Hey guys,

Following up on this conversation that took place a couple of months back: http://lists.jboss.org/pipermail/keycloak-dev/2015-September/005286.html. I just had a chance to try the proposed approach of implementing a custom authentication provider that checks the pwdLastSet attribute and sets the update password required action. I believe that this may not be quite as easy as was suggested due to the fact that authentication fails with the default LDAP Federation Provider before a custom execution in the login flow has a chance to check the attribute and set the required action. It seems I would need to implement a custom LDAP Federation Provider that considers authentication successful when the exception referenced in https://issues.jboss.org/browse/KEYCLOAK-1744 is thrown, but also add the required action for updating the password. Is there an easy way to do that or something that I’m missing? Otherwise, I’d be willing to work on a contribution for this issue if you’re willing to have logic that is specific to AD?

Thanks,

Cory Snyder
software engineer
USA +1.419.731.3479   UK +44.20.7096.0149    iland.com