KEYCLOAK-2379 Fix possible error during sycnchronization changed users with Active Directory

federation/ldap/src/main/java/org/keycloak/federation/ldap/idm/query/Condition.java

@@ -1,7 +1,7 @@
 package org.keycloak.federation.ldap.idm.query;
 
 /**
- * <p>A {@link Condition} is used to specify how a specific {@link QueryParameter}
+ * <p>A {@link Condition} is used to specify how a specific query parameter
  * is defined in order to filter query results.</p>
  *
  * @author Pedro Igor
@@ -11,6 +11,15 @@ public interface Condition {
     String getParameterName();
     void setParameterName(String parameterName);
 
+    /**
+     * Will change the parameter name if it is "modelParamName" to "ldapParamName" . Implementation can apply this to subconditions as well.
+     *
+     * It is used to update LDAP queries, which were created with model parameter name ( for example "firstName" ) and rewrite them to use real
+     * LDAP mapped attribute (for example "givenName" )
+     */
+    void updateParameterName(String modelParamName, String ldapParamName);
+
+
     void applyCondition(StringBuilder filter);
 
 }

federation/ldap/src/main/java/org/keycloak/federation/ldap/idm/query/internal/CustomLDAPFilter.java

@@ -22,6 +22,11 @@ class CustomLDAPFilter implements Condition {
     public void setParameterName(String parameterName) {
     }
 
+    @Override
+    public void updateParameterName(String modelParamName, String ldapParamName) {
+
+    }
+
     @Override
     public void applyCondition(StringBuilder filter) {
         filter.append(customFilter);

federation/ldap/src/main/java/org/keycloak/federation/ldap/idm/query/internal/NamedParameterCondition.java

@@ -22,4 +22,12 @@ public abstract class NamedParameterCondition implements Condition {
     public void setParameterName(String parameterName) {
         this.parameterName = parameterName;
     }
+
+
+    @Override
+    public void updateParameterName(String modelParamName, String ldapParamName) {
+        if (parameterName.equalsIgnoreCase(modelParamName)) {
+            this.parameterName = ldapParamName;
+        }
+    }
 }

federation/ldap/src/main/java/org/keycloak/federation/ldap/idm/query/internal/OrCondition.java

@@ -22,6 +22,13 @@ class OrCondition implements Condition {
     public void setParameterName(String parameterName) {
     }
 
+    @Override
+    public void updateParameterName(String modelParamName, String ldapParamName) {
+        for (Condition innerCondition : innerConditions) {
+            innerCondition.updateParameterName(modelParamName, ldapParamName);
+        }
+    }
+
     @Override
     public void applyCondition(StringBuilder filter) {
         filter.append("(|");

federation/ldap/src/main/java/org/keycloak/federation/ldap/mappers/UserAttributeLDAPFederationMapper.java

@@ -324,10 +324,7 @@ public class UserAttributeLDAPFederationMapper extends AbstractLDAPFederationMap
 
         // Change conditions and use ldapAttribute instead of userModel
         for (Condition condition : query.getConditions()) {
-            String paramName = condition.getParameterName();
+            condition.updateParameterName(userModelAttrName, ldapAttrName);
-            if (paramName != null && paramName.equalsIgnoreCase(userModelAttrName)) {
-                condition.setParameterName(ldapAttrName);
-            }
         }
     }
 

themes/src/main/resources/theme/base/admin/resources/js/controllers/users.js

@@ -752,6 +752,25 @@ module.controller('GenericUserFederationCtrl', function($scope, $location, Notif
 
 module.controller('LDAPCtrl', function($scope, $location, $route, Notifications, Dialog, realm, instance, UserFederationInstances, UserFederationSync, RealmLDAPConnectionTester) {
     console.log('LDAPCtrl');
+
+    $scope.ldapVendors = [
+        { "id": "ad", "name": "Active Directory" },
+        { "id": "rhds", "name": "Red Hat Directory Server" },
+        { "id": "tivoli", "name": "Tivoli" },
+        { "id": "edirectory", "name": "Novell eDirectory" },
+        { "id": "other", "name": "Other" }
+    ];
+
+    $scope.authTypes = [
+        { "id": "none", "name": "none" },
+        { "id": "simple", "name": "simple" }
+    ];
+
+    $scope.searchScopes = [
+        { "id": "1", "name": "One Level" },
+        { "id": "2", "name": "Subtree" }
+    ];
+
     var DEFAULT_BATCH_SIZE = "1000";
 
     $scope.create = !instance.providerName;
@@ -799,6 +818,12 @@ module.controller('LDAPCtrl', function($scope, $location, $route, Notifications,
 
             $scope.fullSyncEnabled = (instance.fullSyncPeriod && instance.fullSyncPeriod > 0);
             $scope.changedSyncEnabled = (instance.changedSyncPeriod && instance.changedSyncPeriod > 0);
+
+            for (var i=0 ; i<$scope.ldapVendors.length ; i++) {
+                if ($scope.ldapVendors[i].id === instance.config.vendor) {
+                    $scope.vendorName = $scope.ldapVendors[i].name;
+                }
+            };
         }
 
         $scope.changed = false;
@@ -808,24 +833,6 @@ module.controller('LDAPCtrl', function($scope, $location, $route, Notifications,
     initFederationSettings();
     $scope.instance = angular.copy(instance);
 
-    $scope.ldapVendors = [
-        { "id": "ad", "name": "Active Directory" },
-        { "id": "rhds", "name": "Red Hat Directory Server" },
-        { "id": "tivoli", "name": "Tivoli" },
-        { "id": "edirectory", "name": "Novell eDirectory" },
-        { "id": "other", "name": "Other" }
-    ];
-
-    $scope.authTypes = [
-        { "id": "none", "name": "none" },
-        { "id": "simple", "name": "simple" }
-    ];
-
-    $scope.searchScopes = [
-        { "id": "1", "name": "One Level" },
-        { "id": "2", "name": "Subtree" }
-    ];
-
     $scope.realm = realm;
 
     $scope.$watch('fullSyncEnabled', function(newVal, oldVal) {

themes/src/main/resources/theme/base/admin/resources/partials/federated-ldap.html

@@ -55,13 +55,16 @@
             <div class="form-group clearfix">
                 <label class="col-md-2 control-label" for="vendor"><span class="required">*</span> Vendor</label>
                 <div class="col-md-6">
-                    <div>
+                    <div data-ng-show="create">
                         <select class="form-control" id="vendor"
                                 ng-model="instance.config.vendor"
                                 ng-options="vendor.id as vendor.name for vendor in ldapVendors"
                                 required>
                         </select>
                     </div>
+                    <div data-ng-show="!create">
+                        <input class="form-control" id="vendor-ro" type="text" ng-model="vendorName" readonly>
+                    </div>
                 </div>
                 <kc-tooltip>LDAP vendor (provider)</kc-tooltip>
             </div>