In Keycloak 8.0.1 we have a Realm with a Group and Subgroups like this:
group -
subgroup1
subgroup2
...
We need to insert a batch of subgroups and users into group. The subgroup should have some attributes.
How can I do this?
I tried:
Using an exported realm-export.json file with newly added subgroups and "Overwrite" on the import. Now I don't see how to connect the new user with the subgroup. And I am also not sure if old users will not be removed this way.
Calling the Keycloak REST API. It doesn't seem possible to UPDATE a group and add subgroups. Documentation says:
PUT /{realm}/groups/{id}Update group, ignores subgroups.
Now I am looking at using a UI testing tool to add the user programmatically, but this seems needlessly complex.
Is it possible to programmatically add new subgroups with users associated to that subgroup? Am I missing something with the REST API call or the import functionality? Is there maybe another way via for example the Java Admin Client?
You can create groups and subgroups under it , Here is the sample code to create subgroups using Admin Client. You can also associate users to those groups
public void addSubgroups() {
RealmResource realm =keycloak.realm("myrealm");
GroupRepresentation topGroup = new GroupRepresentation();
topGroup.setName("group");
topGroup = createGroup(realm, topGroup);
createSubGroup(realm,topGroup.getId(),"subgroup1");
createSubGroup(realm,topGroup.getId(),"subgroup2");
}
private void createSubGroup(RealmResource realm, String parentGroupId, String subGroupName) {
GroupRepresentation subgroup = new GroupRepresentation();
subgroup.setName(subGroupName);
try (Response response = realm.groups().group(parentGroupId).subGroup(subgroup)){
if (response.getStatusInfo().getFamily() == Family.SUCCESSFUL) {
System.out.println("Created Subgroup : " + subGroupName );
} else {
logger.severe("Error Creating Subgroup : " + subGroupName + ", Error Message : " + getErrorMessage(response));
}
}
}
private GroupRepresentation createGroup(RealmResource realm, GroupRepresentation group) {
try (Response response = realm.groups().add(group)) {
String groupId = getCreatedId(response);
group.setId(groupId);
return group;
}
}
getCreatedId(response);
This method in above answer (by ravthiru) is belongs to CreatedResponseUtil from package (org.keycloak.admin.client)
CreatedResponseUtil.getCreatedId(response);
Related
I have written a Java application that searches Active directory via LDAP for user information. I have a list of instances of custom Person class that is passed in. In it I have either DN or email defined. I am modifying the search criteria accordingly. Here is the code:
for (Person person : members) {
boolean ready = false;
String filter = getConfig().getUserSearchFilter();
// (&(|(objectclass=user)(objectclass=person)(objectclass=inetOrgPerson)(objectclass=organizationalPerson)))
String base = person.getDistinguishedName();
if (base != null && !base.isEmpty()) {
ready = true;
} else if (person.getEmail() != null) {
base = getConfig().getMemberSearchBase();
// ou=Users,ou=Managed,dc=division,dc=company,dc=com
String mail = person.getEmail();
StringBuilder filterBuilder = new StringBuilder(filter);
int pIdx = filterBuilder.lastIndexOf(")");
filterBuilder.insert(pIdx, "(|(mail=" + mail + ")(x-personalmail=" + mail + "))");
filter = filterBuilder.toString();
LOG.debug("New value of a filter = {}", filter);
ready = true;
}
if (ready) {
try {
NamingEnumeration<SearchResult> search = getContext().search(base, filter, searchControls);
...
} catch (NamingException nex) {
throw new IOException(nex);
}
} else {
LOG.error("Incorrect search criteria for user {} of group {}. Person skipped", person.getName(), this.group.getName());
}
}
Code is working without errors, but when DN is specified it does find a person, but when email is defined it finds nothing.
However, If I copy generated filter string and pass it to ldapsearch command in a form of:
ldapsearch -LLL -x -H ldaps://my.ldap.server.com -D 'svc-acct#corp-dev.company.com' -W -b "ou=Users,ou=Managed,dc=division,dc=company,dc=com" '(&(|(objectclass=user)(objectclass=person)(objectclass=inetOrgPerson)(objectclass=organizationalPerson))(|(mail=person#domain.com)(x-personalmail=person#domain.com)))'
It does find this person perfectly.
Did anyone faced similar problem? Do you see any flaws in my code?
Please, do help me.
I did find the cause of my problem.
In the search control I had scope defined as OBJECT_SCOPE.
It does work when you are specifying DN, but with the search per one of the fields it fails finding the object.
I changed the scope to SUBTREE_SCOPE and everything started working as expected.
The docs for cognito user pools can be found here:
http://docs.aws.amazon.com/cognito/latest/developerguide/how-to-manage-user-accounts.html
In this they do not say whether you can query users by the automatically generated sub attribute, which is a uuid. It explicitly says you can't search for users by custom attributes, but sub/uuid is not a custom attribute. Weirdly though, in the list of searchable attributes sub/uuid is not one of them. Surely though you can look up users by their UUID, how would this be done though??
You know, I have used COgnito but never needed to look up via sub (or other params other than the username). I looked into it because surely you can, but it is not very clear (like a lot of their documentation). Here is what I saw that you could try... hope it helps man.
// the imported ListUsersResult is...
import com.amazonaws.services.cognitoidp.model.ListUsersRequest;
import com.amazonaws.services.cognitoidp.model.ListUsersResult;
// class var
protected final AWSCognitoIdentityProviderClient identityUserPoolProviderClient;
// omitted stuff...
// initialize the Cognito Provider client. This is used to talk to the user pool
identityUserPoolProviderClient = new AWSCognitoIdentityProviderClient(new BasicAWSCredentials(AWS_ACCESS_KEY, AWS_SECRET_KEY)); // creds are loaded via variables that are supplied to my program dynamically
identityUserPoolProviderClient.setRegion(RegionUtils.getRegion(USER_POOL_REGION)); // var loaded
// ...some code omitted
ListUsersRequest listUsersRequest = new ListUsersRequest();
listUsersRequest.withUserPoolId(USER_POOL_ID); // id of the userpool, look this up in Cognito console
listUsersRequest.withFilter("sub=xyz"); // i THINK this is how the Filter works... the documentation is terribad
// get the results
ListUsersResult result = identityUserPoolProviderClient.listUsers(listUsersRequest);
List<UserType> userTypeList = result.getUsers();
// loop through them
for (UserType userType : userTypeList) {
List<AttributeType> attributeList = userType.getAttributes();
for (AttributeType attribute : attributeList) {
String attName = attribute.getName();
String attValue = attribute.getValue();
System.out.println(attName + ": " + attValue);
}
}
If you have the username you could get the user like this
// build the request
AdminGetUserRequest idRequest = new AdminGetUserRequest();
idRequest.withUserPoolId(USER_POOL_ID);
idRequest.withUsername(username);
// call cognito for the result
AdminGetUserResult result = identityUserPoolProviderClient.adminGetUser(idRequest);
// loop through results
I want to use DFCs in order to change the value for r_accessor_permit of a group assigned to an acl :
1 - > first I chose an ACL called "fme"
2 - > Then I wrote the following DQL in order to get the groups assigned to it :
select r_accossor_name from dm_acl where object_name = 'fme'
3 - > I received a list of groups and I copy pasted one of them which was called : grp_corp_lgl_sateri_hk
Then I wrote the following :
public void changeGroupPermission (){
try{
String myAcl = "fme";
IDfACL acl = (IDfACL)_session.newObject("dm_acl");
acl.setString("object_name", myAcl);
acl.revoke("grp_corp_lgl_sateri_hk","execute_proc");
acl.save();
}catch(Exception E){
System.out.println(E.getLocalizedMessage());
}
}
And I ran it the result was the following error :
[DM_ACL_E_NOMATCH]error: "No ACEs matched for the name
'grp_corp_lgl_sateri_hk' in the ACL 'fme'."
I am quite sure that I have not made any typing mistake . But I cant find the reason why I am facing such error . Any idea where am I making my mistake ?
===> Updating question
After I realised what my mistake was based on the comments I gave it another attempt as follow :
try{
String aclName = "fme";
IDfACL acl = _session.getACL(aclName, "LEXOPEDIA");
acl.destroy();
//or
acl.revoke("grp_sateri_prc_lgl_acc2", "change_location");
acl.save();
}catch(Exception E){
E.printStackTrace();
}
But I still keep getting error and I really know why ? Any idea ?
You made mistake when you thought that retrieving ACL from repository is done using IDfSession.newObject(<type_name>) method. This method serves to create new objects in repository. Instead you should do:
IDfACL acl = sess.getObjectByQualification("dm_acl where object_name='" + myAcl + "'");
acl.revoke("grp_corp_lgl_sateri_hk","execute_proc");
acl.save();
or
IDfACL acl = sess.getACL(myACL, <your ACL's domain name>);
// domain name could be "DM_DBO" if your ACL is available for everyone in repository
acl.revoke("grp_corp_lgl_sateri_hk","execute_proc");
acl.save();
Since you created new object it's logical that you at that point don't have accessor with name grp_corp_lgl_sateri_hk.
I'm doing a Dynamics CRM integration from a Java application and I've followed the example from the CRM training kit and managed successfully to connect and create accounts and contacts.
Now I'm having some problems with adding some more fields in the account creation and when connecting a contact with an account.
For instance I cannot create accounts with "address1_freighttermscode" that is a picklist.
