KEYCLOAK-2397 LDAP_ENTRY_DN attribute in LDAP user storage is not updated on changes in LDAP

mposolda 2016-12-15 21:12:29 +01:00
parent 9be9d3f580
commit 7453e96f5c


@ -39,6 +39,7 @@ import org.keycloak.models.RoleModel;
import org.keycloak.models.UserCredentialModel; import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel; import org.keycloak.models.UserModel;
import org.keycloak.models.UserManager; import org.keycloak.models.UserManager;
import org.keycloak.models.cache.UserCache;
import org.keycloak.storage.StorageId; import org.keycloak.storage.StorageId;
import org.keycloak.storage.UserStorageProvider; import org.keycloak.storage.UserStorageProvider;
import org.keycloak.storage.ldap.idm.model.LDAPObject; import org.keycloak.storage.ldap.idm.model.LDAPObject;
@ -138,6 +139,9 @@ public class LDAPStorageProvider implements UserStorageProvider,
protected UserModel proxy(RealmModel realm, UserModel local, LDAPObject ldapObject) { protected UserModel proxy(RealmModel realm, UserModel local, LDAPObject ldapObject) {
UserModel proxied = local; UserModel proxied = local;
checkDNChanged(realm, local, ldapObject);
switch (editMode) { switch (editMode) {
case READ_ONLY: case READ_ONLY:
proxied = new ReadonlyLDAPUserModelDelegate(local, this); proxied = new ReadonlyLDAPUserModelDelegate(local, this);
@ -159,6 +163,20 @@ public class LDAPStorageProvider implements UserStorageProvider,
return proxied; return proxied;
} }
private void checkDNChanged(RealmModel realm, UserModel local, LDAPObject ldapObject) {
String dnFromDB = local.getFirstAttribute(LDAPConstants.LDAP_ENTRY_DN);
String ldapDn = ldapObject.getDn().toString();
if (!ldapDn.equals(dnFromDB)) {
logger.debugf("Updated LDAP DN of user '%s' to '%s'", local.getUsername(), ldapDn);
local.setSingleAttribute(LDAPConstants.LDAP_ENTRY_DN, ldapDn);
UserCache userCache = session.userCache();
if (userCache != null) {
userCache.evict(realm, local);
}
}
}
@Override @Override
public boolean supportsCredentialAuthenticationFor(String type) { public boolean supportsCredentialAuthenticationFor(String type) {
return type.equals(CredentialModel.KERBEROS) && kerberosConfig.isAllowKerberosAuthentication(); return type.equals(CredentialModel.KERBEROS) && kerberosConfig.isAllowKerberosAuthentication();
@ -183,7 +201,6 @@ public class LDAPStorageProvider implements UserStorageProvider,
LDAPObject ldapUser = LDAPUtils.addUserToLDAP(this, realm, user); LDAPObject ldapUser = LDAPUtils.addUserToLDAP(this, realm, user);
LDAPUtils.checkUuid(ldapUser, ldapIdentityStore.getConfig()); LDAPUtils.checkUuid(ldapUser, ldapIdentityStore.getConfig());
user.setSingleAttribute(LDAPConstants.LDAP_ID, ldapUser.getUuid()); user.setSingleAttribute(LDAPConstants.LDAP_ID, ldapUser.getUuid());
user.setSingleAttribute(LDAPConstants.LDAP_ENTRY_DN, ldapUser.getDn().toString());
return proxy(realm, user, ldapUser); return proxy(realm, user, ldapUser);
} }
@ -404,7 +421,6 @@ public class LDAPStorageProvider implements UserStorageProvider,
String userDN = ldapUser.getDn().toString(); String userDN = ldapUser.getDn().toString();
imported.setFederationLink(model.getId()); imported.setFederationLink(model.getId());
imported.setSingleAttribute(LDAPConstants.LDAP_ID, ldapUser.getUuid()); imported.setSingleAttribute(LDAPConstants.LDAP_ID, ldapUser.getUuid());
imported.setSingleAttribute(LDAPConstants.LDAP_ENTRY_DN, userDN);
logger.debugf("Imported new user from LDAP to Keycloak DB. Username: [%s], Email: [%s], LDAP_ID: [%s], LDAP Entry DN: [%s]", imported.getUsername(), imported.getEmail(), logger.debugf("Imported new user from LDAP to Keycloak DB. Username: [%s], Email: [%s], LDAP_ID: [%s], LDAP Entry DN: [%s]", imported.getUsername(), imported.getEmail(),
ldapUser.getUuid(), userDN); ldapUser.getUuid(), userDN);
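Review bot: `checkDNChanged` (hunk `@ -159,6 +163,20`) compares the stored DN with `ldapDn` using `String.equals`, whereas LDAP DN matching is case- and whitespace-insensitive (RFC 4514); if the directory ever returns a differently normalized string for the same entry, every `proxy()` call would rewrite `LDAP_ENTRY_DN`, emit the debug log and evict the user from `userCache`, turning each lookup into a write plus cache churn. Whether that can happen depends on how `LDAPDn.toString()` is produced, which is outside this view; if `LDAPDn` offers a normalizing equality, comparing parsed DNs would be more robust than comparing raw strings. The new method also has no Javadoc, and it is worth stating that it deliberately writes through `local` before the edit-mode delegate is chosen, so the update bypasses the (presumably read-only) delegate: `/** Refreshes LDAP_ENTRY_DN from the entry just read from LDAP. Writes to the local model directly, before the editMode delegate wraps it, and evicts the cached user so the new DN is visible. */`. The enclosing `LDAPStorageProvider` class and the `proxy` method continue outside the hunk.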