For LDAP, you can already achieve this. You just need to make sure that
the LDAP provider is configured with WRITABLE edit mode and then that the
mappers for the various attributes (firstName, lastName, email) are
configured with the "Read Only" switch ON and the "Always Read from LDAP"
switch OFF. That way, if you update a user profile in Keycloak, the
updates will go just to the Keycloak DB, not to LDAP, and Keycloak will
read the values from the DB in preference to LDAP. However, when a
password is written in Keycloak, it will be updated in LDAP, and password
verifications will also be triggered against LDAP. I've just tried it
and it works as expected.
For the Kerberos provider, we don't yet have support for updating
passwords. This will require an implementation of the "Kerberos Password
Update" protocol. We already have a JIRA opened for it (we had a PR for
this some time ago, but it added a bunch of ApacheDS dependencies, so we
couldn't accept it).
For custom UserStorage providers written by you, you don't need a
separate editMode either. In this case, you have control over your
implementation and you can implement updates and reads exactly how you want.
IMO there is no need to introduce another EditMode value.
On 24/09/18 20:32, Stian Thorgersen wrote:
I thought the question was to allow password changes with read-only
assumption was that he wanted the change password in Keycloak only.
I'm no expert on the LDAP integration, but I believe you can control what
attributes are written back to LDAP in the protocol mappers. So could you
not achieve what you're thinking with simply setting all mappers to
On Mon, 24 Sep 2018 at 11:43, Thomas Darimont <
> Hello Keycloak Developers,
> at the end of the recent DevNation Live session  A Deep Dive into
> a user asked whether it would be possible to only sync password changes
> with a federated user store like LDAP or Kerberos.
> This would be very useful in integration scenarios where the user directory
> want to keep control over user profiles.
> I looked at the code and it seems that one needed to add a new
> UserStorageProvider.EditMode like PASSWORD_ONLY
> and update the updateCredential methods accordingly to allow credential
> Would this be sufficient or am I missing something?
>  org.keycloak.storage.ldap.LDAPStorageProvider#updateCredential (and
> similar methods for other providers)
> keycloak-dev mailing list
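As an added illustration of the LDAP provider and mapper settings Marek describes above (example code written for this page, not Keycloak's own code and not anything posted in the thread): the dictionaries below mirror Keycloak's ComponentRepresentation as used by the admin REST API and realm exports, where config values are lists of strings and the admin console's "Read Only" and "Always Read Value From LDAP" switches correspond to the `read.only` and `always.read.value.from.ldap` mapper keys. The host name, DNs, bind credential and component names are constructed placeholders; `audit_password_only_sync` and `realm_components` are helpers written for this example, and the nesting of mappers under `subComponents` follows the realm-export layout as I understand it.

```python
"""Configuration check for the "profile stays in Keycloak, password goes to LDAP"
setup: WRITABLE edit mode on the LDAP provider, and every profile attribute
mapper with read.only=true and always.read.value.from.ldap=false.

All host names, DNs and credentials below are constructed placeholders."""
import json
from typing import Dict, List

Component = Dict[str, object]

LDAP_PROVIDER: Component = {
    "name": "corporate-ldap",
    "providerId": "ldap",
    "providerType": "org.keycloak.storage.UserStorageProvider",
    "config": {
        "editMode": ["WRITABLE"],          # required: password writes must reach LDAP
        "connectionUrl": ["ldaps://ldap.example.internal:636"],
        "usersDn": ["ou=people,dc=example,dc=internal"],
        "authType": ["simple"],
        "bindDn": ["cn=keycloak-svc,ou=service,dc=example,dc=internal"],
        "bindCredential": ["REPLACE-ME"],  # placeholder; keep the real secret out of exports
        "usernameLDAPAttribute": ["uid"],
        "rdnLDAPAttribute": ["uid"],
        "uuidLDAPAttribute": ["entryUUID"],
        "userObjectClasses": ["inetOrgPerson, organizationalPerson"],
        "importEnabled": ["true"],
        "syncRegistrations": ["false"],
    },
}

# Profile attributes from the thread and the LDAP attributes they usually map to.
PROFILE_ATTRIBUTES = {"firstName": "givenName", "lastName": "sn", "email": "mail"}


def profile_mapper(model_attr: str, ldap_attr: str, read_only: bool = True,
                   always_read_from_ldap: bool = False) -> Component:
    """Build a user-attribute-ldap-mapper; the defaults give the read-only, DB-preferred setting."""
    return {
        "name": f"{model_attr}-mapper",
        "providerId": "user-attribute-ldap-mapper",
        "providerType": "org.keycloak.storage.ldap.mappers.LDAPStorageMapper",
        "config": {
            "user.model.attribute": [model_attr],
            "ldap.attribute": [ldap_attr],
            "read.only": [str(read_only).lower()],
            "always.read.value.from.ldap": [str(always_read_from_ldap).lower()],
            "is.mandatory.in.ldap": ["false"],
        },
    }


def _flag(config: Dict[str, List[str]], key: str) -> bool:
    """Keycloak stores booleans as the strings "true"/"false"; a missing key means false."""
    return config.get(key, ["false"])[0].strip().lower() == "true"


def audit_password_only_sync(provider: Component, mappers: List[Component]) -> List[str]:
    """Return findings that break the intent; an empty list means the setup matches it."""
    findings: List[str] = []
    pcfg = provider["config"]
    edit_mode = pcfg.get("editMode", [""])[0]
    if edit_mode != "WRITABLE":
        findings.append(f"provider {provider['name']}: editMode is '{edit_mode or 'unset'}', "
                        "WRITABLE is required so password updates reach LDAP")
    for mapper in mappers:
        if mapper.get("providerId") != "user-attribute-ldap-mapper":
            continue  # role/group mappers are outside this check
        mcfg = mapper["config"]
        attr = mcfg["user.model.attribute"][0]
        if not _flag(mcfg, "read.only"):
            findings.append(f"mapper {mapper['name']}: read.only is false, so edits to "
                            f"{attr} would be written back to LDAP")
        if _flag(mcfg, "always.read.value.from.ldap"):
            findings.append(f"mapper {mapper['name']}: always.read.value.from.ldap is true, "
                            f"so LDAP would override the Keycloak DB value of {attr}")
    return findings


GOOD_MAPPERS = [profile_mapper(m, l) for m, l in PROFILE_ATTRIBUTES.items()]
# Constructed mis-configuration: email would be pushed to LDAP and re-read from it.
BAD_MAPPERS = GOOD_MAPPERS[:2] + [profile_mapper("email", "mail", read_only=False,
                                                 always_read_from_ldap=True)]


def realm_components(provider: Component, mappers: List[Component]) -> Dict[str, object]:
    """Partial realm-export 'components' section with the mappers nested under the provider."""
    entry = dict(provider)
    entry["subComponents"] = {"org.keycloak.storage.ldap.mappers.LDAPStorageMapper": mappers}
    return {"components": {"org.keycloak.storage.UserStorageProvider": [entry]}}


if __name__ == "__main__":
    print(json.dumps(realm_components(LDAP_PROVIDER, GOOD_MAPPERS), indent=2))
    for finding in audit_password_only_sync(LDAP_PROVIDER, BAD_MAPPERS):
        print("FINDING:", finding)
```

The audit is worth running against a realm export before relying on this setup: with editMode WRITABLE, any attribute mapper that is left with `read.only` false is still written back to LDAP on profile update, which is exactly the case the constructed `BAD_MAPPERS` entry reproduces. The username mapper is deliberately not included, since Keycloak manages it itself.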