Re: [keycloak-dev] Require password change on login when AD is the federation provider and pwdLastSet equals 0

Hey guys, Following up on this conversation that took place a couple of months back: http://lists.jboss.org/pipermail/keycloak-dev/2015-September/005286.html. I just had a chance to try the proposed approach of implementing a custom authentication provider that checks the pwdLastSet attribute and sets the update password required action. I believe that this may not be quite as easy as was suggested due to the fact that authentication fails with the default LDAP Federation Provider before a custom execution in the login flow has a chance to check the attribute and set the required action. It seems I would need to implement a custom LDAP Federation Provider that considers authentication successful when the exception referenced in https://issues.jboss.org/browse/KEYCLOAK-1744 is thrown, but also add the required action for updating the password. Is there an easy way to do that or something that I’m missing? Otherwise, I’d be willing to work on a contribution for this issue if you’re willing to have logic that is specific to AD? Thanks, Cory Snyder software engineer USA +1.419.731.3479 UK +44.20.7096.0149 iland.com<http://www.iland.com/>