
Example 1 with ProviderConfigurationBuilder

use of org.keycloak.provider.ProviderConfigurationBuilder in project keycloak by keycloak.

Class RoleLDAPStorageMapperFactory, method getProps.

/**
 * Builds the list of configurable properties for the LDAP role mapper.
 *
 * <p>When a parent LDAP provider component is supplied, several defaults are
 * derived from its configuration: the role object class follows the
 * Active Directory flag, the mode is {@code LDAP_ONLY} only when the provider's
 * edit mode is {@code WRITABLE} (otherwise {@code READ_ONLY}), and the
 * membership user attribute follows the provider's username LDAP attribute.
 * Whether import is enabled decides which set of modes is offered, and the
 * recursive retrieval strategy is only offered for Active Directory.
 * With a {@code null} parent, generic defaults are used and import is assumed
 * to be enabled.
 *
 * @param parent the parent LDAP storage provider component, or {@code null}
 * @return the ordered, newly built list of configuration properties
 */
private static List<ProviderConfigProperty> getProps(ComponentModel parent) {
    // Defaults used when no parent provider is available.
    String defaultObjectClasses = LDAPConstants.GROUP_OF_NAMES;
    String defaultMode = LDAPGroupMapperMode.LDAP_ONLY.toString();
    String defaultMembershipUserAttr = LDAPConstants.UID;
    boolean importEnabled = true;
    boolean activeDirectory = false;

    if (parent != null) {
        LDAPConfig ldapConfig = new LDAPConfig(parent.getConfig());
        activeDirectory = ldapConfig.isActiveDirectory();
        defaultObjectClasses = activeDirectory ? LDAPConstants.GROUP : LDAPConstants.GROUP_OF_NAMES;
        // Writing role mappings to LDAP is only the default when the provider itself is writable.
        boolean writable = ldapConfig.getEditMode() == UserStorageProvider.EditMode.WRITABLE;
        defaultMode = (writable ? LDAPGroupMapperMode.LDAP_ONLY : LDAPGroupMapperMode.READ_ONLY).toString();
        defaultMembershipUserAttr = ldapConfig.getUsernameLdapAttribute();
        importEnabled = new UserStorageProviderModel(parent).isImportEnabled();
    }

    ProviderConfigurationBuilder builder = ProviderConfigurationBuilder.create();

    builder.property()
            .name(RoleMapperConfig.ROLES_DN)
            .label("LDAP Roles DN")
            .helpText("LDAP DN where are roles of this tree saved. For example 'ou=finance,dc=example,dc=org' ")
            .type(ProviderConfigProperty.STRING_TYPE)
            .add();

    builder.property()
            .name(RoleMapperConfig.ROLE_NAME_LDAP_ATTRIBUTE)
            .label("Role Name LDAP Attribute")
            .helpText("Name of LDAP attribute, which is used in role objects for name and RDN of role. Usually it will be 'cn' . In this case typical group/role object may have DN like 'cn=role1,ou=finance,dc=example,dc=org' ")
            .type(ProviderConfigProperty.STRING_TYPE)
            .defaultValue(LDAPConstants.CN)
            .add();

    builder.property()
            .name(RoleMapperConfig.ROLE_OBJECT_CLASSES)
            .label("Role Object Classes")
            .helpText("Object class (or classes) of the role object. It's divided by comma if more classes needed. In typical LDAP deployment it could be 'groupOfNames' . In Active Directory it's usually 'group' ")
            .type(ProviderConfigProperty.STRING_TYPE)
            .defaultValue(defaultObjectClasses)
            .add();

    builder.property()
            .name(RoleMapperConfig.MEMBERSHIP_LDAP_ATTRIBUTE)
            .label("Membership LDAP Attribute")
            .helpText("Name of LDAP attribute on role, which is used for membership mappings. Usually it will be 'member' ."
                    + "However when 'Membership Attribute Type' is 'UID' then 'Membership LDAP Attribute' could be typically 'memberUid' .")
            .type(ProviderConfigProperty.STRING_TYPE)
            .defaultValue(LDAPConstants.MEMBER)
            .add();

    builder.property()
            .name(RoleMapperConfig.MEMBERSHIP_ATTRIBUTE_TYPE)
            .label("Membership Attribute Type")
            .helpText("DN means that LDAP role has it's members declared in form of their full DN. For example 'member: uid=john,ou=users,dc=example,dc=com' . "
                    + "UID means that LDAP role has it's members declared in form of pure user uids. For example 'memberUid: john' .")
            .type(ProviderConfigProperty.LIST_TYPE)
            .options(MEMBERSHIP_TYPES)
            .defaultValue(MembershipType.DN.toString())
            .add();

