[keycloak-user] another small enhancement request for MSAD password mapper
Marek Posolda
mposolda at redhat.com
Fri Jan 27 06:52:05 EST 2017
On 27/01/17 11:21, mj wrote:
>
> On 01/27/2017 10:58 AM, mj wrote:
>> However, if keycloak would rely only on the Errorcode 49, password would
>> work with _both_ samba and MSAD.
>>
>> Would it be possible to change keycloak like that?
> Ah no. It seems that 49 is actually a whole range of logon failures,
> including
>
> - expired
> - disabled
> - user not found
>
> Hmm. :-(
Yes, exactly. That's not sufficient...

Actually, we don't test or officially support Samba AD, just MSAD. We may add that in the future, though, as more people are asking for it, but each LDAP vendor adds some overhead for testing etc.

So for now, you would need to add your own implementation of an LDAP mapper. I guess it can be a subclass of MSADUserAccountControlStorageMapper with some overridden methods (like onAuthenticationFailure with the specific logic for parsing the Samba AD error, which is different from MSAD's, plus maybe some more).

You can send a PR to contribute the mapper for Samba AD if you manage to get it working. Ideally also with the writable scenarios like passwordUpdate, disabling a user in KC disabling him in AD, etc.
Marek
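The parsing step an onAuthenticationFailure override has to do, as an added Python example that is neither Keycloak's code nor code from this thread: the "data" sub-codes are Microsoft's documented values behind LDAP result 49 (which is why 49 alone cannot tell expired, disabled and unknown-user apart), the message layout is MSAD's, and the Samba AD format, which the thread says differs, is not given here, so it falls through to UNKNOWN. The mapper_decision policy is an assumed illustration, not Keycloak's logic.

```python
import re
from enum import Enum

class BindFailure(Enum):
    """Why a bind came back with LDAP result 49; values are MSAD 'data' sub-codes."""
    INVALID_CREDENTIALS = "52e"
    USER_NOT_FOUND = "525"
    PASSWORD_EXPIRED = "532"
    ACCOUNT_DISABLED = "533"
    ACCOUNT_EXPIRED = "701"
    PASSWORD_RESET_REQUIRED = "773"
    ACCOUNT_LOCKED = "775"
    UNKNOWN = "unknown"

# MSAD puts the sub-code in the bind diagnostic message after "data".
_MSAD_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")

# Constructed sample of such a diagnostic (the DSID value is illustrative).
SAMPLE_DISABLED = ("80090308: LdapErr: DSID-0C0903A9, comment: "
                   "AcceptSecurityContext error, data 533, v1db1")

def classify_bind_failure(result_code: int, diagnostic: str) -> BindFailure:
    """Map an LDAP bind failure to an account state.

    Result 49 alone only says "logon failed": expired, disabled, unknown
    user and wrong password all share it. The 'data' sub-code says why.
    Anything unrecognised, including a differently formatted Samba AD
    message, is UNKNOWN so the caller treats it as a plain failed login.
    """
    if result_code != 49:
        return BindFailure.UNKNOWN
    m = _MSAD_DATA_RE.search(diagnostic)
    if not m:
        return BindFailure.UNKNOWN
    try:
        return BindFailure(m.group(1).lower())
    except ValueError:
        return BindFailure.UNKNOWN

def mapper_decision(failure: BindFailure, writable: bool) -> str:
    """What an onAuthenticationFailure override could decide (illustration,
    not Keycloak's own logic): only an expired / must-change password may
    proceed, and only when the mapper can write the new password back."""
    if writable and failure in (BindFailure.PASSWORD_EXPIRED,
                                BindFailure.PASSWORD_RESET_REQUIRED):
        return "allow-login-require-password-update"
    if failure is BindFailure.ACCOUNT_DISABLED:
        return "deny-and-sync-disabled-flag"
    return "deny"
```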