[keycloak-dev] Require password change on login when AD is the federation provider and pwdLastSet equals 0

Marek Posolda mposolda at redhat.com
Mon Sep 14 15:26:37 EDT 2015


The JIRA for almost the same issue already exists: 
https://issues.jboss.org/browse/KEYCLOAK-1744 . Theoretically, we can 
parse the error code sent from Active Directory and set the update 
password required action based on that. But I don't know if we should go 
this way, as error codes are Active Directory specific. On the other 
hand, the majority of people likely use Active Directory as their LDAP 
implementation...

Maybe we should look into it if more people ask for this to be available 
OOTB?

Marek

On 14/09/15 17:16, Bill Burke wrote:
> You should be able to do this in 1.5.  You'd write an authenticator that
> checks this attribute, if 0, then set the update password required action.
>
> On 9/14/2015 10:05 AM, Cory Snyder wrote:
>> With Active Directory, a user is required to change their password on
>> next login if the pwdLastSet attribute on their account is set to zero.
>> It would be nice to redirect the user to a form where they can change
>> their password if they try to login under this scenario. On Keycloak 1.4
>> it seems that the application currently just displays a login error when
>> this is the case. Any thoughts on this or can I go ahead and create an
>> issue and try to implement this change?
>>
>> Thanks,
>>
>> Cory Snyder
>>
>>

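The approach Bill describes above (an authenticator that reads pwdLastSet and, when it is 0, sets the update-password required action), written out as an added example. This is not Keycloak project code and not code from any participant in the thread; it is written against the org.keycloak.authentication.Authenticator SPI as it exists in Keycloak releases with pluggable flows. It assumes that the LDAP federation provider has a user-attribute mapper copying the AD attribute pwdLastSet into a Keycloak user attribute of the same name; the class name and package are hypothetical.

```java
package org.example.keycloak.ad; // hypothetical package, not part of Keycloak

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

/**
 * Hypothetical authenticator implementing the idea from the thread: once the
 * user is identified, look at the AD attribute pwdLastSet and, when it is 0,
 * tag the account with the UPDATE_PASSWORD required action so that Keycloak
 * shows its own password-change form instead of a generic login error.
 *
 * Assumption: an LDAP user-attribute mapper copies the AD attribute
 * "pwdLastSet" into a Keycloak user attribute with the same name.
 */
public class PwdLastSetAuthenticator implements Authenticator {

    /** Name of the mapped user attribute (assumed mapper configuration). */
    static final String PWD_LAST_SET = "pwdLastSet";

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        UserModel user = context.getUser();
        if (user != null && mustChangePassword(user.getFirstAttribute(PWD_LAST_SET))) {
            // The required action, not this authenticator, is what redirects the
            // user to the password form once the flow completes.
            user.addRequiredAction(UserModel.RequiredAction.UPDATE_PASSWORD);
        }
        // This step only tags the account; it never fails the flow by itself.
        context.success();
    }

    /**
     * AD semantics as stated in the thread: pwdLastSet == 0 means the user must
     * change the password at next logon. Any other value (AD stores a 64-bit
     * FILETIME) or a missing/unparseable attribute leaves the flow untouched.
     */
    static boolean mustChangePassword(String rawValue) {
        if (rawValue == null) {
            return false; // attribute not mapped or not present for this user
        }
        try {
            return Long.parseLong(rawValue.trim()) == 0L;
        } catch (NumberFormatException e) {
            return false; // unexpected format: do not guess, do not block login
        }
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        // No form of its own, so there is never a submitted action to process.
        context.success();
    }

    @Override
    public boolean requiresUser() {
        // Must be placed after an execution that established the user
        // (for example the username/password form) so getUser() is non-null.
        return true;
    }

    @Override
    public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) {
        return true; // applies to every user; the attribute check happens inline
    }

    @Override
    public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) {
        // Nothing to register up front; the required action is added in authenticate().
    }

    @Override
    public void close() {
        // No resources held.
    }
}
```

To deploy this, a matching AuthenticatorFactory (supplying the provider id and creating the authenticator) and a META-INF/services/org.keycloak.authentication.AuthenticatorFactory entry are also needed; the authenticator is then added as an execution in a copy of the browser flow after the username/password form. One caveat that follows from the thread itself: Cory reports that 1.4 shows a login error for such accounts, which suggests the password bind against AD fails before any later execution runs. If that is the case, either this check has to run before the bind, or the AD bind error has to be surfaced and parsed as Marek describes; this example does no error-code parsing.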

