<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">I agree we need some way to address
this. Active Directory is widely used and more people asked for
that . I've put the comment to
<a class="moz-txt-link-freetext" href="https://issues.jboss.org/browse/KEYCLOAK-1744">https://issues.jboss.org/browse/KEYCLOAK-1744</a> with possible
solution, but it may need changes in UserFederationProvider
interface, so the federationProvider is able to propagate the
cause why password validation failed (password is expired, user is
disabled, or just invalid password was used etc...).<br>
<br>
As a temporary workaround, you can subclass LDAPFederationProvider
and do something on your own. You can override
LDAPFederationProvider.validPassword and add updatePassword on
User when you detect that reason of password validation failure is
expired password.<br>
<br>
Marek<br>
<br>
On 09/11/15 20:32, Cory Snyder wrote:<br>
</div>
<blockquote
cite="mid:76A3D583-AF5C-4616-B3B8-12B9C33C9CAE@iland.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<div class="">Hey guys,</div>
<div class=""><br class="">
</div>
<div class="">Following up on this conversation that took place a
couple of months back: <a moz-do-not-send="true"
href="http://lists.jboss.org/pipermail/keycloak-dev/2015-September/005286.html"
class="">http://lists.jboss.org/pipermail/keycloak-dev/2015-September/005286.html</a>.
I just had a chance to try the proposed approach of implementing
a custom authentication provider that checks the pwdLastSet
attribute and sets the update password required action. I
believe that this may not be quite as easy as was suggested due
to the fact that authentication fails with the default LDAP
Federation Provider before a custom execution in the login flow
has a chance to check the attribute and set the required action.
It seems I would need to implement a custom LDAP Federation
Provider that considers authentication successful when the
exception referenced in <a moz-do-not-send="true"
href="https://issues.jboss.org/browse/KEYCLOAK-1744" class="">https://issues.jboss.org/browse/KEYCLOAK-1744</a> is
thrown, but also add the required action for updating the
password. Is there an easy way to do that or something that I’m
missing? Otherwise, I’d be willing to work on a contribution for
this issue if you’re willing to have logic that is specific to
AD?</div>
<div class=""><br class="">
</div>
<div class="">Thanks,</div>
<br class="">
<div apple-content-edited="true" class="">
<div class="">
<div style="font-family: Arial, Helvetica, sans-serif;
font-size: 13px;" class="">
Cory Snyder</div>
<div style="font-family: Arial, Helvetica, sans-serif;
font-size: 11px; color: rgb(153, 153, 153);" class="">
software engineer</div>
<div style="font-family: Arial, Helvetica, sans-serif;
font-size: 11px;" class="">
<span style="font-weight: bold; color: rgb(11, 164, 232);"
class="">USA</span> <span style="color: rgb(153, 153,
153);" class="">+1.419.731.3479 </span><span
style="font-weight: bold; color: rgb(11, 164, 232);"
class=""> UK </span><span style="color: rgb(153, 153,
153);" class="">+44.20.7096.0149 </span> <a
moz-do-not-send="true" href="http://www.iland.com/"
style="font-weight: bold; color: rgb(11, 164, 232);
text-decoration: none;" class="">iland.com</a> </div>
</div>
</div>
<br class="">
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
keycloak-dev mailing list
<a class="moz-txt-link-abbreviated" href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a>
<a class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/keycloak-dev">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></pre>
</blockquote>
<br>
</body>
</html>