Hi Marek,
But I am under the impression that KEYCLOAK-4052 would not allow the
user to provide a password that does not meet the complexity
requirements configured in keycloak?
And if I would configure keycloak to require more complex passwords than
MSAD does, the user password change would succeed?
Because currently keycloak accepts 'abc' as a password, and samba
doesn't. If keycloak would require the user to provide a GOOD password,
samba would also accept it.
(because the basic password-change-functionality works fine)
I would only like keycloak to NOT accept '123' as a valid password, but
take into account its own configured password complexity when changing
the MSAD password.
Is that not what KEYCLOAK-4052 is about?
MJ
On 22-8-2017 8:43, Marek Posolda wrote:
KEYCLOAK-4052 will help with the case when you want to enforce
Keycloak
password policies when updating the password of Keycloak user, who is
mapped to LDAP provider. However LDAP password policies will be applied
too. And in your case, MSAD policies are applied already. In other
words, KEYCLOAK-4052 won't help you with the error "Could not modify
attribute for DN [CN=username,CN=Users,DC=ad,DC=company,DC=com]" .
The case you mentioned should be already supported, but it works just
for MSAD. AFAIK it doesn't work for some others like Samba AD. Also you
need to have MSAD User Account Controls mapper enabled.
Marek
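As an added example, not part of this thread and not Keycloak's own code: a small evaluator for a Keycloak-style realm password policy string (the `length(n) and digits(n) and upperCase(n) and notUsername` form configured under Authentication > Password Policy). It is a hypothetical re-implementation of the common built-in providers, written here to show which of the terms a candidate such as 'abc' or '123' would fail before the change ever reaches the directory; the function names `parse_policy` and `check_password` and the sample policy string are assumptions for illustration. Whatever this accepts, MSAD or Samba still applies its own complexity rules when the password is actually written.

```python
import re

# Hypothetical re-implementation of a few Keycloak built-in password policy
# providers, for illustration only (not Keycloak's code). The policy string
# format mirrors the realm setting, e.g.
#   "length(8) and digits(1) and upperCase(1) and notUsername"
POLICY_TERM = re.compile(r"(\w+)(?:\((\d+)\))?")


def parse_policy(policy: str):
    """Turn 'length(8) and digits(1)' into [('length', 8), ('digits', 1)].

    Terms without an argument (e.g. 'notUsername') get None as argument.
    """
    rules = []
    for part in policy.split(" and "):
        m = POLICY_TERM.fullmatch(part.strip())
        if not m:
            raise ValueError(f"unparseable policy term: {part!r}")
        name, arg = m.group(1), m.group(2)
        rules.append((name, int(arg) if arg is not None else None))
    return rules


def check_password(policy: str, password: str, username: str = "") -> list:
    """Return the policy terms the password violates; an empty list means OK."""
    violations = []
    for name, arg in parse_policy(policy):
        if name == "length":
            ok = len(password) >= arg
        elif name == "digits":
            ok = sum(c.isdigit() for c in password) >= arg
        elif name == "lowerCase":
            ok = sum(c.islower() for c in password) >= arg
        elif name == "upperCase":
            ok = sum(c.isupper() for c in password) >= arg
        elif name == "specialChars":
            # approximation: anything that is not a letter or digit
            ok = sum(not c.isalnum() for c in password) >= arg
        elif name == "notUsername":
            ok = password.lower() != username.lower()
        else:
            raise ValueError(f"unsupported policy provider: {name}")
        if not ok:
            violations.append(name if arg is None else f"{name}({arg})")
    return violations


if __name__ == "__main__":
    # Sample policy and candidates, constructed for this example.
    policy = "length(8) and digits(1) and upperCase(1) and notUsername"
    for candidate in ("abc", "123", "Correct1Horse"):
        failed = check_password(policy, candidate, username="jdoe")
        print(f"{candidate!r}: {'OK' if not failed else 'rejected by ' + ', '.join(failed)}")
```

Running it shows 'abc' and '123' rejected by the Keycloak-side terms alone, which is the behaviour MJ is asking for; a password that passes here can still be refused by the directory's own policy, which is the point Marek makes about MSAD policies applying regardless of KEYCLOAK-4052.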