From 0d07342649a1001181f678d42e19cc2b658734eb Mon Sep 17 00:00:00 2001
From: Alexi Vandevoorde
Date: Mon, 28 Oct 2024 20:40:20 +0100
Subject: [PATCH] Implement pagination for getLDAPRoleMappings (#34043)

* Implement pagination for getLDAPRoleMappings

On Active Directory, allow to retrieve more groups than the MaxPageSize (default to 1000). Without this patch, we need to increase the MaxPageSize which does not really scale.

Implemented only for the LoadRolesByMember startegy.

Closes #34042

Signed-off-by: Alexi Vandevoorde
---
 .../java/org/keycloak/storage/ldap/LDAPUtils.java | 13 +++++++++++++
 .../membership/UserRolesRetrieveStrategy.java | 3 ++-
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/federation/ldap/src/main/java/org/keycloak/storage/ldap/LDAPUtils.java b/federation/ldap/src/main/java/org/keycloak/storage/ldap/LDAPUtils.java
index 17a582f459..def88e599b 100755
--- a/federation/ldap/src/main/java/org/keycloak/storage/ldap/LDAPUtils.java
+++ b/federation/ldap/src/main/java/org/keycloak/storage/ldap/LDAPUtils.java
@@ -42,6 +42,7 @@ import org.keycloak.models.UserModel;
 import org.keycloak.models.utils.reflection.Property;
 import org.keycloak.models.utils.reflection.PropertyCriteria;
 import org.keycloak.models.utils.reflection.PropertyQueries;
+import org.keycloak.storage.ldap.LDAPConfig;
 import org.keycloak.storage.ldap.idm.model.LDAPDn;
 import org.keycloak.storage.ldap.idm.model.LDAPObject;
 import org.keycloak.storage.ldap.idm.query.Condition;
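Review bot: The added `import org.keycloak.storage.ldap.LDAPConfig;` is redundant: LDAPUtils sits in the org.keycloak.storage.ldap package itself (see the file path in the diff header), so LDAPConfig is already in scope without an import, and the line should be dropped. Leaving it in is harmless to the compiler but is the kind of same-package import Checkstyle flags, and it makes the hunk look like a new cross-package dependency when none is introduced.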
@@ -288,6 +289,18 @@ public class LDAPUtils {
      */
     public static List loadAllLDAPObjects(LDAPQuery ldapQuery, LDAPStorageProvider ldapProvider) {
         LDAPConfig ldapConfig = ldapProvider.getLdapIdentityStore().getConfig();
+        return loadAllLDAPObjects(ldapQuery, ldapConfig);
+    }
+
+    /**
+     * Load all LDAP objects corresponding to given query. We will load them paginated, so we allow to bypass the limitation of 1000
+     * maximum loaded objects in single query in MSAD
+     *
+     * @param ldapQuery LDAP query to be used. The caller should close it after calling this method
+     * @param ldapConfig
+     * @return
+     */
+    public static List loadAllLDAPObjects(LDAPQuery ldapQuery, LDAPConfig ldapConfig) {
         boolean pagination = ldapConfig.isPagination();
         if (pagination) {
             // For now reuse globally configured batch size in LDAP provider page
diff --git a/federation/ldap/src/main/java/org/keycloak/storage/ldap/mappers/membership/UserRolesRetrieveStrategy.java b/federation/ldap/src/main/java/org/keycloak/storage/ldap/mappers/membership/UserRolesRetrieveStrategy.java
index ab51078249..06f53e15a7 100644
--- a/federation/ldap/src/main/java/org/keycloak/storage/ldap/mappers/membership/UserRolesRetrieveStrategy.java
+++ b/federation/ldap/src/main/java/org/keycloak/storage/ldap/mappers/membership/UserRolesRetrieveStrategy.java
@@ -62,7 +62,8 @@ public interface UserRolesRetrieveStrategy {
             Condition membershipCondition = getMembershipCondition(membershipAttr, userMembership);
             ldapQuery.addWhereCondition(membershipCondition);
-            return ldapQuery.getResultList();
+
+            return LDAPUtils.loadAllLDAPObjects(ldapQuery, ldapConfig);
         }
     }
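Review bot: The javadoc on the new `loadAllLDAPObjects(LDAPQuery, LDAPConfig)` overload leaves `@param ldapConfig` and `@return` empty, and that is exactly where the contract callers need lives: the method pages only when `ldapConfig.isPagination()` is true (first line of the new body) and, per the comment on the last context line, reuses the provider's globally configured batch size as the page size. I would fill them in as `@param ldapConfig provider configuration; results are fetched page by page only when isPagination() is true, using the provider's configured batch size` and `@return every object matching the query, accumulated across all pages when pagination is enabled`. The remainder of the body, including whatever happens when pagination is off, lies outside the hunk, so I cannot confirm what is returned in that case and the doc should not promise more than the visible branch. The original overload's javadoc (the context ` */` at the top of the hunk) now describes a one-line delegating wrapper; it presumably still holds but is worth a re-read.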
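Review bot: The new `return LDAPUtils.loadAllLDAPObjects(ldapQuery, ldapConfig);` only pages when the provider has pagination enabled (the overload reads `ldapConfig.isPagination()` first), so a deployment that hits AD's MaxPageSize cap with pagination switched off keeps the old behaviour, and a silently truncated group list means the user ends up with fewer roles than the directory grants, which is the authorization-relevant part of this change. A comment on the line would make that dependency visible, e.g. `// Paginated so that AD's MaxPageSize (default 1000) cannot truncate the group list; requires pagination enabled on the provider`, and the commit description could say the same. The enclosing method starts outside the hunk, so I cannot see where ldapQuery is created or closed; the new LDAPUtils javadoc states the caller must close it, which presumably is handled in the part of the method not shown.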