<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">Yep, agree it's better to handle at
LDAPFederationProvider level.<br>
<br>
Marek<br>
<br>
On 10/11/15 14:40, Cory Snyder wrote:<br>
</div>
<blockquote
cite="mid:ED8E8C83-0686-465C-8343-64AB97218CE1@iland.com"
type="cite">
<div class="">Thanks for the suggestions, Marek. I think that
overriding the LDAPFederationProvider will be the way to go. The
problem that I am seeing which is preventing me from doing this
in just the authenticator is that I have no way to authenticate
the user in order to allow them to update the password unless I
also make changes to the LDAPFederationProvider. As you
mentioned, the LDAPFederationProvider simply returns false from
the validCredentials method when the pwdLastSet attribute equals
0. If I don’t authenticate the user with their current password
beforehand, it would allow anyone with the username to change
the user’s password. Or am I overlooking something?</div>
<div class=""><br class="">
</div>
<div class="">Thanks,</div>
<br class="">
<div apple-content-edited="true" class="">
<div class="">
<div style="font-family: Arial, Helvetica, sans-serif;
font-size: 13px;" class="">
Cory Snyder</div>
<div style="font-family: Arial, Helvetica, sans-serif;
font-size: 11px; color: rgb(153, 153, 153);" class="">
software engineer</div>
<div style="font-family: Arial, Helvetica, sans-serif;
font-size: 11px;" class="">
<span style="font-weight: bold; color: rgb(11, 164, 232);"
class="">USA</span> <span style="color: rgb(153, 153,
153);" class="">+1.419.731.3479 </span><span
style="font-weight: bold; color: rgb(11, 164, 232);"
class=""> UK </span><span style="color: rgb(153, 153,
153);" class="">+44.20.7096.0149 </span> <a
moz-do-not-send="true" href="http://www.iland.com/"
style="font-weight: bold; color: rgb(11, 164, 232);
text-decoration: none;" class="">iland.com</a> </div>
</div>
</div>
<br class="">
<div>
<blockquote type="cite" class="">
<div class="">On Nov 10, 2015, at 8:32 AM, Marek Posolda <<a
moz-do-not-send="true" href="mailto:mposolda@redhat.com"
class=""><a class="moz-txt-link-abbreviated" href="mailto:mposolda@redhat.com">mposolda@redhat.com</a></a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div text="#000000" bgcolor="#FFFFFF" class="">
<div class="moz-cite-prefix">Btv. I think it should be
possible to do it with authenticator as well, but you
need to configure authentication flow correctly. You
will have your custom authenticator, which will check
pwdLastSet and if it's 0, it will put the requiredAction
on user and at the same time it will set user as
authenticated. It would need to be ALTERNATIVE
authenticator used in browser flow before "Forms"
authenticator (Forms authenticator is that one which
displays login form with username/password and
optionally OTP). That way, forms authenticator won't be
used and username/password form won't be displayed. It
will go directly to requiredActions and user will be
asked to update password.<br class="">
<br class="">
Marek<br class="">
<br class="">
On 10/11/15 14:27, Marek Posolda wrote:<br class="">
</div>
<blockquote cite="mid:5641F0BF.6000208@redhat.com"
type="cite" class="">
<div class="moz-cite-prefix">I agree we need some way to
address this. Active Directory is widely used and more
people asked for that . I've put the comment to
<a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="https://issues.jboss.org/browse/KEYCLOAK-1744">
https://issues.jboss.org/browse/KEYCLOAK-1744</a>
with possible solution, but it may need changes in
UserFederationProvider interface, so the
federationProvider is able to propagate the cause why
password validation failed (password is expired, user
is disabled, or just invalid password was used
etc...).<br class="">
<br class="">
As a temporary workaround, you can subclass
LDAPFederationProvider and do something on your own.
You can override LDAPFederationProvider.validPassword
and add updatePassword on User when you detect that
reason of password validation failure is expired
password.<br class="">
<br class="">
Marek<br class="">
<br class="">
On 09/11/15 20:32, Cory Snyder wrote:<br class="">
</div>
<blockquote
cite="mid:76A3D583-AF5C-4616-B3B8-12B9C33C9CAE@iland.com"
type="cite" class="">
<div class="">Hey guys,</div>
<div class=""><br class="">
</div>
<div class="">Following up on this conversation that
took place a couple of months back: <a
moz-do-not-send="true"
class="moz-txt-link-freetext"
href="http://lists.jboss.org/pipermail/keycloak-dev/2015-September/005286.html">http://lists.jboss.org/pipermail/keycloak-dev/2015-September/005286.html</a>.
I just had a chance to try the proposed approach of
implementing a custom authentication provider that
checks the pwdLastSet attribute and sets the update
password required action. I believe that this may
not be quite as easy as was suggested due to the
fact that authentication fails with the default LDAP
Federation Provider before a custom execution in the
login flow has a chance to check the attribute and
set the required action. It seems I would need to
implement a custom LDAP Federation Provider that
considers authentication successful when the
exception referenced in <a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="https://issues.jboss.org/browse/KEYCLOAK-1744">https://issues.jboss.org/browse/KEYCLOAK-1744</a> is
thrown, but also add the required action for
updating the password. Is there an easy way to do
that or something that I’m missing? Otherwise, I’d
be willing to work on a contribution for this issue
if you’re willing to have logic that is specific to
AD?</div>
<div class=""><br class="">
</div>
<div class="">Thanks,</div>
<br class="">
<div apple-content-edited="true" class="">
<div class="">
<div style="font-family: Arial, Helvetica,
sans-serif; font-size: 13px;" class="">
Cory Snyder</div>
<div style="font-family: Arial, Helvetica,
sans-serif; font-size: 11px; color: rgb(153,
153, 153);" class="">
software engineer</div>
<div style="font-family: Arial, Helvetica,
sans-serif; font-size: 11px;" class="">
<span style="font-weight: bold; color: rgb(11,
164, 232);" class="">USA</span> <span
style="color: rgb(153, 153, 153);" class="">+1.419.731.3479
</span><span style="font-weight: bold; color:
rgb(11, 164, 232);" class=""> UK </span><span
style="color: rgb(153, 153, 153);" class="">+44.20.7096.0149 </span>
<a moz-do-not-send="true"
href="http://www.iland.com/"
style="font-weight: bold; color: rgb(11, 164,
232); text-decoration: none;" class="">iland.com</a> </div>
</div>
</div>
<br class="">
<br class="">
<fieldset class="mimeAttachmentHeader"></fieldset>
<br class="">
<pre class="" wrap="">_______________________________________________
keycloak-dev mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/keycloak-dev">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></pre>
</blockquote>
<br class="">
<br class="">
<fieldset class="mimeAttachmentHeader"></fieldset>
<br class="">
<pre class="" wrap="">_______________________________________________
keycloak-dev mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/keycloak-dev">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></pre>
</blockquote>
<br class="">
</div>
</div>
</blockquote>
</div>
<br class="">
</blockquote>
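<p>Added example, not code from this thread or from the Keycloak project: a sketch of the workaround Marek proposes (subclass <code>LDAPFederationProvider</code> and override <code>validPassword</code>), written so that it also addresses Cory's concern, i.e. the <code>UPDATE_PASSWORD</code> required action is only added after the directory has actually checked the supplied password. It assumes the SPI of that time: a protected <code>validPassword(RealmModel, UserModel, String)</code>, a protected <code>loadAndValidateUser(RealmModel, UserModel)</code>, a subclass-visible <code>ldapIdentityStore</code> field whose <code>validatePassword</code> throws <code>javax.naming.AuthenticationException</code>, and that Active Directory reports the "must change password" condition (the <code>data 773</code> bind error) only when the supplied password is otherwise correct. The package and class names are hypothetical.</p>

```java
// Added example (not Keycloak's own code): an LDAPFederationProvider subclass
// that turns an Active Directory "password must be changed" bind failure into
// a successful login plus an UPDATE_PASSWORD required action, while every
// other bind failure stays a failure.
//
// Assumptions to verify against the Keycloak version you build against:
//  - protected validPassword(RealmModel, UserModel, String) and
//    loadAndValidateUser(RealmModel, UserModel) exist on LDAPFederationProvider,
//    and the ldapIdentityStore field is visible to subclasses;
//  - LDAPIdentityStore.validatePassword(LDAPObject, String) signals a failed
//    bind with javax.naming.AuthenticationException;
//  - AD only reports "data 773" after the supplied password was found correct
//    (a wrong password yields a different error), so the marker proves the
//    user knew the current password.
package com.example.keycloak.federation; // hypothetical package

import javax.naming.AuthenticationException;

import org.jboss.logging.Logger;
import org.keycloak.federation.ldap.LDAPFederationProvider;
import org.keycloak.federation.ldap.LDAPFederationProviderFactory;
import org.keycloak.federation.ldap.idm.model.LDAPObject;
import org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserFederationProviderModel;
import org.keycloak.models.UserModel;

public class ExpiredPasswordAwareLDAPProvider extends LDAPFederationProvider {

    private static final Logger logger = Logger.getLogger(ExpiredPasswordAwareLDAPProvider.class);

    // AD-specific marker in the bind error for "user must reset password"
    // (assumed; confirm the exact text your directory returns).
    private static final String AD_MUST_CHANGE_PASSWORD_MARKER = "data 773";

    public ExpiredPasswordAwareLDAPProvider(LDAPFederationProviderFactory factory, KeycloakSession session,
                                            UserFederationProviderModel model, LDAPIdentityStore ldapIdentityStore) {
        super(factory, session, model, ldapIdentityStore);
    }

    @Override
    protected boolean validPassword(RealmModel realm, UserModel user, String password) {
        LDAPObject ldapUser = loadAndValidateUser(realm, user);
        try {
            // Normal path: the bind succeeds, so the password is valid.
            ldapIdentityStore.validatePassword(ldapUser, password);
            return true;
        } catch (AuthenticationException ae) {
            if (isMustChangePasswordFailure(ae)) {
                // The bind was refused only because the password must be changed,
                // not because it was wrong: accept the login but force the update
                // before the user gets a session that still relies on the old password.
                logger.infof("Password of user '%s' must be changed; adding UPDATE_PASSWORD required action",
                        user.getUsername());
                user.addRequiredAction(UserModel.RequiredAction.UPDATE_PASSWORD);
                return true;
            }
            // Wrong password, disabled account, anything else: fail as before and do
            // NOT add the required action here. Adding it without a verified password
            // is the hole Cory describes: anyone knowing the username could reset it.
            return false;
        }
    }

    // Walks the cause chain, since the identity store may wrap the JNDI exception.
    static boolean isMustChangePasswordFailure(Throwable t) {
        for (Throwable cur = t; cur != null; cur = cur.getCause()) {
            String msg = cur.getMessage();
            if (msg != null && msg.contains(AD_MUST_CHANGE_PASSWORD_MARKER)) {
                return true;
            }
        }
        return false;
    }
}
```

<p>A matching factory subclass that instantiates this provider is still needed. Before relying on it, check against your own directory that an incorrect password never produces the marker being matched; if it did, the override would degrade into exactly the username-only password reset the thread warns about, which is also why the cleaner fix Marek mentions is for the federation provider to propagate the failure cause explicitly rather than by matching error text.</p>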
<br>
</body>
</html>