Commit graph

245 commits

Author SHA1 Message Date
rmartinc
b97f177f26 [KEYCLOAK-14696] Unable to fetch list of members from a group through keycloak admin console. 2021-05-20 11:32:23 +02:00
Pascal Euhus
82fc401298 [KEYCLOAK-9841] use LDAPUser UUID as an identifier instead of username 2021-03-16 17:55:24 +01:00
Andrew Elwell
c76ca4ad13
Correct "doesn't exists" typos - fixes KEYCLOAK-14986 (#7316)
* Correct "doesn't exists" typos

* Revert changes to imported package

Co-authored-by: Stian Thorgersen <stianst@gmail.com>
2021-03-16 11:52:36 +01:00
Mathieu CLAUDEL
197b34889c KEYCLOAK-17146 : Fix reset password MS AD LDS mapper 2021-03-03 09:17:39 +01:00
Thomas Darimont
2faf809536 KEYCLOAK-16464 Allow to map enabled user model attribute to LDAP attribute 2021-01-20 09:24:06 +01:00
Thomas Darimont
f76e9cc833 KEYCLOAK-16464 Allow to map emailVerified user model attribute to LDAP attribute 2021-01-20 09:24:06 +01:00
Michal Hajas
ba8e2fef6b KEYCLOAK-15524 Cleanup user related interfaces 2021-01-18 16:56:10 +01:00
Jiri Lunacek
91a51c2dbe KEYCLOAK-16606 add default value to mandatory LDAP attributes 2021-01-15 21:58:04 +01:00
vramik
1402d021de KEYCLOAK-14846 Default roles processing 2021-01-08 13:55:48 +01:00
Cédric Couralet
f4abc86a66 KEYCLOAK-16112 don't remove username attribute 2020-12-14 15:46:25 +01:00
Michal Hajas
8e376aef51
KEYCLOAK-15847 Add MapUserProvider 2020-12-10 08:57:53 +01:00
Thomas Riccardi
f45e187c35 Finish renaming 'application role' to 'client role' in help texts 2020-12-08 12:18:13 +01:00
Stefan Guilhen
edef93cd49 [KEYCLOAK-16232] Streamify the UserCredentialStore and UserCredentialManager interfaces 2020-12-07 19:48:35 +01:00
Stefan Guilhen
73d0bb34c4 [KEYCLOAK-16232] Replace usages of deprecated collection-based methods with the respective stream variants 2020-12-07 19:48:35 +01:00
Stefan Guilhen
84df008bc2 [KEYCLOAK-16341] Make the new stream-based methods in server-spi user interfaces default instead of the collection-based versions.
- this ensures that providing implementation for the collection-based methods is enough, which preserves
   backwards compatibility with older custom implementations.
 - alternative interfaces now allow new implementations to focus on the stream variants of the query methods.
2020-11-18 21:07:51 +01:00
Stefan Guilhen
aa46735173 [KEYCLOAK-15200] Complement methods for accessing users with Stream variants 2020-11-10 15:13:11 +01:00
Sven-Torben Janus
79f0703d62 KEYCLOAK-3365 Configure required actions for LDAP in READ_ONLY mode 2020-10-15 08:43:31 +02:00
Martin Kanis
086f7b4696 KEYCLOAK-15450 Complement methods for accessing realms with Stream variants 2020-10-14 08:16:49 +02:00
testn
269a72d672 KEYCLOAK-15184: Use static inner class where possible 2020-10-09 23:37:08 +02:00
Martin Kanis
5d5e56dde3 KEYCLOAK-15199 Complement methods for accessing roles with Stream variants 2020-09-16 16:29:51 +02:00
Martin Kanis
4e9bdd44f3 KEYCLOAK-14901 Replace deprecated ClientProvider related methods across Keycloak 2020-09-07 13:11:55 +02:00
Martin Kanis
d59a74c364 KEYCLOAK-15102 Complement methods for accessing groups with Stream variants 2020-08-28 20:56:10 +02:00
mposolda
bd48d7914d KEYCLOAK-15139 Backwards compatibility for LDAP Read-only mode with IMPORT_USERS enabled 2020-08-20 14:05:21 +02:00
mposolda
a427784350 KEYCLOAK-14996 Fix performance bottleneck in GroupLDAPStorageMapper.getAllKcGroups 2020-08-18 18:04:32 +02:00
rmartinc
32bf50e037 KEYCLOAK-14336: LDAP group membership is not visible under "Users in Role" tab for users imported from LDAP 2020-07-30 16:19:22 +02:00
Martin Idel
97400827d2 KEYCLOAK-14870: Fix bug where user is incorrectly imported
Bug: SerializedBrokeredIdentityContext was changed to mirror
UserModel changes. However, when creating the user in LDAP,
the username must be provided first (everything else can
be handled via attributes).
2020-07-29 11:33:41 +02:00
Réda Housni Alaoui
47f5b56a9a KEYCLOAK-14747 LDAP pooling should include SSL protocol by default 2020-07-28 18:59:42 +02:00
mposolda
c4fca5895f KEYCLOAK-14892 NullPointerException when group mappings for LDAP users are accessed 2020-07-28 14:45:06 +02:00
Martin Idel
bf411d7567 KEYCLOAK-14869: Fix nullpointer exception in FullNameLDAPStorageMapper
Setting an attribute should be possible with a list
containing no elements or a null list

