Merge pull request #644 from mposolda/master

Docs about sync. Tooltips and minor fixes
This commit is contained in:
Marek Posolda 2014-08-25 17:19:02 +02:00
commit f51ba1cb8a
5 changed files with 66 additions and 5 deletions


@ -101,7 +101,8 @@
<term>Other options</term> <term>Other options</term>
<listitem> <listitem>
<para> <para>
The rest of the configuration options should be self explanatory. The rest of the configuration options should be self explanatory. You can use tooltips in admin console
to see some more details about them.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -109,6 +110,46 @@
</para> </para>
</section> </section>
</section> </section>
<section>
<title>Sync of LDAP users to Keycloak</title>
<para>
LDAP Federation Provider will automatically take care of synchronization (import) of needed LDAP users into Keycloak database.
For example once you first authenticate LDAP user <literal>john</literal> from Keycloak UI, LDAP Federation provider will
first import this LDAP user into Keycloak database and then authenticate against LDAP password.
</para>
<para>
Thing is that Federation Provider import just requested users by default, so if you click to <literal>View all users</literal>
in Keycloak admin console, you will see just those LDAP users, which were already authenticated/requested by Keycloak.
</para>
<para>If you want to sync all LDAP users into Keycloak database, you may configure and enable Sync, which is in
admin console on same page like the configuration of Federation provider itself. There are 2 types of sync:
<variablelist>
<varlistentry>
<term>Full sync</term>
<listitem>
<para>
This will synchronize all LDAP users into Keycloak DB. Those LDAP users, which already exist in Keycloak and were
changed in LDAP directly will be updated in Keycloak DB (For example if user <literal>Mary Kelly</literal> was changed in LDAP to <literal>Mary Doe</literal>).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Changed users sync</term>
<listitem>
<para>
This will check LDAP and it will sync into Keycloak just those users, which were created or updated in LDAP from the time of last sync.
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
<para>
In usual cases you may want to trigger full sync at the beginning, so you will import all LDAP users to Keycloak just once. Then you may setup
periodic sync of changed users, so Keycloak will periodically ask LDAP server for newly created or updated users and backport them to Keycloak DB.
Also you may want to trigger full sync again after some longer time or setup periodic full sync as well.
</para>
<para>In admin console, you can trigger sync directly or you can enable periodic changed or full sync.</para>
</section>
<section> <section>
<title>Writing your own User Federation Provider</title> <title>Writing your own User Federation Provider</title>
<para> <para>


@ -32,12 +32,14 @@
<div class="col-sm-4"> <div class="col-sm-4">
<input class="form-control" id="consoleDisplayName" type="text" ng-model="instance.displayName" placeholder="defaults to id"> <input class="form-control" id="consoleDisplayName" type="text" ng-model="instance.displayName" placeholder="defaults to id">
</div> </div>
<span tooltip-placement="right" tooltip="Display name of provider when linked in admin console." class="fa fa-info-circle"></span>
</div> </div>
<div class="form-group clearfix"> <div class="form-group clearfix">
<label class="col-sm-2 control-label" for="priority">Priority </label> <label class="col-sm-2 control-label" for="priority">Priority </label>
<div class="col-sm-4"> <div class="col-sm-4">
<input class="form-control" id="priority" type="text" ng-model="instance.priority"> <input class="form-control" id="priority" type="text" ng-model="instance.priority">
</div> </div>
<span tooltip-placement="right" tooltip="Priority of provider when doing a user lookup. Lowest first." class="fa fa-info-circle"></span>
</div> </div>
<div data-ng-repeat="option in providerFactory.options" class="form-group"> <div data-ng-repeat="option in providerFactory.options" class="form-group">
<label class="col-sm-2 control-label">{{option|capitalize}} </label> <label class="col-sm-2 control-label">{{option|capitalize}} </label>
@ -56,24 +58,28 @@
<div class="col-sm-4"> <div class="col-sm-4">
<input ng-model="fullSyncEnabled" name="fullSyncEnabled" id="fullSyncEnabled" onoffswitch /> <input ng-model="fullSyncEnabled" name="fullSyncEnabled" id="fullSyncEnabled" onoffswitch />
</div> </div>
<span tooltip-placement="right" tooltip="Does periodic full synchronization of provider users to Keycloak should be enabled or not" class="fa fa-info-circle"></span>
</div> </div>
<div class="form-group clearfix" data-ng-show="fullSyncEnabled"> <div class="form-group clearfix" data-ng-show="fullSyncEnabled">
<label class="col-sm-2 control-label" for="fullSyncPeriod">Full sync period</label> <label class="col-sm-2 control-label" for="fullSyncPeriod">Full sync period</label>
<div class="col-sm-4"> <div class="col-sm-4">
<input class="form-control" type="number" ng-model="instance.fullSyncPeriod" id="fullSyncPeriod" /> <input class="form-control" type="number" ng-model="instance.fullSyncPeriod" id="fullSyncPeriod" />
</div> </div>
<span tooltip-placement="right" tooltip="Period for full synchronization in seconds" class="fa fa-info-circle"></span>
</div> </div>
<div class="form-group clearfix"> <div class="form-group clearfix">
<label class="col-sm-2 control-label" for="changedSyncEnabled">Periodic changed users sync</label> <label class="col-sm-2 control-label" for="changedSyncEnabled">Periodic changed users sync</label>
<div class="col-sm-4"> <div class="col-sm-4">
<input ng-model="changedSyncEnabled" name="changedSyncEnabled" id="changedSyncEnabled" onoffswitch /> <input ng-model="changedSyncEnabled" name="changedSyncEnabled" id="changedSyncEnabled" onoffswitch />
</div> </div>
<span tooltip-placement="right" tooltip="Does periodic synchronization of changed or newly created provider users to Keycloak should be enabled or not" class="fa fa-info-circle"></span>
</div> </div>
<div class="form-group clearfix" data-ng-show="changedSyncEnabled"> <div class="form-group clearfix" data-ng-show="changedSyncEnabled">
<label class="col-sm-2 control-label" for="changedSyncPeriod">Changed users sync period</label> <label class="col-sm-2 control-label" for="changedSyncPeriod">Changed users sync period</label>
<div class="col-sm-4"> <div class="col-sm-4">
<input class="form-control" type="number" ng-model="instance.changedSyncPeriod" id="changedSyncPeriod" /> <input class="form-control" type="number" ng-model="instance.changedSyncPeriod" id="changedSyncPeriod" />
</div> </div>
<span tooltip-placement="right" tooltip="Period for synchronization of changed or newly created provider users in seconds" class="fa fa-info-circle"></span>
</div> </div>
</fieldset> </fieldset>
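Review bot: The two new switch tooltips on L89 and L103 read "Does periodic ... synchronization ... should be enabled or not", which is ungrammatical and will be shown verbatim to administrators; the same strings recur in the LDAP template (L202, L216). Suggest `tooltip="Whether periodic full synchronization of provider users into Keycloak is enabled"` and `tooltip="Whether periodic synchronization of changed or newly created provider users into Keycloak is enabled"`. The period tooltips on L96 and L110 could also state that the value is the interval between two sync runs, since "Period ... in seconds" alone leaves that open.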


@ -72,6 +72,7 @@
</select> </select>
</div> </div>
</div> </div>
<span tooltip-placement="right" tooltip="LDAP vendor (provider)" class="fa fa-info-circle"></span>
</div> </div>
<div class="form-group clearfix"> <div class="form-group clearfix">
<label class="col-sm-2 control-label" for="usernameLDAPAttribute">Username LDAP attribute </label> <label class="col-sm-2 control-label" for="usernameLDAPAttribute">Username LDAP attribute </label>
@ -83,18 +84,21 @@
</select> </select>
</div> </div>
</div> </div>
<span tooltip-placement="right" tooltip="Name of LDAP attribute, which is mapped as Keycloak username" class="fa fa-info-circle"></span>
</div> </div>
<div class="form-group clearfix"> <div class="form-group clearfix">
<label class="col-sm-2 control-label" for="userObjectClasses">User Object Classes </label> <label class="col-sm-2 control-label" for="userObjectClasses">User Object Classes </label>
<div class="col-sm-4"> <div class="col-sm-4">
<input class="form-control" id="userObjectClasses" type="text" ng-model="instance.config.userObjectClasses" placeholder="LDAP User Object Classes (div. by comma)"> <input class="form-control" id="userObjectClasses" type="text" ng-model="instance.config.userObjectClasses" placeholder="LDAP User Object Classes (div. by comma)">
</div> </div>
<span tooltip-placement="right" tooltip="All values of LDAP objectClass attribute divided by comma, which are used for newly created LDAP users" class="fa fa-info-circle"></span>
</div> </div>
<div class="form-group clearfix"> <div class="form-group clearfix">
<label class="col-sm-2 control-label" for="ldapConnectionUrl">Connection URL<span class="required">*</span></label> <label class="col-sm-2 control-label" for="ldapConnectionUrl">Connection URL<span class="required">*</span></label>
<div class="col-sm-4"> <div class="col-sm-4">
<input class="form-control" id="ldapConnectionUrl" type="text" ng-model="instance.config.connectionUrl" placeholder="LDAP connection URL" required> <input class="form-control" id="ldapConnectionUrl" type="text" ng-model="instance.config.connectionUrl" placeholder="LDAP connection URL" required>
</div> </div>
<span tooltip-placement="right" tooltip="Connection URL to your LDAP server" class="fa fa-info-circle"></span>
<div class="col-sm-4" data-ng-show="access.manageRealm"> <div class="col-sm-4" data-ng-show="access.manageRealm">
<a class="btn btn-primary" data-ng-click="testConnection()">Test connection</a> <a class="btn btn-primary" data-ng-click="testConnection()">Test connection</a>
</div> </div>
@ -104,24 +108,28 @@
<div class="col-sm-4"> <div class="col-sm-4">
<input class="form-control" id="ldapBaseDn" type="text" ng-model="instance.config.baseDn" placeholder="LDAP Base DN" required> <input class="form-control" id="ldapBaseDn" type="text" ng-model="instance.config.baseDn" placeholder="LDAP Base DN" required>
</div> </div>
<span tooltip-placement="right" tooltip="Base DN of LDAP tree where your data are. Base DN is usually ancestor of User DN Suffix" class="fa fa-info-circle"></span>
</div> </div>
<div class="form-group clearfix"> <div class="form-group clearfix">
<label class="col-sm-2 control-label" for="ldapUserDnSuffix">User DN Suffix <span class="required">*</span></label> <label class="col-sm-2 control-label" for="ldapUserDnSuffix">User DN Suffix <span class="required">*</span></label>
<div class="col-sm-4"> <div class="col-sm-4">
<input class="form-control" id="ldapUserDnSuffix" type="text" ng-model="instance.config.userDnSuffix" placeholder="LDAP User DN Suffix" required> <input class="form-control" id="ldapUserDnSuffix" type="text" ng-model="instance.config.userDnSuffix" placeholder="LDAP User DN Suffix" required>
</div> </div>
<span tooltip-placement="right" tooltip="Base DN of LDAP tree where your users are. This DN is parent of all DNs of LDAP users" class="fa fa-info-circle"></span>
</div> </div>
<div class="form-group clearfix"> <div class="form-group clearfix">
<label class="col-sm-2 control-label" for="ldapBindDn">Bind DN <span class="required">*</span></label> <label class="col-sm-2 control-label" for="ldapBindDn">Bind DN <span class="required">*</span></label>
<div class="col-sm-4"> <div class="col-sm-4">
<input class="form-control" id="ldapBindDn" type="text" ng-model="instance.config.bindDn" placeholder="LDAP Bind DN" required> <input class="form-control" id="ldapBindDn" type="text" ng-model="instance.config.bindDn" placeholder="LDAP Bind DN" required>
</div> </div>
<span tooltip-placement="right" tooltip="DN of LDAP admin, which will be used by Keycloak to access LDAP server" class="fa fa-info-circle"></span>
</div> </div>
<div class="form-group clearfix"> <div class="form-group clearfix">
<label class="col-sm-2 control-label" for="ldapBindCredential">Bind Credential <span class="required">*</span></label> <label class="col-sm-2 control-label" for="ldapBindCredential">Bind Credential <span class="required">*</span></label>
<div class="col-sm-4"> <div class="col-sm-4">
<input class="form-control" id="ldapBindCredential" type="text" ng-model="instance.config.bindCredential" placeholder="LDAP Bind Credentials" required> <input class="form-control" id="ldapBindCredential" type="text" ng-model="instance.config.bindCredential" placeholder="LDAP Bind Credentials" required>
</div> </div>
<span tooltip-placement="right" tooltip="Password of LDAP admin" class="fa fa-info-circle"></span>
<div class="col-sm-4" data-ng-show="access.manageRealm"> <div class="col-sm-4" data-ng-show="access.manageRealm">
<a class="btn btn-primary" data-ng-click="testAuthentication()">Test authentication</a> <a class="btn btn-primary" data-ng-click="testAuthentication()">Test authentication</a>
</div> </div>
@ -131,6 +139,7 @@
<div class="col-sm-4"> <div class="col-sm-4">
<input ng-model="connectionPooling" name="connectionPooling" id="connectionPooling" onoffswitch /> <input ng-model="connectionPooling" name="connectionPooling" id="connectionPooling" onoffswitch />
</div> </div>
<span tooltip-placement="right" tooltip="Does Keycloak should use connection pooling for accessing LDAP server" class="fa fa-info-circle"></span>
</div> </div>
<div class="form-group clearfix"> <div class="form-group clearfix">
<label class="col-sm-2 control-label" for="pagination">Pagination</label> <label class="col-sm-2 control-label" for="pagination">Pagination</label>
@ -144,6 +153,8 @@
<div class="col-sm-4"> <div class="col-sm-4">
<input ng-model="userAccountControlsAfterPasswordUpdate" name="userAccountControlsAfterPasswordUpdate" id="userAccountControlsAfterPasswordUpdate" onoffswitch /> <input ng-model="userAccountControlsAfterPasswordUpdate" name="userAccountControlsAfterPasswordUpdate" id="userAccountControlsAfterPasswordUpdate" onoffswitch />
</div> </div>
<span tooltip-placement="right" tooltip="Useful just for Active Directory. If enabled, then Keycloak will always set
Active Directory userAccountControl attribute to 512 after password update. This would mean that particular user will be enabled in Active Directory" class="fa fa-info-circle"></span>
</div> </div>
</fieldset> </fieldset>
@ -154,30 +165,35 @@
<div class="col-sm-4"> <div class="col-sm-4">
<input class="form-control" type="text" ng-model="instance.config.batchSizeForSync" id="batchSizeForSync" /> <input class="form-control" type="text" ng-model="instance.config.batchSizeForSync" id="batchSizeForSync" />
</div> </div>
<span tooltip-placement="right" tooltip="Count of LDAP users to be imported from LDAP to Keycloak within single transaction." class="fa fa-info-circle"></span>
</div> </div>
<div class="form-group clearfix"> <div class="form-group clearfix">
<label class="col-sm-2 control-label" for="fullSyncEnabled">Periodic full sync</label> <label class="col-sm-2 control-label" for="fullSyncEnabled">Periodic full sync</label>
<div class="col-sm-4"> <div class="col-sm-4">
<input ng-model="fullSyncEnabled" name="fullSyncEnabled" id="fullSyncEnabled" onoffswitch /> <input ng-model="fullSyncEnabled" name="fullSyncEnabled" id="fullSyncEnabled" onoffswitch />
</div> </div>
<span tooltip-placement="right" tooltip="Does periodic full synchronization of LDAP users to Keycloak should be enabled or not" class="fa fa-info-circle"></span>
</div> </div>
<div class="form-group clearfix" data-ng-show="fullSyncEnabled"> <div class="form-group clearfix" data-ng-show="fullSyncEnabled">
<label class="col-sm-2 control-label" for="fullSyncPeriod">Full sync period</label> <label class="col-sm-2 control-label" for="fullSyncPeriod">Full sync period</label>
<div class="col-sm-4"> <div class="col-sm-4">
<input class="form-control" type="number" ng-model="instance.fullSyncPeriod" id="fullSyncPeriod" /> <input class="form-control" type="number" ng-model="instance.fullSyncPeriod" id="fullSyncPeriod" />
</div> </div>
<span tooltip-placement="right" tooltip="Period for full synchronization in seconds" class="fa fa-info-circle"></span>
</div> </div>
<div class="form-group clearfix"> <div class="form-group clearfix">
<label class="col-sm-2 control-label" for="changedSyncEnabled">Periodic changed users sync</label> <label class="col-sm-2 control-label" for="changedSyncEnabled">Periodic changed users sync</label>
<div class="col-sm-4"> <div class="col-sm-4">
<input ng-model="changedSyncEnabled" name="changedSyncEnabled" id="changedSyncEnabled" onoffswitch /> <input ng-model="changedSyncEnabled" name="changedSyncEnabled" id="changedSyncEnabled" onoffswitch />
</div> </div>
<span tooltip-placement="right" tooltip="Does periodic synchronization of changed or newly created LDAP users to Keycloak should be enabled or not" class="fa fa-info-circle"></span>
</div> </div>
<div class="form-group clearfix" data-ng-show="changedSyncEnabled"> <div class="form-group clearfix" data-ng-show="changedSyncEnabled">
<label class="col-sm-2 control-label" for="changedSyncPeriod">Changed users sync period</label> <label class="col-sm-2 control-label" for="changedSyncPeriod">Changed users sync period</label>
<div class="col-sm-4"> <div class="col-sm-4">
<input class="form-control" type="number" ng-model="instance.changedSyncPeriod" id="changedSyncPeriod" /> <input class="form-control" type="number" ng-model="instance.changedSyncPeriod" id="changedSyncPeriod" />
</div> </div>
<span tooltip-placement="right" tooltip="Period for synchronization of changed or newly created LDAP users in seconds" class="fa fa-info-circle"></span>
</div> </div>
</fieldset> </fieldset>
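Review bot: The tooltip added on L171 documents the Bind Credential field as "Password of LDAP admin", yet the input it describes on L169 (a context line this commit does not touch) is `type="text"`, so the LDAP service-account secret is echoed in clear in the admin console and is eligible for browser form autofill; while adding the tooltip it would be worth changing that input to `<input class="form-control" id="ldapBindCredential" type="password" autocomplete="off" ng-model="instance.config.bindCredential" placeholder="LDAP Bind Credentials" required>`. The Bind DN tooltip on L164 could steer operators toward a least-privilege account instead of an "admin", e.g. `tooltip="DN of the LDAP account Keycloak binds with; grant it only the permissions Keycloak needs"`. The tooltip on L187–L188 spans two source lines inside the attribute value, so the rendered tooltip will carry the raw newline and indentation; keeping it on one line (or breaking outside the attribute) avoids that. The same "Does ... should be enabled or not" wording issue noted for the generic provider template applies to L179, L202 and L216 here.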


@ -68,7 +68,7 @@ public class UsersSyncManager {
try { try {
syncAllUsers(sessionFactory, realmId, fedProvider); syncAllUsers(sessionFactory, realmId, fedProvider);
} catch (Throwable t) { } catch (Throwable t) {
logger.error("Error occured during full sync of users", t); logger.error("Error occurred during full sync of users", t);
} }
} }
@ -86,7 +86,7 @@ public class UsersSyncManager {
try { try {
syncChangedUsers(sessionFactory, realmId, fedProvider); syncChangedUsers(sessionFactory, realmId, fedProvider);
} catch (Throwable t) { } catch (Throwable t) {
logger.error("Error occured during sync of changed users", t); logger.error("Error occurred during sync of changed users", t);
} }
} }
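Review bot: Both hunks (L233 and L240) keep a `catch (Throwable t)` that logs and returns, so an `Error` such as `OutOfMemoryError` raised during a sync run is absorbed and the periodic task reports success to its scheduler; the message spelling fix does not change that. If the intent is only to keep the scheduler alive across a failing sync, catching `RuntimeException` (plus the checked types the sync methods declare) would let JVM-level errors propagate, or at minimum rethrow after logging: `if (t instanceof Error) throw (Error) t;`. The enclosing methods begin outside the hunk, so whether the caller already handles this is not visible here.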


@ -1,6 +1,5 @@
package org.keycloak.testsuite.forms; package org.keycloak.testsuite.forms;
import java.util.Date;
import java.util.HashMap; import java.util.HashMap;
import java.util.Map; import java.util.Map;
@ -18,7 +17,6 @@ import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory; import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel; import org.keycloak.models.RealmModel;
import org.keycloak.models.UserFederationProvider; import org.keycloak.models.UserFederationProvider;
import org.keycloak.models.UserFederationProviderFactory;
import org.keycloak.models.UserFederationProviderModel; import org.keycloak.models.UserFederationProviderModel;
import org.keycloak.models.UserModel; import org.keycloak.models.UserModel;
import org.keycloak.models.UserProvider; import org.keycloak.models.UserProvider;