<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">This makes things a bit tricky, because:<br>
1) Our current model SPI and federation SPI for updating a credential
don't distinguish between the case when the user is updating his own
credential and when an admin is resetting the credential of a user.<br>
2) Also, in LDAP both operations are executed under the "admin"
connection (the user's own connection is used just to verify his
password).<br>
3) Finally, there is no old password available in the
UserModel.updateCredential operation.<br>
<br>
Feel free to create a JIRA, but it's hard to promise when we will be able
to look into it (I am on holiday next week and then we have the
feature freeze and won't be able to add new stuff like this).<br>
<br>
So if you really want it, you may need to send a PR yourself. The
implementation may require more changes. Some pointers on how I would
do it (we may need an ACK from other team members to confirm, as we
are close to the "feature freeze" phase right now until we start on
Keycloak 2.x development):<br>
<br>
1) Change UserCredentialModel and add a new field "oldValue" with
the old password. Also maybe a boolean field "isAdminCall",
which will be true if an admin is resetting the password (in this
case the LDAP operation can stay as it is and use the "replace"
operation) and false if the user himself is resetting the password. Maybe
the "isAdminCall" field is not necessary, as with an admin call the
"oldValue" simply won't be available (when the user himself is
resetting the password in account management, the user is required to
set the password and AccountService knows the old password value).<br>
<br>
Another possibility is to introduce a context map (Map&lt;String,
String&gt; contextData) on UserCredentialModel, which is more
flexible. At the same time the "device" field can be removed from
UserCredentialModel IMO, as it doesn't seem to be used
anywhere right now.<br>
<br>
2) Change the LDAPIdentityStore implementation to distinguish between
the two cases you described.<br>
<br>
Marek<br>
<br>
On 14/01/16 17:41, Edgar Vonk - Info.nl wrote:<br>
</div>
<blockquote cite="mid:50F24EC9-4C03-49D1-8910-F561C5ACE613@info.nl"
type="cite">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<div class="">Regarding the MSAD password history policy not being
used when we change the user’s password through Keycloak (using
Keycloak’s user account screen where the user is updating
his/her own password): could this be caused by the change-password
request to MSAD not being done ‘correctly’ in the code? If I look at
LDAPIdentityStore#updateADPassword it seems that changing the password
involves a replace operation and not a delete + add operation. If I
understand the documentation from Microsoft correctly, I think you need
to do a delete + add operation when the user changes his/her own
password and the replace operation only when an admin changes
someone else’s password. I think this might explain why the
password history policy is not adhered to?</div>
<div class=""><br class="">
</div>
<div class="">From <a moz-do-not-send="true"
href="https://support.microsoft.com/en-us/kb/269190" class="">
https://support.microsoft.com/en-us/kb/269190</a>:</div>
<div class="">"There are two possible ways to modify
the unicodePwd attribute. The first is similar to a normal "user
change password" operation. In this case, the modify request
must contain both a delete and an add operation. The delete
operation must contain the current password with quotes around
it. The add operation must contain the desired new password with
quotes around it.<br class="">
<br class="">
The second way to modify this attribute is analogous to an
administrator resetting a password for a user. In order to do
this, the client must bind as a user with sufficient permissions
to modify another user's password. This modify request should
contain a single replace operation with the new desired password
surrounded by quotes. If the client has sufficient permissions,
this password becomes the new password, regardless of what the
old password was."</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<br class="">
<div>
<blockquote type="cite" class="">
<div class="">On 14 Jan 2016, at 12:09, Edgar Vonk - <a
moz-do-not-send="true" href="http://info.nl" class="">
Info.nl</a> &lt;<a moz-do-not-send="true"
href="mailto:Edgar@info.nl" class="">Edgar@info.nl</a>&gt;
wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space;
-webkit-line-break: after-white-space;" class="">
Ah, sorry about this. I had not added an MSAD User Account
Control mapper in our existing AD user federation in
Keycloak yet. I thought it might be implicit and that I
would not have to define an actual mapper or something.
However, this fixed the syncing of the enabled status
between AD and Keycloak. Nice work!
<div class=""><br class="">
</div>
<div class=""><br class="">
<div class=""><br class="">
<div class=""><br class="">
<div class="">
<blockquote type="cite" class="">
<div class="">On 14 Jan 2016, at 11:23, Edgar
Vonk - <a moz-do-not-send="true"
href="http://info.nl/" class="">
Info.nl</a> &lt;<a moz-do-not-send="true"
href="mailto:Edgar@info.nl" class="">Edgar@info.nl</a>&gt;
wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div style="word-wrap: break-word;
-webkit-nbsp-mode: space;
-webkit-line-break: after-white-space;"
class="">
<div class="">Hi Marek,</div>
<br class="">
<div class="">
<blockquote type="cite" class="">
<div class="">On 14 Jan 2016, at 10:28,
Marek Posolda &lt;<a
moz-do-not-send="true"
href="mailto:mposolda@redhat.com"
class="">mposolda@redhat.com</a>&gt;
wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div bgcolor="#FFFFFF" text="#000000"
class="">
<div class="moz-cite-prefix">Yeah,
the new MSAD mapper added in 1.8
should help you with this. Once
the user has a userAccountControl of 514
in MSAD, he will be marked as disabled
in Keycloak. Then when you enable him in
Keycloak, it should be propagated
to MSAD and the user will be set
to 512 in MSAD. Hope it will work for
you.<br class="">
<br class="">
</div>
</div>
</div>
</blockquote>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class="">Thanks but I’m afraid it
does not work for us. I am using
Keycloak 1.8.0.CR1 now. When I disable
the user in MSAD I see
the userAccountControl attribute change
to 514, however this is not reflected in
Keycloak. Not even when I force a resync
of all users.</div>
<div class=""><br class="">
</div>
<div class="">I will see if I can do some
debugging and create a JIRA issue for
you. </div>
<div class=""><br class="">
</div>
<div class="">cheers</div>
<div class=""><br class="">
</div>
<div class="">Edgar</div>
<div class=""><br class="">
</div>
<br class="">
<blockquote type="cite" class="">
<div class="">
<div bgcolor="#FFFFFF" text="#000000"
class="">
<div class="moz-cite-prefix">Not
sure about the password history issue.<br class="">
<br class="">
Will wait for your feedback. Hope
we can sort out your issues.<br class="">
<br class="">
Marek<br class="">
<br class="">
On 14/01/16 10:01, Edgar Vonk - <a
moz-do-not-send="true"
href="http://info.nl/" class="">Info.nl</a>
wrote:<br class="">
</div>
<blockquote
cite="mid:37112117-4485-474C-A94D-4169B9AEA7BB@info.nl"
type="cite" class="">
Hi Marek,
<div class=""><br class="">
</div>
<div class="">Sorry, I overlooked
you mentioning that you added
this in Keycloak 1.8 while we
are still on Keycloak 1.7. I
will upgrade and let you know
a.s.a.p.!</div>
<div class=""><br class="">
</div>
<div class="">Thanks again for
your help.</div>
<div class=""><br class="">
</div>
<div class="">cheers</div>
<div class=""><br class="">
</div>
<div class="">Edgar</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
<div class="">
<blockquote type="cite"
class="">
<div class="">On 14 Jan
2016, at 09:54, Edgar Vonk
- <a
moz-do-not-send="true"
href="http://info.nl/"
class="">
Info.nl</a> &lt;<a
moz-do-not-send="true"
href="mailto:Edgar@info.nl"
class="">Edgar@info.nl</a>&gt;
wrote:</div>
<br
class="Apple-interchange-newline">
<div class="">
<div style="word-wrap:
break-word;
-webkit-nbsp-mode:
space;
-webkit-line-break:
after-white-space;"
class="">
Hi Marek,
<div class=""><br
class="">
</div>
<div class="">Thanks
very much for your
reply. See remarks
below.</div>
<div class=""><br
class="">
<div class="">
<blockquote
type="cite"
class="">
<div class="">On
13 Jan 2016, at
22:53, Marek
Posolda &lt;<a
moz-do-not-send="true"
href="mailto:mposolda@redhat.com" class="">mposolda@redhat.com</a>&gt;
wrote:</div>
<br
class="Apple-interchange-newline">
<div class=""><span
style="font-family:
Georgia;
font-size:
13px;
font-style:
normal;
font-variant:
normal;
font-weight:
normal;
letter-spacing:
normal;
orphans: auto;
text-align:
start;
text-indent:
0px;
text-transform:
none;
white-space:
normal;
widows: auto;
word-spacing:
0px;
-webkit-text-stroke-width:
0px; float:
none; display:
inline
!important;"
class="">On
13/01/16
13:40, Edgar
Vonk -<span
class="Apple-converted-space"> </span></span><a
moz-do-not-send="true" href="http://info.nl/" style="font-family:
Georgia;
font-size:
13px;
font-style:
normal;
font-variant:
normal;
font-weight:
normal;
letter-spacing:
normal;
orphans: auto;
text-align:
start;
text-indent:
0px;
text-transform:
none;
white-space:
normal;
widows: auto;
word-spacing:
0px;
-webkit-text-stroke-width:
0px;" class="">Info.nl</a><span
style="font-family:
Georgia;
font-size:
13px;
font-style:
normal;
font-variant:
normal;
font-weight:
normal;
letter-spacing:
normal;
orphans: auto;
text-align:
start;
text-indent:
0px;
text-transform:
none;
white-space:
normal;
widows: auto;
word-spacing:
0px;
-webkit-text-stroke-width:
0px; float:
none; display:
inline
!important;"
class=""><span
class="Apple-converted-space"> </span>wrote:</span><br
style="font-family:
Georgia;
font-size:
13px;
font-style:
normal;
font-variant:
normal;
font-weight:
normal;
letter-spacing:
normal;
orphans: auto;
text-align:
start;
text-indent:
0px;
text-transform:
none;
white-space:
normal;
widows: auto;
word-spacing:
0px;
-webkit-text-stroke-width:
0px;" class="">
<blockquote
type="cite"
style="font-family:
Georgia;
font-size:
13px;
font-style:
normal;
font-variant:
normal;
font-weight:
normal;
letter-spacing:
normal;
orphans: auto;
text-align:
start;
text-indent:
0px;
text-transform:
none;
white-space:
normal;
widows: auto;
word-spacing:
0px;
-webkit-text-stroke-width:
0px;" class="">
Hi all,<br class="">
<br class="">
We use Keycloak’s user federation to integrate with a (Windows 2012) Active Directory (AD) server. We want to store all users and groups in AD and also want to manage the password policies from AD, so we do not have any password policies set up in Keycloak. We also want to use Keycloak for all user management functionality. We have set up the password policies in AD at the domain level that we connect to from Keycloak.<br class="">
<br class="">
Our password policies in AD are as follows:<br class="">
- password complexity (min length + special chars)<br class="">
- account lockout after 3 attempts<br class="">
- password history (not allowed to use previous 5 passwords)<br class="">
<br class="">
Users and admins can set and change passwords in AD from Keycloak fine. However, the password policies do not quite do what we want them to:<br class="">
- Password complexity policy seems to work fine.<br class="">
- Account is indeed locked in AD after three failed attempts. However, the ‘Unlock users’ functionality in Keycloak does not unlock the users in AD. Users can only be unlocked in AD itself, it seems. We would like to be able to do this from Keycloak, however (and really per user and not for all users in one go). Should this work in Keycloak or is this a new feature request?<br class="">
</blockquote>
<span
style="font-family:
Georgia;
font-size:
13px;
font-style:
normal;
font-variant:
normal;
font-weight:
normal;
letter-spacing:
normal;
orphans: auto;
text-align:
start;
text-indent:
0px;
text-transform:
none;
white-space:
normal;
widows: auto;
word-spacing:
0px;
-webkit-text-stroke-width:
0px; float:
none; display:
inline
!important;"
class="">Is the fact that the user is locked tracked in your MSAD through the userAccountControl attribute?
</span></div>
</blockquote>
<div class=""><br
class="">
</div>
<div class="">Yes it is. I see this working when I look at a normal LDAP browser connected to MSAD. When I disable a user in MSAD I see the userAccountControl attribute change from 512 to 514.</div>
<div class=""><br
class="">
</div>
<br class="">
<blockquote
type="cite"
class="">
<div class=""><span
style="font-family:
Georgia;
font-size:
13px;
font-style:
normal;
font-variant:
normal;
font-weight:
normal;
letter-spacing:
normal;
orphans: auto;
text-align:
start;
text-indent:
0px;
text-transform:
none;
white-space:
normal;
widows: auto;
word-spacing:
0px;
-webkit-text-stroke-width:
0px; float:
none; display:
inline
!important;"
class="">In Keycloak 1.8 I've added the MSAD UserAccountControl mapper, which allows integrating the MSAD account state more tightly into the Keycloak state. For example, enabling a user in the Keycloak admin console will remove the ACCOUNTDISABLE flag from the userAccountControl value in MSAD as well and hence enable this user in MSAD too.</span><br
style="font-family:
Georgia;
font-size:
13px;
font-style:
normal;
font-variant:
normal;
font-weight:
normal;
letter-spacing:
normal;
orphans: auto;
text-align:
start;
text-indent:
0px;
text-transform:
none;
white-space:
normal;
widows: auto;
word-spacing:
0px;
-webkit-text-stroke-width:
0px;" class="">
</div>
</blockquote>
<div class=""><br
class="">
</div>
<div class=""><br
class="">
</div>
<div class="">This sounds good; however, unfortunately we do not see this happening. When I disable the user in Keycloak the userAccountControl attribute does not change at all, so the propagation to MSAD does not seem to work here.</div>
<div class=""><br
class="">
</div>
<div class="">We have indeed configured the user federation in Keycloak to WRITABLE LDAP and all other user attributes (like user name, etc.) are propagated from Keycloak to MSAD just fine.</div>
<div class=""><br
class="">
</div>
<div class="">I will create a JIRA issue so that I can send you some more details.</div>
<br class="">
<blockquote
type="cite"
class="">
<div class=""><br
style="font-family:
Georgia;
font-size:
13px;
font-style:
normal;
font-variant:
normal;
font-weight:
normal;
letter-spacing:
normal;
orphans: auto;
text-align:
start;
text-indent:
0px;
text-transform:
none;
white-space:
normal;
widows: auto;
word-spacing:
0px;
-webkit-text-stroke-width:
0px;" class="">
<span
style="font-family:
Georgia;
font-size:
13px;
font-style:
normal;
font-variant:
normal;
font-weight:
normal;
letter-spacing:
normal;
orphans: auto;
text-align:
start;
text-indent:
0px;
text-transform:
none;
white-space:
normal;
widows: auto;
word-spacing:
0px;
-webkit-text-stroke-width:
0px; float:
none; display:
inline
!important;"
class="">However, support for lock/unlock is not included in the mapper. So feel free to create a JIRA.</span><br
style="font-family:
Georgia;
font-size:
13px;
font-style:
normal;
font-variant:
normal;
font-weight:
normal;
letter-spacing:
normal;
orphans: auto;
text-align:
start;
text-indent:
0px;
text-transform:
none;
white-space:
normal;
widows: auto;
word-spacing:
0px;
-webkit-text-stroke-width:
0px;" class="">
<br
style="font-family:
Georgia;
font-size:
13px;
font-style:
normal;
font-variant:
normal;
font-weight:
normal;
letter-spacing:
normal;
orphans: auto;
text-align:
start;
text-indent:
0px;
text-transform:
none;
white-space:
normal;
widows: auto;
word-spacing:
0px;
-webkit-text-stroke-width:
0px;" class="">
</div>
</blockquote>
<div class=""><br
class="">
</div>
<div class="">Ok,
will do.</div>
<div class=""><br
class="">
</div>
<br class="">
<blockquote
type="cite"
class="">
<div class=""><span
style="font-family:
Georgia;
font-size:
13px;
font-style:
normal;
font-variant:
normal;
font-weight:
normal;
letter-spacing:
normal;
orphans: auto;
text-align:
start;
text-indent:
0px;
text-transform:
none;
white-space:
normal;
widows: auto;
word-spacing:
0px;
-webkit-text-stroke-width:
0px; float:
none; display:
inline
!important;"
class="">Until it's implemented, you can possibly use an adminEvent listener (there is an admin event triggered when you click "Unlock user" in the Keycloak UI, so you can listen to this event and propagate the call to MSAD once you successfully enable it).</span><br
style="font-family:
Georgia;
font-size:
13px;
font-style:
normal;
font-variant:
normal;
font-weight:
normal;
letter-spacing:
normal;
orphans: auto;
text-align:
start;
text-indent:
0px;
text-transform:
none;
white-space:
normal;
widows: auto;
word-spacing:
0px;
-webkit-text-stroke-width:
0px;" class="">
<blockquote
type="cite"
style="font-family:
Georgia;
font-size:
13px;
font-style:
normal;
font-variant:
normal;
font-weight:
normal;
letter-spacing:
normal;
orphans: auto;
text-align:
start;
text-indent:
0px;
text-transform:
none;
white-space:
normal;
widows: auto;
word-spacing:
0px;
-webkit-text-stroke-width:
0px;" class="">
- The password history policy does not seem to work at all. Users can currently set their password to a previous password without a problem. Does anyone have an idea why this policy in AD does not work from Keycloak?<br class="">
</blockquote>
<span
style="font-family:
Georgia;
font-size:
13px;
font-style:
normal;
font-variant:
normal;
font-weight:
normal;
letter-spacing:
normal;
orphans: auto;
text-align:
start;
text-indent:
0px;
text-transform:
none;
white-space:
normal;
widows: auto;
word-spacing:
0px;
-webkit-text-stroke-width:
0px; float:
none; display:
inline
!important;"
class="">No idea. Keycloak is just using the Directory API for changing the password. It's strange that MSAD allows changing the password through this API when it breaks the password history policy. Are you sure you have WRITABLE LDAP and that the password update from Keycloak is propagated to MSAD?</span><br
style="font-family:
Georgia;
font-size:
13px;
font-style:
normal;
font-variant:
normal;
font-weight:
normal;
letter-spacing:
normal;
orphans: auto;
text-align:
start;
text-indent:
0px;
text-transform:
none;
white-space:
normal;
widows: auto;
word-spacing:
0px;
-webkit-text-stroke-width:
0px;" class="">
</div>
</blockquote>
<div class=""><br
class="">
</div>
<div class="">Yes, we have writable LDAP configured and indeed the password is propagated to MSAD. Maybe it is related to the issue we see with the userAccountControl attribute.</div>
<div class=""><br
class="">
</div>
<div class="">cheers</div>
<div class=""><br
class="">
</div>
<div class="">Edgar</div>
<br class="">
<blockquote
type="cite"
class="">
<div class=""><br
style="font-family:
Georgia;
font-size:
13px;
font-style:
normal;
font-variant:
normal;
font-weight:
normal;
letter-spacing:
normal;
orphans: auto;
text-align:
start;
text-indent:
0px;
text-transform:
none;
white-space:
normal;
widows: auto;
word-spacing:
0px;
-webkit-text-stroke-width:
0px;" class="">
<span
style="font-family:
Georgia;
font-size:
13px;
font-style:
normal;
font-variant:
normal;
font-weight:
normal;
letter-spacing:
normal;
orphans: auto;
text-align:
start;
text-indent:
0px;
text-transform:
none;
white-space:
normal;
widows: auto;
word-spacing:
0px;
-webkit-text-stroke-width:
0px; float:
none; display:
inline
!important;"
class="">Marek</span><br
style="font-family:
Georgia;
font-size:
13px;
font-style:
normal;
font-variant:
normal;
font-weight:
normal;
letter-spacing:
normal;
orphans: auto;
text-align:
start;
text-indent:
0px;
text-transform:
none;
white-space:
normal;
widows: auto;
word-spacing:
0px;
-webkit-text-stroke-width:
0px;" class="">
<blockquote
type="cite"
style="font-family:
Georgia;
font-size:
13px;
font-style:
normal;
font-variant:
normal;
font-weight:
normal;
letter-spacing:
normal;
orphans: auto;
text-align:
start;
text-indent:
0px;
text-transform:
none;
white-space:
normal;
widows: auto;
word-spacing:
0px;
-webkit-text-stroke-width:
0px;" class="">
<br class="">
cheers<br
class="">
<br class="">
Edgar<br
class="">
<br class="">
<br class="">
_______________________________________________<br class="">
keycloak-dev
mailing list<br
class="">
<a moz-do-not-send="true" href="mailto:keycloak-dev@lists.jboss.org" class="">keycloak-dev@lists.jboss.org</a><br class="">
<a moz-do-not-send="true" href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" class="">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></blockquote>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</blockquote>
<br class="">
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<br class="">
</blockquote>
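<div class="">The KB article quoted in the thread describes two shapes of the unicodePwd modification (delete + add for a self-service change, which is the only form AD's password history policy is evaluated on, versus a single replace for an administrative reset), and the earlier part of the thread describes userAccountControl toggling between 512 and 514 as the ACCOUNTDISABLE flag is set and cleared. The following Python is an added example, not Keycloak's own code and not part of the original thread: it builds both shapes of the password modification with the quoted UTF-16LE value encoding that AD requires, and sets or clears the ACCOUNTDISABLE bit while preserving any other flag bits. The function names, the (operation, attribute, values) tuple layout of the modification list and the sample passwords are constructed for illustration.</div>

```python
# Added example (not Keycloak code): how an LDAP client must shape the
# unicodePwd modification so that AD applies its password-history policy.
# Per Microsoft KB 269190 (quoted in the thread):
#   - user changing own password  -> delete(old) + add(new) in ONE modify request
#   - administrator reset         -> single replace(new); history is not checked
# The value encoding (password wrapped in double quotes, UTF-16LE) is the
# documented AD requirement for unicodePwd.

ACCOUNTDISABLE = 0x0002   # userAccountControl bit that turns 512 into 514
NORMAL_ACCOUNT = 0x0200   # 512: a plain, enabled user account


def encode_unicode_pwd(password: str) -> bytes:
    """AD expects unicodePwd as the password surrounded by double quotes, in UTF-16LE."""
    return ('"' + password + '"').encode("utf-16-le")


def build_password_modify(new_password: str, old_password: str = None) -> list:
    """Return the modification list for a single LDAP modify request.

    Each item is (operation, attribute, values); the tuple layout is this
    example's own convention, not a library API.  When old_password is given
    this is a self-service change (delete + add, in that order, in one
    request); otherwise it is an administrative reset (replace).  AD only
    enforces the password history policy for the delete + add form.
    """
    if old_password is not None:
        return [
            ("delete", "unicodePwd", [encode_unicode_pwd(old_password)]),
            ("add", "unicodePwd", [encode_unicode_pwd(new_password)]),
        ]
    return [("replace", "unicodePwd", [encode_unicode_pwd(new_password)])]


def set_account_disabled(user_account_control: int, disabled: bool) -> int:
    """Set or clear ACCOUNTDISABLE without touching the other flag bits.

    Writing a literal 512 or 514 would silently drop flags such as
    DONT_EXPIRE_PASSWORD; masking the single bit keeps them intact.
    """
    if disabled:
        return user_account_control | ACCOUNTDISABLE
    return user_account_control & ~ACCOUNTDISABLE


if __name__ == "__main__":
    # Constructed sample values, not taken from any real directory.
    for mod in build_password_modify("N3w-Passw0rd!", old_password="Old-Passw0rd!"):
        print(mod)
    print(build_password_modify("N3w-Passw0rd!"))
    print(set_account_disabled(NORMAL_ACCOUNT, True))   # 514
    print(set_account_disabled(514, False))             # 512
```

<div class="">Two practical notes: AD refuses unicodePwd modifications over an unprotected connection, so the request has to go over LDAPS or a connection upgraded with StartTLS; and with a library such as ldap3 the delete + add pair is passed as one modify call, as a single changes entry for unicodePwd containing both operations, rather than as two separate modify requests (which would not be treated as a user password change).</div>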
<br>
</body>
</html>