[keycloak-user] krbLastPwdChange - can we use this attribute

Callum Smith callum at well.ox.ac.uk
Thu Nov 29 07:57:24 EST 2018 

Dear Dmitry,

Using the same method might it be possible to integrate the FreeIPA record of a user's OTP setup and sync that into Keycloak as well? Whilst it's possible to integrate OTP using LDAP or SSSD, neither of these are ideal, as the workflow is wrong to allow federated identity:

If a user authenticates via external provider, OTP challenge should still be required. If the OTP is configured in Keycloak, this is done as a second authentication step which is perfect. If you are using LDAP/SSSD to do your OTP integration, the login step is bypassed with a federated account, and therefore the OTP step-up authentication is not performed.

Additionally, it would be nice to expose as a SAML attribute whether the authentication was done with 2FA or not, which again is not possible unless Keycloak is the one handling the 2FA.

So, in conclusion, could i sync OTP token data via the same LDAP connector or should I be looking to sync these externally? Another issue that I foresee - if the user is required to use OTP by the identity provider, then they are likely to need to enter the OTP at both the login AND the OTP step in Keycloak if this sync goes ahead, unless they use a federated identity. Which means that OTP has to be optional for the service by which Keycloak connects to IPA (LDAP) - even for users who we force OTP use.

Regards,
Callum

--

Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. callum at well.ox.ac.uk<mailto:callum at well.ox.ac.uk>

On 19 Nov 2018, at 19:30, Dmitry Telegin <dt at acutus.pro<mailto:dt at acutus.pro>> wrote:

Hello Callum,

If you want a 100% pure Keycloak solution, you can implement your own mapper by extending this one:
https://github.com/keycloak/keycloak/blob/master/federation/ldap/src/main/java/org/keycloak/storage/ldap/mappers/msad/MSADUserAccountControlStorageMapper.java

and modifying it so that it uses krbLastPwdChange instead of pwdLastSet (LDAPConstants.PWD_LAST_SET).

Then deploy it as a provider and use on your LDAP definition instead of the built-in "msad-user-account-control-mapper".

Feel free to ask questions on provider development. Good luck,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71<tel:(022)%20888-30-71>
E-mail: info at acutus.pro<mailto:info at acutus.pro>

On Fri, 2018-11-16 at 16:27 +0000, Callum Smith wrote:
Dear All,

I've implemented this as a python script for now, hopefully this is useful to some, and hopefully something similar could be implemented for LDAP (although I imagine politically since SSSD cannot provide this data, and that's the preferred connection route for FreeIPA, it's not going to happen soon).

requirements: ldap3, python-keycloak


import python_freeipa
import json
import ldap3
from keycloak import KeycloakAdmin
from datetime import datetime

options['ipa_host']              = ''
options['ipa_admin_user']        = ''
options['ipa_base_dn']           = ''
options['ipa_admin_dn']          = ','+options['ipa_base_dn']
options['keycloak_host']         = ''
options['keycloak_admin_user']   = ''
options['keycloak_storage_id']   = ''

# Begin Keycloak Clietn
keycloakClient = KeycloakAdmin(server_url='https://'+options['keycloak_host']+'/auth/', username=options['keycloak_admin_user'], password=keycloakAdminPassword, realm_name='master<https://'+options['keycloak_host']+'/auth/',%20username=options['keycloak_admin_user'],%20password=keycloakAdminPassword,%20realm_name='master><https://'+options['keycloak_host']+'/auth/',%20username=options['keycloak_admin_user'],%20password=keycloakAdminPassword,%20realm_name='master<https://'+options['keycloak_host']+'/auth/',%20username=options['keycloak_admin_user'],%20password=keycloakAdminPassword,%20realm_name='master>>', verify=False)

# Begin LDAP client
ldapServer = ldap3.Server(options['ipa_host'])
ldapClient = ldap3.Connection(ldapServer, user=options['ipa_admin_dn'], password=ipaAdminPassword, auto_bind=True)

# Generate datestamp
date = datetime.utcnow().strftime('%Y%m%d%H%M%S')+'Z'

# Perform an LDAP sync for Keycloak
keycloakClient.sync_users(storage_id=options['keycloak_storage_id'], action="triggerFullSync")

# Search LDAP for expired passwords
ldapClient.search('cn=users,cn=accounts,'+options['ipa_base_dn'], '(|(krbPasswordExpiration<='+date+')(!(krbPasswordExpiration=*)))', attributes=['uid','cn','krbLastPwdChange','krbPasswordExpiration','dn'])
resetPasswordUsers = ldapClient.entries

for user in resetPasswordUsers:
  user_id = keycloakClient.get_user_id(user.uid)
  keycloakClient.update_user(user_id=user_id, payload={"requiredActions":['UPDATE_PASSWORD']})


# Search LDAP for valid passwords
ldapClient.search('cn=users,cn=accounts,'+options['ipa_base_dn'], '(krbPasswordExpiration>='+date+')', attributes=['uid','cn','krbLastPwdChange','krbPasswordExpiration','dn'])
validPasswordUsers = ldapClient.entries

for user in validPasswordUsers:
  user_id = keycloakClient.get_user_id(user.uid)
  keycloakClient.update_user(user_id=user_id, payload={"requiredActions":[]})




I've chopped some domain specific stuff from this so it might not be flawless, but hopefully a start for someone. Also no error checking involved here.

Regards,
Callum

--

Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. callum at well.ox.ac.uk<mailto:callum at well.ox.ac.uk><mailto:callum at well.ox.ac.uk>

On 16 Nov 2018, at 09:16, Callum Smith <callum at well.ox.ac.uk<mailto:callum at well.ox.ac.uk><mailto:callum at well.ox.ac.uk>> wrote:

Dear Keycloakers,

I was wondering, if Keycloak can accept the pwdLastSet from MSAD, why can it not use krbLastPwdChange from FreeIPA to allow for better integration of password resets? Surely this is possible and potentially even trivial to implement?

Regards,
Callum

--

Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. callum at well.ox.ac.uk<mailto:callum at well.ox.ac.uk><mailto:callum at well.ox.ac.uk><mailto:callum at well.ox.ac.uk>

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org><mailto:keycloak-user at lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user

More information about the keycloak-user mailing list