On 27/01/17 21:15, mj wrote:
Hi Marek, list,
> Actually we don't test and officially support Samba AD, just the MSAD.
Yeah I know. And (usually, so far) everything that works with MSAD
works also with samba4, this is actually the first time we are running
into a compatibility issue like this.
> You can send PR to contribute the mapper for Samba AD if you manage to
> have it working. Ideally also with the writable scenarios like
> passwordUpdate, disable user in KC will disable him in AD etc.
All those things should normally work exactly as they do with MSAD.
Andrew Bartlett (core samba dev) pointed me to the following file:
https://github.com/keycloak/keycloak/blob/b2d1a1a17fc8f665f4ba83d62e3c22d...
written by you.
I was thinking (being no programmer at all!!!) that I could simply
edit a line slightly, to watch for "NT_STATUS_PWD_MUST_CHANGE" instead
of the MSAD output.
That would give me an MSADUserAccountControlStorageMapper 'version'
targeted for samba4, as for the rest no changes should be required at
all.
However...in my keycloak install, I cannot find the file
MSADUserAccountControlStorageMapper.java, so I guess that bright idea
is also not an option.
The Java files are not inside the server distribution. Java works in a
way that Java files (sources) are compiled to class files and then
packed in JAR archives. There is no easy way to change the source of an
existing class inside the archive and rewrite something directly.
It seems such a waste of energy to create a complete subclass of
MSADUserAccountControlStorageMapper, given that the only difference is
to look for "NT_STATUS_PWD_MUST_CHANGE"....
Any place I could edit, to change that in an installed keycloak?
Well, if the logic is really the same, the Samba4-specific subclass doesn't
need to have everything forked (copy/pasted). It can just override one
single method (onAuthenticationFailure). That's one of the benefits of
inheritance. So the way to go is really to create a separate mapper for
Samba4 and deploy it as a Keycloak provider.
You can take a look at the Server Developer Guide [1] and the "provider"
examples in our example distribution. Unfortunately it requires some
programming and Java knowledge, so not sure if helpful for you.
However I don't have anything better ATM, sorry... Our position is to
not add more supported LDAP servers, like Samba4, by ourselves. So
Samba4 would need to be community contribution (from you or someone
else). Also we will need to rely on community for additional maintenance
and testing.
[1] https://keycloak.gitbooks.io/server-developer-guide/content/
Marek
MJ
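As an added illustration of the approach Marek describes above (a subclass that overrides only onAuthenticationFailure and is deployed as a Keycloak provider), here is a sketch of what such a Samba4 mapper could look like. This is example code written for this thread, not code from Keycloak or from either poster. The package name, class names and provider id are hypothetical, and the exact constructor and factory method signatures are assumptions that must be checked against the Keycloak version actually installed: only MSADUserAccountControlStorageMapper, onAuthenticationFailure and the string "NT_STATUS_PWD_MUST_CHANGE" come from the thread.

```java
package org.example.keycloak.samba; // hypothetical package, not part of Keycloak

import javax.naming.AuthenticationException;

import org.keycloak.component.ComponentModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.storage.ldap.LDAPStorageProvider;
import org.keycloak.storage.ldap.idm.model.LDAPObject;
import org.keycloak.storage.ldap.mappers.AbstractLDAPStorageMapper;
import org.keycloak.storage.ldap.mappers.msad.MSADUserAccountControlStorageMapper;
import org.keycloak.storage.ldap.mappers.msad.MSADUserAccountControlStorageMapperFactory;

/**
 * Samba4 variant of the MSAD mapper. Everything is inherited; only the
 * bind-failure hook is overridden, because Samba reports an expired password
 * with the text NT_STATUS_PWD_MUST_CHANGE in the LDAP bind error instead of
 * the numeric "data" code that the MSAD parent class parses.
 */
public class Samba4UserAccountControlStorageMapper extends MSADUserAccountControlStorageMapper {

    static final String PWD_MUST_CHANGE = "NT_STATUS_PWD_MUST_CHANGE";

    // Constructor signature assumed to match AbstractLDAPStorageMapper in the installed version.
    public Samba4UserAccountControlStorageMapper(ComponentModel mapperModel, LDAPStorageProvider ldapProvider) {
        super(mapperModel, ldapProvider);
    }

    @Override
    public boolean onAuthenticationFailure(LDAPObject ldapUser, UserModel user,
                                           AuthenticationException ldapException, RealmModel realm) {
        String message = ldapException.getMessage();
        if (message != null && message.contains(PWD_MUST_CHANGE)) {
            // Same outcome the MSAD mapper produces for an expired password:
            // the login continues, but the user must set a new password first.
            user.addRequiredAction(UserModel.RequiredAction.UPDATE_PASSWORD);
            return true; // failure handled by this mapper
        }
        // Any other failure (wrong password, disabled account, ...) keeps the MSAD logic.
        return super.onAuthenticationFailure(ldapUser, user, ldapException, realm);
    }
}

/**
 * Factory that makes the mapper selectable in the admin console under its own id.
 * Registered via META-INF/services/org.keycloak.storage.ldap.mappers.LDAPStorageMapperFactory
 * (one line containing this class's fully qualified name) inside the provider JAR.
 */
class Samba4UserAccountControlStorageMapperFactory extends MSADUserAccountControlStorageMapperFactory {

    public static final String PROVIDER_ID = "samba4-user-account-control-mapper"; // hypothetical id

    @Override
    public String getId() {
        return PROVIDER_ID;
    }

    // Method name and visibility assumed from AbstractLDAPStorageMapperFactory; verify locally.
    @Override
    protected AbstractLDAPStorageMapper createMapper(ComponentModel mapperModel, LDAPStorageProvider federationProvider) {
        return new Samba4UserAccountControlStorageMapper(mapperModel, federationProvider);
    }
}
```

Packaged as a JAR with the services file and dropped into the server's deployment directory, the mapper shows up beside the MSAD one, and an administrator attaches it to the Samba4 LDAP federation provider instead of the MSAD mapper. The defensive point of delegating to super for every other failure is that account-disabled and bad-password handling stay exactly as tested for MSAD; only the one Samba-specific string is interpreted differently.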