a user group mapping in your external store if appropriate.
- Specified by: preRemove in interface UserStorageProvider
validPassword
updateCredential
- Specified by: updateCredential in interface CredentialInputUpdater
disableCredentialType
- Specified by: disableCredentialType in interface CredentialInputUpdater
getDisableableCredentialTypesStream
Description copied from interface: CredentialInputUpdater
Obtains the set of credential types that can be disabled via disableCredentialType.
- Specified by: getDisableableCredentialTypesStream in interface CredentialInputUpdater
- Parameters:
  realm - a reference to the realm.
  user - the user whose credentials are being searched.
- Returns: a non-null Stream of credential types.
getSupportedCredentialTypes
supportsCredentialType
- Specified by: supportsCredentialType in interface CredentialInputUpdater
- Specified by: supportsCredentialType in interface CredentialInputValidator
isConfiguredFor
- Specified by: isConfiguredFor in interface CredentialInputValidator
isValid
Description copied from interface: CredentialInputValidator
Tests whether a credential is valid.
- Specified by: isValid in interface CredentialInputValidator
- Parameters:
  realm - the realm to which the credential belongs
  user - the user for which to test the credential
  input - the credential details to verify
- Returns: true if the passed secret is correct
authenticate
- Specified by: authenticate in interface CredentialAuthentication
close
public void close()
findOrCreateAuthenticatedUser
protected UserModel findOrCreateAuthenticatedUser(RealmModel realm, KerberosPrincipal kerberosPrincipal)
Called after successful kerberos authentication.
- Parameters:
  realm - realm
  kerberosPrincipal - kerberos principal of the authenticated user
- Returns: found or newly created user
loadLDAPUserByUsername
loadLDAPUserByUuid
loadLDAPUserByDN
toString
decorateUserProfile
Description copied from interface: UserProfileDecorator
Decorates user profile with additional metadata. For instance, metadata attributes that are available only for your user-storage provider can be added there, so they are available only for the users coming from your provider.
This method is invoked every time a user is being managed through a user profile provider.
- Specified by: decorateUserProfile in interface UserProfileDecorator
- Parameters:
  providerId - the id of the user storage provider with which the user is associated
  metadata - the current UserProfileMetadata for the current realm
- Returns: a list of attribute metadata. The AttributeMetadata returned from this method overrides any other metadata already set in metadata for a given attribute.
getCredentials
Description copied from interface: CredentialInputUpdater
Returns a stream of CredentialModel instances managed by this provider for the given user.
- Specified by: getCredentials in interface CredentialInputUpdater
- Parameters:
  realm - the realm
  user - the user
- Returns: the credentials managed by this provider for the given user