On 13/01/16 13:40, Edgar Vonk - Info.nl wrote:
> Hi all,
> We use Keycloak's user federation to integrate with a (Windows 2012) Active Directory
> (AD) server. We want to store all users and groups in AD and also want to manage the
> password policies from AD, so we do not have any password policies set up in Keycloak. We
> also want to use Keycloak for all user management functionality. We have set up the
> password policies in AD at the domain level that we connect to from Keycloak.
> Our password policies in AD are as follows:
> - password complexity (min length + special chars)
> - account lockout after 3 attempts
> - password history (not allowed to use previous 5 passwords)
> Users and admins can set and change passwords in AD from Keycloak fine. However, the
> password policies do not quite do what we want them to:
> - Password complexity policy seems to work fine.
> - Account is indeed locked in AD after three failed attempts. However, the 'Unlock users'
> functionality in Keycloak does not unlock the users in AD. Users can only be unlocked in
> AD itself, it seems. We would like to be able to do this from Keycloak however (and really
> per user and not for all users in one go). Should this work in Keycloak or is this a new
> feature request?
Is the fact that a user is locked tracked in your MSAD through the
userAccountControl attribute? In Keycloak 1.8 I've added the MSAD
UserAccountControl mapper, which allows integrating the MSAD account
state more tightly into the Keycloak state. For example, enabling a user in
the Keycloak admin console will remove the ACCOUNTDISABLE flag from the
userAccountControl value in MSAD as well and hence enable this user in
MSAD too.
However, support for lock/unlock is not included in the mapper. So
feel free to create a JIRA.
Until it's implemented, you can possibly use an admin event listener (there
is an admin event triggered when you click "Unlock user" in the Keycloak UI, so
you can listen to this event and propagate the call to MSAD once you
successfully handle it).
> - The password history policy does not seem to work at all. Users can
> currently set their password to a previous password without a problem. Does anyone have an
> idea why this policy in AD does not work from Keycloak?
No idea. Keycloak is just using the Directory API to change the password. It's
strange that MSAD allows changing the password through this API when it
breaks the password history policy. Are you sure you have a WRITABLE LDAP and
that the password update from Keycloak is propagated to MSAD?
Marek
> cheers
> Edgar
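Marek's suggestion of an admin event listener, written out as an added example (this is not Keycloak's own code or anything posted in this thread): a Keycloak EventListenerProvider that reacts to the realm-wide "Unlock users" admin event and clears the lockout in AD over LDAP. It assumes the resource path `attack-detection/brute-force/users`, the class name and the constructor arguments (all hypothetical), and relies on the fact that AD tracks lockout in the `lockoutTime` attribute rather than in `userAccountControl`, which is why the UserAccountControl mapper alone cannot express lock state; writing `lockoutTime = 0` unlocks the account.

```java
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;
import org.keycloak.events.Event;
import org.keycloak.events.EventListenerProvider;
import org.keycloak.events.admin.AdminEvent;
import org.keycloak.events.admin.OperationType;

public class AdUnlockEventListener implements EventListenerProvider {
    // Resource path Keycloak records for "Unlock users" (assumption: confirm it in your admin-events log).
    private static final String UNLOCK_ALL_PATH = "attack-detection/brute-force/users";
    private final Hashtable<String, String> env = new Hashtable<>();
    private final String usersBaseDn;
    // Hypothetical constructor; a real provider factory would read these values from its config.
    public AdUnlockEventListener(String ldapUrl, String bindDn, String bindPassword, String usersBaseDn) {
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);          // use ldaps:// so the bind password is not sent in clear
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);     // account that is allowed to write lockoutTime
        env.put(Context.SECURITY_CREDENTIALS, bindPassword);
        this.usersBaseDn = usersBaseDn;
    }
    @Override public void onEvent(Event event) { /* user login events: nothing to do here */ }
    @Override
    public void onEvent(AdminEvent event, boolean includeRepresentation) {
        // React only to the realm-wide unlock, which Keycloak records as a DELETE on the attack-detection path.
        if (event.getOperationType() != OperationType.DELETE || !UNLOCK_ALL_PATH.equals(event.getResourcePath())) return;
        try {
            unlockAllLockedAccounts();
        } catch (NamingException e) {
            throw new RuntimeException("Propagating unlock to AD failed", e);
        }
    }
    /** AD keeps lockout state in lockoutTime, not userAccountControl; replacing it with 0 unlocks the account. */
    void unlockAllLockedAccounts() throws NamingException {
        DirContext ctx = new InitialDirContext(env);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            // lockoutTime>=1 matches every account AD currently treats as locked out.
            NamingEnumeration<SearchResult> locked = ctx.search(usersBaseDn, "(&(objectClass=user)(lockoutTime>=1))", sc);
            ModificationItem[] mods = { new ModificationItem(DirContext.REPLACE_ATTRIBUTE, new BasicAttribute("lockoutTime", "0")) };
            while (locked.hasMore()) ctx.modifyAttributes(locked.next().getNameInNamespace(), mods);
        } finally {
            ctx.close();
        }
    }
    @Override public void close() { }
}
```

The EventListenerProviderFactory that instantiates the listener and the META-INF/services registration are omitted; once deployed, the listener still has to be enabled in the realm's Events configuration before Keycloak delivers admin events to it.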
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev