[keycloak-user] Keycloak LDAP federation (FreeIPA) and expired passwords

Marek Posolda mposolda at redhat.com
Tue May 22 03:13:29 EDT 2018


KEYCLOAK-4052 is already implemented. This is useful mainly for LDAP 
servers which themselves don't provide the feature of password 
expiration. That way, the password expiration is handled only by Keycloak.

The thing is, that FreeIPA itself has support for password expiration. 
If you combine both Keycloak password policies and FreeIPA password 
policies, you need to make sure that:
- After the password is updated in Keycloak, the password-update time is 
correctly updated in FreeIPA as well
- After the password is updated in FreeIPA, the password-update time is 
correctly updated in Keycloak as well

I don't think that Keycloak itself has the ability to provide this OOTB. So 
I would suggest relying either on Keycloak password policies (and then 
disabling FreeIPA password policies if possible) or on FreeIPA password 
policies (but this likely doesn't work in Keycloak OOTB). In short, 
you will likely need to do some customization if you want to rely on 
FreeIPA password policies. We didn't try to test anything like this yet.

Marek

On 17/05/18 16:09, Ryan King wrote:
> Hello,
>
> We're trying to use Keycloak as the main portal for users (to access
> services + manage their accounts) - but I've been struggling to come up
> with the best solution for handling expired passwords (for federated users
> - FreeIPA LDAP).  We are using Keycloak (3.4.3).
>
> As far as I am aware, expired passwords are currently only handled
> correctly with Active Directory (using the msad-user-account-control
> mapper).  It looks like someone was interested in implementing for other
> LDAP providers, but didn't:
>
> https://issues.jboss.org/browse/KEYCLOAK-4052
>
> I've also tried configuring keycloak to use Kerberos password
> authentication (LDAP + Kerberos integration..) - but that still didn't seem
> to detect the expired password (even though from a console, kinit prompts
> the user to change their password).
>
> So, currently I have put in a workaround by:
>
> 1. Under the realm Authentication - Required Actions - set "Update
> Password" to default (so "new" users - ie: those who are given a temp
> password - are prompted to set a new password... keycloak has been given
> access to set non-expired passwords on our FreeIPA servers)
>
> 2. Set a password policy on the realm - 90 days expiry (matches that of the
> FreeIPA password policy).
>
> Some issues with this are - if the user sets their password via FreeIPA
> directly (kpasswd, ldap, etc) - then keycloak won't know about the new
> expiry - hence, the user may have to set their password again on Keycloak
> sooner than they would expect.
>
> So, my questions are:
>
> 1. Is there a better way to handle this?  We'd just like to avoid sending
> our users around to different places (ie: to the freeIPA UI) to work around
> an expired password & we'd like to make sure it's clear _when_ their
> password has expired... to the best of our ability.
>
> 2. I'm also not 100% certain if this Keycloak password policy is actually
> implemented on federated ldap users?  Does anyone know?  I came across a
> few issues that discussed implementing it - but so far haven't come up with
> anything conclusive (I'm setting the password expiry to 1 day now to test
> it out).  I checked a dump of the database, and could not see anything that
> looked like a timestamp or anything (to indicate a 90 day expiry) for a
> user who just changed their password in Keycloak... so, I'm not sure how
> that's tracked?  (if I could find it in the DB, I was thinking of another
> dirty hack to sync the password expiry from freeipa -> keycloak via a hook
> if someone does update their account in freeipa).
>
> Thanks,
>
> Ryan
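As an added example (not code from this thread, nor from Keycloak or FreeIPA), here is the kind of drift check Marek's two bullet points call for, which also answers the tracking question in Ryan's point 2: it compares FreeIPA's krbLastPwdChange / krbPasswordExpiration attributes on the user entry against the creation time Keycloak keeps for the password credential and reports which side is stale and who will be prompted first. The Keycloak storage detail (CREDENTIAL.CREATED_DATE as epoch milliseconds) is an assumption, and all user entries are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

POLICY_DAYS = 90                      # realm password policy from the thread
TOLERANCE = timedelta(minutes=5)      # clock skew / sync lag to ignore

def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime such as 20180517140900Z into aware UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def from_epoch_ms(ms):
    """Keycloak CREDENTIAL.CREATED_DATE is assumed to be epoch milliseconds."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)

def check_user(ipa_entry, keycloak_created_ms, now):
    """Compare both password-change records and say which side is stale."""
    ipa_changed = parse_generalized_time(ipa_entry["krbLastPwdChange"])
    ipa_expiry = parse_generalized_time(ipa_entry["krbPasswordExpiration"])
    kc_changed = from_epoch_ms(keycloak_created_ms)
    kc_expiry = kc_changed + timedelta(days=POLICY_DAYS)
    if abs(ipa_changed - kc_changed) <= TOLERANCE:
        status = "in_sync"
    elif ipa_changed > kc_changed:
        status = "keycloak_stale"   # changed via kpasswd/LDAP; Keycloak prompts early
    else:
        status = "ipa_stale"        # changed via Keycloak but IPA did not record it
    return {
        "status": status,
        "keycloak_expiry": kc_expiry,
        "ipa_expiry": ipa_expiry,
        "drift_days": abs(ipa_expiry - kc_expiry).days,
        "expired_in_keycloak": now >= kc_expiry,
        "expired_in_ipa": now >= ipa_expiry,
    }

# Constructed sample data (not from the thread): what an LDAP search on the
# FreeIPA user entries and a query of Keycloak's CREDENTIAL table would return.
IPA_ENTRIES = {
    "alice": {"krbLastPwdChange": "20180517140900Z", "krbPasswordExpiration": "20180815140900Z"},
    "bob":   {"krbLastPwdChange": "20180601090000Z", "krbPasswordExpiration": "20180830090000Z"},
    "carol": {"krbLastPwdChange": "20180110120000Z", "krbPasswordExpiration": "20180410120000Z"},
}
KEYCLOAK_CREATED_MS = {
    "alice": 1526565900000,   # 2018-05-17T14:05:00Z, same change as IPA's record
    "bob":   1519894800000,   # 2018-03-01T09:00:00Z, bob later ran kpasswd
    "carol": 1526774400000,   # 2018-05-20T00:00:00Z, IPA never recorded this change
}

def audit(now=datetime(2018, 6, 5, tzinfo=timezone.utc)):
    """Run the check for every sampled user; 'now' is fixed for reproducibility."""
    return {u: check_user(IPA_ENTRIES[u], KEYCLOAK_CREATED_MS[u], now) for u in IPA_ENTRIES}
```

A user reported as keycloak_stale is exactly Ryan's case: Keycloak's copy of the change time is older than FreeIPA's, so Keycloak will force a password update before FreeIPA would.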
