[keycloak-user] Updating lastLogon in LDAP/AD from Keycloak when user is authenticated

Marek Posolda mposolda at redhat.com
Fri Sep 30 05:20:23 EDT 2016


No, it's not supported OOTB. Also lastLogon is the Active Directory 
system attribute, so it can't be changed programmatically from Java (for 
example by adding custom attribute mapper). However what can work for 
you is maybe one of those possibilities:

1) Track lastLogon time in some other attribute either in Keycloak DB or 
in MSAD. You can create an EventListener, which will listen for LOGIN 
events and then update the attribute on user based on that. If you want 
to map that attribute to LDAP, you will also need LDAP 
UserAttributeMapper to map the attribute from keycloak user model into 
particular LDAP attribute. But maybe this means that you will also need 
to add custom LDAP attribute to your LDAP schema... Also note that 
always updating user attribute has performance implications (user is 
always removed from cache etc).

2) I've just played a bit and found that lastLogon attribute is 
automatically updated by MSAD, but just in case that there was 
unsuccessful login attempt of the particular user. This looks strange, 
but seems to work this way. At least in MSAD 2012 :-) So what you can do 
is an Authenticator implementation, which will first call LDAP 
authentication with some bad credentials before trying to login user 
with "real" credentials from login form. Bad thing is that "badPwdCount" 
MSAD attribute will contain more false login attempts than there really 
were, which may have consequences if you rely on MSAD password policies...

3) Check MSAD system logs, which seem to provide more proper tracking 
of last login than the lastLogon attribute. According to 
http://stackoverflow.com/questions/18598287/updating-lastlogontimestamp-using-java-code 
there is a way to do it.

None of the possibilities is probably ideal, but hope at least one of 
them can be useful for you.

Marek
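Possibility 1 above, as an added example that is not part of this thread and not code from the Keycloak project. It is an EventListenerProvider plus its factory: on every successful LOGIN event it writes the login time into a custom user attribute, and it only rewrites the attribute when the stored value is older than a chosen interval, to limit the cache evictions Marek mentions. The package name `example.keycloak`, the attribute name `portalLastLogin`, the provider id `last-login-recorder` and the 15-minute interval are assumptions; the `getUserById(userId, realm)` argument order is the 2016-era Keycloak API (later versions take the realm first).

```java
package example.keycloak; // hypothetical package; use your own

import java.time.Duration;
import java.time.Instant;
import java.time.format.DateTimeParseException;

import org.keycloak.Config;
import org.keycloak.events.Event;
import org.keycloak.events.EventListenerProvider;
import org.keycloak.events.EventListenerProviderFactory;
import org.keycloak.events.EventType;
import org.keycloak.events.admin.AdminEvent;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

/**
 * Registers the listener. List this class in
 * META-INF/services/org.keycloak.events.EventListenerProviderFactory inside the
 * provider JAR, then enable "last-login-recorder" under Realm Settings -> Events
 * -> Event Listeners.
 */
public class LastLoginEventListenerFactory implements EventListenerProviderFactory {

    @Override
    public EventListenerProvider create(KeycloakSession session) {
        return new LastLoginEventListener(session);
    }

    @Override public void init(Config.Scope config) { }
    @Override public void postInit(KeycloakSessionFactory factory) { }
    @Override public void close() { }

    @Override
    public String getId() {
        return "last-login-recorder"; // hypothetical provider id
    }
}

/**
 * Stores the time of each successful LOGIN in a custom user attribute. To get it
 * into AD, add a user-attribute-ldap-mapper on the LDAP federation provider that
 * maps ATTRIBUTE to a writable LDAP attribute (lastLogon itself is system-owned).
 */
class LastLoginEventListener implements EventListenerProvider {

    /** Custom attribute name (assumption, not a Keycloak built-in). */
    static final String ATTRIBUTE = "portalLastLogin";

    /** Each attribute write evicts the user from the cache, so throttle rewrites. */
    static final Duration MIN_INTERVAL = Duration.ofMinutes(15);

    private final KeycloakSession session;

    LastLoginEventListener(KeycloakSession session) {
        this.session = session;
    }

    @Override
    public void onEvent(Event event) {
        // Only successful user logins; LOGIN_ERROR, REFRESH_TOKEN etc. are ignored.
        if (event.getType() != EventType.LOGIN || event.getUserId() == null) {
            return;
        }
        RealmModel realm = session.realms().getRealm(event.getRealmId());
        if (realm == null) {
            return;
        }
        // Keycloak 2.x argument order; Keycloak 13+ uses getUserById(realm, id).
        UserModel user = session.users().getUserById(event.getUserId(), realm);
        if (user == null) {
            return;
        }
        Instant loginTime = Instant.ofEpochMilli(event.getTime());
        if (shouldUpdate(user.getFirstAttribute(ATTRIBUTE), loginTime)) {
            // ISO-8601 UTC, e.g. 2016-09-30T09:20:23Z; the LDAP mapper copies the
            // string verbatim into the mapped LDAP attribute.
            user.setSingleAttribute(ATTRIBUTE, loginTime.toString());
        }
    }

    /** True when nothing is stored, the stored value is unparsable, or it is older than MIN_INTERVAL. */
    static boolean shouldUpdate(String stored, Instant loginTime) {
        if (stored == null || stored.isEmpty()) {
            return true;
        }
        try {
            Instant previous = Instant.parse(stored);
            return Duration.between(previous, loginTime).compareTo(MIN_INTERVAL) >= 0;
        } catch (DateTimeParseException e) {
            return true; // overwrite a garbled value instead of keeping it forever
        }
    }

    @Override
    public void onEvent(AdminEvent event, boolean includeRepresentation) {
        // Admin REST operations are not user logins; nothing to record.
    }

    @Override
    public void close() { }
}
```

For the attribute to reach AD, the LDAP federation provider has to be in WRITABLE edit mode and the Keycloak bind account needs write permission on the mapped attribute in AD; with the mapper absent, the value only lives in the Keycloak database and is lost on the redeploy-and-resync cycle described below. The throttle in shouldUpdate is the practical answer to the cache caveat: a user who logs in every few minutes is written back once per interval rather than on every login.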

On 30/09/16 09:04, Stian Thorgersen wrote:
> Marek - this isn't supported at the moment right?
>
> On 19 September 2016 at 15:25, Edgar Vonk - Info.nl <Edgar at info.nl 
> <mailto:Edgar at info.nl>> wrote:
>
>     Hi,
>
>     We would like to have Keycloak update the lastLogon user attribute
>     in our Active Directory server whenever a user logs in to our
>     customer portal.
>
>     Is it possible to do this from Keycloak?
>
>     The portal is secured using Keycloak so behind the scenes the
>     Keycloak bind user is the one that authenticates the user in AD.
>
>     The only thing we have now is the user session information in
>     Keycloak but that is not of much value to us because:
>     - in our situation AD is leading for all user data
>     - whenever we redeploy Keycloak (quite often) we empty out the
>     Keycloak database and start new by syncing users from AD
>     - if I am not mistaken currently user session data is not stored
>     in the Keycloak database anyway?
>
>     cheers
>
>     Edgar
>     _______________________________________________
>     keycloak-user mailing list
>     keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
>     https://lists.jboss.org/mailman/listinfo/keycloak-user
>     <https://lists.jboss.org/mailman/listinfo/keycloak-user>
>
>
