Pedro Igor
4ad462fbd3
Do not rely on the pwdLastSet attribute when updating AD entries
...
Closes #34467
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-10-30 17:43:07 +01:00
Stefan Guilhen
d66030fcad
Check if LDAPObject is available from a previously cached proxied user
...
Closes #34412
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-10-28 19:19:16 -03:00
Alexi Vandevoorde
0d07342649
Implement pagination for getLDAPRoleMappings ( #34043 )
...
* Implement pagination for getLDAPRoleMappings
On Active Directory, allow to retrieve more groups than the MaxPageSize
(default to 1000). Without this patch, we need to increase the
MaxPageSize which does not really scale. Implemented only for the
LoadRolesByMember startegy.
Closes #34042
Signed-off-by: Alexi Vandevoorde <alexi@vandevoor.de>
2024-10-28 16:40:20 -03:00
Stefan Guilhen
4690e00d91
Ensure searched LDAPObject is properly cached before other methods that trigger user validation run
...
Closes #34050
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-10-28 15:39:16 -03:00
Martin Kanis
0ebf862b63
LDAP Import: KERBEROS_PRINCIPAL not updated when UserPrincipal changes and user already exists
...
Closes #32266
Signed-off-by: Martin Kanis <mkanis@redhat.com>
2024-10-11 09:16:17 -03:00
Martin Kanis
51fd133f05
[Keycloak CI] - User Federation Tests - fixing AD tests
...
Closes #33231
Signed-off-by: Martin Kanis <mkanis@redhat.com>
2024-10-02 16:02:55 -03:00
Stefan Guilhen
be13366c17
Improve response time when displaying group members using LDAP Provider
...
Closes #31786
Signed-off-by: rmartinc <rmartinc@redhat.com>
Co-authored-by: rmartinc <rmartinc@redhat.com>
2024-09-20 21:20:24 +02:00
Alexander Schwartz
2a95d0abfa
Sort order of updates for user properties ( #32853 )
...
This should reduce deadlocks on the user property table if the users are updated concurrently.
Closes #32852
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-09-18 12:37:42 +02:00
Stefan Guilhen
92e435f192
Do not automatically re-import users if they already exist locally when searching by attributes
...
Closes #32870
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-09-13 08:54:44 +02:00
Thomas Darimont
2140e573f2
Fix test LDAP connection with multiple ldap connection urls
...
Previously, the given connection string was check with URI.create(..) which
failed when multiple space separated LDAP URLs were given.
Closes #31267
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2024-07-16 08:57:50 +02:00
rmartinc
bd90ead892
Do not compare user DN using DN comparison as Ad can login via username@domain
...
Closes #31196
Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-07-10 17:01:49 -03:00
Pedro Igor
ead1b4a851
Testing ldap connection should not process or bind the credentials ( #31081 )
...
Closes #30821
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-07-08 13:58:02 +02:00
Rishabh Singh
3a156b1a8b
This fix allows the LDAP connection pool parameters - maxsize, prefsize, initsize - to be configured using JVM arguments.
...
Removed the check on connectionPoolingMaxSize, connectionPoolingInitSize and connectionPoolingPrefSize
Closes #30677
Signed-off-by: Rishabh Singh <rishabhsvats@gmail.com>
This fix allows all the LDAP connection pool parameters to be configured using JVM arguments.
Removed all the ldap connection pool parameters
Signed-off-by: Rishabh Singh <rishabhsvats@gmail.com>
2024-07-02 07:47:14 -03:00
Jon Koops
df18629ffe
Use a default Java version from root POM ( #29927 )
...
Signed-off-by: Jon Koops <jonkoops@gmail.com>
2024-06-21 14:19:31 +02:00
rmartinc
c51640546d
Improvements for ldap test authentication
...
Closes #30434
Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-06-15 10:01:24 +02:00
Stefan Guilhen
c49b5749ef
Fix GroupLDAPStorageMapper so it doesn't attempt to update a group fetched in a different tx when synchronizing groups from LDAP
...
Closes #29784
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-06-12 10:42:21 -03:00
rmartinc
eedfd0ef51
Missing auth checks in some admin endpoints ( #166 )
...
Closes keycloak/keycloak-private#156
Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-06-05 12:04:47 +02:00
Stefan Guilhen
7f232f1510
Switch to VaultStringSecret to avoid encoding issues when special characters (such as §) are present in the ldap bind credential
...
Closes #29808
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-05-27 10:11:16 -03:00
Dimitri Papadopoulos Orfanos
64a145e960
Fix user-facing typos in error messages ( #29326 )
...
Update resource file and tests accordingly
Signed-off-by: Dimitri Papadopoulos <3234522+DimitriPapadopoulos@users.noreply.github.com>
2024-05-16 09:55:41 +02:00
Alexander Schwartz
2d053312a0
Retrieve UUID from LDAP in same context ( #29470 )
...
This should avoid out-of-sync problems in distributed LDAP environments.
Closes #29206
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-05-13 16:18:30 +02:00
Dimitri Papadopoulos Orfanos
cd8e0fd333
Fix user-facing typos in Javadoc ( #28971 )
...
Signed-off-by: Dimitri Papadopoulos <3234522+DimitriPapadopoulos@users.noreply.github.com>
Co-authored-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
2024-05-06 18:57:55 +00:00
Robin Meese
8a5fb8337b
Fix catching NameAlreadyBoundException
...
Closes #29142
Signed-off-by: Robin Meese <39960884+robson90@users.noreply.github.com>
2024-05-02 15:10:08 -03:00
Tero Saarni
64862d568e
Convert database errors to 500 instead of 400.
...
Signed-off-by: Tero Saarni <tero.saarni@est.tech>
2024-04-22 11:42:18 -03:00
Stefan Guilhen
e6b9d287af
Add null checks after retrieving user from LDAP for validation to prevent NPE when user is removed in LDAP.
...
Closes #28523
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-04-11 14:29:30 -03:00
Stijn Last
e9498079e0
LDAP: Show error message when groups synchronization fails
...
closes : #28436
Signed-off-by: Stijn Last <stijn.last@barco.com>
2024-04-09 09:10:19 -03:00
Pedro Igor
52ba9b4b7f
Make sure attribute metadata from user storage providers are added only for the provider associated with a federated user
...
Closes #28248
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-04-08 09:05:16 -03:00
Stefan Guilhen
9bb2402d3b
Propagate Username LDAP Attribute changes to the username mapper to keep mapper and main LDAP storage config in synch.
...
Closed #27984
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-04-03 09:11:55 -03:00
Stefan Guilhen
2ca59d4141
Align isEnabled in MSAD mappers to how other properties are processed in UserAttributeLDAPStorageMapper
...
- user model is updated by onImport with the enabled/disabled status of the LDAP user
- a config option always.read.enabled.value.from.ldap was introduced, in synch to what we have in UserAttributeLDAPStorageMapper
- isEnabled checks the flag to decide if it should always retrieve the value from LDAP, or return the local value.
- setEnabled first updates the LDAP tx, and then calls the delegate to avoid issue #24201
Closes #26695
Closed #24201
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-04-01 08:20:35 -03:00
Pedro Igor
b9a7152a29
Avoid commiting the transaction prematurely when creating users through the User API
...
Closes #28217
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-03-27 19:16:09 -03:00
rmartinc
d679c13040
Continue LDAP search if a duplicated user (ModelDuplicateException) is found
...
Closes #25778
Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-03-13 08:52:58 -03:00
Steven Hawkins
8d9439913c
fix: removal of resteasy-core ( #27032 )
...
* fix: partial removal of resteasy-core
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
* fix: fully removing resteasy-core
closes : #26315
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
---------
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-02-29 11:43:13 +00:00
Ricardo Martin
3bc074913e
Allow LDAP provider to search using any attribute configured via mappers ( #26235 )
...
Closes #22436
Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-02-21 08:48:39 +00:00
Stefan Guilhen
143ccbfa15
Check if kerberos auth is enabled before creating the kerberos principal in LDAPStorageProvider
...
