<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
Hi Marek,
<div class=""><br class="">
</div>
<div class="">Thanks very much for your reply. See remarks below.</div>
<div class=""><br class="">
<div>
<blockquote type="cite" class="">
<div class="">On 13 Jan 2016, at 22:53, Marek Posolda <<a href="mailto:mposolda@redhat.com" class="">mposolda@redhat.com</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class=""><span style="font-family: Georgia; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;" class="">On
13/01/16 13:40, Edgar Vonk -<span class="Apple-converted-space"> </span></span><a href="http://info.nl/" style="font-family: Georgia; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">Info.nl</a><span style="font-family: Georgia; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;" class=""><span class="Apple-converted-space"> </span>wrote:</span><br style="font-family: Georgia; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">
<blockquote type="cite" style="font-family: Georgia; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">
Hi all,<br class="">
<br class="">
We use Keycloak’s user federation to integrate with a (Windows 2012) Active Directory (AD) server. We want to store all users and groups in AD and also want to manage the password policies from AD, so we do not have any password policies set up in Keycloak.
We also want to use Keycloak for all user management functionality. We have set up the password policies in AD at the domain level that we connect to from Keycloak.<br class="">
<br class="">
Our password policies in AD are as follows:<br class="">
- password complexity (min length + special chars)<br class="">
- account lock out after 3 attempts<br class="">
- password history (not allowed to use previous 5 passwords)<br class="">
<br class="">
Users and admins can set and change passwords in AD from Keycloak fine. However, the password policies do not quite do what we want them to:<br class="">
- Password complexity policy seems to work fine.<br class="">
- Account is indeed locked in AD after three failed attempts. However, the ‘Unlock users’ functionality in Keycloak does not unlock the users in AD. Users can only be unlocked in AD itself, it seems. We would like to be able to do this from Keycloak, however (and
really per user and not for all users in one go). Should this work in Keycloak or is this a new feature request?<br class="">
</blockquote>
<span style="font-family: Georgia; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;" class="">Is
the fact that the user is locked tracked in your MSAD through the userAccountControl attribute?
</span></div>
</blockquote>
<div><br class="">
</div>
<div>Yes, it is. I see this working when I look at a normal LDAP browser connected to MSAD. When I disable a user in MSAD I see the userAccountControl attribute change from 512 to 514.</div>
<div><br class="">
</div>
<br class="">
<blockquote type="cite" class="">
<div class=""><span style="font-family: Georgia; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;" class="">In
the Keycloak 1.8 I've added the MSAD UserAccountControl mapper, which allows to integrate the MSAD account state more tightly into Keycloak state. For example enable user in Keycloak admin console will remove the ACCOUNTDISABLE flag from userAccountControl
value in MSAD as well and hence enable this user in MSAD too.</span><br style="font-family: Georgia; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">
</div>
</blockquote>
<div><br class="">
</div>
<div><br class="">
</div>
<div>This sounds good, however unfortunately we do not see this happening. When I disable the user in Keycloak the userAccountControl attribute does not change at all so the propagation to MSAD does not seem to work here.</div>
<div><br class="">
</div>
<div>We have indeed configured the user federation in Keycloak to WRITABLE LDAP, and all other user attributes (like user name, etc.) are propagated from Keycloak to MSAD just fine.</div>
<div><br class="">
</div>
<div>I will create a JIRA issue so that I can send you some more details.</div>
<br class="">
<blockquote type="cite" class="">
<div class=""><br style="font-family: Georgia; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">
<span style="font-family: Georgia; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;" class="">However,
support for lock/unlock is not included in the mapper. So feel free to create a JIRA.</span><br style="font-family: Georgia; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">
<br style="font-family: Georgia; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">
</div>
</blockquote>
<div><br class="">
</div>
<div>Ok, will do.</div>
<div><br class="">
</div>
<br class="">
<blockquote type="cite" class="">
<div class=""><span style="font-family: Georgia; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;" class="">Until
it's implemented, you can possibly use adminEvent listener (There is admin event triggered when you click "Unlock user" in Keycloak UI. So you can listen to this event and propagate the call to MSAD once you successfully enable it)</span><br style="font-family: Georgia; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">
<blockquote type="cite" style="font-family: Georgia; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">
- The password history policy does not seem to work at all. Users can currently set their password to a previous password without a problem. Does anyone have an idea why this policy in AD does not work from Keycloak?<br class="">
</blockquote>
<span style="font-family: Georgia; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;" class="">No
idea. Keycloak is just using the Directory API to change the password. It's strange that MSAD allows the password to be changed through this API when it breaks the password history policy. Are you sure you have WRITABLE LDAP and that the password update from Keycloak is propagated to
MSAD?</span><br style="font-family: Georgia; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">
</div>
</blockquote>
<div><br class="">
</div>
<div>Yes, we have writable LDAP configured, and indeed the password is propagated to MSAD. Maybe it is related to the issue we see with the userAccountControl attribute.</div>
<div><br class="">
</div>
<div>cheers</div>
<div><br class="">
</div>
<div>Edgar</div>
<br class="">
<blockquote type="cite" class="">
<div class=""><br style="font-family: Georgia; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">
<span style="font-family: Georgia; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;" class="">Marek</span><br style="font-family: Georgia; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">
<blockquote type="cite" style="font-family: Georgia; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">
<br class="">
cheers<br class="">
<br class="">
Edgar<br class="">
<br class="">
<br class="">
_______________________________________________<br class="">
keycloak-dev mailing list<br class="">
<a href="mailto:keycloak-dev@lists.jboss.org" class="">keycloak-dev@lists.jboss.org</a><br class="">
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" class="">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></blockquote>
</div>
</blockquote>
</div>
<br class="">
</div>
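<div class="">The thread above turns on the MSAD userAccountControl bit field (512 for an enabled normal account, 514 once the ACCOUNTDISABLE bit is set) and on unlocking accounts that AD has locked out. The block below is an added example for readers of this thread; it is not code from the thread, from Keycloak, or from the MSAD UserAccountControl mapper Marek describes. It decodes the bit field, produces the enable/disable transition the mapper is said to perform, and builds the attribute replacements an LDAP client would send, in plain Python with no LDAP library. The flag values are the ones Microsoft documents for userAccountControl; the sample entries, account names and lockoutTime value are constructed; and the handling of lockout via the lockoutTime attribute (non-zero when locked, cleared by writing 0) is the example's own assumption about AD, not something the thread states.</div>
<div class=""><br class=""></div>
```python
# Added example (not from the thread or from Keycloak): decoding and updating
# the MSAD userAccountControl bit field, plus the lockoutTime attribute that
# AD uses for account lockout (assumption about AD, not stated in the thread).

# Bit values as documented by Microsoft for userAccountControl.
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200

UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",  # legacy bit; current AD reports lockout via lockoutTime instead
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x800000: "PASSWORD_EXPIRED",
}


def decode_uac(value):
    """Return the names of the flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def with_enabled(value, enabled):
    """Set or clear ACCOUNTDISABLE, leaving every other bit untouched.

    512 (NORMAL_ACCOUNT) becomes 514 when disabled, matching the change
    observed in the thread; 514 becomes 512 again when re-enabled.
    """
    return value & ~ACCOUNTDISABLE if enabled else value | ACCOUNTDISABLE


def is_enabled(value):
    """An account is enabled when the ACCOUNTDISABLE bit is clear."""
    return not value & ACCOUNTDISABLE


def is_locked_out(entry):
    """Assumed AD behaviour: lockoutTime is a FILETIME; 0 or absent means not locked."""
    return int(entry.get("lockoutTime", "0")) != 0


def build_modifications(entry, enabled=None, unlock=False):
    """Compute the attribute replacements to write for an MSAD user entry.

    `entry` is a constructed dict of attribute name -> string value (the shape
    a directory search would return). The result maps attribute name -> new
    string value; only attributes that actually change are included, so a
    no-op request yields an empty dict and no LDAP write.
    """
    mods = {}
    current = int(entry["userAccountControl"])
    if enabled is not None:
        new = with_enabled(current, enabled)
        if new != current:
            mods["userAccountControl"] = str(new)
    if unlock and is_locked_out(entry):
        mods["lockoutTime"] = "0"  # assumption: writing 0 clears the lockout in AD
    return mods


# Constructed sample entries (names and timestamps are made up).
SAMPLE_ACTIVE = {"sAMAccountName": "jdoe", "userAccountControl": "512", "lockoutTime": "0"}
SAMPLE_LOCKED = {"sAMAccountName": "asmith", "userAccountControl": "512",
                 "lockoutTime": "131000000000000000"}

if __name__ == "__main__":
    print(decode_uac(514))                                   # ['ACCOUNTDISABLE', 'NORMAL_ACCOUNT']
    print(build_modifications(SAMPLE_ACTIVE, enabled=False))  # {'userAccountControl': '514'}
    print(build_modifications(SAMPLE_LOCKED, unlock=True))    # {'lockoutTime': '0'}
```
<div class="">Keeping enable/disable and unlock as separate operations mirrors the distinction made in the thread: the mapper Marek describes covers the ACCOUNTDISABLE bit, while lockout is a different piece of state that the mapper does not touch, so an event-listener approach would need to write the lockout attribute on its own.</div>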
</body>
</html>