[keycloak-user] active directory | end user password change

Marek Posolda mposolda at redhat.com
Tue Jan 10 07:38:20 EST 2017


We don't support or test with Samba AD. You can try to enable TRACE or 
DEBUG logging for "org.keycloak.storage.ldap" and see the server.log for 
more details.

However, it seems that MSADUserAccountControlStorageMapper just doesn't 
work OOTB with the Samba AD. You may need to implement your own mapper 
with some changes (for example, we recently had a contribution from the 
community for the MSAD LDS mapper).

Marek

On 10/01/17 13:02, lists wrote:
> Hi,
>
> Keycloak 2.5.0, added MSAD (samba4) as a writeable federation provider,
> verified that the MSAD account controls mapper is added.
>
> When an end-user logs into the keycloak account client
> (/auth/realms/ourrealm/account) he/she has the option to change his/her
> password.
>
> However, keycloak says:
>
>> Could not modify attribute for DN [CN=ted t. test,CN=Users,DC=samba,DC=company,DC=com]
> Note: I used "ABC-def123_*%#" as a password, so I guess MSAD password
> policies are not the problem here.
>
> Additionally, I was under the impression that I should be able to logon
> when in MSAD the "user is required to change password on next login",
> and keycloak would require me to change it. However, in that case I'm
> just getting an "Invalid username or password".
>
> I asked about these things before, but was told to test the new 2.5.0,
> because the problem could have been solved already. However, I'm trying
> with 2.5.0, and the behaviour is still there.
>
> Is this functionality working for others using MSAD here? (perhaps
> others with samba4 AD?)
>
> Best regards,
> MJ
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
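The reply above suggests raising the "org.keycloak.storage.ldap" category to TRACE and reading server.log. The script below is an added example (not part of the thread and not Keycloak project code) showing how a practitioner would do that on the WildFly-based Keycloak distribution and then pull the LDAP trace leading up to a "Could not modify attribute" failure out of the log. Assumptions: JBOSS_HOME points at the Keycloak installation (a hypothetical path), the default FILE handler has no level cap so TRACE lines reach standalone/log/server.log, and the server.log excerpt it filters is constructed for illustration; only the error message and the DN are taken from the original post, the surrounding TRACE/DEBUG lines are not real Keycloak output.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the Keycloak project.
# 1) emit/apply a jboss-cli script that sets org.keycloak.storage.ldap to TRACE
# 2) extract the LDAP lines preceding each failed password modify from server.log

LDAP_LOGGER='org.keycloak.storage.ldap'   # category named in the reply

# WildFly CLI script: create the logger at TRACE, or lower it if it exists.
# Standard jboss-cli syntax (if/else/end-if), nothing Keycloak-specific.
ldap_trace_cli_script() {
    cat <<EOF
if (outcome != success) of /subsystem=logging/logger=$LDAP_LOGGER:read-resource
    /subsystem=logging/logger=$LDAP_LOGGER:add(level=TRACE)
else
    /subsystem=logging/logger=$LDAP_LOGGER:write-attribute(name=level,value=TRACE)
end-if
EOF
}

# Apply it to a running server. JBOSS_HOME is an assumed, hypothetical path.
enable_ldap_trace() {
    script=$(mktemp)
    ldap_trace_cli_script > "$script"
    "${JBOSS_HOME:?set JBOSS_HOME to the Keycloak install dir}/bin/jboss-cli.sh" \
        --connect --file="$script"
    rm -f "$script"
}

# Number of "Could not modify attribute" failures in a server.log ($1).
count_ldap_modify_failures() {
    grep -c 'Could not modify attribute' "$1" || true
}

# Print each failure together with the preceding lines from the LDAP
# package (up to $2 of them, default 5), so the last LDAP operation that
# ran before the failure is visible. Non-LDAP lines are dropped.
ldap_modify_failures() {
    awk -v keep="${2:-5}" -v pkg="$LDAP_LOGGER" '
        index($0, pkg) && !/Could not modify attribute/ {
            if (n == keep) { for (i = 1; i < n; i++) buf[i] = buf[i+1]; n-- }
            buf[++n] = $0              # sliding window of recent LDAP lines
            next
        }
        /Could not modify attribute/ {
            found++
            print "---- failure " found " ----"
            for (i = 1; i <= n; i++) print buf[i]
            print $0
            n = 0                      # start a fresh window after each failure
        }
    ' "$1"
}

# Constructed server.log excerpt (illustrative, not captured from Keycloak);
# only the error text and DN come from the original post.
sample_server_log() {
    cat <<'EOF'
2017-01-10 12:58:01,090 DEBUG [org.keycloak.storage.ldap.LDAPStorageProvider] (default task-1) constructed: looking up LDAP user for username ted
2017-01-10 12:58:01,095 DEBUG [org.keycloak.events] (default task-1) constructed: type=UPDATE_PASSWORD realmId=ourrealm
2017-01-10 12:58:01,100 TRACE [org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager] (default task-1) constructed: bind as admin DN succeeded
2017-01-10 12:58:01,102 TRACE [org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager] (default task-1) constructed: modify attribute unicodePwd for DN CN=ted t. test,CN=Users,DC=samba,DC=company,DC=com
2017-01-10 12:58:01,150 ERROR [org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager] (default task-1) Could not modify attribute for DN [CN=ted t. test,CN=Users,DC=samba,DC=company,DC=com]
2017-01-10 12:58:02,000 DEBUG [org.keycloak.storage.ldap.LDAPStorageProvider] (default task-2) constructed: unrelated lookup after the failure
EOF
}

# Stand-alone demo: pass --apply to push the logger change to a live server;
# otherwise just show the CLI script and filter the constructed log excerpt.
if [ "${1:-}" = "--apply" ]; then enable_ldap_trace; fi
ldap_trace_cli_script
demo_log=$(mktemp)
sample_server_log > "$demo_log"
ldap_modify_failures "$demo_log" 3
rm -f "$demo_log"
```

Run it as `sh ldap-trace.sh --apply` against a live server, then reproduce the password change and run `ldap_modify_failures standalone/log/server.log` over the real log. The lines immediately before the failure are what to read: for an AD-style directory the password write goes to unicodePwd, which Active Directory (and Samba AD in AD mode) only accepts over a TLS-protected connection, so the connection URL and the bind/modify sequence shown in the trace are the first things to check. The awk filter deliberately keeps only the LDAP package's lines so the window is not filled by unrelated event logging.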
