David Guthrie created WFLY-13013:
------------------------------------
Summary: Elytron LDAP can't set-password in Active Directory or react to external changes
Key: WFLY-13013
URL: https://issues.redhat.com/browse/WFLY-13013
Project: WildFly
Issue Type: Feature Request
Components: Security
Affects Versions: 19.0.0.Beta1, 18.0.1.Final
Reporter: David Guthrie
Assignee: Darran Lofthouse
The caching realm seems to work as advertised with OpenLDAP and Red Hat Directory Server
when I add a user-password-mapper after setting:
<user-password-mapper from="userPassword" writable="true" verifiable="true" />
When I change the password in LDAP, the caching realm reacts, and I can login with the new
password. Also when I call `set-password`:
/subsystem=elytron/ldap-realm=ldap-realm:set-password(identity=testUser, clear={password="1A3b6w"})
It changes the password correctly in LDAP.
Neither of these work in Active Directory. Active Directory stores the password by
default in the field "UnicodePwd" rather than "userPassword", so I
tried having them map the user password to that field:
/subsystem=elytron/ldap-realm=ldap-realm:write-attribute(name=identity-mapping.user-password-mapper.from, value=UnicodePwd)
But it can't set the password, because the password code needs to write it with a
different character set when writing to Active Directory. See the difference between the
code in ldap/UserPasswordCredentialLoader.java and the special case for Active
Directory in Keycloak [1].
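To make the encoding difference concrete, here is a small added example (not WildFly/Elytron or Keycloak code) that produces the value each directory expects for the same clear-text password. The function names, the LDIF builder and the DN are hypothetical; the password "1A3b6w" is the one used in the set-password command above. OpenLDAP and RHDS accept the UTF-8 bytes of the clear value in userPassword, whereas Active Directory requires the value in unicodePwd to be wrapped in double quotes and encoded as UTF-16LE without a byte-order mark.

```python
import base64


def encode_user_password(password: str) -> bytes:
    """OpenLDAP / RHDS 'userPassword': the clear value as plain UTF-8 bytes.

    (The server or a mapper may store a {SCHEME}hash instead, but the bytes
    on the wire for a clear-text write are just UTF-8.)
    """
    return password.encode("utf-8")


def encode_unicode_pwd(password: str) -> bytes:
    """Active Directory 'unicodePwd': the value wrapped in double quotes and
    encoded as UTF-16LE with no BOM.

    This quoting/re-encoding step is what a generic userPassword writer
    does not do, so the same bytes AD needs are never produced.
    """
    return f'"{password}"'.encode("utf-16-le")


def decode_unicode_pwd(raw: bytes) -> str:
    """Inverse of encode_unicode_pwd; rejects values that are not quoted."""
    text = raw.decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("unicodePwd value is not a quoted UTF-16LE string")
    return text[1:-1]


def ldif_modify(dn: str, attribute: str, value: bytes) -> str:
    """Build an LDIF 'replace' record for a binary attribute value.

    LDIF marks base64-encoded values with '::', which is how a unicodePwd
    value has to be carried because it contains NUL bytes.
    """
    b64 = base64.b64encode(value).decode("ascii")
    return (
        f"dn: {dn}\n"
        f"changetype: modify\n"
        f"replace: {attribute}\n"
        f"{attribute}:: {b64}\n"
    )


if __name__ == "__main__":
    # Constructed sample DN; not a real directory entry.
    dn = "CN=testUser,CN=Users,DC=example,DC=test"
    pw = "1A3b6w"
    print("userPassword bytes:", encode_user_password(pw))
    print("unicodePwd bytes:  ", encode_unicode_pwd(pw))
    print(ldif_modify(dn, "unicodePwd", encode_unicode_pwd(pw)))
```

The six-character password becomes 6 bytes for userPassword but 16 bytes for unicodePwd, which is why a mapper that simply points the userPassword writer at UnicodePwd cannot work. Note also that Active Directory only accepts unicodePwd writes over an encrypted (LDAPS or TLS-protected) connection, so a realm that could write it would still need a confidential transport configured.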
It can't react to external changes to the directory because Active Directory
doesn't support the listening mechanism used.
There is a potential to be able to change the Active Directory settings so
"userPassword" runs in compatibility mode [2], but that's not a normal thing
to be able to do in most environments.
[1] Keycloak - AD UnicodePWD: https://github.com/keycloak/keycloak/blob/e12c245355f5fcbabab4a6807a9975f...
[2] https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/f3ad...