Merge pull request #1342 from mposolda/master
JSON migration, LDAP logging reduced to trace/debug
This commit is contained in:
commit
aabb3428a8
8 changed files with 50 additions and 40 deletions
|
@ -266,6 +266,10 @@ public class RealmRepresentation {
|
||||||
this.codeSecret = codeSecret;
|
this.codeSecret = codeSecret;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public Boolean isPasswordCredentialGrantAllowed() {
|
||||||
|
return passwordCredentialGrantAllowed;
|
||||||
|
}
|
||||||
|
|
||||||
public Boolean isRegistrationAllowed() {
|
public Boolean isRegistrationAllowed() {
|
||||||
return registrationAllowed;
|
return registrationAllowed;
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,7 +1,5 @@
|
||||||
package org.keycloak.federation.ldap.idm.query.internal;
|
package org.keycloak.federation.ldap.idm.query.internal;
|
||||||
|
|
||||||
import java.util.List;
|
|
||||||
|
|
||||||
import org.keycloak.federation.ldap.idm.query.Condition;
|
import org.keycloak.federation.ldap.idm.query.Condition;
|
||||||
import org.keycloak.federation.ldap.idm.query.QueryParameter;
|
import org.keycloak.federation.ldap.idm.query.QueryParameter;
|
||||||
|
|
||||||
|
|
|
@ -181,8 +181,8 @@ public class LDAPIdentityStore implements IdentityStore {
|
||||||
public boolean validatePassword(LDAPObject user, String password) {
|
public boolean validatePassword(LDAPObject user, String password) {
|
||||||
String userDN = user.getDn().toString();
|
String userDN = user.getDn().toString();
|
||||||
|
|
||||||
if (logger.isDebugEnabled()) {
|
if (logger.isTraceEnabled()) {
|
||||||
logger.debugf("Using DN [%s] for authentication of user", userDN);
|
logger.tracef("Using DN [%s] for authentication of user", userDN);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (operationManager.authenticate(userDN, password)) {
|
if (operationManager.authenticate(userDN, password)) {
|
||||||
|
@ -259,7 +259,9 @@ public class LDAPIdentityStore implements IdentityStore {
|
||||||
filter.append(getObjectClassesFilter(identityQuery.getObjectClasses()));
|
filter.append(getObjectClassesFilter(identityQuery.getObjectClasses()));
|
||||||
filter.append(")");
|
filter.append(")");
|
||||||
|
|
||||||
logger.infof("Using filter for LDAP search: %s", filter);
|
if (logger.isTraceEnabled()) {
|
||||||
|
logger.tracef("Using filter for LDAP search: %s . Searching in DN: %s", filter, identityQuery.getSearchDn());
|
||||||
|
}
|
||||||
return filter;
|
return filter;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -378,10 +380,6 @@ public class LDAPIdentityStore implements IdentityStore {
|
||||||
ldapObject.setDn(dn);
|
ldapObject.setDn(dn);
|
||||||
ldapObject.setRdnAttributeName(dn.getFirstRdnAttrName());
|
ldapObject.setRdnAttributeName(dn.getFirstRdnAttrName());
|
||||||
|
|
||||||
if (logger.isTraceEnabled()) {
|
|
||||||
logger.tracef("Populating LDAP Object from DN [%s]", entryDN);
|
|
||||||
}
|
|
||||||
|
|
||||||
NamingEnumeration<? extends Attribute> ldapAttributes = attributes.getAll();
|
NamingEnumeration<? extends Attribute> ldapAttributes = attributes.getAll();
|
||||||
|
|
||||||
// Exact name of attributes might be different
|
// Exact name of attributes might be different
|
||||||
|
@ -415,9 +413,6 @@ public class LDAPIdentityStore implements IdentityStore {
|
||||||
if (ldapAttributeName.equalsIgnoreCase(LDAPConstants.OBJECT_CLASS)) {
|
if (ldapAttributeName.equalsIgnoreCase(LDAPConstants.OBJECT_CLASS)) {
