Hi Marek, list,
On 01/27/2017 12:52 PM, Marek Posolda wrote:
> Actually we don't test and officially support Samba AD, just the
> MSAD.
> We may add that in the future though as there are more people asking for
> that, but each LDAP vendor adds some overhead for testing etc...
An update on the above:
We are now collecting quotations on making Samba's output compatible
with MSAD in the case of "NT_STATUS_PWD_MUST_CHANGE". So with a bit of
luck, future Samba will behave just like MSAD in that case.
There is another question that we have: Is Keycloak supposed to import
the pwdLastSet field for a user, in the case of an MSAD backend?
If Keycloak imports that field, it would be able to enforce Keycloak's own
password max age policy also on MSAD federated accounts.
Password age adherence is such a vital bit of functionality to make
Keycloak a viable competitor of Microsoft's own AD federation services.
MJ