Hmm... I think this should be already working?
I've just tested the use case:
- Keycloak with configured writable MSAD and with the "MSAD Account controls" mapper available
- User "john" from LDAP authenticated in Keycloak successfully
- Then I changed the value of the "pwdLastSet" attribute in the LDAP record of user "john" to 0
- Then login again as "john" in Keycloak. I am asked to change my password. After this change the user is authenticated successfully and his LDAP record also has "pwdLastSet" updated back to the current time.
I am testing with latest master though.
Can you double-check this scenario on your side? Are you using the latest Keycloak master?
Marek
On 24/01/17 10:30, mj wrote:
Hi,
In the Microsoft management tools there is a checkbox: "user must change password at next logon". If I check that box, Keycloak 2.5 gives us a logon failure.
Perhaps it would be only a rather small change to map that MSAD checkbox ("Pwd-Last-Set" = 0) to the equivalent in Keycloak: the "credentials" / "temporary" switch, so that the next time the user is asked to change his/her password.
More MS info here:
https://msdn.microsoft.com/en-us/library/ms679430
And thanks very much for the recent fix of issue 2333, on MSAD password policies! Much appreciated! :-)
MJ
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
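The pwdLastSet semantics the thread turns on, as an added example that is not part of the original thread and not Keycloak's own mapper code: MSAD stores pwdLastSet as a Windows FILETIME, with 0 meaning "must change password at next logon", and the Keycloak-side equivalent is modelled here as an UPDATE_PASSWORD required action (the action name and the entry dict shape are assumptions for this example).

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME: count of 100-nanosecond intervals since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HUNDRED_NS_PER_SECOND = 10_000_000

# Keycloak required action that forces a password change at next login
# (what the "temporary" credential switch sets); assumed name for this example.
UPDATE_PASSWORD = "UPDATE_PASSWORD"

# Writing -1 to pwdLastSet tells AD to stamp the current time, which is the
# value a mapper writes back after the user has completed the password change.
PWD_LAST_SET_NOW = "-1"


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a FILETIME value (as read from pwdLastSet) to an aware UTC datetime."""
    if filetime < 0:
        raise ValueError("FILETIME must be non-negative")
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(when: datetime) -> int:
    """Inverse of filetime_to_datetime; exact, no float arithmetic."""
    delta = when.astimezone(timezone.utc) - FILETIME_EPOCH
    seconds = delta.days * 86400 + delta.seconds
    return seconds * HUNDRED_NS_PER_SECOND + delta.microseconds * 10


def required_actions_for(entry: dict) -> list:
    """Decide which Keycloak required actions an LDAP entry implies.

    The entry is a constructed dict of attribute -> list of string values,
    the shape typical LDAP client libraries return.
    """
    raw = entry.get("pwdLastSet", [None])[0]
    if raw is None:
        return []  # attribute not returned; nothing to enforce
    if int(raw) == 0:
        return [UPDATE_PASSWORD]  # "user must change password at next logon"
    return []


def password_age(entry: dict, now: datetime):
    """Age of the current password, or None if unknown or a change is pending."""
    raw = entry.get("pwdLastSet", [None])[0]
    if raw is None or int(raw) == 0:
        return None
    return now.astimezone(timezone.utc) - filetime_to_datetime(int(raw))
```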