    builder.property()
            .name(RoleMapperConfig.MEMBERSHIP_USER_LDAP_ATTRIBUTE)
            .label("Membership User LDAP Attribute")
            .helpText("Used just if Membership Attribute Type is UID. It is name of LDAP attribute on user, which is used for membership mappings. Usually it will be 'uid' . For example if value of "
                    + "'Membership User LDAP Attribute' is 'uid' and "
                    + " LDAP group has  'memberUid: john', then it is expected that particular LDAP user will have attribute 'uid: john' .")
            .type(ProviderConfigProperty.STRING_TYPE)
            .defaultValue(defaultMembershipUserAttr)
            .add();

    builder.property()
            .name(RoleMapperConfig.ROLES_LDAP_FILTER)
            .label("LDAP Filter")
            .helpText("LDAP Filter adds additional custom filter to the whole query for retrieve LDAP roles. Leave this empty if no additional filtering is needed and you want to retrieve all roles from LDAP. Otherwise make sure that filter starts with '(' and ends with ')'")
            .type(ProviderConfigProperty.STRING_TYPE)
            .add();

    // The IMPORT mode only makes sense when users are imported into the local DB,
    // so the offered options and their explanation depend on the import flag.
    String modeHelp = importEnabled
            ? "LDAP_ONLY means that all role mappings are retrieved from LDAP and saved into LDAP. READ_ONLY is Read-only LDAP mode where role mappings are "
                    + "retrieved from both LDAP and DB and merged together. New role grants are not saved to LDAP but to DB. IMPORT is Read-only LDAP mode where role mappings are retrieved from LDAP just at the time when user is imported from LDAP and then "
                    + "they are saved to local keycloak DB."
            : "LDAP_ONLY means that specified role mappings are writable to LDAP. READ_ONLY means LDAP is readonly.";
    builder.property()
            .name(RoleMapperConfig.MODE)
            .label("Mode")
            .helpText(modeHelp)
            .type(ProviderConfigProperty.LIST_TYPE)
            .options(importEnabled ? MODES : NO_IMPORT_MODES)
            .defaultValue(defaultMode)
            .add();

    List<String> retrieveStrategies = new LinkedList<>(userRolesStrategies.keySet());
    String retrieveHelp = "Specify how to retrieve roles of user. LOAD_ROLES_BY_MEMBER_ATTRIBUTE means that roles of user will be retrieved by sending LDAP query to retrieve all roles where 'member' is our user. "
            + "GET_ROLES_FROM_USER_MEMBEROF_ATTRIBUTE means that roles of user will be retrieved from 'memberOf' attribute of our user. Or from the other attribute specified by 'Member-Of LDAP Attribute' . ";
    if (!activeDirectory) {
        // Recursive retrieval relies on an Active Directory specific extension; hide it elsewhere.
        retrieveStrategies.remove(RoleMapperConfig.LOAD_ROLES_BY_MEMBER_ATTRIBUTE_RECURSIVELY);
    } else {
        retrieveHelp += "LOAD_ROLES_BY_MEMBER_ATTRIBUTE_RECURSIVELY is applicable just in Active Directory and it means that roles of user will be retrieved recursively with usage of LDAP_MATCHING_RULE_IN_CHAIN Ldap extension.";
    }

    builder.property()
            .name(RoleMapperConfig.USER_ROLES_RETRIEVE_STRATEGY)
            .label("User Roles Retrieve Strategy")
            .helpText(retrieveHelp)
            .type(ProviderConfigProperty.LIST_TYPE)
            .options(retrieveStrategies)
            .defaultValue(RoleMapperConfig.LOAD_ROLES_BY_MEMBER_ATTRIBUTE)
            .add();

    builder.property()
            .name(GroupMapperConfig.MEMBEROF_LDAP_ATTRIBUTE)
            .label("Member-Of LDAP Attribute")
            .helpText("Used just when 'User Roles Retrieve Strategy' is GET_ROLES_FROM_USER_MEMBEROF_ATTRIBUTE . "
                    + "It specifies the name of the LDAP attribute on the LDAP user, which contains the roles (LDAP Groups), which the user is member of. "
                    + "Usually it will be 'memberOf' and that's also the default value.")
            .type(ProviderConfigProperty.STRING_TYPE)
            .defaultValue(LDAPConstants.MEMBER_OF)
            .add();

    builder.property()
            .name(RoleMapperConfig.USE_REALM_ROLES_MAPPING)
            .label("Use Realm Roles Mapping")
            .helpText("If true, then LDAP role mappings will be mapped to realm role mappings in Keycloak. Otherwise it will be mapped to client role mappings")
            .type(ProviderConfigProperty.BOOLEAN_TYPE)
            .defaultValue("true")
            .add();

    builder.property()
            .name(RoleMapperConfig.CLIENT_ID)
            .label("Client ID")
            .helpText("Client ID of client to which LDAP role mappings will be mapped. Applicable just if 'Use Realm Roles Mapping' is false")
            .type(ProviderConfigProperty.CLIENT_LIST_TYPE)
            .add();

    return builder.build();
}

Example 2 with ProviderConfigurationBuilder

use of org.keycloak.provider.ProviderConfigurationBuilder in project keycloak by keycloak.

Class GroupLDAPStorageMapperFactory, method getProps.

/**
 * Builds the list of configurable properties for the LDAP group mapper.
 *
 * <p>When a parent LDAP provider component is supplied, several defaults are
 * derived from its configuration: the group object class follows the
 * Active Directory flag, the mode is {@code LDAP_ONLY} only when the provider's
 * edit mode is {@code WRITABLE} (otherwise {@code READ_ONLY}), and the
 * membership user attribute follows the provider's username LDAP attribute.
 * Whether import is enabled decides which set of modes is offered, and the
 * recursive retrieval strategy is only offered for Active Directory.
 * With a {@code null} parent, generic defaults are used and import is assumed
 * to be enabled.
 *
 * @param parent the parent LDAP storage provider component, or {@code null}
 * @return the ordered, newly built list of configuration properties
 */
private static List<ProviderConfigProperty> getProps(ComponentModel parent) {
    // Defaults used when no parent provider is available.
    String groupObjectClassesDefault = LDAPConstants.GROUP_OF_NAMES;
    String modeDefault = LDAPGroupMapperMode.LDAP_ONLY.toString();
    String membershipUserAttrDefault = LDAPConstants.UID;
    boolean importEnabled = true;
    boolean ad = false;

    if (parent != null) {
        LDAPConfig ldapConfig = new LDAPConfig(parent.getConfig());
        ad = ldapConfig.isActiveDirectory();
        groupObjectClassesDefault = ad ? LDAPConstants.GROUP : LDAPConstants.GROUP_OF_NAMES;
        // Writing group mappings to LDAP is only the default when the provider itself is writable.
        boolean writable = ldapConfig.getEditMode() == UserStorageProvider.EditMode.WRITABLE;
        modeDefault = (writable ? LDAPGroupMapperMode.LDAP_ONLY : LDAPGroupMapperMode.READ_ONLY).toString();
        membershipUserAttrDefault = ldapConfig.getUsernameLdapAttribute();
        importEnabled = new UserStorageProviderModel(parent).isImportEnabled();
    }

    ProviderConfigurationBuilder builder = ProviderConfigurationBuilder.create();

    builder.property()
            .name(GroupMapperConfig.GROUPS_DN)
            .label("LDAP Groups DN")
            .helpText("LDAP DN where are groups of this tree saved. For example 'ou=groups,dc=example,dc=org' ")
            .type(ProviderConfigProperty.STRING_TYPE)
            .add();

    builder.property()
            .name(GroupMapperConfig.GROUP_NAME_LDAP_ATTRIBUTE)
            .label("Group Name LDAP Attribute")
            .helpText("Name of LDAP attribute, which is used in group objects for name and RDN of group. Usually it will be 'cn' . In this case typical group/role object may have DN like 'cn=Group1,ou=groups,dc=example,dc=org' ")
            .type(ProviderConfigProperty.STRING_TYPE)
            .defaultValue(LDAPConstants.CN)
            .add();

    builder.property()
            .name(GroupMapperConfig.GROUP_OBJECT_CLASSES)
            .label("Group Object Classes")
            .helpText("Object class (or classes) of the group object. It's divided by comma if more classes needed. In typical LDAP deployment it could be 'groupOfNames' . In Active Directory it's usually 'group' ")
            .type(ProviderConfigProperty.STRING_TYPE)
            .defaultValue(groupObjectClassesDefault)
            .add();

    builder.property()
            .name(GroupMapperConfig.PRESERVE_GROUP_INHERITANCE)
            .label("Preserve Group Inheritance")
            .helpText("Flag whether group inheritance from LDAP should be propagated to Keycloak. If false, then all LDAP groups will be mapped as flat top-level groups in Keycloak. Otherwise group inheritance is "
                    + "preserved into Keycloak, but the group sync might fail if LDAP structure contains recursions or multiple parent groups per child groups")
            .type(ProviderConfigProperty.BOOLEAN_TYPE)
            .defaultValue("true")
            .add();

    builder.property()
            .name(GroupMapperConfig.IGNORE_MISSING_GROUPS)
            .label("Ignore Missing Groups")
            .helpText("Ignore missing groups in the group hierarchy")
            .type(ProviderConfigProperty.BOOLEAN_TYPE)
            .defaultValue("false")
            .add();

    builder.property()
            .name(GroupMapperConfig.MEMBERSHIP_LDAP_ATTRIBUTE)
            .label("Membership LDAP Attribute")
            .helpText("Name of LDAP attribute on group, which is used for membership mappings. Usually it will be 'member' ."
                    + "However when 'Membership Attribute Type' is 'UID' then 'Membership LDAP Attribute' could be typically 'memberUid' .")
            .type(ProviderConfigProperty.STRING_TYPE)
            .defaultValue(LDAPConstants.MEMBER)
            .add();

    builder.property()
            .name(GroupMapperConfig.MEMBERSHIP_ATTRIBUTE_TYPE)
            .label("Membership Attribute Type")
            .helpText("DN means that LDAP group has it's members declared in form of their full DN. For example 'member: uid=john,ou=users,dc=example,dc=com' . "
                    + "UID means that LDAP group has it's members declared in form of pure user uids. For example 'memberUid: john' .")
            .type(ProviderConfigProperty.LIST_TYPE)
            .options(MEMBERSHIP_TYPES)
            .defaultValue(MembershipType.DN.toString())
            .add();

    builder.property()
            .name(RoleMapperConfig.MEMBERSHIP_USER_LDAP_ATTRIBUTE)
            .label("Membership User LDAP Attribute")
            .helpText("Used just if Membership Attribute Type is UID. It is name of LDAP attribute on user, which is used for membership mappings. Usually it will be 'uid' . For example if value of "
                    + "'Membership User LDAP Attribute' is 'uid' and "
                    + " LDAP group has  'memberUid: john', then it is expected that particular LDAP user will have attribute 'uid: john' .")
            .type(ProviderConfigProperty.STRING_TYPE)
            .defaultValue(membershipUserAttrDefault)
            .add();

    builder.property()
            .name(GroupMapperConfig.GROUPS_LDAP_FILTER)
            .label("LDAP Filter")
            .helpText("LDAP Filter adds additional custom filter to the whole query for retrieve LDAP groups. Leave this empty if no additional filtering is needed and you want to retrieve all groups from LDAP. Otherwise make sure that filter starts with '(' and ends with ')'")
            .type(ProviderConfigProperty.STRING_TYPE)
            .add();

    // The IMPORT mode only makes sense when users are imported into the local DB,
    // so the offered options and their explanation depend on the import flag.
    String modeHelp = importEnabled
            ? "LDAP_ONLY means that all group mappings of users are retrieved from LDAP and saved into LDAP. READ_ONLY is Read-only LDAP mode where group mappings are "
                    + "retrieved from both LDAP and DB and merged together. New group joins are not saved to LDAP but to DB. IMPORT is Read-only LDAP mode where group mappings are "
                    + "retrieved from LDAP just at the time when user is imported from LDAP and then "
                    + "they are saved to local keycloak DB."
            : "LDAP_ONLY means that specified group mappings are writable to LDAP. "
                    + "READ_ONLY means that group mappings are not writable to LDAP.";
    builder.property()
            .name(GroupMapperConfig.MODE)
            .label("Mode")
            .helpText(modeHelp)
            .type(ProviderConfigProperty.LIST_TYPE)
            .options(importEnabled ? MODES : NO_IMPORT_MODES)
            .defaultValue(modeDefault)
            .add();

