[keycloak-user] another small enhancement request for MSAD password mapper

mj lists at merit.unu.edu
Fri Jan 27 15:15:03 EST 2017


Hi Marek, list,

> Actually we don't test and officially support Samba AD, just the MSAD.
Yeah I know. And (usually, so far) everything that works with MSAD works 
also with samba4, this is actually the first time we are running into a 
compatibility issue like this.

> You can send PR to contribute the mapper for Samba AD if you manage to
> have it working. Ideally also with the writable scenarios like
> passwordUpdate, disable user in KC will disable him in AD etc.
All those things should normally work exactly as they do with MSAD.

Andrew Bartlett (core samba dev) pointed me to the following file:
https://github.com/keycloak/keycloak/blob/b2d1a1a17fc8f665f4ba83d62e3c22d4dfa0048a/federation/ldap/src/main/java/org/keycloak/storage/ldap/mappers/msad/MSADUserAccountControlStorageMapper.java
written by you.

I was thinking (being no programmer at all!!!) that I could simply edit 
a line slightly, to watch for "NT_STATUS_PWD_MUST_CHANGE" instead of the 
MSAD output.

That would give me a MSADUserAccountControlStorageMapper 'version' 
targeted for samba4, as for the rest no changes should be required at all.

However...in my keycloak install, I cannot find the file 
MSADUserAccountControlStorageMapper.java, so I guess that bright idea is 
also not an option.

It seems such a waste of energy to create a complete subclass of 
MSADUserAccountControlStorageMapper, given that the only difference is 
to look for "NT_STATUS_PWD_MUST_CHANGE"....

Any place I could edit, to change that in an installed keycloak?

MJ

