[keycloak-user] another small enhancement request for MSAD password mapper

mj lists at merit.unu.edu
Thu Feb 2 09:03:40 EST 2017


Hi Marek, list,

On 01/27/2017 12:52 PM, Marek Posolda wrote:
> Actually we don't test and officially support Samba AD, just the MSAD.
> We may add that in the future though as there are more people asking for
> that, but each LDAP vendor adds some overhead for testing etc...

An update on the above:
We are now collecting quotations on making samba's output compatible
with MSAD in the case of "NT_STATUS_PWD_MUST_CHANGE". So with a bit of
luck, future samba will behave just like MSAD in that case.

There is another question that we have: Is keycloak supposed to import 
the pwdLastSet field for a user, in the case of an MSAD backend?

If keycloak imports that field, it would be able to enforce keycloak's own
password max age policy also on MSAD federated accounts.

Password age adherence is such a vital bit of functionality, to make
keycloak a viable competitor of Microsoft's own AD federation services.

MJ

