libre.sh/keycloak-scim
4
0
Fork 0
Code Issues 15 Pull requests Releases 1 Activity Actions

Merge pull request #2248 from mposolda/master

Browse source 
LDAP fixes
This commit is contained in:
Marek Posolda 2016-02-19 22:05:56 +01:00
commit b991ba44d3
12 changed files with 103 additions and 44 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

17
docbook/auth-server-docs/reference/en/en-US/modules/user-federation.xml
View file

@ -135,6 +135,23 @@
</variablelist> </variablelist>
</para> </para>
</section> </section>
<section>
<title>Connect to LDAP over SSL</title>
<para>
When you configure secured connection URL to LDAP (for example <literal>ldaps://myhost.com:636</literal> ) the Keycloak will
use SSL for the communication with LDAP server. The important thing is to properly configure truststore on the Keycloak server side,
because SSL won't work if Keycloak can't trust the SSL connection with LDAP (Keycloak acts as the <literal>client</literal> here, when LDAP acts as server).
</para>
<para>
The global truststore for the Keycloak can be configured with Truststore SPI in the <literal>keycloak-server.json</literal> file and it's described in the details <link linkend="truststore">here</link>.
If you don't configure truststore SPI, the truststore will fallback to the default mechanism provided by Java (either the file provided by system property <literal>javax.net.ssl.trustStore</literal> or finally
the cacerts file from JDK if even the system property is not set).
</para>
<para>There is configuration property <literal>Use Truststore SPI</literal> in the LDAP federation provider configuration, where you can choose
whether Truststore SPI is used. By default, the value is <literal>ldaps only</literal>, which is fine for most of deployments, because attempt
to use Truststore SPI is done just if connection to LDAP starts with <literal>ldaps</literal> .
</para>
</section>
</section> </section>
<section> <section>
<title>Sync of LDAP users to Keycloak</title> <title>Sync of LDAP users to Keycloak</title>

5
federation/ldap/src/main/java/org/keycloak/federation/ldap/LDAPConfig.java
View file

@ -58,9 +58,8 @@ public class LDAPConfig {
} }
} }
public String getSecurityProtocol() { public String getUseTruststoreSpi() {
// hardcoded for now return config.get(LDAPConstants.USE_TRUSTSTORE_SPI);
return config.get(LDAPConstants.SECURITY_PROTOCOL);
} }
public String getUsersDn() { public String getUsersDn() {

24
federation/ldap/src/main/java/org/keycloak/federation/ldap/idm/model/LDAPDn.java
View file

@ -23,6 +23,8 @@ import java.util.LinkedList;
import java.util.regex.Matcher; import java.util.regex.Matcher;
import java.util.regex.Pattern; import java.util.regex.Pattern;
import javax.naming.ldap.Rdn;
/** /**
* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a> * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
*/ */
@ -127,7 +129,7 @@ public class LDAPDn {
} }
public void addFirst(String rdnName, String rdnValue) { public void addFirst(String rdnName, String rdnValue) {
rdnValue = escape(rdnValue); rdnValue = Rdn.escapeValue(rdnValue);
entries.addFirst(new Entry(rdnName, rdnValue)); entries.addFirst(new Entry(rdnName, rdnValue));
} }
@ -135,26 +137,6 @@ public class LDAPDn {
entries.addLast(new Entry(rdnName, rdnValue)); entries.addLast(new Entry(rdnName, rdnValue));
} }
// Need to escape "john,dot" to be "john\,dot"
private String escape(String rdnValue) {
if (rdnValue.contains(",")) {
StringBuilder result = new StringBuilder();
boolean first = true;
for (String split : rdnValue.split(",")) {
if (!first) {
result.append("\\,");
} else {
first = false;
}
result.append(split);
}
return result.toString();
} else {
return rdnValue;
}
}
private static class Entry { private static class Entry {
private final String attrName; private final String attrName;
private final String attrValue; private final String attrValue;

12
federation/ldap/src/main/java/org/keycloak/federation/ldap/idm/store/ldap/LDAPOperationManager.java
View file

