KEYCLOAK-11582 Fix ldap groups sync which fails when syncing back to MSAD (#6348)

* KEYCLOAK-11582 Fix sync which fails when syncing to MSAD
Felix Borchers 2019-10-03 20:13:12 +02:00 committed by Marek Posolda
parent bc5b4de79e
commit 3d175dbe0c


@ -450,43 +450,42 @@ public class GroupLDAPStorageMapper extends AbstractLDAPStorageMapper implements
logger.debugf("Syncing groups from Keycloak into LDAP. Mapper is [%s], LDAP provider is [%s]", mapperModel.getName(), ldapProvider.getModel().getName()); logger.debugf("Syncing groups from Keycloak into LDAP. Mapper is [%s], LDAP provider is [%s]", mapperModel.getName(), ldapProvider.getModel().getName());
// Query existing LDAP groups // Query existing LDAP groups
try (LDAPQuery ldapQuery = createGroupQuery(config.isPreserveGroupsInheritance())) {
List<LDAPObject> ldapGroups = ldapQuery.getResultList();
// Convert them to Map<String, LDAPObject> List<LDAPObject> ldapGroups = getAllLDAPGroups(config.isPreserveGroupsInheritance());
Map<String, LDAPObject> ldapGroupsMap = new HashMap<>();
String groupsRdnAttr = config.getGroupNameLdapAttribute(); // Convert them to Map<String, LDAPObject>
for (LDAPObject ldapGroup : ldapGroups) { Map<String, LDAPObject> ldapGroupsMap = new HashMap<>();
String groupName = ldapGroup.getAttributeAsString(groupsRdnAttr); String groupsRdnAttr = config.getGroupNameLdapAttribute();
ldapGroupsMap.put(groupName, ldapGroup); for (LDAPObject ldapGroup : ldapGroups) {
String groupName = ldapGroup.getAttributeAsString(groupsRdnAttr);
ldapGroupsMap.put(groupName, ldapGroup);
}
// Map to track all LDAP groups also exists in Keycloak
Set<String> ldapGroupNames = new HashSet<>();
// Create or update KC groups to LDAP including their attributes
for (GroupModel kcGroup : realm.getTopLevelGroups()) {
processKeycloakGroupSyncToLDAP(kcGroup, ldapGroupsMap, ldapGroupNames, syncResult);
}
// If dropNonExisting, then drop all groups, which doesn't exist in KC from LDAP as well
if (config.isDropNonExistingGroupsDuringSync()) {
Set<String> copy = new HashSet<>(ldapGroupsMap.keySet());
for (String groupName : copy) {
if (!ldapGroupNames.contains(groupName)) {
LDAPObject ldapGroup = ldapGroupsMap.remove(groupName);
ldapProvider.getLdapIdentityStore().remove(ldapGroup);
syncResult.increaseRemoved();
}
} }
}
// Finally process memberships,
// Map to track all LDAP groups also exists in Keycloak if (config.isPreserveGroupsInheritance()) {
Set<String> ldapGroupNames = new HashSet<>();
// Create or update KC groups to LDAP including their attributes
for (GroupModel kcGroup : realm.getTopLevelGroups()) { for (GroupModel kcGroup : realm.getTopLevelGroups()) {
processKeycloakGroupSyncToLDAP(kcGroup, ldapGroupsMap, ldapGroupNames, syncResult); processKeycloakGroupMembershipsSyncToLDAP(kcGroup, ldapGroupsMap);
}
// If dropNonExisting, then drop all groups, which doesn't exist in KC from LDAP as well
if (config.isDropNonExistingGroupsDuringSync()) {
Set<String> copy = new HashSet<>(ldapGroupsMap.keySet());
for (String groupName : copy) {
if (!ldapGroupNames.contains(groupName)) {
LDAPObject ldapGroup = ldapGroupsMap.remove(groupName);
ldapProvider.getLdapIdentityStore().remove(ldapGroup);
syncResult.increaseRemoved();
}
}
}
// Finally process memberships,
if (config.isPreserveGroupsInheritance()) {
for (GroupModel kcGroup : realm.getTopLevelGroups()) {
processKeycloakGroupMembershipsSyncToLDAP(kcGroup, ldapGroupsMap);
}
} }
} }
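Review bot: The new call `List<LDAPObject> ldapGroups = getAllLDAPGroups(config.isPreserveGroupsInheritance());` silently replaces the try-with-resources block that used to scope the `LDAPQuery` around the whole sync, and nothing in the hunk records why; a maintainer may later reintroduce the long-lived query. Since the commit title ties this to the MSAD failure, a one-line comment at that call such as `// Materialize all groups up front: holding the LDAPQuery open while groups are written/removed below breaks the sync against MSAD (KEYCLOAK-11582)` would preserve the reason, hedged as appropriate if the helper does something else. It should also be confirmed that `getAllLDAPGroups` (defined outside this hunk) closes its query itself, because the explicit close that the old code guaranteed is gone from this method. The enclosing method starts before the hunk.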