[keycloak-user] krbLastPwdChange - can we use this attribute

Dmitry Telegin dt at acutus.pro
Mon Nov 19 14:30:49 EST 2018


Hello Callum,

If you want a 100% pure Keycloak solution, you can implement your own mapper by extending this one:
https://github.com/keycloak/keycloak/blob/master/federation/ldap/src/main/java/org/keycloak/storage/ldap/mappers/msad/MSADUserAccountControlStorageMapper.java

and modifying it so that it uses krbLastPwdChange instead of pwdLastSet (LDAPConstants.PWD_LAST_SET).

Then deploy it as a provider and use on your LDAP definition instead of the built-in "msad-user-account-control-mapper".

Feel free to ask questions on provider development. Good luck,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro 

On Fri, 2018-11-16 at 16:27 +0000, Callum Smith wrote:
> Dear All,
> 
> I've implemented this as a python script for now, hopefully this is useful to some, and hopefully something similar could be implemented for LDAP (although I imagine politically since SSSD cannot provide this data, and that's the preferred connection route for FreeIPA, it's not going to happen soon).
> 
> requirements: ldap3, python-keycloak
> 
> 
> import ldap3
> from getpass import getpass
> from keycloak import KeycloakAdmin
> from datetime import datetime
> 
> # Connection settings (site-specific values removed from the posted script)
> options = {}
> options['ipa_host']              = ''
> options['ipa_admin_user']        = ''
> options['ipa_base_dn']           = ''
> options['ipa_admin_dn']          = ','+options['ipa_base_dn']
> options['keycloak_host']         = ''
> options['keycloak_admin_user']   = ''
> options['keycloak_storage_id']   = ''
> 
> # Admin passwords (not defined in the original script; prompted for here)
> keycloakAdminPassword = getpass('Keycloak admin password: ')
> ipaAdminPassword = getpass('IPA admin password: ')
> 
> # Begin Keycloak client
> keycloakClient = KeycloakAdmin(server_url='https://'+options['keycloak_host']+'/auth/', username=options['keycloak_admin_user'], password=keycloakAdminPassword, realm_name='master', verify=False)
> 
> # Begin LDAP client
> ldapServer = ldap3.Server(options['ipa_host'])
> ldapClient = ldap3.Connection(ldapServer, user=options['ipa_admin_dn'], password=ipaAdminPassword, auto_bind=True)
> 
> # Generate datestamp in LDAP GeneralizedTime form (YYYYmmddHHMMSSZ)
> date = datetime.utcnow().strftime('%Y%m%d%H%M%S')+'Z'
> 
> # Perform an LDAP sync for Keycloak
> keycloakClient.sync_users(storage_id=options['keycloak_storage_id'], action="triggerFullSync")
> 
> # Search LDAP for expired passwords (or users with no expiry set at all)
> ldapClient.search('cn=users,cn=accounts,'+options['ipa_base_dn'], '(|(krbPasswordExpiration<='+date+')(!(krbPasswordExpiration=*)))', attributes=['uid','cn','krbLastPwdChange','krbPasswordExpiration'])
> resetPasswordUsers = ldapClient.entries
> 
> # Force a password update in Keycloak for every expired user
> for user in resetPasswordUsers:
>   user_id = keycloakClient.get_user_id(str(user.uid))
>   keycloakClient.update_user(user_id=user_id, payload={"requiredActions":['UPDATE_PASSWORD']})
> 
> 
> # Search LDAP for valid passwords
> ldapClient.search('cn=users,cn=accounts,'+options['ipa_base_dn'], '(krbPasswordExpiration>='+date+')', attributes=['uid','cn','krbLastPwdChange','krbPasswordExpiration'])
> validPasswordUsers = ldapClient.entries
> 
> # Clear the required action again for users whose password is still valid
> for user in validPasswordUsers:
>   user_id = keycloakClient.get_user_id(str(user.uid))
>   keycloakClient.update_user(user_id=user_id, payload={"requiredActions":[]})
> 
> I've chopped some domain specific stuff from this so it might not be flawless, but hopefully a start for someone. Also no error checking involved here.
> 
> Regards,
> Callum
> 
> --
> 
> Callum Smith
> Research Computing Core
> Wellcome Trust Centre for Human Genetics
> University of Oxford
> e. callum at well.ox.ac.uk
> 
> > On 16 Nov 2018, at 09:16, Callum Smith <callum at well.ox.ac.uk> wrote:
> 
> Dear Keycloakers,
> 
> I was wondering, if Keycloak can accept the pwdLastSet from MSAD, why can it not use krbLastPwdChange from FreeIPA to allow for better integration of password resets? Surely this is possible and potentially even trivial to implement?
> 
> Regards,
> Callum
> 
> --
> 
> Callum Smith
> Research Computing Core
> Wellcome Trust Centre for Human Genetics
> University of Oxford
> e. callum at well.ox.ac.uk
> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
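The quoted script acts on whatever LDAP returns and, as Callum notes, has no error checking. As an added example (my code, not Callum's script and not part of Keycloak), the expiry decision is pulled out into plain functions with that checking: a missing krbPasswordExpiration is treated as expired, matching the script's "(!(krbPasswordExpiration=*))" branch, and a malformed timestamp is reported rather than acted on. It assumes each entry is already a plain dict keyed by attribute name (e.g. built from an ldap3 entry) rather than an ldap3 Entry object.

```python
from datetime import datetime, timezone


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime 'YYYYmmddHHMMSSZ' (the form FreeIPA
    stores in krbPasswordExpiration) into an aware UTC datetime.
    Returns None for anything that does not parse."""
    try:
        return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    except (TypeError, ValueError):
        return None


def classify_users(entries, now):
    """Split entries into (expired, valid, malformed) lists of uids.

    expired   -> needs the Keycloak UPDATE_PASSWORD required action
    valid     -> required action can be cleared
    malformed -> leave Keycloak untouched and report, rather than guess
    """
    expired, valid, malformed = [], [], []
    for entry in entries:
        uid = entry["uid"]
        raw = entry.get("krbPasswordExpiration")
        if raw is None:
            expired.append(uid)      # no expiry set at all: force a reset
            continue
        expiry = parse_generalized_time(raw)
        if expiry is None:
            malformed.append(uid)    # unparsable value: do not change anything
        elif expiry <= now:
            expired.append(uid)
        else:
            valid.append(uid)
    return expired, valid, malformed


def required_actions_payload(expired):
    """Keycloak update_user payload, as the script sends it."""
    return {"requiredActions": ["UPDATE_PASSWORD"] if expired else []}


# Constructed sample entries (not real FreeIPA data), one per branch above
SAMPLE_ENTRIES = [
    {"uid": "alice", "krbPasswordExpiration": "20180101000000Z"},  # expired
    {"uid": "bob",   "krbPasswordExpiration": "20991231235959Z"},  # valid
    {"uid": "carol"},                                               # no expiry
    {"uid": "dave",  "krbPasswordExpiration": "not-a-timestamp"},  # malformed
]

if __name__ == "__main__":
    now = parse_generalized_time("20181116162700Z")
    print(classify_users(SAMPLE_ENTRIES, now))
```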
