11:37 a.m.
Hello Keycloak Developers,
at the end of the recent DevNation Live session [1] A Deep Dive into
Keycloak
a user asked whether it would be possible to only sync password changes
back
with a federated user store like LDAP or Kerberos.
This would be very useful in integration scenarios where the user directory
admins
want to keep control over user profiles.
I looked at the code and it seems that one needed to add a new
UserStorageProvider.EditMode like PASSWORD_ONLY
and update the updateCredential [2] Methods accordingly to allow credential
updates.
Would this be sufficient or am I missing something?
Cheers,
Thomas
[1]
https://www.youtube.com/watch?list=PLuWlr4oKSRUZj3ax5zG_t9KE6uwTb_0rU&...
[2] org.keycloak.storage.ldap.LDAPStorageProvider#updateCredential (and
similar methods for other providers)
8:32 p.m.
I thought the question was to allow password changes with read-only and my
assumption was that he wanted the change password in Keycloak only.
I'm no expert on the LDAP integration, but I believe you can control what
attributes are written back to LDAP in the protocol mappers. So could you
not achieve what you're thinking with simply setting all mappers to
read-only?
On Mon, 24 Sep 2018 at 11:43, Thomas Darimont <
thomas.darimont(a)googlemail.com> wrote:
Hello Keycloak Developers,
at the end of the recent DevNation Live session [1] A Deep Dive into
Keycloak
a user asked whether it would be possible to only sync password changes
back
with a federated user store like LDAP or Kerberos.
This would be very useful in integration scenarios where the user directory
admins
want to keep control over user profiles.
I looked at the code and it seems that one needed to add a new
UserStorageProvider.EditMode like PASSWORD_ONLY
and update the updateCredential [2] Methods accordingly to allow credential
updates.
Would this be sufficient or am I missing something?
Cheers,
Thomas
[1]
https://www.youtube.com/watch?list=PLuWlr4oKSRUZj3ax5zG_t9KE6uwTb_0rU&...
[2] org.keycloak.storage.ldap.LDAPStorageProvider#updateCredential (and
similar methods for other providers)
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
8:45 a.m.
Yes, exactly.
For LDAP, you can already achieve this. You just need to make sure that
LDAP provider is configured with WRITABLE edit mode and then mappers for
various attributes (firstName, lastName, email) are configured with
"Read Only" switch ON and "Always Read from LDAP" switch to OFF. That
way, if you update user profile in Keycloak, the updates will go just to
the Keycloak DB, not to LDAP. And Keycloak will read the values from DB
with bigger preference than from LDAP. However when password is written
in Keycloak, it will be updated in LDAP and also password verifications
will be triggered against LDAP. I've just tried it and works as expected.
For Kerberos Provider, we don't yet have support for updating password.
This will require implementation of "Kerberos Password Update" protocol.
We have JIRA already opened for it (We had PR for this some time ago,
but it added bunch of ApacheDS dependencies, so we couldn't accept it).
For custom UserStorage providers written by you, you don't need separate
editMode as well. In this case, you have control over your
implementation and you can implement updates and reads exactly how you want.
IMO there is no need to introduce another EditMode value.
Marek
On 24/09/18 20:32, Stian Thorgersen wrote:
I thought the question was to allow password changes with read-only
and my
assumption was that he wanted the change password in Keycloak only.
I'm no expert on the LDAP integration, but I believe you can control what
attributes are written back to LDAP in the protocol mappers. So could you
not achieve what you're thinking with simply setting all mappers to
read-only?
On Mon, 24 Sep 2018 at 11:43, Thomas Darimont <
thomas.darimont(a)googlemail.com> wrote:
> Hello Keycloak Developers,
>
> at the end of the recent DevNation Live session [1] A Deep Dive into
> Keycloak
> a user asked whether it would be possible to only sync password changes
> back
> with a federated user store like LDAP or Kerberos.
>
> This would be very useful in integration scenarios where the user directory
> admins
> want to keep control over user profiles.
>
> I looked at the code and it seems that one needed to add a new
> UserStorageProvider.EditMode like PASSWORD_ONLY
> and update the updateCredential [2] Methods accordingly to allow credential
> updates.
>
> Would this be sufficient or am I missing something?
>
> Cheers,
> Thomas
>
> [1]
>
>
https://www.youtube.com/watch?list=PLuWlr4oKSRUZj3ax5zG_t9KE6uwTb_0rU&...
> [2] org.keycloak.storage.ldap.LDAPStorageProvider#updateCredential (and
> similar methods for other providers)
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
2040
days inactive
2041
days old
2 comments
3 participants
participants (3)
-
Marek Posolda -
Stian Thorgersen -
Thomas Darimont