On
13/01/16 13:40, Edgar Vonk - Info.nl wrote:
Hi all,
We use Keycloak’s user federation to integrate
with a (Windows 2012) Active Directory (AD)
server. We want to store all users and groups
in AD and also want to manage the password
policies from AD so we do not have any
password policies in Keycloak set up. We also
want to use Keycloak for all user management
functionality. We have set up the password
policies in AD at the domain level where we
connect to from Keycloak.
Our password policies in AD are as follows:
- password complexity (min length + special
chars)
- account lock out after 3 attempts
- password history (not allowed to use
previous 5 passwords)
Users and admins can set and change passwords
in AD from Keycloak fine. However the password
policies do not quite do what we want them to:
- Password complexity policy seems to work
fine.
- Account is indeed locked in AD after three
failed attempts. However the ‘Unlock users’
functionality in Keycloak does not unlock the
users in AD. Users can only be unlocked in AD
itself it seems. We would like to be able to
do this from Keycloak however (and really per
user and not for all users in one go). Should
this work in Keycloak or is this a new feature
request?
Is the fact that user is locked
tracked in your MSAD through
userAccountControl attribute?
Yes it is. I see this working when I
look at a normal LDAP browser connected to MSAD.
When I disable a user in MSAD I see the
userAccountControl attribute change from 512 to
514.
In the
Keycloak 1.8 I've added the MSAD
UserAccountControl mapper, which allows to
integrate the MSAD account state more tightly
into Keycloak state. For example enable user
in Keycloak admin console will remove the
ACCOUNTDISABLE flag from userAccountControl
value in MSAD as well and hence enable this
user in MSAD too.
This sounds good, however
unfortunately we do not see this happening. When
I disable the user in Keycloak the
userAccountControl attribute does not change at
all so the propagation to MSAD does not seem to
work here.
We have indeed configured the user
federation in Keycloak to WRITABLE LDAP and all
other user attributes (like user name etc) are
propagated from Keycloak to MSAD just fine.
I will create a JIRA issue so that I
can send you some more details.
However support for lock/unlock is
not included in the mapper though. So feel
free to create JIRA.
Ok, will do.
Until
it's implemented, you can possibly use
adminEvent listener (There is admin event
triggered when you click "Unlock user" in
Keycloak UI. So you can listen to this event
and propagate the call to MSAD once you
successfully enable it)
- The password history policy does not seem to
work at all. Users can currently set their
password to a previous password without a
problem. Does anyone have an idea why this
policy in AD does not work from Keycloak?
No idea. Keycloak is just using
Directory API for change password. It's
strange the MSAD allows to change password
through this API when it breaks password
history policy. Are you sure you have WRITABLE
LDAP and password update from Keycloak is
propagated to MSAD?
Yes, we have writable ldap configured
and indeed the password is propagated to MSAD.
Maybe it is related to the issue we see with the
userAccountControl attribute.
cheers
Edgar