@ -480,15 +480,6 @@ public class LDAPOperationManager {
env.put(Context.INITIAL_CONTEXT_FACTORY, this.config.getFactoryName()); env.put(Context.INITIAL_CONTEXT_FACTORY, this.config.getFactoryName());
env.put(Context.SECURITY_AUTHENTICATION, authType); env.put(Context.SECURITY_AUTHENTICATION, authType);
String protocol = this.config.getSecurityProtocol();
if (protocol != null) {
env.put(Context.SECURITY_PROTOCOL, protocol);
if ("ssl".equals(protocol)) {
env.put("java.naming.ldap.factory.socket", "org.keycloak.connections.truststore.SSLSocketFactory");
}
}
String bindDN = this.config.getBindDN(); String bindDN = this.config.getBindDN();
char[] bindCredential = null; char[] bindCredential = null;
@ -510,6 +501,9 @@ public class LDAPOperationManager {
logger.warn("LDAP URL is null. LDAPOperationManager won't work correctly"); logger.warn("LDAP URL is null. LDAPOperationManager won't work correctly");
} }
String useTruststoreSpi = this.config.getUseTruststoreSpi();
LDAPConstants.setTruststoreSpiIfNeeded(useTruststoreSpi, url, env);
String connectionPooling = this.config.getConnectionPooling(); String connectionPooling = this.config.getConnectionPooling();
if (connectionPooling != null) { if (connectionPooling != null) {
env.put("com.sun.jndi.ldap.connect.pool", connectionPooling); env.put("com.sun.jndi.ldap.connect.pool", connectionPooling);

8
federation/ldap/src/test/java/org/keycloak/federation/ldap/idm/model/LDAPDnTest.java
View file

@ -31,9 +31,9 @@ public class LDAPDnTest {
dn.addFirst("ou", "People"); dn.addFirst("ou", "People");
Assert.assertEquals("ou=People,dc=keycloak,dc=org", dn.toString()); Assert.assertEquals("ou=People,dc=keycloak,dc=org", dn.toString());
dn.addFirst("uid", "Johny,Depp"); dn.addFirst("uid", "Johny,Depp+Pepp");
Assert.assertEquals("uid=Johny\\,Depp,ou=People,dc=keycloak,dc=org", dn.toString()); Assert.assertEquals("uid=Johny\\,Depp\\+Pepp,ou=People,dc=keycloak,dc=org", dn.toString());
Assert.assertEquals(LDAPDn.fromString("uid=Johny\\,Depp,ou=People,dc=keycloak,dc=org"), dn); Assert.assertEquals(LDAPDn.fromString("uid=Johny\\,Depp\\+Pepp,ou=People,dc=keycloak,dc=org"), dn);
Assert.assertEquals("ou=People,dc=keycloak,dc=org", dn.getParentDn()); Assert.assertEquals("ou=People,dc=keycloak,dc=org", dn.getParentDn());
@ -44,6 +44,6 @@ public class LDAPDnTest {
Assert.assertFalse(dn.isDescendantOf(dn)); Assert.assertFalse(dn.isDescendantOf(dn));
Assert.assertEquals("uid", dn.getFirstRdnAttrName()); Assert.assertEquals("uid", dn.getFirstRdnAttrName());
Assert.assertEquals("Johny\\,Depp", dn.getFirstRdnAttrValue()); Assert.assertEquals("Johny\\,Depp\\+Pepp", dn.getFirstRdnAttrValue());
} }
} }

25
server-spi/src/main/java/org/keycloak/models/LDAPConstants.java
View file

@ -17,6 +17,8 @@
package org.keycloak.models; package org.keycloak.models;
import java.util.Map;
/** /**
* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a> * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
*/ */
@ -38,7 +40,6 @@ public class LDAPConstants {
public static final String USER_OBJECT_CLASSES = "userObjectClasses"; public static final String USER_OBJECT_CLASSES = "userObjectClasses";
public static final String CONNECTION_URL = "connectionUrl"; public static final String CONNECTION_URL = "connectionUrl";
public static final String SECURITY_PROTOCOL = "securityProtocol";
public static final String BASE_DN = "baseDn"; // used for tests only public static final String BASE_DN = "baseDn"; // used for tests only
public static final String USERS_DN = "usersDn"; public static final String USERS_DN = "usersDn";
public static final String BIND_DN = "bindDn"; public static final String BIND_DN = "bindDn";
@ -48,6 +49,11 @@ public class LDAPConstants {
public static final String AUTH_TYPE_NONE = "none"; public static final String AUTH_TYPE_NONE = "none";
public static final String AUTH_TYPE_SIMPLE = "simple"; public static final String AUTH_TYPE_SIMPLE = "simple";
public static final String USE_TRUSTSTORE_SPI = "useTruststoreSpi";
public static final String USE_TRUSTSTORE_ALWAYS = "always";
public static final String USE_TRUSTSTORE_NEVER = "never";
public static final String USE_TRUSTSTORE_LDAPS_ONLY = "ldapsOnly";
public static final String SEARCH_SCOPE = "searchScope"; public static final String SEARCH_SCOPE = "searchScope";
public static final String CONNECTION_POOLING = "connectionPooling"; public static final String CONNECTION_POOLING = "connectionPooling";
public static final String PAGINATION = "pagination"; public static final String PAGINATION = "pagination";
@ -119,4 +125,21 @@ public class LDAPConstants {
return ENTRY_UUID; return ENTRY_UUID;
} }
public static void setTruststoreSpiIfNeeded(String useTruststoreSpi, String url, Map<String, Object> env) {
boolean shouldSetTruststore;
if (useTruststoreSpi != null && useTruststoreSpi.equals(LDAPConstants.USE_TRUSTSTORE_ALWAYS)) {
shouldSetTruststore = true;
} else if (useTruststoreSpi != null && useTruststoreSpi.equals(LDAPConstants.USE_TRUSTSTORE_NEVER)) {
shouldSetTruststore = false;
} else {
shouldSetTruststore = (url != null && url.startsWith("ldaps"));
}
if (shouldSetTruststore) {
env.put("java.naming.ldap.factory.socket", "org.keycloak.truststore.SSLSocketFactory");
}
}
} }

19
services/src/main/java/org/keycloak/services/managers/LDAPConnectionTestManager.java
View file

@ -16,13 +16,14 @@
*/ */
package org.keycloak.services.managers; package org.keycloak.services.managers;
import org.keycloak.services.ServicesLogger;
import javax.naming.Context; import javax.naming.Context;
import javax.naming.NamingException; import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext; import javax.naming.ldap.InitialLdapContext;
import java.util.Hashtable; import java.util.Hashtable;
import org.keycloak.models.LDAPConstants;
import org.keycloak.services.ServicesLogger;
/** /**
* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a> * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
*/ */
@ -33,7 +34,7 @@ public class LDAPConnectionTestManager {
public static final String TEST_CONNECTION = "testConnection"; public static final String TEST_CONNECTION = "testConnection";
public static final String TEST_AUTHENTICATION = "testAuthentication"; public static final String TEST_AUTHENTICATION = "testAuthentication";
public boolean testLDAP(String action, String connectionUrl, String bindDn, String bindCredential) { public boolean testLDAP(String action, String connectionUrl, String bindDn, String bindCredential, String useTruststoreSpi) {
if (!TEST_CONNECTION.equals(action) && !TEST_AUTHENTICATION.equals(action)) { if (!TEST_CONNECTION.equals(action) && !TEST_AUTHENTICATION.equals(action)) {
logger.unknownAction(action); logger.unknownAction(action);
return false; return false;
@ -43,10 +44,20 @@ public class LDAPConnectionTestManager {
try { try {
Hashtable<String, Object> env = new Hashtable<String, Object>(); Hashtable<String, Object> env = new Hashtable<String, Object>();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory"); env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
if (connectionUrl == null) {
logger.errorf("Unknown connection URL");
return false;
}
env.put(Context.PROVIDER_URL, connectionUrl); env.put(Context.PROVIDER_URL, connectionUrl);
if (TEST_AUTHENTICATION.equals(action)) { if (TEST_AUTHENTICATION.equals(action)) {
env.put(Context.SECURITY_AUTHENTICATION, "simple"); env.put(Context.SECURITY_AUTHENTICATION, "simple");
if (bindDn == null) {
logger.error("Unknown bind DN");
return false;
}
env.put(Context.SECURITY_PRINCIPAL, bindDn); env.put(Context.SECURITY_PRINCIPAL, bindDn);
char[] bindCredentialChar = null; char[] bindCredentialChar = null;
@ -56,6 +67,8 @@ public class LDAPConnectionTestManager {
env.put(Context.SECURITY_CREDENTIALS, bindCredentialChar); env.put(Context.SECURITY_CREDENTIALS, bindCredentialChar);
} }
LDAPConstants.setTruststoreSpiIfNeeded(useTruststoreSpi, connectionUrl, env);
ldapContext = new InitialLdapContext(env, null); ldapContext = new InitialLdapContext(env, null);
return true; return true;
} catch (Exception ne) { } catch (Exception ne) {

5
services/src/main/java/org/keycloak/services/resources/admin/RealmAdminResource.java
View file

@ -652,10 +652,11 @@ public class RealmAdminResource {
@GET @GET
@NoCache @NoCache
public Response testLDAPConnection(@QueryParam("action") String action, @QueryParam("connectionUrl") String connectionUrl, public Response testLDAPConnection(@QueryParam("action") String action, @QueryParam("connectionUrl") String connectionUrl,
@QueryParam("bindDn") String bindDn, @QueryParam("bindCredential") String bindCredential) { @QueryParam("bindDn") String bindDn, @QueryParam("bindCredential") String bindCredential,
@QueryParam("useTruststoreSpi") String useTruststoreSpi) {
auth.init(RealmAuth.Resource.REALM).requireManage(); auth.init(RealmAuth.Resource.REALM).requireManage();
boolean result = new LDAPConnectionTestManager().testLDAP(action, connectionUrl, bindDn, bindCredential); boolean result = new LDAPConnectionTestManager().testLDAP(action, connectionUrl, bindDn, bindCredential, useTruststoreSpi);
return result ? Response.noContent().build() : ErrorResponse.error("LDAP test error", Response.Status.BAD_REQUEST); return result ? Response.noContent().build() : ErrorResponse.error("LDAP test error", Response.Status.BAD_REQUEST);
} }

4
testsuite/integration/src/test/java/org/keycloak/testsuite/federation/ldap/base/FederationProvidersIntegrationTest.java
View file

@ -405,6 +405,9 @@ public class FederationProvidersIntegrationTest {
if (!skip) { if (!skip) {
LDAPObject johnComma = FederationTestUtils.addLDAPUser(ldapFedProvider, appRealm, "john,comma", "John", "Comma", "johncomma@email.org", null, "12387"); LDAPObject johnComma = FederationTestUtils.addLDAPUser(ldapFedProvider, appRealm, "john,comma", "John", "Comma", "johncomma@email.org", null, "12387");
FederationTestUtils.updateLDAPPassword(ldapFedProvider, johnComma, "Password1"); FederationTestUtils.updateLDAPPassword(ldapFedProvider, johnComma, "Password1");
LDAPObject johnPlus = FederationTestUtils.addLDAPUser(ldapFedProvider, appRealm, "john+plus,comma", "John", "Plus", "johnplus@email.org", null, "12387");
FederationTestUtils.updateLDAPPassword(ldapFedProvider, johnPlus, "Password1");
} }
} finally { } finally {
keycloakRule.stopSession(session, false); keycloakRule.stopSession(session, false);
@ -413,6 +416,7 @@ public class FederationProvidersIntegrationTest {
if (!skip) { if (!skip) {
// Try to import the user with comma in username into Keycloak // Try to import the user with comma in username into Keycloak
loginSuccessAndLogout("john,comma", "Password1"); loginSuccessAndLogout("john,comma", "Password1");
loginSuccessAndLogout("john+plus,comma", "Password1");
} }
} }

2
themes/src/main/resources/theme/base/admin/messages/admin-messages_en.properties
View file

@ -653,6 +653,8 @@ custom-user-ldap-filter=Custom User LDAP Filter
ldap.custom-user-ldap-filter.tooltip=Additional LDAP Filter for filtering searched users. Leave this empty if you don't need additional filter. Make sure that it starts with '(' and ends with ')' ldap.custom-user-ldap-filter.tooltip=Additional LDAP Filter for filtering searched users. Leave this empty if you don't need additional filter. Make sure that it starts with '(' and ends with ')'
search-scope=Search Scope search-scope=Search Scope
ldap.search-scope.tooltip=For one level, we search for users just in DNs specified by User DNs. For subtree, we search in whole of their subtree. See LDAP documentation for more details ldap.search-scope.tooltip=For one level, we search for users just in DNs specified by User DNs. For subtree, we search in whole of their subtree. See LDAP documentation for more details
use-truststore-spi=Use Truststore SPI
ldap.use-truststore-spi.tooltip=Specifies whether LDAP connection will use the truststore SPI with the truststore configured in keycloak-server.json. 'Always' means that it will always use it. 'Never' means that it won't use it. 'Only for ldaps' means that it will use if your connection URL use ldaps. Note even if keycloak-server.json is not configured, the default Java cacerts or certificate specified by 'javax.net.ssl.trustStore' property will be used.
connection-pooling=Connection Pooling connection-pooling=Connection Pooling
ldap.connection-pooling.tooltip=Does Keycloak should use connection pooling for accessing LDAP server ldap.connection-pooling.tooltip=Does Keycloak should use connection pooling for accessing LDAP server
ldap.pagination.tooltip=Does the LDAP server support pagination. ldap.pagination.tooltip=Does the LDAP server support pagination.

