On 13/01/16 13:40, Edgar Vonk - Info.nl wrote:

Hi all,

We use Keycloak’s user federation to integrate with a (Windows 2012) Active Directory (AD) server. We want to store all users and groups in AD and also want to manage the password policies from AD, so we do not have any password policies set up in Keycloak. We also want to use Keycloak for all user management functionality. We have set up the password policies in AD at the domain level that we connect to from Keycloak.

Our password policies in AD are as follows:
- password complexity (min length + special chars)
- account lockout after 3 attempts
- password history (not allowed to use previous 5 passwords)

Users and admins can set and change passwords in AD from Keycloak fine. However, the password policies do not quite do what we want them to:
- Password complexity policy seems to work fine.
- Account is indeed locked in AD after three failed attempts. However, the ‘Unlock users’ functionality in Keycloak does not unlock the users in AD. Users can only be unlocked in AD itself, it seems. We would like to be able to do this from Keycloak, however (and really per user and not for all users in one go). Should this work in Keycloak or is this a new feature request?
Is the fact that the user is locked tracked in your MSAD through the userAccountControl attribute?

Yes it is. I see this working when I look at a normal LDAP browser connected to MSAD. When I disable a user in MSAD I see the userAccountControl attribute change from 512 to 514.
In Keycloak 1.8 I've added the MSAD UserAccountControl mapper, which allows integrating the MSAD account state more tightly into the Keycloak state. For example, enabling a user in the Keycloak admin console will remove the ACCOUNTDISABLE flag from the userAccountControl value in MSAD as well and hence enable this user in MSAD too.

This sounds good, however unfortunately we do not see this happening. When I disable the user in Keycloak the userAccountControl attribute does not change at all, so the propagation to MSAD does not seem to work here. We have indeed configured the user federation in Keycloak as WRITABLE LDAP and all other user attributes (like user name etc.) are propagated from Keycloak to MSAD just fine. I will create a JIRA issue so that I can send you some more details.
However, support for lock/unlock is not included in the mapper. So feel free to create a JIRA.

Ok, will do.

Until it's implemented, you can possibly use an adminEvent listener (there is an admin event triggered when you click "Unlock user" in the Keycloak UI, so you can listen to this event and propagate the call to MSAD once you successfully enable it).
- The password history policy does not seem to work at all. Users can currently set their password to a previous password without a problem. Does anyone have an idea why this policy in AD does not work from Keycloak?

No idea. Keycloak is just using the Directory API for changing the password. It's strange that MSAD allows changing the password through this API when it breaks the password history policy. Are you sure you have WRITABLE LDAP and the password update from Keycloak is propagated to MSAD?

Yes, we have writable LDAP configured and indeed the password is propagated to MSAD. Maybe it is related to the issue we see with the userAccountControl attribute.

cheers
Edgar
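Added example, not code from this thread, from Keycloak or from Red Hat: the AD-side LDAP modify operations that an adminEvent listener of the kind suggested above (or any other glue) would have to issue to mirror enable/disable and "Unlock user" into MSAD, next to the two ways of writing unicodePwd, which bear on the password-history question at the end of the thread. Two facts about Active Directory that the thread does not state are relied on: lockout is not a bit in userAccountControl (AD reports it in the computed attribute msDS-User-Account-Control-Computed and clears it when lockoutTime is written as 0), and a single replace of unicodePwd is an administrative reset that AD does not check against password history, whereas a delete of the old value plus an add of the new value in one Modify is a user password change that AD does check. If Keycloak's password write is a single replace (the thread does not say which form it uses), that alone would explain old passwords being accepted. The action names in changes_for, the sample DN and the sample passwords are this example's own assumptions; the change dicts use the string constants and shape that python-ldap3's Connection.modify(dn, changes) accepts, but ldap3 is not imported, so the module runs offline.

```python
# Added example (not Keycloak's code): LDAP modify payloads for propagating
# Keycloak account state and password operations to MSAD.
#
# AD facts used here (not from the thread):
#  - enable/disable is bit 0x0002 (ACCOUNTDISABLE) of userAccountControl;
#    512 = NORMAL_ACCOUNT, 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE.
#  - lockout lives in msDS-User-Account-Control-Computed (bit 0x0010), not in
#    userAccountControl; unlocking = writing lockoutTime = 0.
#  - unicodePwd is the quoted password, UTF-16LE, writable only over LDAPS/TLS.
#  - REPLACE of unicodePwd = admin reset (no history/min-age check);
#    DELETE old + ADD new in one Modify = user change (history enforced).
# Constants carry the same string values as python-ldap3's MODIFY_* constants.

MODIFY_ADD = "MODIFY_ADD"
MODIFY_DELETE = "MODIFY_DELETE"
MODIFY_REPLACE = "MODIFY_REPLACE"

NORMAL_ACCOUNT = 0x0200  # 512
ACCOUNTDISABLE = 0x0002
LOCKOUT = 0x0010         # only populated in msDS-User-Account-Control-Computed


def is_disabled(uac):
    """True when the ACCOUNTDISABLE bit is set (e.g. the 514 seen in the thread)."""
    return bool(int(uac) & ACCOUNTDISABLE)


def with_enabled(uac, enabled):
    """userAccountControl with ACCOUNTDISABLE cleared (enable) or set (disable)."""
    uac = int(uac)
    return uac & ~ACCOUNTDISABLE if enabled else uac | ACCOUNTDISABLE


def enable_change(current_uac, enabled):
    """Modify payload mirroring a Keycloak enable/disable into MSAD."""
    return {"userAccountControl": [(MODIFY_REPLACE, [str(with_enabled(current_uac, enabled))])]}


def is_locked_out(computed_uac):
    """Read lockout from msDS-User-Account-Control-Computed, which carries bit 0x0010."""
    return bool(int(computed_uac) & LOCKOUT)


def unlock_change():
    """Modify payload for 'Unlock user': clear lockoutTime, not userAccountControl."""
    return {"lockoutTime": [(MODIFY_REPLACE, ["0"])]}


def encode_unicode_pwd(password):
    """AD wire format for unicodePwd: the password in double quotes, UTF-16LE."""
    return ('"%s"' % password).encode("utf-16-le")


def admin_reset_change(new_password):
    """Single replace = administrative reset; AD skips the history check.
    Needs the 'Reset Password' right on the user object."""
    return {"unicodePwd": [(MODIFY_REPLACE, [encode_unicode_pwd(new_password)])]}


def user_change_change(old_password, new_password):
    """delete(old) + add(new) = user password change; AD enforces history and
    minimum age, and only the 'Change Password' right plus the old password is needed."""
    return {"unicodePwd": [(MODIFY_DELETE, [encode_unicode_pwd(old_password)]),
                           (MODIFY_ADD, [encode_unicode_pwd(new_password)])]}


def changes_for(action, **kw):
    """Map an action name (this example's own names, not Keycloak AdminEvent fields)
    to the LDAP change an event listener would issue."""
    if action == "ENABLE":
        return enable_change(kw["current_uac"], True)
    if action == "DISABLE":
        return enable_change(kw["current_uac"], False)
    if action == "UNLOCK":
        return unlock_change()
    if action == "ADMIN_RESET_PASSWORD":
        return admin_reset_change(kw["new_password"])
    if action == "USER_CHANGE_PASSWORD":
        return user_change_change(kw["old_password"], kw["new_password"])
    raise ValueError("unknown action %r" % action)


if __name__ == "__main__":
    # Constructed sample run: the 512 -> 514 transition from the thread, an
    # unlock, and the two password forms side by side (assumed DN and passwords).
    dn = "CN=Edgar Vonk,OU=Users,DC=example,DC=local"  # assumed
    for action, kw in [("DISABLE", {"current_uac": 512}),
                       ("ENABLE", {"current_uac": 514}),
                       ("UNLOCK", {}),
                       ("ADMIN_RESET_PASSWORD", {"new_password": "Secret1!"}),
                       ("USER_CHANGE_PASSWORD", {"old_password": "Secret1!",
                                                 "new_password": "Secret2!"})]:
        print(action, dn, changes_for(action, **kw))
```

To send one of these payloads with ldap3 you would bind over LDAPS (AD rejects unicodePwd writes on a plaintext connection) and call `Connection(...).modify(dn, changes)` with the dict returned by changes_for. A quick way to confirm which of the two password forms Keycloak issues is to capture the Modify request on the wire between Keycloak and the domain controller, or to try the delete+add form against the same account with a previously used password and see whether AD refuses it (it should return constraint violation 0x13 with the 0000052D error text).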