My code is the following:
private static OrganizationServiceStub.Guid createAccount(OrganizationServiceStub serviceStub, String[] args) {
try {
OrganizationServiceStub.Create entry = new OrganizationServiceStub.Create();
OrganizationServiceStub.Entity newEntryInfo = new OrganizationServiceStub.Entity();
OrganizationServiceStub.AttributeCollection collection = new OrganizationServiceStub.AttributeCollection();
if (! (args[0].equals("null") )) {
OrganizationServiceStub.KeyValuePairOfstringanyType values = new OrganizationServiceStub.KeyValuePairOfstringanyType();
values.setKey("name");
values.setValue(args[0]);
collection.addKeyValuePairOfstringanyType(values);
}
if (! (args[13].equals("null"))){
OrganizationServiceStub.KeyValuePairOfstringanyType incoterm = new OrganizationServiceStub.KeyValuePairOfstringanyType();
incoterm.setKey("address1_freighttermscode");
incoterm.setValue(args[13]);
collection.addKeyValuePairOfstringanyType(incoterm);
}
newEntryInfo.setAttributes(collection);
newEntryInfo.setLogicalName("account");
entry.setEntity(newEntryInfo);
OrganizationServiceStub.CreateResponse createResponse = serviceStub.create(entry);
OrganizationServiceStub.Guid createResultGuid = createResponse.getCreateResult();
System.out.println("New Account GUID: " + createResultGuid.getGuid());
return createResultGuid;
} catch (IOrganizationService_Create_OrganizationServiceFaultFault_FaultMessage e) {
logger.error(e.getMessage());
} catch (RemoteException e) {
logger.error(e.getMessage());
}
return null;
}
When it executes, I get this error
[ERROR] Incorrect attribute value type System.String
Does anyone have examples on how to handle picklists or lookups?
To connect the contact with the account I'm filling the fields parentcustomerid and parentcustomeridtype with the GUID from the account and with "account", but the contact does not get associated with the account.
To set a picklist value you must use an OptionSet and for a lookup you must use an EntityReference. See the SDK's C# documentation, should work the same way using the Axis generated Java code.
incoterm.setKey("address1_freighttermscode")
//assuming the arg is an integer value that matches a picklist value for the attribute
OptionSetValue freight = new OptionSetValue();
freight.Value = args[13];
incoterm.setValue(freight);
collection.addKeyValuePairOfstringanyType(incoterm);
I haven't worked with Java for over a decade (and never towards an MS creation like Dynamics) so it might be way off from what you like. :)
You could use the REST web service and call directly to CRM creating your instances. As far I know, that's platform independent and should work as long as you can connect to the exposed service OrganizationData.
I want to use a custom authentication module conforming to JSR 196 in GlassFish 3. The interface javax.security.auth.message.ServerAuth has the method:
AuthStatus validateRequest(
MessageInfo messageInfo,
javax.security.auth.Subject clientSubject,
javax.security.auth.Subject serviceSubject
)
AuthStatus can be one of several constants like FAILURE or SUCCESS.
The question is: How can I get the roles from a "role datebase" with JSR 196?
Example: The server receives a request with a SSO token (CAS token for example), checks whether the token is valid, populates the remote user object with roles fetches from a database via JDBC or from REST service via http.
Is the role fetching in the scope of JSR 196? How could that be implemented?
Do I have to use JSR 196 together with JSR 115 to use custom authentication and a custom role source?
This is a code example from my JSR-196OpenID Implementation.
The method set the roles stored in a String Array for the current CallerPrincipal:
private boolean setCallerPrincipal(String caller, Subject clientSubject) {
boolean rvalue = true;
boolean assignGroups = true;
// create CallerPrincipalCallback
CallerPrincipalCallback cPCB = new CallerPrincipalCallback(
clientSubject, caller);
if (cPCB.getName() == null && cPCB.getPrincipal() == null) {
assignGroups = false;
}
try {
handler.handle((assignGroups ? new Callback[] {
cPCB,
new GroupPrincipalCallback(cPCB.getSubject(),
assignedGroups) } : new Callback[] { cPCB }));
logInfo(DEBUG_JMAC, "jmac.caller_principal:" + cPCB.getName() + " "
+ cPCB.getPrincipal());
} catch (Exception e) {
// should not happen
logger.log(Level.WARNING, "jmac.failed_to_set_caller", e);
rvalue = false;
}
return rvalue;
}
I call this method during the validateRequest() method.
You can see the complete code here:
http://code.google.com/p/openid4java-jsr196/source/browse/trunk/src/main/java/org/imixs/openid/openid4java/OpenID4JavaAuthModule.java
Also this page will be helpfull :
http://code.google.com/p/openid4java-jsr196/
Here's how I map users to roles:
I have 3 roles in my web.xml and also I have 3 role-to-group mappings in my sun-web.xml which map those roles several groups. Then I have a database with table Users that has a column called "group". That group corresponds to the group that is mapped to a role. I also use JSR 196-based custom auth module with OpenID. So basically whenever a user is logged in their group is read from the db and then my app assigns them the corresponding role. This is all done using the standard declarative security model of J2EE.
For my custom auth module I use a library called AuthenticRoast which makes things quite a bit simpler.
Here's also a related post...
Hope this helps.