Yes, we don't yet have support for this. The problems I can see are:
- It seems that both the ApacheDS based solution and the "embedded kpasswd
process" based solution require the old password of the user. But in
Keycloak we don't usually have the old password of the user (e.g. when the admin
changes the password, or during the UPDATE_PASSWORD required action, etc. Just the
account management is the only place where the existing password is available).
- Another question is whether the ApacheDS based approach really uses just the
Kerberos standards and works for the other Kerberos vendors besides
ApacheDS (MSAD, FreeIPA, MIT Kerberos).
Feel free to create a JIRA, however not sure if we add that in the near
future...
Marek
On 26/01/17 22:16, Steven Mirabito wrote:
Hi all,
I didn't see anything in Jira regarding this, so I figured I'd ask here. I
have an organization that uses OpenLDAP and Kerberos to authenticate users,
and have set up an LDAP federation provider and enabled Kerberos
integration. That part works great, but if I enable write on the federation
provider and try to change a user's password, it attempts to update the
password through LDAP and not Kerberos. I took a look
at LDAPStorageProvider.java and it appears that there isn't support for
updating credentials via Kerberos when Kerberos integration is enabled, and
the Kerberos federation provider itself doesn't currently support password
changes.
As this is necessary to enable password changes through Keycloak for my
organization, I wanted to reach out and see if there were any suggestions
as to how I could go about implementing this and to get any feedback or
concerns regarding this feature. It looks fairly simple to implement with
the ApacheDS kerberos-client:
http://stackoverflow.com/a/34575316
Thanks!
-Steven
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev