Example 1 with LDAPConfig
use of org.keycloak.storage.ldap.LDAPConfig in project keycloak by keycloak.
the class GroupLDAPStorageMapper method syncFlatGroupStructure.
private void syncFlatGroupStructure(RealmModel realm, SynchronizationResult syncResult, Map<String, LDAPObject> ldapGroupsMap) {
Set<String> visitedGroupIds = new HashSet<>();
// Just add flat structure of groups with all groups at groups path
LDAPConfig ldapConfig = ldapProvider.getLdapIdentityStore().getConfig();
final int groupsPerTransaction = ldapConfig.getBatchSizeForSync();
Set<Map.Entry<String, LDAPObject>> entries = ldapGroupsMap.entrySet();
for (Iterator<Map.Entry<String, LDAPObject>> it = entries.iterator(); it.hasNext(); ) {
KeycloakModelUtils.runJobInTransaction(ldapProvider.getSession().getKeycloakSessionFactory(), session -> {
// KEYCLOAK-8253 The retrieval of the current realm to operate at, was intentionally left
// outside the following for loop! This prevents the scenario, when LDAP group sync time
// initially improves, but during the time (after ~20K groups are synced) degrades again
// due to the realm cache being bloated with huge amount of (temporary) realm entities
RealmModel currentRealm = session.realms().getRealm(realm.getId());
// List of group path groups known to the whole transaction
Map<String, GroupModel> transactionGroupPathGroups = getKcSubGroups(currentRealm, null).collect(Collectors.toMap(GroupModel::getName, Function.identity()));
for (int i = 0; i < groupsPerTransaction && it.hasNext(); i++) {
Map.Entry<String, LDAPObject> groupEntry = it.next();
String groupName = groupEntry.getKey();
GroupModel kcExistingGroup = transactionGroupPathGroups.get(groupName);
if (kcExistingGroup != null) {
syncExistingGroup(kcExistingGroup, groupEntry, syncResult, visitedGroupIds, groupName);
} else {
syncNonExistingGroup(realm, groupEntry, syncResult, visitedGroupIds, groupName);
}
}
});
}
// Possibly remove keycloak groups, which don't exist in LDAP
if (config.isDropNonExistingGroupsDuringSync()) {
dropNonExistingKcGroups(realm, syncResult, visitedGroupIds);
}
}
Also used :
GroupModel(org.keycloak.models.GroupModel)
RealmModel(org.keycloak.models.RealmModel)
LDAPConfig(org.keycloak.storage.ldap.LDAPConfig)
LDAPObject(org.keycloak.storage.ldap.idm.model.LDAPObject)
HashMap(java.util.HashMap)
Map(java.util.Map)
HashSet(java.util.HashSet)
Example 2 with LDAPConfig
use of org.keycloak.storage.ldap.LDAPConfig in project keycloak by keycloak.
the class GroupLDAPStorageMapper method getLDAPGroupMappings.
protected List<LDAPObject> getLDAPGroupMappings(LDAPObject ldapUser) {
String strategyKey = config.getUserGroupsRetrieveStrategy();
UserRolesRetrieveStrategy strategy = factory.getUserGroupsRetrieveStrategy(strategyKey);
LDAPConfig ldapConfig = ldapProvider.getLdapIdentityStore().getConfig();
return strategy.getLDAPRoleMappings(this, ldapUser, ldapConfig);
}
Also used :
UserRolesRetrieveStrategy(org.keycloak.storage.ldap.mappers.membership.UserRolesRetrieveStrategy)
LDAPConfig(org.keycloak.storage.ldap.LDAPConfig)
Example 3 with LDAPConfig
use of org.keycloak.storage.ldap.LDAPConfig in project keycloak by keycloak.
the class RoleLDAPStorageMapperFactory method getProps.
private static List<ProviderConfigProperty> getProps(ComponentModel parent) {
String roleObjectClasses = LDAPConstants.GROUP_OF_NAMES;
String mode = LDAPGroupMapperMode.LDAP_ONLY.toString();
String membershipUserAttribute = LDAPConstants.UID;
boolean importEnabled = true;
boolean isActiveDirectory = false;
if (parent != null) {
LDAPConfig config = new LDAPConfig(parent.getConfig());
roleObjectClasses = config.isActiveDirectory() ? LDAPConstants.GROUP : LDAPConstants.GROUP_OF_NAMES;
mode = config.getEditMode() == UserStorageProvider.EditMode.WRITABLE ? LDAPGroupMapperMode.LDAP_ONLY.toString() : LDAPGroupMapperMode.READ_ONLY.toString();
membershipUserAttribute = config.getUsernameLdapAttribute();
importEnabled = new UserStorageProviderModel(parent).isImportEnabled();
isActiveDirectory = config.isActiveDirectory();
}
ProviderConfigurationBuilder config = ProviderConfigurationBuilder.create().property().name(RoleMapperConfig.ROLES_DN).label("LDAP Roles DN").helpText("LDAP DN where are roles of this tree saved. For example 'ou=finance,dc=example,dc=org' ").type(ProviderConfigProperty.STRING_TYPE).add().property().name(RoleMapperConfig.ROLE_NAME_LDAP_ATTRIBUTE).label("Role Name LDAP Attribute").helpText("Name of LDAP attribute, which is used in role objects for name and RDN of role. Usually it will be 'cn' . In this case typical group/role object may have DN like 'cn=role1,ou=finance,dc=example,dc=org' ").type(ProviderConfigProperty.STRING_TYPE).defaultValue(LDAPConstants.CN).add().property().name(RoleMapperConfig.ROLE_OBJECT_CLASSES).label("Role Object Classes").helpText("Object class (or classes) of the role object. It's divided by comma if more classes needed. In typical LDAP deployment it could be 'groupOfNames' . In Active Directory it's usually 'group' ").type(ProviderConfigProperty.STRING_TYPE).defaultValue(roleObjectClasses).add().property().name(RoleMapperConfig.MEMBERSHIP_LDAP_ATTRIBUTE).label("Membership LDAP Attribute").helpText("Name of LDAP attribute on role, which is used for membership mappings. Usually it will be 'member' ." + "However when 'Membership Attribute Type' is 'UID' then 'Membership LDAP Attribute' could be typically 'memberUid' .").type(ProviderConfigProperty.STRING_TYPE).defaultValue(LDAPConstants.MEMBER).add().property().name(RoleMapperConfig.MEMBERSHIP_ATTRIBUTE_TYPE).label("Membership Attribute Type").helpText("DN means that LDAP role has it's members declared in form of their full DN. For example 'member: uid=john,ou=users,dc=example,dc=com' . " + "UID means that LDAP role has it's members declared in form of pure user uids. For example 'memberUid: john' .").type(ProviderConfigProperty.LIST_TYPE).options(MEMBERSHIP_TYPES).defaultValue(MembershipType.DN.toString()).add().property().name(RoleMapperConfig.MEMBERSHIP_USER_LDAP_ATTRIBUTE).label("Membership User LDAP Attribute").helpText("Used just if Membership Attribute Type is UID. It is name of LDAP attribute on user, which is used for membership mappings. Usually it will be 'uid' . For example if value of " + "'Membership User LDAP Attribute' is 'uid' and " + " LDAP group has 'memberUid: john', then it is expected that particular LDAP user will have attribute 'uid: john' .").type(ProviderConfigProperty.STRING_TYPE).defaultValue(membershipUserAttribute).add().property().name(RoleMapperConfig.ROLES_LDAP_FILTER).label("LDAP Filter").helpText("LDAP Filter adds additional custom filter to the whole query for retrieve LDAP roles. Leave this empty if no additional filtering is needed and you want to retrieve all roles from LDAP. Otherwise make sure that filter starts with '(' and ends with ')'").type(ProviderConfigProperty.STRING_TYPE).add();
if (importEnabled) {
config.property().name(RoleMapperConfig.MODE).label("Mode").helpText("LDAP_ONLY means that all role mappings are retrieved from LDAP and saved into LDAP. READ_ONLY is Read-only LDAP mode where role mappings are " + "retrieved from both LDAP and DB and merged together. New role grants are not saved to LDAP but to DB. IMPORT is Read-only LDAP mode where role mappings are retrieved from LDAP just at the time when user is imported from LDAP and then " + "they are saved to local keycloak DB.").type(ProviderConfigProperty.LIST_TYPE).options(MODES).defaultValue(mode).add();
} else {
config.property().name(RoleMapperConfig.MODE).label("Mode").helpText("LDAP_ONLY means that specified role mappings are writable to LDAP. READ_ONLY means LDAP is readonly.").type(ProviderConfigProperty.LIST_TYPE).options(NO_IMPORT_MODES).defaultValue(mode).add();
}
List<String> roleRetrievers = new LinkedList<>(userRolesStrategies.keySet());
String roleRetrieveHelpText = "Specify how to retrieve roles of user. LOAD_ROLES_BY_MEMBER_ATTRIBUTE means that roles of user will be retrieved by sending LDAP query to retrieve all roles where 'member' is our user. " + "GET_ROLES_FROM_USER_MEMBEROF_ATTRIBUTE means that roles of user will be retrieved from 'memberOf' attribute of our user. Or from the other attribute specified by 'Member-Of LDAP Attribute' . ";
if (isActiveDirectory) {
roleRetrieveHelpText = roleRetrieveHelpText + "LOAD_ROLES_BY_MEMBER_ATTRIBUTE_RECURSIVELY is applicable just in Active Directory and it means that roles of user will be retrieved recursively with usage of LDAP_MATCHING_RULE_IN_CHAIN Ldap extension.";
} else {
// Option should be available just for the Active Directory
roleRetrievers.remove(RoleMapperConfig.LOAD_ROLES_BY_MEMBER_ATTRIBUTE_RECURSIVELY);
}
config.property().name(RoleMapperConfig.USER_ROLES_RETRIEVE_STRATEGY).label("User Roles Retrieve Strategy").helpText(roleRetrieveHelpText).type(ProviderConfigProperty.LIST_TYPE).options(roleRetrievers).defaultValue(RoleMapperConfig.LOAD_ROLES_BY_MEMBER_ATTRIBUTE).add().property().name(GroupMapperConfig.MEMBEROF_LDAP_ATTRIBUTE).label("Member-Of LDAP Attribute").helpText("Used just when 'User Roles Retrieve Strategy' is GET_ROLES_FROM_USER_MEMBEROF_ATTRIBUTE . " + "It specifies the name of the LDAP attribute on the LDAP user, which contains the roles (LDAP Groups), which the user is member of. " + "Usually it will be 'memberOf' and that's also the default value.").type(ProviderConfigProperty.STRING_TYPE).defaultValue(LDAPConstants.MEMBER_OF).add().property().name(RoleMapperConfig.USE_REALM_ROLES_MAPPING).label("Use Realm Roles Mapping").helpText("If true, then LDAP role mappings will be mapped to realm role mappings in Keycloak. Otherwise it will be mapped to client role mappings").type(ProviderConfigProperty.BOOLEAN_TYPE).defaultValue("true").add().property().name(RoleMapperConfig.CLIENT_ID).label("Client ID").helpText("Client ID of client to which LDAP role mappings will be mapped. Applicable just if 'Use Realm Roles Mapping' is false").type(ProviderConfigProperty.CLIENT_LIST_TYPE).add();
return config.build();
}
Also used :
ProviderConfigurationBuilder(org.keycloak.provider.ProviderConfigurationBuilder)
LDAPConfig(org.keycloak.storage.ldap.LDAPConfig)
UserStorageProviderModel(org.keycloak.storage.UserStorageProviderModel)
LinkedList(java.util.LinkedList)
Example 4 with LDAPConfig
use of org.keycloak.storage.ldap.LDAPConfig in project keycloak by keycloak.
the class LDAPMappersComparatorTest method testCompareWithCNUsername.
@Test
public void testCompareWithCNUsername() {
MultivaluedHashMap<String, String> cfg = new MultivaluedHashMap<>();
cfg.add(LDAPConstants.USERNAME_LDAP_ATTRIBUTE, LDAPConstants.CN);
LDAPMappersComparator ldapMappersComparator = new LDAPMappersComparator(new LDAPConfig(cfg));
List<ComponentModel> mappers = getMappers();
Collections.sort(mappers, ldapMappersComparator.sortAsc());
assertOrder(mappers, "username-cn", "sAMAccountName", "first name", "full name");
Collections.sort(mappers, ldapMappersComparator.sortDesc());
assertOrder(mappers, "full name", "first name", "sAMAccountName", "username-cn");
}
Also used :
MultivaluedHashMap(org.keycloak.common.util.MultivaluedHashMap)
LDAPMappersComparator(org.keycloak.storage.ldap.mappers.LDAPMappersComparator)
LDAPConfig(org.keycloak.storage.ldap.LDAPConfig)
ComponentModel(org.keycloak.component.ComponentModel)
Test(org.junit.Test)
Example 5 with LDAPConfig
use of org.keycloak.storage.ldap.LDAPConfig in project keycloak by keycloak.
the class LDAPGroupMapperTest method test08_ldapOnlyGroupMappingsRanged.
@Test
public void test08_ldapOnlyGroupMappingsRanged() {
testingClient.server().run(session -> {
// try to do 3 pages (30+30+1)
int membersToTest = 61;
LDAPTestContext ctx = LDAPTestContext.init(session);
RealmModel appRealm = ctx.getRealm();
ComponentModel mapperModel = LDAPTestUtils.getSubcomponentByName(appRealm, ctx.getLdapModel(), "groupsMapper");
LDAPTestUtils.updateGroupMapperConfigOptions(mapperModel, GroupMapperConfig.MODE, LDAPGroupMapperMode.LDAP_ONLY.toString());
appRealm.updateComponent(mapperModel);
// Ignoring this test on ActiveDirectory and rhds as it's currently impossible to import more than 60 users without timeout
LDAPConfig ldapConfig = ctx.getLdapProvider().getLdapIdentityStore().getConfig();
if (ldapConfig.isActiveDirectory() || LDAPConstants.VENDOR_RHDS.equals(ldapConfig.getVendor())) {
return;
}
// create big grups that use ranged search
String descriptionAttrName = getGroupDescriptionLDAPAttrName(ctx.getLdapProvider());
LDAPObject bigGroup = LDAPTestUtils.createLDAPGroup(session, appRealm, ctx.getLdapModel(), "biggroup", descriptionAttrName, "biggroup - description");
// create the users to use range search and add them to the group
for (int i = 0; i < membersToTest; i++) {
String username = String.format("user%02d", i);
LDAPObject user = LDAPTestUtils.addLDAPUser(ctx.getLdapProvider(), appRealm, username, username, username, username + "@email.org", null, "1234");
LDAPUtils.addMember(ctx.getLdapProvider(), MembershipType.DN, LDAPConstants.MEMBER, "not-used", bigGroup, user);
}
// check if ranged intercetor is in place and working
GroupMapperConfig config = new GroupMapperConfig(mapperModel);
bigGroup = LDAPGroupMapperTest.searchObjectInBase(ctx.getLdapProvider(), bigGroup.getDn().toString(), config.getMembershipLdapAttribute());
Assert.assertNotNull(bigGroup.getAttributes().get(config.getMembershipLdapAttribute()));
Assert.assertFalse(bigGroup.isRangeComplete(config.getMembershipLdapAttribute()));
Assert.assertTrue(membersToTest > bigGroup.getAttributeAsSet(config.getMembershipLdapAttribute()).size());
Assert.assertEquals(bigGroup.getCurrentRange(config.getMembershipLdapAttribute()), bigGroup.getAttributeAsSet(config.getMembershipLdapAttribute()).size() - 1);
// now check the population of ranged attributes is OK
LDAPStorageProvider ldapProvider = LDAPTestUtils.getLdapProvider(session, ctx.getLdapModel());
GroupLDAPStorageMapper groupMapper = LDAPTestUtils.getGroupMapper(mapperModel, ldapProvider, appRealm);
groupMapper.syncDataFromFederationProviderToKeycloak(appRealm);
GroupModel kcBigGroup = KeycloakModelUtils.findGroupByPath(appRealm, "/biggroup");
// check all the users have the group assigned
for (int i = 0; i < membersToTest; i++) {
UserModel kcUser = session.users().getUserByUsername(appRealm, String.format("user%02d", i));
Assert.assertTrue("User contains biggroup " + i, kcUser.getGroupsStream().collect(Collectors.toSet()).contains(kcBigGroup));
}
// check the group contains all the users as member
List<UserModel> groupMembers = session.users().getGroupMembersStream(appRealm, kcBigGroup, 0, membersToTest).collect(Collectors.toList());
Assert.assertEquals(membersToTest, groupMembers.size());
Set<String> usernames = groupMembers.stream().map(u -> u.getUsername()).collect(Collectors.toSet());
for (int i = 0; i < membersToTest; i++) {
Assert.assertTrue("Group contains user " + i, usernames.contains(String.format("user%02d", i)));
