<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Yeah, the new MSAD mapper added in 1.8
should help you with this. Once the user has a userAccountControl of
514 in MSAD, he will be marked as disabled in Keycloak. Then when you
enable him in Keycloak, it should be propagated to MSAD and the user's
userAccountControl will be set to 512 in MSAD. Hope it
will work for you.<br>
<br>
Not sure about the password history issue.<br>
<br>
Will wait for your feedback. Hope we can sort your issues.<br>
<br>
Marek<br>
<br>
On 14/01/16 10:01, Edgar Vonk - Info.nl wrote:<br>
</div>
<blockquote cite="mid:37112117-4485-474C-A94D-4169B9AEA7BB@info.nl"
type="cite">
Hi Marek,
<div class=""><br class="">
</div>
<div class="">Sorry, I overlooked you mentioning that you added
this in Keycloak 1.8 while we are still on Keycloak 1.7. I will
upgrade and let you know a.s.a.p!</div>
<div class=""><br class="">
</div>
<div class="">Thanks again for your help.</div>
<div class=""><br class="">
</div>
<div class="">cheers</div>
<div class=""><br class="">
</div>
<div class="">Edgar</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
<div>
<blockquote type="cite" class="">
<div class="">On 14 Jan 2016, at 09:54, Edgar Vonk - <a
moz-do-not-send="true" href="http://info.nl" class="">
Info.nl</a> <<a moz-do-not-send="true"
href="mailto:Edgar@info.nl" class="">Edgar@info.nl</a>>
wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div style="word-wrap: break-word; -webkit-nbsp-mode:
space; -webkit-line-break: after-white-space;" class="">
Hi Marek,
<div class=""><br class="">
</div>
<div class="">Thanks very much for your reply. See
remarks below.</div>
<div class=""><br class="">
<div class="">
<blockquote type="cite" class="">
<div class="">On 13 Jan 2016, at 22:53, Marek
Posolda <<a moz-do-not-send="true"
href="mailto:mposolda@redhat.com" class="">mposolda@redhat.com</a>>
wrote:</div>
<br class="Apple-interchange-newline">
<div class="">On 13/01/16 13:40, Edgar Vonk - <a moz-do-not-send="true" href="http://info.nl/" class="">Info.nl</a> wrote:<br class="">
<blockquote type="cite" class="">
Hi all,<br class="">
<br class="">
We use Keycloak’s user federation to integrate
with a (Windows 2012) Active Directory (AD)
server. We want to store all users and groups
in AD and also want to manage the password
policies from AD so we do not have any
password policies in Keycloak set up. We also
want to use Keycloak for all user management
functionality. We have set up the password
policies in AD at the domain level where we
connect to from Keycloak.<br class="">
<br class="">
Our password policies in AD are as follows:<br
class="">
- password complexity (min length + special
chars)<br class="">
- account lock out after 3 attempts<br
class="">
- password history (not allowed to use
previous 5 passwords)<br class="">
<br class="">
Users and admins can set and change passwords in AD from Keycloak fine.
However, the password policies do not quite do what we want them to:<br class="">
- Password complexity policy seems to work fine.<br class="">
- Account is indeed locked in AD after three failed attempts. However,
the ‘Unlock users’ functionality in Keycloak does not unlock the users
in AD. Users can only be unlocked in AD itself, it seems. We would like
to be able to do this from Keycloak however (and really per user and
not for all users in one go). Should this work in Keycloak or is this
a new feature request?<br class="">
</blockquote>
Is the fact that the user is locked tracked in your MSAD through the userAccountControl attribute?
</div>
</blockquote>
<div class=""><br class="">
</div>
<div class="">Yes it is. I see this working when I
look at a normal LDAP browser connected to MSAD.
When I disable a user in MSAD I see the
userAccountControl attribute change from 512 to
514.</div>
<div class=""><br class="">
</div>
<br class="">
<blockquote type="cite" class="">
<div class="">In Keycloak 1.8 I've added the MSAD UserAccountControl mapper, which allows integrating the MSAD account state more tightly into the Keycloak state. For example, enabling a user in the Keycloak admin console will remove the ACCOUNTDISABLE flag from the userAccountControl value in MSAD as well and hence enable this user in MSAD too.<br class="">
</div>
</blockquote>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class="">This sounds good, however
unfortunately we do not see this happening. When
I disable the user in Keycloak the
userAccountControl attribute does not change at
all so the propagation to MSAD does not seem to
work here.</div>
<div class=""><br class="">
</div>
<div class="">We have indeed configured the user
federation in Keycloak to WRITABLE LDAP and all
other user attributes (like user name etc) are
propagated from Keycloak to MSAD just fine.</div>
<div class=""><br class="">
</div>
<div class="">I will create a JIRA issue so that I
can send you some more details.</div>
<br class="">
<blockquote type="cite" class="">
<div class=""><br class="">
However, support for lock/unlock is not included in the mapper. So feel free to create a JIRA.<br class="">
<br class="">
</div>
</blockquote>
<div class=""><br class="">
</div>
<div class="">Ok, will do.</div>
<div class=""><br class="">
</div>
<br class="">
<blockquote type="cite" class="">
<div class="">Until it's implemented, you can possibly use an adminEvent listener (there is an admin event triggered when you click "Unlock user" in the Keycloak UI, so you can listen to this event and propagate the call to MSAD once you successfully enable it).<br class="">
<blockquote type="cite" class="">
- The password history policy does not seem to work at all. Users can currently set their password to a previous password without a problem. Does anyone have an idea why this policy in AD does not work from Keycloak?<br class="">
</blockquote>
No idea. Keycloak is just using the Directory API to change the password. It's strange that MSAD allows changing the password through this API when it breaks the password history policy. Are you sure you have WRITABLE LDAP and the password update from Keycloak is propagated to MSAD?<br class="">
</div>
<div class=""><br class="">
</div>
<div class="">Yes, we have writable LDAP configured
and indeed the password is propagated to MSAD.
Maybe it is related to the issue we see with the
userAccountControl attribute.</div>
<div class=""><br class="">
</div>
<div class="">cheers</div>
<div class=""><br class="">
</div>
<div class="">Edgar</div>
<br class="">
<blockquote type="cite" class="">
<div class=""><br class="">
Marek<br class="">
<blockquote type="cite" class="">
<br class="">
cheers<br class="">
<br class="">
Edgar<br class="">
<br class="">
<br class="">
_______________________________________________<br class="">
keycloak-dev mailing list<br class="">
<a moz-do-not-send="true"
href="mailto:keycloak-dev@lists.jboss.org"
class="">keycloak-dev@lists.jboss.org</a><br
class="">
<a moz-do-not-send="true"
href="https://lists.jboss.org/mailman/listinfo/keycloak-dev"
class="">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></blockquote>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</blockquote>
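<p>Added example (not code from this thread or from Keycloak): the userAccountControl bit arithmetic behind the 512/514 values discussed above, side by side with Active Directory's separate lockoutTime attribute, which is what an unlock actually resets. The sample LDAP entry is constructed; the flag values are the documented MSAD userAccountControl bits.</p>

```python
# Added example, not code from the keycloak-dev thread or from Keycloak itself:
# the MSAD userAccountControl bit arithmetic behind the 512/514 values above,
# plus the separate lockoutTime attribute AD uses to track lockout (non-zero =
# locked), which is why toggling ACCOUNTDISABLE alone never unlocks an account.
from __future__ import annotations

# Documented userAccountControl flags (subset relevant to the thread).
ACCOUNTDISABLE = 0x0002
LOCKOUT = 0x0010  # reliable only in msDS-User-Account-Control-Computed
NORMAL_ACCOUNT = 0x0200
FLAG_NAMES = {ACCOUNTDISABLE: "ACCOUNTDISABLE", LOCKOUT: "LOCKOUT",
              NORMAL_ACCOUNT: "NORMAL_ACCOUNT"}


def decode_uac(value: int) -> list[str]:
    """Names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if value & bit]


def set_enabled(value: int, enabled: bool) -> int:
    """userAccountControl after toggling enabled state, preserving other bits.
    Enabling clears ACCOUNTDISABLE (514 -> 512); disabling sets it (512 -> 514),
    which is the propagation the thread attributes to the 1.8 mapper."""
    return value & ~ACCOUNTDISABLE if enabled else value | ACCOUNTDISABLE


def account_state(entry: dict[str, str]) -> dict[str, bool]:
    """Disabled/locked state of a constructed LDAP entry (string attributes)."""
    uac = int(entry.get("userAccountControl", "0"))
    lockout_time = int(entry.get("lockoutTime", "0"))
    return {"disabled": bool(uac & ACCOUNTDISABLE), "locked": lockout_time != 0}


def unlock_modification(entry: dict[str, str]) -> dict[str, str]:
    """LDAP modify needed to unlock (not enable) the account: reset lockoutTime
    to 0, the standard AD unlock; userAccountControl is intentionally untouched."""
    return {"lockoutTime": "0"} if account_state(entry)["locked"] else {}


if __name__ == "__main__":
    # Constructed sample: a disabled and locked-out normal account.
    sample = {"userAccountControl": "514", "lockoutTime": "131202345678901234"}
    print(decode_uac(514))                         # ['ACCOUNTDISABLE', 'NORMAL_ACCOUNT']
    print(set_enabled(514, True), set_enabled(512, False))  # 512 514
    print(account_state(sample), unlock_modification(sample))
```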
<br>
</body>
</html>