|
||||||
ldapObject.setObjectClasses(attrValues);
|
ldapObject.setObjectClasses(attrValues);
|
||||||
} else {
|
} else {
|
||||||
if (logger.isTraceEnabled()) {
|
|
||||||
logger.tracef("Populating ldap attribute [%s] with value [%s] for DN [%s].", ldapAttributeName, attrValues.toString(), entryDN);
|
|
||||||
}
|
|
||||||
if (attrValues.size() == 1) {
|
if (attrValues.size() == 1) {
|
||||||
ldapObject.setAttribute(ldapAttributeName, attrValues.iterator().next());
|
ldapObject.setAttribute(ldapAttributeName, attrValues.iterator().next());
|
||||||
} else {
|
} else {
|
||||||
|
@ -431,6 +426,9 @@ public class LDAPIdentityStore implements IdentityStore {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (logger.isTraceEnabled()) {
|
||||||
|
logger.tracef("Found ldap object [%s] and populated with the attributes [%s]. Read-only attributes are [%s]", ldapObject.getDn().toString(), ldapObject.getAttributes(), ldapObject.getReadOnlyAttributeNames());
|
||||||
|
}
|
||||||
return ldapObject;
|
return ldapObject;
|
||||||
|
|
||||||
} catch (Exception e) {
|
} catch (Exception e) {
|
||||||
|
|
|
@ -128,8 +128,8 @@ public class LDAPOperationManager {
|
||||||
execute(new LdapOperation<SearchResult>() {
|
execute(new LdapOperation<SearchResult>() {
|
||||||
@Override
|
@Override
|
||||||
public SearchResult execute(LdapContext context) throws NamingException {
|
public SearchResult execute(LdapContext context) throws NamingException {
|
||||||
if (logger.isDebugEnabled()) {
|
if (logger.isTraceEnabled()) {
|
||||||
logger.debugf("Removing entry with DN [%s]", entryDn);
|
logger.tracef("Removing entry with DN [%s]", entryDn);
|
||||||
}
|
}
|
||||||
destroySubcontext(context, entryDn);
|
destroySubcontext(context, entryDn);
|
||||||
return null;
|
return null;
|
||||||
|
@ -357,8 +357,8 @@ public class LDAPOperationManager {
|
||||||
|
|
||||||
public void modifyAttributes(final String dn, final ModificationItem[] mods) {
|
public void modifyAttributes(final String dn, final ModificationItem[] mods) {
|
||||||
try {
|
try {
|
||||||
if (logger.isDebugEnabled()) {
|
if (logger.isTraceEnabled()) {
|
||||||
logger.debugf("Modifying attributes for entry [%s]: [", dn);
|
logger.tracef("Modifying attributes for entry [%s]: [", dn);
|
||||||
|
|
||||||
for (ModificationItem item : mods) {
|
for (ModificationItem item : mods) {
|
||||||
Object values;
|
Object values;
|
||||||
|
@ -369,10 +369,10 @@ public class LDAPOperationManager {
|
||||||
values = "No values";
|
values = "No values";
|
||||||
}
|
}
|
||||||
|
|
||||||
logger.debugf(" Op [%s]: %s = %s", item.getModificationOp(), item.getAttribute().getID(), values);
|
logger.tracef(" Op [%s]: %s = %s", item.getModificationOp(), item.getAttribute().getID(), values);
|
||||||
}
|
}
|
||||||
|
|
||||||
logger.debugf("]");
|
logger.tracef("]");
|
||||||
}
|
}
|
||||||
|
|
||||||
execute(new LdapOperation<Void>() {
|
execute(new LdapOperation<Void>() {
|
||||||
|
@ -389,18 +389,18 @@ public class LDAPOperationManager {
|
||||||
|
|
||||||
public void createSubContext(final String name, final Attributes attributes) {
|
public void createSubContext(final String name, final Attributes attributes) {
|
||||||
try {
|
try {
|
||||||
if (logger.isDebugEnabled()) {
|
if (logger.isTraceEnabled()) {
|
||||||
logger.debugf("Creating entry [%s] with attributes: [", name);
|
logger.tracef("Creating entry [%s] with attributes: [", name);