This can happen e.g. when creating users via idps
using a UserAttributeStatementMapper.

Fix this unprotected access in other classes too
2020-07-28 09:54:37 +02:00
Martin Idel
05b6ef8327 KEYCLOAK-14536 Migrate UserModel fields to attributes
- In order to make lastName/firstName/email/username field
  configurable in profile
  we need to store it as an attribute
- Keep database as is for now (no impact on performance, schema)
- Keep field names and getters and setters (no impact on FTL files)

Fix tests with logic changes

- PolicyEvaluationTest: We need to take new user attributes into account
- UserTest: We need to take into account new user attributes

Potential impact on users:

- When subclassing UserModel, consistency issues may occur since one can
  now set e.g. username via setSingleAttribute also
- When using PolicyEvaluations, the number of attributes has changed
2020-06-25 14:50:57 +02:00
Tero Saarni
3c82f523ff [KEYCLOAK-14343] Truststore SPI support for LDAP with StartTLS
Signed-off-by:  Tero Saarni <tero.saarni@est.tech>
Co-authored-by: Jan Lieskovsky <jlieskov@redhat.com>
2020-06-11 18:07:53 +02:00
Torsten Juergeleit
6005503a3d Namespace support to group-ldap-mapper
Previously, Keycloak did only support syncing groups from LDAP federation provider as top-level KC groups.

This approach has some limitations:
- If using multiple group mappers then there’s no way to isolate the KC groups synched by each group mapper.
- If the option "Drop non-existing groups during sync” is activated then all KC groups (including the manually created ones) are deleted.
- There’s no way to inherit roles from a parent KC group.

This patch introduces support to specify a prefix for the resulting group path, which effectively serves as a namespace for a group.

A path prefix can be specified via the newly introduced `Groups Path` config option on the mapper. This groups path defaults to `/` for top-level groups.

This also enables to have multiple `group-ldap-mapper`'s which can manage groups within their own namespace.

An `group-ldap-mapper` with a `Group Path` configured as `/Applications/App1` will only manage groups under that path. Other groups, either manually created or managed by other `group-ldap-mapper` are not affected.
2020-05-26 17:37:29 +02:00
cachescrubber
3382682115
KEYCLOAK-10927 - Implement LDAPv3 Password Modify Extended Operation … (#6962)
* KEYCLOAK-10927 - Implement LDAPv3 Password Modify Extended Operation (RFC-3062).

* KEYCLOAK-10927 - Introduce getLDAPSupportedExtensions(). Use result instead of configuration.

Co-authored-by: Lars Uffmann <lars.uffmann@vitroconnect.de>
Co-authored-by: Kevin Kappen <kevin.kappen@vitroconnect.de>
Co-authored-by: mposolda <mposolda@gmail.com>
2020-05-20 21:04:45 +02:00
mposolda
8797e5c4e5 KEYCLOAK-14244 Compilation error in latest master in LDAPStorageProvider 2020-05-19 21:34:53 +02:00
mposolda
12d965abf3 KEYCLOAK-13047 LDAP no-import fixes. Avoid lost updates - dont allow update attributes, which are not mapped to LDAP 2020-05-19 16:58:25 +02:00
Sven-Torben Janus
82d3251ab4 Remove *-imports 2020-05-12 20:50:18 +02:00
Sven-Torben Janus
fcb0e450a0 KEYCLOAK-13817 Return local user from LDAPStorageProvider 2020-05-12 20:50:18 +02:00
Sven-Torben Janus
fed34929ae KEYCLOAK-13817 Fix X509 auth fails
when attribute value is always read from LDAP and import is enabled

When userattribute value is always read from LDAP, then the value is not
available in the local store. Therfore, KC will not find a user by that
attribute in the local store. When querying the LDAP storage
provider, the user will be found. However, when it is also available in
the local store (though without the attribute) it will not get imported
and therefore not returned with the result set of the LDAP storage
provider. Hence, the user will not be found at all.

This change adds the user to the result set of the LDAP user stoage
provider, iff the attribute user by the search is set to always read
value from LDAP.
2020-05-12 20:50:18 +02:00
mposolda
38195ca789 KEYCLOAK-12842 Not possible to update user with multivalued LDAP RDN 2020-04-21 11:35:41 +02:00
mposolda
821405e175 KEYCLOAK-10852 Inconsistency when using 'forgot password' after changing email directly in LDAP 2020-04-16 12:28:41 +02:00
mposolda
4f1985826c KEYCLOAK-12934 LOAD_ROLES_BY_MEMBER_ATTRIBUTE_RECURSIVELY user roles retrieve strategy role-ldap-mapper option should only be displayed if LDAP provider vendor is Active Directory 2020-04-14 20:01:55 +02:00
mposolda
803f398dba KEYCLOAK-12876 KEYCLOAK-13148 KEYCLOAK-13149 KEYCLOAK-13151 Re-introduce some changes to preserve UserStorage SPI backwards compatibility. Added test for backwards compatibility of user storage 2020-03-11 12:51:56 +01:00
rmartinc
ad3b9fc389 KEYCLOAK-12579: LDAP groups duplicated during UI listing of user groups 2020-03-11 06:14:29 +01:00
Sebastian Schuster
99aba33980 KEYCLOAK-13163 Fixed searching for user with fine-grained permissions 2020-03-09 09:56:13 -03:00
Phy
8aa5019efe KEYCLOAK-13074 Don't return LDAP group members if under IMPORT mode
If GroupLDAPStorageMapper is running under IMPORT mode, getGroupMembers should not return users in LDAP, which, according to how UserStorageManager.query works (getting both user federation and Keycloak storage), will cause duplicate users in the list.

A test has been added as well, which will fail before the fix in the mapper.
2020-03-06 11:44:36 +01:00
BrunoJCM
5c910d6f13 KEYCLOAK-12437 Revert KEYCLOAK-11802 (#6700)
This reverts commit e018ca3e29 from:
Simplifying logic for determining disabled status (#6416)

Co-authored-by: brunomedeiros-visagio <55057005+brunomedeiros-visagio@users.noreply.github.com>
2020-01-28 14:59:03 +01:00
mposolda
fea7b4e031 KEYCLOAK-12424 SPNEGO / Kerberos sends multiple 401 responses with WWW-Authenticate: Negotiate header when kerberos token is invalid 2020-01-09 10:21:24 +01:00
Tero Saarni
1ac76fde59 KEYCLOAK-12242 KEYCLOAK-12280
(cherry picked from commit 6f47d7fc2ccab4f31e373774c983501e83dffa4b)
2019-12-18 13:29:21 +01:00
Cédric Couralet
bde94f2f08 KEYCLOAK-11770 add an hardcoded attribute mapper (#6396)
Signed-off-by: Cédric Couralet <cedric.couralet@insee.fr>
2019-12-10 12:57:46 +01:00
Martin Kanis
685d49c693 KEYCLOAK-11967 Violation of UNIQUE KEY constraint SIBLING_NAMES (#6485) 2019-11-26 16:00:50 +01:00