13
themes/src/main/resources/theme/base/admin/resources/js/controllers/users.js
View file

@ -771,6 +771,12 @@ module.controller('LDAPCtrl', function($scope, $location, $route, Notifications,
{ "id": "2", "name": "Subtree" } { "id": "2", "name": "Subtree" }
]; ];
$scope.useTruststoreOptions = [
{ "id": "always", "name": "Always" },
{ "id": "ldapsOnly", "name": "Only for ldaps" },
{ "id": "never", "name": "Never" }
];
var DEFAULT_BATCH_SIZE = "1000"; var DEFAULT_BATCH_SIZE = "1000";
$scope.create = !instance.providerName; $scope.create = !instance.providerName;
@ -793,6 +799,7 @@ module.controller('LDAPCtrl', function($scope, $location, $route, Notifications,
instance.config.authType = 'simple'; instance.config.authType = 'simple';
instance.config.batchSizeForSync = DEFAULT_BATCH_SIZE; instance.config.batchSizeForSync = DEFAULT_BATCH_SIZE;
instance.config.searchScope = "1"; instance.config.searchScope = "1";
instance.config.useTruststoreSpi = "ldapsOnly";
$scope.fullSyncEnabled = false; $scope.fullSyncEnabled = false;
$scope.changedSyncEnabled = false; $scope.changedSyncEnabled = false;
@ -815,6 +822,9 @@ module.controller('LDAPCtrl', function($scope, $location, $route, Notifications,
if (!instance.config.searchScope) { if (!instance.config.searchScope) {
instance.config.searchScope = '1'; instance.config.searchScope = '1';
} }
if (!instance.config.useTruststoreSpi) {
instance.config.useTruststoreSpi = "ldapsOnly";
}
$scope.fullSyncEnabled = (instance.fullSyncPeriod && instance.fullSyncPeriod > 0); $scope.fullSyncEnabled = (instance.fullSyncPeriod && instance.fullSyncPeriod > 0);
$scope.changedSyncEnabled = (instance.changedSyncPeriod && instance.changedSyncPeriod > 0); $scope.changedSyncEnabled = (instance.changedSyncPeriod && instance.changedSyncPeriod > 0);
@ -939,7 +949,8 @@ module.controller('LDAPCtrl', function($scope, $location, $route, Notifications,
realm: $scope.realm.realm, realm: $scope.realm.realm,
connectionUrl: ldapConfig.connectionUrl, connectionUrl: ldapConfig.connectionUrl,
bindDn: ldapConfig.bindDn, bindDn: ldapConfig.bindDn,
bindCredential: ldapConfig.bindCredential bindCredential: ldapConfig.bindCredential,
useTruststoreSpi: ldapConfig.useTruststoreSpi
}; };
}; };

13
themes/src/main/resources/theme/base/admin/resources/partials/federated-ldap.html
View file

@ -163,6 +163,19 @@
</div> </div>
<kc-tooltip>{{:: 'ldap.search-scope.tooltip' | translate}}</kc-tooltip> <kc-tooltip>{{:: 'ldap.search-scope.tooltip' | translate}}</kc-tooltip>
</div> </div>
<div class="form-group">
<label class="col-md-2 control-label" for="useTruststoreSpi">{{:: 'use-truststore-spi' | translate}}</label>
<div class="col-md-6">
<div>
<select class="form-control" id="useTruststoreSpi"
ng-model="instance.config.useTruststoreSpi"
ng-options="useTruststoreSpi.id as useTruststoreSpi.name for useTruststoreSpi in useTruststoreOptions"
required>
</select>
</div>
</div>
<kc-tooltip>{{:: 'ldap.use-truststore-spi.tooltip' | translate}}</kc-tooltip>
</div>
<div class="form-group clearfix"> <div class="form-group clearfix">
<label class="col-md-2 control-label" for="connectionPooling">{{:: 'connection-pooling' | translate}}</label> <label class="col-md-2 control-label" for="connectionPooling">{{:: 'connection-pooling' | translate}}</label>
<div class="col-md-6"> <div class="col-md-6">