|
||||||
|
|
||||||
NamingEnumeration<? extends Attribute> all = attributes.getAll();
|
NamingEnumeration<? extends Attribute> all = attributes.getAll();
|
||||||
|
|
||||||
while (all.hasMore()) {
|
while (all.hasMore()) {
|
||||||
Attribute attribute = all.next();
|
Attribute attribute = all.next();
|
||||||
|
|
||||||
logger.debugf(" %s = %s", attribute.getID(), attribute.get());
|
logger.tracef(" %s = %s", attribute.getID(), attribute.get());
|
||||||
}
|
}
|
||||||
|
|
||||||
logger.debugf("]");
|
logger.tracef("]");
|
||||||
}
|
}
|
||||||
|
|
||||||
execute(new LdapOperation<Void>() {
|
execute(new LdapOperation<Void>() {
|
||||||
|
|
|
@ -79,8 +79,7 @@ public class RoleLDAPFederationMapper extends AbstractLDAPFederationMapper {
|
||||||
RoleContainerModel roleContainer = getTargetRoleContainer(mapperModel, realm);
|
RoleContainerModel roleContainer = getTargetRoleContainer(mapperModel, realm);
|
||||||
RoleModel role = roleContainer.getRole(roleName);
|
RoleModel role = roleContainer.getRole(roleName);
|
||||||
|
|
||||||
// TODO: debug
|
logger.debugf("Granting role [%s] to user [%s] during import from LDAP", roleName, user.getUsername());
|
||||||
logger.infof("Granting role [%s] to user [%s] during import from LDAP", roleName, user.getUsername());
|
|
||||||
user.grantRole(role);
|
user.grantRole(role);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -94,8 +93,7 @@ public class RoleLDAPFederationMapper extends AbstractLDAPFederationMapper {
|
||||||
// Sync roles from LDAP tree and create them in local Keycloak DB (if they don't exist here yet)
|
// Sync roles from LDAP tree and create them in local Keycloak DB (if they don't exist here yet)
|
||||||
protected void syncRolesFromLDAP(UserFederationMapperModel mapperModel, LDAPFederationProvider ldapProvider, RealmModel realm) {
|
protected void syncRolesFromLDAP(UserFederationMapperModel mapperModel, LDAPFederationProvider ldapProvider, RealmModel realm) {
|
||||||
if (!rolesSyncedModels.contains(mapperModel.getId())) {
|
if (!rolesSyncedModels.contains(mapperModel.getId())) {
|
||||||
// TODO: debug
|
logger.debugf("Syncing roles from LDAP into Keycloak DB. Mapper is [%s], LDAP provider is [%s]", mapperModel.getName(), ldapProvider.getModel().getDisplayName());
|
||||||
logger.infof("Syncing roles from LDAP into Keycloak DB. Mapper is [%s], LDAP provider is [%s]", mapperModel.getName(), ldapProvider.getModel().getDisplayName());
|
|
||||||
|
|
||||||
LDAPIdentityQuery ldapQuery = createRoleQuery(mapperModel, ldapProvider);
|
LDAPIdentityQuery ldapQuery = createRoleQuery(mapperModel, ldapProvider);
|
||||||
|
|
||||||
|
@ -108,7 +106,6 @@ public class RoleLDAPFederationMapper extends AbstractLDAPFederationMapper {
|
||||||
String roleName = ldapRole.getAttributeAsString(rolesRdnAttr);
|
String roleName = ldapRole.getAttributeAsString(rolesRdnAttr);
|
||||||
|
|
||||||
if (roleContainer.getRole(roleName) == null) {
|
if (roleContainer.getRole(roleName) == null) {
|
||||||
// TODO: debug
|
|
||||||
logger.infof("Syncing role [%s] from LDAP to keycloak DB", roleName);
|
logger.infof("Syncing role [%s] from LDAP to keycloak DB", roleName);
|
||||||
roleContainer.addRole(roleName);
|
roleContainer.addRole(roleName);
|
||||||
}
|
}
|
||||||
|
|
|
@ -5,6 +5,7 @@ import org.keycloak.models.KeycloakSession;
|
||||||
import org.keycloak.models.LDAPConstants;
|
import org.keycloak.models.LDAPConstants;
|
||||||