- prevents misleading warn messages from being logged
Closes #25294
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-02-16 15:44:45 +01:00
Stefan Guilhen
2161e72872
Add migration for the useTruststoreSpi config property in LDAP user storage provider
...
- legacy `ldapsOnly` value now migrated to `always`.
Closes #25912
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-02-12 11:53:19 +01:00
Stefan Guilhen
eac43822c3
Avoid changing the config value for the useTruststoreSpi property
...
- prevents cached LDAPConfig entry from changing when retrieving this value
Closes #25912
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-02-12 11:53:19 +01:00
Stefan Guilhen
d3ae075a33
Fix MembershipType so that NPE is not thrown when an empty member is found within a group
...
Closes #25883
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-02-09 19:04:37 +01:00
rmartinc
509f618992
Improvements for test connection and authentication in the LDAP provider
...
Closes #26464
Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-02-06 13:04:06 -03:00
Marek Posolda
651d99db25
Allow selecting attributes from user profile when managing token mappers ( #26415 )
...
* Allow selecting attributes from user profile when managing token mappers
closes #24250
Signed-off-by: mposolda <mposolda@gmail.com>
Co-authored-by: Jon Koops <jonkoops@gmail.com>
2024-01-25 17:01:02 +01:00
Martin Kanis
7797f778d1
Map Store Removal: Rename legacy modules
...
Closes #24107
Signed-off-by: Martin Kanis <mkanis@redhat.com>
2024-01-25 16:29:16 +01:00
Martin Kanis
84603a9363
Map Store Removal: Rename Legacy* classes ( #26273 )
...
Closes #24105
Signed-off-by: Martin Kanis <mkanis@redhat.com>
2024-01-23 13:50:31 +00:00
rmartinc
42f0488d76
Avoid returning duplicated users in LDAP and unsynced
...
Closes #24141
Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-01-10 12:47:15 +01:00
Réda Housni Alaoui
5287500703
@NoCache is not considered anymore
...
Signed-off-by: Réda Housni Alaoui <reda-alaoui@hey.com>
2024-01-02 09:06:55 -03:00
mposolda
eb184a8554
More info on UserProfileContext
...
closes #25691
Signed-off-by: mposolda <mposolda@gmail.com>
2023-12-19 13:00:31 -03:00
rmartinc
4e7bd76954
Use conditions instead of String for filters and just use default escape strategy
...
Closes https://github.com/keycloak/keycloak/issues/24767
Signed-off-by: rmartinc <rmartinc@redhat.com>
2023-12-14 15:50:46 -03:00
rmartinc
c8009b4627
Ensure that all LDAP conditions escape attribute values
...
Closes https://github.com/keycloak/keycloak/issues/24767
Signed-off-by: rmartinc <rmartinc@redhat.com>
2023-12-14 15:50:46 -03:00
Ricardo Martin
f78c54fa42
Fixes for LDAP group membership and search in chunks
...
Closes #23966
2023-12-08 17:55:17 +01:00
mposolda
479e6bc86b
Update Kerberos provider for user-profile
...
closes #25074
Signed-off-by: mposolda <mposolda@gmail.com>
2023-11-29 15:21:26 -03:00
Tero Saarni
ab3758842c
Add configuration option for LDAP referral ( #24852 )
...
Signed-off-by: Tero Saarni <tero.saarni@est.tech>
2023-11-28 14:06:34 +01:00
Pedro Igor
2c611cb8fc
User profile configuration scoped to user-federation provider
...
closes #23878
Co-Authored-By: mposolda <mposolda@gmail.com>
Signed-off-by: mposolda <mposolda@gmail.com>
2023-11-27 14:45:44 +01:00
Stian Thorgersen
a32b58d337
Escape ldap id when using normal attribute syntax ( #25 ) ( #25036 )
...
Closes https://github.com/keycloak/security/issues/46
Co-authored-by: Ricardo Martin <rmartinc@redhat.com>
2023-11-27 11:38:14 +01:00