Re: [keycloak-user] krbLastPwdChange - can we use this attribute

Dear All, I've implemented this as a python script for now, hopefully this is useful to some, and hopefully something similar could be implemented for LDAP (although I imagine politically since SSSD cannot provide this data, and that's the preferred connection route for FreeIPA, it's not going to happen soon). requirements: ldap3, python-keycloak import python_freeipa import json import ldap3 from keycloak import KeycloakAdmin from datetime import datetime options['ipa_host'] = '' options['ipa_admin_user'] = '' options['ipa_base_dn'] = '' options['ipa_admin_dn'] = ','+options['ipa_base_dn'] options['keycloak_host'] = '' options['keycloak_admin_user'] = '' options['keycloak_storage_id'] = '' # Begin Keycloak Clietn keycloakClient = KeycloakAdmin(server_url='https://'+options['keycloak_host']+'/auth/', username=options['keycloak_admin_user'], password=keycloakAdminPassword, realm_name='master<https://'+options['keycloak_host']+'/auth/',%20username=options['keycloak_admin_user'],%20password=keycloakAdminPassword,%20realm_name='master>', verify=False) # Begin LDAP client ldapServer = ldap3.Server(options['ipa_host']) ldapClient = ldap3.Connection(ldapServer, user=options['ipa_admin_dn'], password=ipaAdminPassword, auto_bind=True) # Generate datestamp date = datetime.utcnow().strftime('%Y%m%d%H%M%S')+'Z' # Perform an LDAP sync for Keycloak keycloakClient.sync_users(storage_id=options['keycloak_storage_id'], action="triggerFullSync") # Search LDAP for expired passwords ldapClient.search('cn=users,cn=accounts,'+options['ipa_base_dn'], '(|(krbPasswordExpiration<='+date+')(!(krbPasswordExpiration=*)))', attributes=['uid','cn','krbLastPwdChange','krbPasswordExpiration','dn']) resetPasswordUsers = ldapClient.entries for user in resetPasswordUsers: user_id = keycloakClient.get_user_id(user.uid) keycloakClient.update_user(user_id=user_id, payload={"requiredActions":['UPDATE_PASSWORD']}) # Search LDAP for valid passwords ldapClient.search('cn=users,cn=accounts,'+options['ipa_base_dn'], '(krbPasswordExpiration>='+date+')', attributes=['uid','cn','krbLastPwdChange','krbPasswordExpiration','dn']) validPasswordUsers = ldapClient.entries for user in validPasswordUsers: user_id = keycloakClient.get_user_id(user.uid) keycloakClient.update_user(user_id=user_id, payload={"requiredActions":[]}) I've chopped some domain specific stuff from this so it might not be flawless, but hopefully a start for someone. Also no error checking involved here. Regards, Callum -- Callum Smith Research Computing Core Wellcome Trust Centre for Human Genetics University of Oxford e. callum@well.ox.ac.uk<mailto:callum@well.ox.ac.uk> On 16 Nov 2018, at 09:16, Callum Smith <callum@well.ox.ac.uk<mailto:callum@well.ox.ac.uk>> wrote: Dear Keycloakers, I was wondering, if Keycloak can accept the pwdLastSet from MSAD, why can it not use krbLastPwdChange from FreeIPA to allow for better integration of password resets? Surely this is possible and potentially even trivial to implement? Regards, Callum -- Callum Smith Research Computing Core Wellcome Trust Centre for Human Genetics University of Oxford e. callum@well.ox.ac.uk<mailto:callum@well.ox.ac.uk><mailto:callum@well.ox.ac.uk> _______________________________________________ keycloak-user mailing list keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org> https://lists.jboss.org/mailman/listinfo/keycloak-user