From 3d175dbe0c81748718f4c1fbbaa7621106a619c4 Mon Sep 17 00:00:00 2001
From: Felix Borchers
Date: Thu, 3 Oct 2019 20:13:12 +0200
Subject: [PATCH] KEYCLOAK-11582 Fix ldap groups sync which fails when syncing back to MSAD (#6348)
* KEYCLOAK-11582 Fix sync which fails when syncing to MSAD
---
 .../group/GroupLDAPStorageMapper.java | 65 +++++++++----------
 1 file changed, 32 insertions(+), 33 deletions(-)
diff --git a/federation/ldap/src/main/java/org/keycloak/storage/ldap/mappers/membership/group/GroupLDAPStorageMapper.java b/federation/ldap/src/main/java/org/keycloak/storage/ldap/mappers/membership/group/GroupLDAPStorageMapper.java
index 282cd06012..3cb6c2292e 100644
--- a/federation/ldap/src/main/java/org/keycloak/storage/ldap/mappers/membership/group/GroupLDAPStorageMapper.java
+++ b/federation/ldap/src/main/java/org/keycloak/storage/ldap/mappers/membership/group/GroupLDAPStorageMapper.java
@@ -450,43 +450,42 @@ public class GroupLDAPStorageMapper extends AbstractLDAPStorageMapper implements
 logger.debugf("Syncing groups from Keycloak into LDAP. Mapper is [%s], LDAP provider is [%s]", mapperModel.getName(), ldapProvider.getModel().getName());
 // Query existing LDAP groups
- try (LDAPQuery ldapQuery = createGroupQuery(config.isPreserveGroupsInheritance())) {
- List ldapGroups = ldapQuery.getResultList();
- // Convert them to Map
- Map ldapGroupsMap = new HashMap<>();
- String groupsRdnAttr = config.getGroupNameLdapAttribute();
- for (LDAPObject ldapGroup : ldapGroups) {
- String groupName = ldapGroup.getAttributeAsString(groupsRdnAttr);
- ldapGroupsMap.put(groupName, ldapGroup);
+ List ldapGroups = getAllLDAPGroups(config.isPreserveGroupsInheritance());
+
+ // Convert them to Map
+ Map ldapGroupsMap = new HashMap<>();
+ String groupsRdnAttr = config.getGroupNameLdapAttribute();
+ for (LDAPObject ldapGroup : ldapGroups) {
+ String groupName = ldapGroup.getAttributeAsString(groupsRdnAttr);
+ ldapGroupsMap.put(groupName, ldapGroup);
+ }
+
+
+ // Map to track all LDAP groups also exists in Keycloak
+ Set ldapGroupNames = new HashSet<>();
+
+ // Create or update KC groups to LDAP including their attributes
+ for (GroupModel kcGroup : realm.getTopLevelGroups()) {
+ processKeycloakGroupSyncToLDAP(kcGroup, ldapGroupsMap, ldapGroupNames, syncResult);
+ }
+
+ // If dropNonExisting, then drop all groups, which doesn't exist in KC from LDAP as well
+ if (config.isDropNonExistingGroupsDuringSync()) {
+ Set copy = new HashSet<>(ldapGroupsMap.keySet());
+ for (String groupName : copy) {
+ if (!ldapGroupNames.contains(groupName)) {
+ LDAPObject ldapGroup = ldapGroupsMap.remove(groupName);
+ ldapProvider.getLdapIdentityStore().remove(ldapGroup);
+ syncResult.increaseRemoved();
+ }
 }
+ }
-
- // Map to track all LDAP groups also exists in Keycloak
- Set ldapGroupNames = new HashSet<>();
-
- // Create or update KC groups to LDAP including their attributes
+ // Finally process memberships,
+ if (config.isPreserveGroupsInheritance()) {
 for (GroupModel kcGroup : realm.getTopLevelGroups()) {
- processKeycloakGroupSyncToLDAP(kcGroup, ldapGroupsMap, ldapGroupNames, syncResult);
- }
-
- // If dropNonExisting, then drop all groups, which doesn't exist in KC from LDAP as well
- if (config.isDropNonExistingGroupsDuringSync()) {
- Set copy = new HashSet<>(ldapGroupsMap.keySet());
- for (String groupName : copy) {
- if (!ldapGroupNames.contains(groupName)) {
- LDAPObject ldapGroup = ldapGroupsMap.remove(groupName);
- ldapProvider.getLdapIdentityStore().remove(ldapGroup);
- syncResult.increaseRemoved();
- }
- }
- }
-
- // Finally process memberships,
- if (config.isPreserveGroupsInheritance()) {
- for (GroupModel kcGroup : realm.getTopLevelGroups()) {
- processKeycloakGroupMembershipsSyncToLDAP(kcGroup, ldapGroupsMap);
- }
+ processKeycloakGroupMembershipsSyncToLDAP(kcGroup, ldapGroupsMap);
 }
 }
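Review bot: The new side removes the try-with-resources around `LDAPQuery`, so closing the query now rests entirely on `getAllLDAPGroups`, which is defined outside this hunk; that should be confirmed rather than assumed, because a query left open would not show up in `syncResult`. Since the reason for moving away from `createGroupQuery(...).getResultList()` lives only in the commit subject, a comment on the first added line would keep it with the code: `// KEYCLOAK-11582: load groups via getAllLDAPGroups rather than one query's result list, so sync-to-LDAP also works against MSAD`. The dedented drop-non-existing loop keys `ldapGroupsMap` on `getAttributeAsString(groupsRdnAttr)`; if that attribute is missing or two LDAP groups share a name, the map collides (a null key or a silently overwritten entry) and the destructive `getLdapIdentityStore().remove(ldapGroup)` can act on an unintended object, so skipping and logging such groups before the `put` would be a cheap guard. The enclosing sync method starts before this hunk and continues after it.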