    List<String> retrieveStrategies = new LinkedList<>(userGroupsStrategies.keySet());
    String retrieveHelp = "Specify how to retrieve groups of user. LOAD_GROUPS_BY_MEMBER_ATTRIBUTE means that roles of user will be retrieved by sending LDAP query to retrieve all groups where 'member' is our user. "
            + "GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE means that groups of user will be retrieved from 'memberOf' attribute of our user. Or from the other attribute specified by 'Member-Of LDAP Attribute' . ";
    if (!ad) {
        // Recursive retrieval relies on an Active Directory specific extension; hide it elsewhere.
        retrieveStrategies.remove(GroupMapperConfig.LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY);
    } else {
        retrieveHelp += "LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY is applicable just in Active Directory and it means that groups of user will be retrieved recursively with usage of LDAP_MATCHING_RULE_IN_CHAIN Ldap extension.";
    }

    builder.property()
            .name(GroupMapperConfig.USER_ROLES_RETRIEVE_STRATEGY)
            .label("User Groups Retrieve Strategy")
            .helpText(retrieveHelp)
            .type(ProviderConfigProperty.LIST_TYPE)
            .options(retrieveStrategies)
            .defaultValue(GroupMapperConfig.LOAD_GROUPS_BY_MEMBER_ATTRIBUTE)
            .add();

    builder.property()
            .name(GroupMapperConfig.MEMBEROF_LDAP_ATTRIBUTE)
            .label("Member-Of LDAP Attribute")
            .helpText("Used just when 'User Roles Retrieve Strategy' is GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE . "
                    + "It specifies the name of the LDAP attribute on the LDAP user, which contains the groups, which the user is member of. "
                    + "Usually it will be 'memberOf' and that's also the default value.")
            .type(ProviderConfigProperty.STRING_TYPE)
            .defaultValue(LDAPConstants.MEMBER_OF)
            .add();

    builder.property()
            .name(GroupMapperConfig.MAPPED_GROUP_ATTRIBUTES)
            .label("Mapped Group Attributes")
            .helpText("List of names of attributes divided by comma. This points to the list of attributes on LDAP group, which will be mapped as attributes of Group in Keycloak. "
                    + "Leave this empty if no additional group attributes are required to be mapped in Keycloak. ")
            .type(ProviderConfigProperty.STRING_TYPE)
            .add();

    builder.property()
            .name(GroupMapperConfig.DROP_NON_EXISTING_GROUPS_DURING_SYNC)
            .label("Drop non-existing groups during sync")
            .helpText("If this flag is true, then during sync of groups from LDAP to Keycloak, we will keep just those Keycloak groups, which still exists in LDAP. Rest will be deleted")
            .type(ProviderConfigProperty.BOOLEAN_TYPE)
            .defaultValue("false")
            .add();

    builder.property()
            .name(GroupMapperConfig.LDAP_GROUPS_PATH)
            .label("Groups Path")
            .helpText("Keycloak group path the LDAP groups are added to. For example if value '/Applications/App1' is used, "
                    + "then LDAP groups will be available in Keycloak under group 'App1', which is child of top level group 'Applications'. "
                    + "The default value is '/' so LDAP groups will be mapped to the Keycloak groups at the top level. "
                    + "The configured group path must already exists in the Keycloak when creating this mapper.")
            .type(ProviderConfigProperty.STRING_TYPE)
            .defaultValue("/")
            .add();

    return builder.build();
}

Example 3 with ProviderConfigurationBuilder

use of org.keycloak.provider.ProviderConfigurationBuilder in project keycloak by keycloak.

Class UserAttributeLDAPStorageMapperFactory, method getConfigProps.

/**
 * Builds the list of configurable properties for the user-attribute LDAP mapper.
 *
 * <p>The default of the "Read Only" flag is derived from the parent provider's
 * edit mode: it is {@code "false"} only when the provider is {@code WRITABLE},
 * and {@code "true"} for any other edit mode, so a non-writable provider does
 * not get a mapper that attempts to write back to LDAP by default.
 * The "Always Read Value From LDAP" property is only offered when the parent
 * provider has import enabled. With a {@code null} parent, the read-only default
 * is {@code "false"} and the import flag is taken from a fresh, empty provider model.
 *
 * @param p the parent LDAP storage provider component, or {@code null}
 * @return the ordered, newly built list of configuration properties
 */
static List<ProviderConfigProperty> getConfigProps(ComponentModel p) {
    UserStorageProviderModel providerModel =
            p == null ? new UserStorageProviderModel() : new UserStorageProviderModel(p);

    String readOnlyDefault = "false";
    if (p != null) {
        LDAPConfig ldapConfig = new LDAPConfig(providerModel.getConfig());
        // Only a WRITABLE provider gets a writable attribute mapping by default.
        boolean writable = ldapConfig.getEditMode() == UserStorageProvider.EditMode.WRITABLE;
        readOnlyDefault = writable ? "false" : "true";
    }

    ProviderConfigurationBuilder builder = ProviderConfigurationBuilder.create();

    builder.property()
            .name(UserAttributeLDAPStorageMapper.USER_MODEL_ATTRIBUTE)
            .label("User Model Attribute")
            .helpText("Name of the UserModel property or attribute you want to map the LDAP attribute into. For example 'firstName', 'lastName, 'email', 'street' etc.")
            .type(ProviderConfigProperty.STRING_TYPE)
            .add();

    builder.property()
            .name(UserAttributeLDAPStorageMapper.LDAP_ATTRIBUTE)
            .label("LDAP Attribute")
            .helpText("Name of mapped attribute on LDAP object. For example 'cn', 'sn, 'mail', 'street' etc.")
            .type(ProviderConfigProperty.STRING_TYPE)
            .add();

    builder.property()
            .name(UserAttributeLDAPStorageMapper.READ_ONLY)
            .label("Read Only")
            .helpText("Read-only attribute is imported from LDAP to UserModel, but it's not saved back to LDAP when user is updated in Keycloak.")
            .type(ProviderConfigProperty.BOOLEAN_TYPE)
            .defaultValue(readOnlyDefault)
            .add();

    // Reading straight from LDAP instead of the local copy only matters when users are imported.
    if (providerModel.isImportEnabled()) {
        builder.property()
                .name(UserAttributeLDAPStorageMapper.ALWAYS_READ_VALUE_FROM_LDAP)
                .label("Always Read Value From LDAP")
                .helpText("If on, then during reading of the LDAP attribute value will always used instead of the value from Keycloak DB")
                .type(ProviderConfigProperty.BOOLEAN_TYPE)
                .defaultValue("false")
                .add();
    }

    builder.property()
            .name(UserAttributeLDAPStorageMapper.IS_MANDATORY_IN_LDAP)
            .label("Is Mandatory In LDAP")
            .helpText("If true, attribute is mandatory in LDAP. Hence if there is no value in Keycloak DB, the default or empty value will be set to be propagated to LDAP")
            .type(ProviderConfigProperty.BOOLEAN_TYPE)
            .defaultValue("false")
            .add();

    builder.property()
            .name(UserAttributeLDAPStorageMapper.ATTRIBUTE_DEFAULT_VALUE)
            .label("Attribute default value")
            .helpText("If there is no value in Keycloak DB and attribute is mandatory in LDAP, this value will be propagated to LDAP")
            .type(ProviderConfigProperty.STRING_TYPE)
            .defaultValue("")
            .add();

    builder.property()
            .name(UserAttributeLDAPStorageMapper.IS_BINARY_ATTRIBUTE)
            .label("Is Binary Attribute")
            .helpText("Should be true for binary LDAP attributes")
            .type(ProviderConfigProperty.BOOLEAN_TYPE)
            .defaultValue("false")
            .add();

    return builder.build();
}

Example 4 with ProviderConfigurationBuilder

use of org.keycloak.provider.ProviderConfigurationBuilder in project keycloak by keycloak.

Class CertificateLDAPStorageMapperFactory, method getCertificateConfigProperties.

/**
 * Builds the configurable properties for the certificate LDAP mapper.
 *
 * <p>The result is the generic user-attribute property set obtained from
 * {@code getConfigProps(null)} (so the parent-dependent defaults of that
 * method are not applied), followed by the certificate-specific
 * "DER Formatted" flag.
 *
 * @param p the parent LDAP storage provider component; not consulted here
 * @return a new mutable list holding the base properties plus the DER flag
 */
private static List<ProviderConfigProperty> getCertificateConfigProperties(ComponentModel p) {
    ProviderConfigurationBuilder certificateProps = ProviderConfigurationBuilder.create();
    certificateProps.property()
            .name(CertificateLDAPStorageMapper.IS_DER_FORMATTED)
            .label("DER Formatted")
            .helpText("Activate this if the certificate is DER formatted in LDAP and not PEM formatted.")
            .type(ProviderConfigProperty.BOOLEAN_TYPE)
            .add();

    // Copy into a fresh list so the base property list is never mutated.
    List<ProviderConfigProperty> result = new ArrayList<>(getConfigProps(null));
    result.addAll(certificateProps.build());
    return result;
}
