<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">The mapper should be added automatically when you create an LDAP Federation provider with "Active directory" set as vendor. It should also be added automatically when migrating the DB from a previous Keycloak version. Strange it didn't work for you...<br>
<br>
Marek<br>
<br>
On 14/01/16 12:09, Edgar Vonk - Info.nl wrote:<br>
</div>
<blockquote cite="mid:1A7F913C-74B5-40D9-AC10-8C76E4552DDC@info.nl"
type="cite">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
Ah, sorry about this. I had not added a MSAD User Account Control
mapper in our existing AD user federation in Keycloak yet. I
thought it might be implicit and that I would not have to define
an actual mapper or something. However this fixed the synching of
the enabled status between AD and Keycloak. Nice work!
<div class=""><br class="">
</div>
<div class=""><br class="">
<div class=""><br class="">
<div class=""><br class="">
<div>
<blockquote type="cite" class="">
<div class="">On 14 Jan 2016, at 11:23, Edgar Vonk - <a
moz-do-not-send="true" href="http://info.nl"
class="">
Info.nl</a> <<a moz-do-not-send="true"
href="mailto:Edgar@info.nl" class="">Edgar@info.nl</a>>
wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div style="word-wrap: break-word; -webkit-nbsp-mode:
space; -webkit-line-break: after-white-space;"
class="">
<div class="">Hi Marek,</div>
<br class="">
<div class="">
<blockquote type="cite" class="">
<div class="">On 14 Jan 2016, at 10:28, Marek
Posolda <<a moz-do-not-send="true"
href="mailto:mposolda@redhat.com" class="">mposolda@redhat.com</a>>
wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div bgcolor="#FFFFFF" text="#000000" class="">
<div class="moz-cite-prefix">Yeah, the new MSAD mapper added in 1.8 should help you with this. Once the user has userAccountControl of 514 in MSAD, he will be marked as disabled in Keycloak. Then when you enable it in Keycloak, it should be propagated to MSAD and the user will be set to 512 in MSAD. Hope it will work for you.<br class="">
<br class="">
</div>
</div>
</div>
</blockquote>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class="">Thanks but I’m afraid it does not
work for us. I am using Keycloak 1.8.0.CR1 now.
When I disable the user in MSAD I see
the userAccountControl attribute change to 514,
however this is not reflected in Keycloak. Not
even when I force a resync of all users.</div>
<div class=""><br class="">
</div>
<div class="">I will see if I can do some
debugging and create a JIRA issue for you. </div>
<div class=""><br class="">
</div>
<div class="">cheers</div>
<div class=""><br class="">
</div>
<div class="">Edgar</div>
<div class=""><br class="">
</div>
<br class="">
<blockquote type="cite" class="">
<div class="">
<div bgcolor="#FFFFFF" text="#000000" class="">
<div class="moz-cite-prefix">Not sure about
password history issue.<br class="">
<br class="">
Will wait for your feedback. Hope we can
sort your issues.<br class="">
<br class="">
Marek<br class="">
<br class="">
On 14/01/16 10:01, Edgar Vonk - <a
moz-do-not-send="true"
href="http://info.nl/" class="">Info.nl</a>
wrote:<br class="">
</div>
<blockquote
cite="mid:37112117-4485-474C-A94D-4169B9AEA7BB@info.nl"
type="cite" class="">
Hi Marek,
<div class=""><br class="">
</div>
<div class="">Sorry, I overlooked you mentioning that you added this in Keycloak 1.8 while we are still on Keycloak 1.7. I will upgrade and let you know a.s.a.p!</div>
<div class=""><br class="">
</div>
<div class="">Thanks again for your help.</div>
<div class=""><br class="">
</div>
<div class="">cheers</div>
<div class=""><br class="">
</div>
<div class="">Edgar</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
<div class="">
<blockquote type="cite" class="">
<div class="">On 14 Jan 2016, at 09:54, Edgar Vonk - <a moz-do-not-send="true" href="http://info.nl/" class="">Info.nl</a> <<a moz-do-not-send="true" href="mailto:Edgar@info.nl" class="">Edgar@info.nl</a>> wrote:</div>
<br
class="Apple-interchange-newline">
<div class="">
<div style="word-wrap: break-word;
-webkit-nbsp-mode: space;
-webkit-line-break:
after-white-space;" class="">
Hi Marek,
<div class=""><br class="">
</div>
<div class="">Thanks very much
for your reply. See remarks
below.</div>
<div class=""><br class="">
<div class="">
<blockquote type="cite"
class="">
<div class="">On 13 Jan 2016, at 22:53, Marek Posolda <<a moz-do-not-send="true" href="mailto:mposolda@redhat.com" class="">mposolda@redhat.com</a>> wrote:</div>
<br
class="Apple-interchange-newline">
<div class="">On 13/01/16 13:40, Edgar Vonk - <a moz-do-not-send="true" href="http://info.nl/" class="">Info.nl</a> wrote:<br class="">
<blockquote type="cite" class="">
Hi all,<br class="">
<br class="">
We use Keycloak’s user federation to integrate with a (Windows 2012) Active Directory (AD) server. We want to store all users and groups in AD and also want to manage the password policies from AD, so we do not have any password policies set up in Keycloak. We also want to use Keycloak for all user management functionality. We have set up the password policies in AD at the domain level where we connect to from Keycloak.<br class="">
<br class="">
Our password policies in AD are as follows:<br class="">
- password complexity (min length + special chars)<br class="">
- account lock out after 3 attempts<br class="">
- password history (not allowed to use previous 5 passwords)<br class="">
<br class="">
Users and admins can set and change passwords in AD from Keycloak fine. However, the password policies do not quite do what we want them to:<br class="">
- Password complexity policy seems to work fine.<br class="">
- Account is indeed locked in AD after three failed attempts. However, the ‘Unlock users’ functionality in Keycloak does not unlock the users in AD. Users can only be unlocked in AD itself, it seems. We would like to be able to do this from Keycloak however (and really per user and not for all users in one go). Should this work in Keycloak or is this a new feature request?<br class="">
</blockquote>
<span class="">Is the fact that the user is locked tracked in your MSAD through the userAccountControl attribute?</span></div>
</blockquote>
<div class=""><br class="">
</div>
<div class="">Yes it is. I
see this working when I
look at a normal LDAP
browser connected to MSAD.
When I disable a user in
MSAD I see the
userAccountControl
attribute change from 512
to 514.</div>
<div class=""><br class="">
</div>
<br class="">
<blockquote type="cite"
class="">
<div class=""><span class="">In Keycloak 1.8 I've added the MSAD UserAccountControl mapper, which allows integrating the MSAD account state more tightly into the Keycloak state. For example, enabling a user in the Keycloak admin console will remove the ACCOUNTDISABLE flag from the userAccountControl value in MSAD as well and hence enable this user in MSAD too.</span><br class="">
</div>
</blockquote>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class="">This sounds
good, however
unfortunately we do not
see this happening. When
I disable the user in
Keycloak the
userAccountControl
attribute does not change
at all so the propagation
to MSAD does not seem to
work here.</div>
<div class=""><br class="">
</div>
<div class="">We have indeed
configured the user
federation in Keycloak to
WRITABLE LDAP and all
other user attributes
(like user name etc) are
propagated from Keycloak
to MSAD just fine.</div>
<div class=""><br class="">
</div>
<div class="">I will create
a JIRA issue so that I can
send you some more
details.</div>
<br class="">
<blockquote type="cite"
class="">
<div class=""><br class="">
<span class="">However, support for lock/unlock is not included in the mapper. So feel free to create a JIRA.</span><br class="">
<br class="">
</div>
</blockquote>
<div class=""><br class="">
</div>
<div class="">Ok, will do.</div>
<div class=""><br class="">
</div>
<br class="">
<blockquote type="cite"
class="">
<div class=""><span class="">Until it's implemented, you can possibly use an adminEvent listener. (There is an admin event triggered when you click "Unlock user" in the Keycloak UI, so you can listen to this event and propagate the call to MSAD once you successfully enable it.)</span><br class="">
<blockquote type="cite" class="">
- The password history policy does not seem to work at all. Users can currently set their password to a previous password without a problem. Does anyone have an idea why this policy in AD does not work from Keycloak?<br class="">
</blockquote>
<span class="">No idea. Keycloak is just using the Directory API for changing the password. It's strange that MSAD allows changing the password through this API when it breaks the password history policy. Are you sure you have WRITABLE LDAP and the password update from Keycloak is propagated to MSAD?</span><br class="">
</div>
</blockquote>
<div class=""><br class="">
</div>
<div class="">Yes, we have writable LDAP configured and indeed the password is propagated to MSAD. Maybe it is related to the issue we see with the userAccountControl attribute.</div>
<div class=""><br class="">
</div>
<div class="">cheers</div>
<div class=""><br class="">
</div>
<div class="">Edgar</div>
<br class="">
<blockquote type="cite"
class="">
<div class=""><br class="">
<span class="">Marek</span><br class="">
<blockquote type="cite" class="">
<br class="">
cheers<br class="">
<br class="">
Edgar<br class="">
<br class="">
<br class="">
_______________________________________________<br class="">
keycloak-dev mailing list<br class="">
<a moz-do-not-send="true" href="mailto:keycloak-dev@lists.jboss.org" class="">keycloak-dev@lists.jboss.org</a><br class="">
<a moz-do-not-send="true" href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" class="">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></blockquote>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</blockquote>
<br class="">
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
</blockquote>
<br>
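<div class="">Added example, not Keycloak's own mapper code: the userAccountControl handling Marek describes in the thread (514 imports as disabled, enabling in Keycloak writes 512 back) modelled as bit operations over constructed LDAP entries, plus a check of the separate lockoutTime attribute, since the thread notes the mapper does not cover lock/unlock. The flag constants are Microsoft's documented userAccountControl bits; the entry shape and sample users are constructed for the example.</div>

```python
# Added example, not Keycloak's own mapper code: models the MSAD userAccountControl
# <-> Keycloak "enabled" mapping from the thread on constructed LDAP entries.
# Flag values are Microsoft's documented userAccountControl bits.
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000  # an unrelated bit a correct mapper must leave untouched


def keycloak_enabled(user_account_control: int) -> bool:
    """Import direction: 514 (512 | ACCOUNTDISABLE) means disabled, 512 means enabled."""
    return not (user_account_control & ACCOUNTDISABLE)


def apply_keycloak_enabled(user_account_control: int, enabled: bool) -> int:
    """Write-back direction: toggle only ACCOUNTDISABLE, preserving every other flag."""
    if enabled:
        return user_account_control & ~ACCOUNTDISABLE
    return user_account_control | ACCOUNTDISABLE


def sync_from_ldap_entry(entry: dict) -> dict:
    """Simulate the mapper's import step for one user. MSAD returns userAccountControl
    over LDAP as a decimal string; a missing attribute is treated as a normal enabled
    account instead of failing the whole sync run."""
    uac = int(entry.get("userAccountControl", str(NORMAL_ACCOUNT)))
    # AD records lockouts in lockoutTime, not in userAccountControl, which is why an
    # enable/disable mapper alone cannot unlock a user. Nonzero means a lockout was
    # recorded; whether it has since expired depends on the domain's lockoutDuration,
    # which this check does not consult.
    locked = int(entry.get("lockoutTime", "0")) != 0
    return {
        "username": entry["sAMAccountName"],
        "enabled": keycloak_enabled(uac),
        "lockoutRecorded": locked,
    }


# Constructed sample entries, shaped like what an LDAP browser shows for MSAD users.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "userAccountControl": "512", "lockoutTime": "0"},
    {"sAMAccountName": "bob", "userAccountControl": "514", "lockoutTime": "0"},
    {"sAMAccountName": "carol", "userAccountControl": "512", "lockoutTime": "131000000000000000"},
]

if __name__ == "__main__":
    for e in SAMPLE_ENTRIES:
        print(sync_from_ldap_entry(e))
    # Admin enables bob in Keycloak: the value written back to MSAD drops from 514 to 512.
    print(apply_keycloak_enabled(514, True))
```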
</body>
</html>