}
});
}
Also used :
MethodSorters(org.junit.runners.MethodSorters)
LDAPStorageProvider(org.keycloak.storage.ldap.LDAPStorageProvider)
KeycloakModelUtils(org.keycloak.models.utils.KeycloakModelUtils)
SearchControls(javax.naming.directory.SearchControls)
LDAPConstants(org.keycloak.models.LDAPConstants)
ComponentRepresentation(org.keycloak.representations.idm.ComponentRepresentation)
UserModel(org.keycloak.models.UserModel)
LDAPRule(org.keycloak.testsuite.util.LDAPRule)
ComponentModel(org.keycloak.component.ComponentModel)
GroupModel(org.keycloak.models.GroupModel)
ClassRule(org.junit.ClassRule)
LDAPGroupMapperMode(org.keycloak.storage.ldap.mappers.membership.LDAPGroupMapperMode)
LDAPDn(org.keycloak.storage.ldap.idm.model.LDAPDn)
MembershipType(org.keycloak.storage.ldap.mappers.membership.MembershipType)
RealmModel(org.keycloak.models.RealmModel)
LDAPConfig(org.keycloak.storage.ldap.LDAPConfig)
LDAPTestUtils(org.keycloak.testsuite.util.LDAPTestUtils)
Set(java.util.Set)
LDAPTestUtils.getGroupDescriptionLDAPAttrName(org.keycloak.testsuite.util.LDAPTestUtils.getGroupDescriptionLDAPAttrName)
Test(org.junit.Test)
LDAPQuery(org.keycloak.storage.ldap.idm.query.internal.LDAPQuery)
Collectors(java.util.stream.Collectors)
GroupLDAPStorageMapper(org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper)
LDAPObject(org.keycloak.storage.ldap.idm.model.LDAPObject)
List(java.util.List)
Stream(java.util.stream.Stream)
LDAPUtils(org.keycloak.storage.ldap.LDAPUtils)
ModelException(org.keycloak.models.ModelException)
Assert(org.junit.Assert)
FixMethodOrder(org.junit.FixMethodOrder)
GroupMapperConfig(org.keycloak.storage.ldap.mappers.membership.group.GroupMapperConfig)
LDAPStorageProvider(org.keycloak.storage.ldap.LDAPStorageProvider)
GroupModel(org.keycloak.models.GroupModel)
GroupMapperConfig(org.keycloak.storage.ldap.mappers.membership.group.GroupMapperConfig)
RealmModel(org.keycloak.models.RealmModel)
UserModel(org.keycloak.models.UserModel)
LDAPConfig(org.keycloak.storage.ldap.LDAPConfig)
ComponentModel(org.keycloak.component.ComponentModel)
LDAPObject(org.keycloak.storage.ldap.idm.model.LDAPObject)
GroupLDAPStorageMapper(org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper)
Test(org.junit.Test)
Aggregations
LDAPConfig (org.keycloak.storage.ldap.LDAPConfig)15
Test (org.junit.Test)7
ComponentModel (org.keycloak.component.ComponentModel)6
LDAPObject (org.keycloak.storage.ldap.idm.model.LDAPObject)6
GroupModel (org.keycloak.models.GroupModel)4
RealmModel (org.keycloak.models.RealmModel)4
UserModel (org.keycloak.models.UserModel)3
ProviderConfigurationBuilder (org.keycloak.provider.ProviderConfigurationBuilder)3
UserStorageProviderModel (org.keycloak.storage.UserStorageProviderModel)3
LDAPStorageProvider (org.keycloak.storage.ldap.LDAPStorageProvider)3
GroupLDAPStorageMapper (org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper)3
LinkedList (java.util.LinkedList)2
MultivaluedHashMap (org.keycloak.common.util.MultivaluedHashMap)2
LDAPDn (org.keycloak.storage.ldap.idm.model.LDAPDn)2
LDAPMappersComparator (org.keycloak.storage.ldap.mappers.LDAPMappersComparator)2
UserRolesRetrieveStrategy (org.keycloak.storage.ldap.mappers.membership.UserRolesRetrieveStrategy)2
AbstractAuthTest (org.keycloak.testsuite.AbstractAuthTest)2
HashMap (java.util.HashMap)1
HashSet (java.util.HashSet)1
List (java.util.List)1
