We don't support and test with samba AD. You can try to enable TRACE or
DEBUG logging for "org.keycloak.storage.ldap" and see the server.log for
more details.
However, it seems that MSADUserAccountControlStorageMapper just doesn't
work OOTB with the Samba AD. You may need to implement your own mapper
with some changes (for example, recently we have had a contribution from
the community for the MSAD LDS mapper).
Marek
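For the logging step Marek suggests, this is an added example (not from the thread) of the logger entry as it would be placed in the WildFly logging subsystem of the Keycloak server's standalone.xml; the subsystem namespace version is an assumption and must match the one already in your file.

```xml
<!-- Added example: enable TRACE for the LDAP storage provider only.
     Output goes to server.log via the FILE handler; the default CONSOLE
     handler is capped at INFO, so do not expect it on the console.
     Namespace version assumed; keep the one present in your standalone.xml. -->
<subsystem xmlns="urn:jboss:domain:logging:3.0">
    <logger category="org.keycloak.storage.ldap">
        <level name="TRACE"/>
    </logger>
    <!-- leave the root logger at INFO so only the LDAP provider is verbose -->
    <root-logger>
        <level name="INFO"/>
        <handlers>
            <handler name="CONSOLE"/>
            <handler name="FILE"/>
        </handlers>
    </root-logger>
</subsystem>
<!-- jboss-cli equivalent, applied at runtime without editing the file:
     /subsystem=logging/logger=org.keycloak.storage.ldap:add(level=TRACE) -->
```

Revert to DEBUG or remove the logger once the failing modify operation has been captured, since TRACE output for LDAP can include user attribute values.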
On 10/01/17 13:02, lists wrote:
Hi,
Keycloak 2.5.0, added MSAD (samba4) as a writeable federation provider,
verified that the MSAD account controls mapper is added.
When an end-user logs into the keycloak account client
(/auth/realms/ourrealm/account) he/she has the option to change his/her
password.
However, keycloak says:
> Could not modify attribute for DN [CN=ted t. test,CN=Users,DC=samba,DC=company,DC=com]
Note: I used "ABC-def123_*%#" as a password, so I guess MSAD password
policies are not the problem here.
Additionally, I was under the impression that I should be able to log on
when in MSAD the "user is required to change password on next login",
and keycloak would require me to change it. However, in that case I'm
just getting an "Invalid username or password".
I asked about these things before, but was told to test the new 2.5.0,
because the problem could have been solved already. However, I'm trying
with 2.5.0, and the behaviour is still there.
Is this functionality working for others using MSAD here? (perhaps
others with samba4 AD?)
Best regards,
MJ
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user