KEYCLOAK-2659 Allow sync all roles even if there are more than 1000
mposolda committed Mar 14, 2016
1 parent 2d18806 commit e24ce91
Showing 4 changed files with 48 additions and 28 deletions.
Expand Up @@ -19,6 +19,7 @@

import java.util.Collection;
import java.util.HashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
Expand Down Expand Up @@ -229,6 +230,45 @@ public static String getMemberValueOfChildObject(LDAPObject ldapUser, Membership
}


/**
* Load all LDAP objects corresponding to given query. We will load them paginated, so we allow to bypass the limitation of 1000
* maximum loaded objects in single query in MSAD
*
* @param ldapQuery
* @param ldapProvider
* @return
*/
public static List<LDAPObject> loadAllLDAPObjects(LDAPQuery ldapQuery, LDAPFederationProvider ldapProvider) {
LDAPConfig ldapConfig = ldapProvider.getLdapIdentityStore().getConfig();
boolean pagination = ldapConfig.isPagination();
if (pagination) {
// For now reuse globally configured batch size in LDAP provider page
int pageSize = ldapConfig.getBatchSizeForSync();

List<LDAPObject> result = new LinkedList<>();
boolean nextPage = true;

while (nextPage) {
ldapQuery.setLimit(pageSize);
final List<LDAPObject> currentPageGroups = ldapQuery.getResultList();
result.addAll(currentPageGroups);
nextPage = ldapQuery.getPaginationContext() != null;
}

return result;
} else {
// LDAP pagination not available. Do everything in single transaction
return ldapQuery.getResultList();
}
}


/**
* Validate configured customFilter matches the requested format
*
* @param customFilter
* @throws FederationConfigValidationException
*/
public static void validateCustomLdapFilter(String customFilter) throws FederationConfigValidationException {
if (customFilter != null) {

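Review bot: The local `currentPageGroups` at the getResultList call inside loadAllLDAPObjects is a leftover from the group-specific code this helper replaces and is misleading now that the method is generic; rename it to `currentPage`. The Javadoc's `@param ldapQuery`, `@param ldapProvider` and `@return` tags are empty; fill them in, e.g. `@param ldapQuery query to execute; its limit is overwritten with the configured sync batch size when pagination is enabled` and `@return all objects matched by the query, collected across pages when pagination is enabled`. The loop's only exit is `getPaginationContext()` returning null, so the method should carry a comment stating that the query object is expected to keep the paging cookie between getResultList calls and clear it on the last page — presumably LDAPQuery does this, but confirm, because a server that never clears it would make this loop unbounded. The else-branch comment says "single transaction" where a single query is meant.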
Expand Up @@ -343,28 +343,7 @@ protected GroupModel findKcGroupOrSyncFromLDAP(LDAPObject ldapGroup, UserModel u
// Send LDAP query to retrieve all groups
protected List<LDAPObject> getAllLDAPGroups() {
LDAPQuery ldapGroupQuery = createGroupQuery();

LDAPConfig ldapConfig = ldapProvider.getLdapIdentityStore().getConfig();
boolean pagination = ldapConfig.isPagination();
if (pagination) {
// For now reuse globally configured batch size in LDAP provider page
int pageSize = ldapConfig.getBatchSizeForSync();

List<LDAPObject> result = new LinkedList<>();
boolean nextPage = true;

while (nextPage) {
ldapGroupQuery.setLimit(pageSize);
final List<LDAPObject> currentPageGroups = ldapGroupQuery.getResultList();
result.addAll(currentPageGroups);
nextPage = ldapGroupQuery.getPaginationContext() != null;
}

return result;
} else {
// LDAP pagination not available. Do everything in single transaction
return ldapGroupQuery.getResultList();
}
return LDAPUtils.loadAllLDAPObjects(ldapGroupQuery, ldapProvider);
}


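Review bot: With the inline paging loop removed from getAllLDAPGroups, the imports of `java.util.LinkedList` and `LDAPConfig` in this file (outside the hunk, if present) are probably unused now; confirm and drop them. The method comment could also say where paging now happens, e.g. `// Send LDAP query to retrieve all groups (paginated through LDAPUtils when the provider supports it)`.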
Expand Up @@ -88,9 +88,9 @@ public class GroupLDAPFederationMapperFactory extends AbstractLDAPFederationMapp
for (MembershipType membershipType : MembershipType.values()) {
membershipTypes.add(membershipType.toString());
}
ProviderConfigProperty membershipType = createConfigProperty(RoleMapperConfig.MEMBERSHIP_ATTRIBUTE_TYPE, "Membership Attribute Type",
"DN means that LDAP role has it's members declared in form of their full DN. For example 'member: uid=john,ou=users,dc=example,dc=com' . " +
"UID means that LDAP role has it's members declared in form of pure user uids. For example 'memberUid: john' .",
ProviderConfigProperty membershipType = createConfigProperty(GroupMapperConfig.MEMBERSHIP_ATTRIBUTE_TYPE, "Membership Attribute Type",
"DN means that LDAP group has it's members declared in form of their full DN. For example 'member: uid=john,ou=users,dc=example,dc=com' . " +
"UID means that LDAP group has it's members declared in form of pure user uids. For example 'memberUid: john' .",
ProviderConfigProperty.LIST_TYPE, membershipTypes);
configProperties.add(membershipType);

Expand Down Expand Up @@ -165,6 +165,7 @@ public Map<String, String> getDefaultConfig(UserFederationProviderModel provider

defaultValues.put(GroupMapperConfig.PRESERVE_GROUP_INHERITANCE, "true");
defaultValues.put(GroupMapperConfig.MEMBERSHIP_LDAP_ATTRIBUTE, LDAPConstants.MEMBER);
defaultValues.put(GroupMapperConfig.MEMBERSHIP_ATTRIBUTE_TYPE, MembershipType.DN.toString());

String mode = config.getEditMode() == UserFederationProvider.EditMode.WRITABLE ? LDAPGroupMapperMode.LDAP_ONLY.toString() : LDAPGroupMapperMode.READ_ONLY.toString();
defaultValues.put(GroupMapperConfig.MODE, mode);
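Review bot: Switching the property key in the createConfigProperty call from `RoleMapperConfig.MEMBERSHIP_ATTRIBUTE_TYPE` to `GroupMapperConfig.MEMBERSHIP_ATTRIBUTE_TYPE` changes which stored key existing group mappers are read from if the two constants have different string values; a mapper saved under the old key would then silently fall back to the `MembershipType.DN` default added in the second hunk, so either confirm the values are identical or add a migration or a warning log for the old key. The help text still reads `it's members` twice where `its members` is meant, and has a stray space before each period (`'memberUid: john' .`); since this admin-facing string is already being edited, fix it in the same change.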
Expand Up @@ -122,9 +122,9 @@ public String getStatus() {

logger.debugf("Syncing roles from LDAP into Keycloak DB. Mapper is [%s], LDAP provider is [%s]", mapperModel.getName(), ldapProvider.getModel().getDisplayName());

// Send LDAP query
LDAPQuery ldapQuery = createRoleQuery();
List<LDAPObject> ldapRoles = ldapQuery.getResultList();
// Send LDAP query to load all roles
LDAPQuery ldapRoleQuery = createRoleQuery();
List<LDAPObject> ldapRoles = LDAPUtils.loadAllLDAPObjects(ldapRoleQuery, ldapProvider);

RoleContainerModel roleContainer = getTargetRoleContainer();
String rolesRdnAttr = config.getRoleNameLdapAttribute();
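Review bot: After the paginated load in syncDataFromFederationProviderToKeycloak, nothing records how many roles were actually fetched, which is the figure an operator needs to confirm that the 1000-entry truncation this commit targets is gone; add `logger.debugf("Loaded %d roles from LDAP", ldapRoles.size());` directly after the loadAllLDAPObjects call. The enclosing method starts and ends outside the hunk.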