import org.keycloak.models.RealmModel;
|
import org.keycloak.models.RealmModel;
|
||||||
import org.keycloak.models.UserFederationEventAwareProviderFactory;
|
import org.keycloak.models.UserFederationEventAwareProviderFactory;
|
||||||
|
import org.keycloak.models.UserFederationMapperModel;
|
||||||
import org.keycloak.models.UserFederationProvider;
|
import org.keycloak.models.UserFederationProvider;
|
||||||
import org.keycloak.models.UserFederationProviderFactory;
|
import org.keycloak.models.UserFederationProviderFactory;
|
||||||
import org.keycloak.models.UserFederationProviderModel;
|
import org.keycloak.models.UserFederationProviderModel;
|
||||||
|
@ -12,6 +13,7 @@ import org.keycloak.models.utils.DefaultAuthenticationFlows;
|
||||||
|
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
import java.util.Map;
|
import java.util.Map;
|
||||||
|
import java.util.Set;
|
||||||
|
|
||||||
import javax.naming.directory.SearchControls;
|
import javax.naming.directory.SearchControls;
|
||||||
|
|
||||||
|
@ -43,29 +45,38 @@ public class MigrateTo1_3_0_Beta1 {
|
||||||
Map<String, String> config = fedProvider.getConfig();
|
Map<String, String> config = fedProvider.getConfig();
|
||||||
|
|
||||||
// Update config properties for LDAP federation provider
|
// Update config properties for LDAP federation provider
|
||||||
config.put(LDAPConstants.SEARCH_SCOPE, String.valueOf(SearchControls.SUBTREE_SCOPE));
|
if (config.get(LDAPConstants.SEARCH_SCOPE) == null) {
|
||||||
|
config.put(LDAPConstants.SEARCH_SCOPE, String.valueOf(SearchControls.SUBTREE_SCOPE));
|
||||||
|
}
|
||||||
|
|
||||||
String usersDn = config.remove("userDnSuffix");
|
String usersDn = config.remove("userDnSuffix");
|
||||||
config.put(LDAPConstants.USERS_DN, usersDn);
|
if (usersDn != null && config.get(LDAPConstants.USERS_DN) == null) {
|
||||||
|
config.put(LDAPConstants.USERS_DN, usersDn);
|
||||||
|
}
|
||||||
|
|
||||||
String rdnLdapAttribute = config.get(LDAPConstants.USERNAME_LDAP_ATTRIBUTE);
|
String usernameLdapAttribute = config.get(LDAPConstants.USERNAME_LDAP_ATTRIBUTE);
|
||||||
if (rdnLdapAttribute != null) {
|
if (usernameLdapAttribute != null && config.get(LDAPConstants.RDN_LDAP_ATTRIBUTE) == null) {
|
||||||
if (rdnLdapAttribute.equalsIgnoreCase(LDAPConstants.SAM_ACCOUNT_NAME)) {
|
if (usernameLdapAttribute.equalsIgnoreCase(LDAPConstants.SAM_ACCOUNT_NAME)) {
|
||||||
config.put(LDAPConstants.RDN_LDAP_ATTRIBUTE, LDAPConstants.CN);
|
config.put(LDAPConstants.RDN_LDAP_ATTRIBUTE, LDAPConstants.CN);
|
||||||
} else {
|
} else {
|
||||||
config.put(LDAPConstants.RDN_LDAP_ATTRIBUTE, rdnLdapAttribute);
|
config.put(LDAPConstants.RDN_LDAP_ATTRIBUTE, usernameLdapAttribute);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
String uuidAttrName = LDAPConstants.getUuidAttributeName(config.get(LDAPConstants.VENDOR));
|
if (config.get(LDAPConstants.UUID_LDAP_ATTRIBUTE) == null) {
|
||||||
config.put(LDAPConstants.UUID_LDAP_ATTRIBUTE, uuidAttrName);
|
String uuidAttrName = LDAPConstants.getUuidAttributeName(config.get(LDAPConstants.VENDOR));
|
||||||
|
config.put(LDAPConstants.UUID_LDAP_ATTRIBUTE, uuidAttrName);
|
||||||
|
}
|
||||||
|
|
||||||
realm.updateUserFederationProvider(fedProvider);
|
realm.updateUserFederationProvider(fedProvider);
|
||||||
|
|
||||||
// Create default mappers for LDAP
|
// Create default mappers for LDAP
|
||||||
UserFederationProviderFactory ldapFactory = (UserFederationProviderFactory) session.getKeycloakSessionFactory().getProviderFactory(UserFederationProvider.class, LDAPConstants.LDAP_PROVIDER);
|
Set<UserFederationMapperModel> mappers = realm.getUserFederationMappersByFederationProvider(fedProvider.getId());
|
||||||
if (ldapFactory != null) {
|
if (mappers.isEmpty()) {
|
||||||
((UserFederationEventAwareProviderFactory) ldapFactory).onProviderModelCreated(realm, fedProvider);
|
UserFederationProviderFactory ldapFactory = (UserFederationProviderFactory) session.getKeycloakSessionFactory().getProviderFactory(UserFederationProvider.class, LDAPConstants.LDAP_PROVIDER);
|
||||||
|
if (ldapFactory != null) {
|
||||||
|
((UserFederationEventAwareProviderFactory) ldapFactory).onProviderModelCreated(realm, fedProvider);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -20,7 +20,7 @@ public class UserFederationManager implements UserProvider {
|
||||||
|
|
||||||
protected KeycloakSession session;
|
protected KeycloakSession session;
|
||||||
|
|
||||||
// Set of already validated/proxied users during this session. Key is user ID
|
// Set of already validated/proxied federation users during this session. Key is user ID
|
||||||
private Map<String, UserModel> managedUsers = new HashMap<>();
|
private Map<String, UserModel> managedUsers = new HashMap<>();
|
||||||
|
|
||||||
public UserFederationManager(KeycloakSession session) {
|
public UserFederationManager(KeycloakSession session) {
|
||||||
|
|
|
@ -44,11 +44,12 @@ public interface UserFederationProvider extends Provider {
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Gives the provider an option to validate if user still exists in federation backend and then proxy UserModel loaded from local storage.
|
* Gives the provider an option to validate if user still exists in federation backend and then proxy UserModel loaded from local storage.
|
||||||
* This method is called whenever a UserModel is pulled from local storage.
|
* This method is called whenever a UserModel is pulled from Keycloak local storage.
|
||||||
* For example, the LDAP provider proxies the UserModel and does on-demand synchronization with
|
* For example, the LDAP provider proxies the UserModel and does on-demand synchronization with
|
||||||
* LDAP whenever UserModel update methods are invoked. It also overrides UserModel.updateCredential for the
|
* LDAP whenever UserModel update methods are invoked. It also overrides UserModel.updateCredential for the
|
||||||
* credential types it supports
|
* credential types it supports
|
||||||
*
|
*
|
||||||
|
* @param realm
|
||||||
* @param local
|
* @param local
|
||||||
* @return null if user is no longer valid or proxy object otherwise
|
* @return null if user is no longer valid or proxy object otherwise
|
||||||
*/
|
*/
|
||||||
|
@ -122,6 +123,7 @@ public interface UserFederationProvider extends Provider {
|
||||||
* Is the Keycloak UserModel still valid and/or existing in federated storage? Keycloak may call this method
|
* Is the Keycloak UserModel still valid and/or existing in federated storage? Keycloak may call this method
|
||||||
* in various user operations. The local storage may be deleted if this method returns false.
|
* in various user operations. The local storage may be deleted if this method returns false.
|
||||||
*
|
*
|
||||||
|
* @param realm
|
||||||
* @param local
|
* @param local
|
||||||
* @return
|
* @return
|
||||||
*/
|
*/
|
||||||
|
|
Loading…
Reference in a new issue