I thought the question was to allow password changes with read-only and my assumption was that he wanted the change password in Keycloak only.

I'm no expert on the LDAP integration, but I believe you can control what attributes are written back to LDAP in the protocol mappers. So could you not achieve what you're thinking with simply setting all mappers to read-only?
On Mon, 24 Sep 2018 at 11:43, Thomas Darimont <thomas.darimont(a)googlemail.com> wrote:
Hello Keycloak Developers,

At the end of the recent DevNation Live session [1], "A Deep Dive into Keycloak", a user asked whether it would be possible to only sync password changes back with a federated user store like LDAP or Kerberos.

This would be very useful in integration scenarios where the user directory admins want to keep control over user profiles.

I looked at the code and it seems that one would need to add a new UserStorageProvider.EditMode like PASSWORD_ONLY and update the updateCredential [2] methods accordingly to allow credential updates.

Would this be sufficient or am I missing something?

Cheers,
Thomas

[1] https://www.youtube.com/watch?list=PLuWlr4oKSRUZj3ax5zG_t9KE6uwTb_0rU&...
[2] org.keycloak.storage.ldap.LDAPStorageProvider#updateCredential (and similar methods for other providers)
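To make the PASSWORD_ONLY idea from the message above concrete, here is an added illustrative sketch; it is not code from the thread or from the Keycloak project. It assumes the Keycloak 4-era CredentialInputUpdater API (updateCredential(RealmModel, UserModel, CredentialInput), UserCredentialModel.getValue()). The local EditMode enum is a stand-in for UserStorageProvider.EditMode extended with the proposed PASSWORD_ONLY value, and PasswordWriteBack is a hypothetical hook standing in for whatever the LDAP provider would call to change the directory password; both are assumptions, not existing Keycloak types.

```java
package org.example.keycloak; // hypothetical package, not part of Keycloak

import java.util.Collections;
import java.util.Set;

import org.keycloak.credential.CredentialInput;
import org.keycloak.credential.CredentialInputUpdater;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;

/**
 * Illustrative credential updater that writes only passwords back to the
 * federated store, gated on a PASSWORD_ONLY edit mode as proposed in the thread.
 */
public class PasswordOnlyCredentialUpdater implements CredentialInputUpdater {

    /** Stand-in for UserStorageProvider.EditMode plus the proposed PASSWORD_ONLY (assumption). */
    public enum EditMode { READ_ONLY, WRITABLE, UNSYNCED, PASSWORD_ONLY }

    /** Hypothetical hook: what an LDAP provider would call to change the directory password. */
    public interface PasswordWriteBack {
        void writePassword(RealmModel realm, UserModel user, String newPassword);
    }

    private final EditMode editMode;
    private final PasswordWriteBack writeBack;

    public PasswordOnlyCredentialUpdater(EditMode editMode, PasswordWriteBack writeBack) {
        this.editMode = editMode;
        this.writeBack = writeBack;
    }

    /** Pure policy: may a credential of this type be pushed to the federated store? */
    static boolean allowsWriteBack(EditMode mode, String credentialType) {
        boolean isPassword = UserCredentialModel.PASSWORD.equals(credentialType);
        switch (mode) {
            case WRITABLE:      return true;        // every credential goes to the directory
            case PASSWORD_ONLY: return isPassword;  // proposal: only the password is propagated
            case READ_ONLY:                         // nothing is written to the directory
            case UNSYNCED:                          // changes stay local to Keycloak
            default:            return false;
        }
    }

    @Override
    public boolean supportsCredentialType(String credentialType) {
        return UserCredentialModel.PASSWORD.equals(credentialType);
    }

    @Override
    public boolean updateCredential(RealmModel realm, UserModel user, CredentialInput input) {
        if (!supportsCredentialType(input.getType())) {
            return false;  // not a password; another updater (or local storage) handles it
        }
        if (!allowsWriteBack(editMode, input.getType())) {
            // Not propagated to the directory in this mode; returning false leaves
            // the credential to Keycloak's other updaters, so user attributes and
            // profile data are never touched from here.
            return false;
        }
        if (!(input instanceof UserCredentialModel)) {
            return false;
        }
        String newPassword = ((UserCredentialModel) input).getValue();
        writeBack.writePassword(realm, user, newPassword);
        return true;
    }

    @Override
    public void disableCredentialType(RealmModel realm, UserModel user, String credentialType) {
        // Disabling credentials in the directory is out of scope for this sketch.
    }

    @Override
    public Set<String> getDisableableCredentialTypes(RealmModel realm, UserModel user) {
        return Collections.emptySet();
    }
}
```

The point of keeping the policy in a small static method is that the mode-by-credential-type decision can be unit-tested on its own: with PASSWORD_ONLY, allowsWriteBack returns true only for UserCredentialModel.PASSWORD, so profile attributes remain under the directory admins' control while password changes still reach the directory.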
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev