Dear All, I've implemented this as a python script for now, hopefully this is useful to some, and hopefully something similar could be implemented for LDAP (although I imagine politically since SSSD cannot provide this data, and that's the preferred connection route for FreeIPA, it's not going to happen soon). requirements: ldap3, python-keycloak import python_freeipa import json import ldap3 from keycloak import KeycloakAdmin from datetime import datetime options['ipa_host'] = '' options['ipa_admin_user'] = '' options['ipa_base_dn'] = '' options['ipa_admin_dn'] = ','+options['ipa_base_dn'] options['keycloak_host'] = '' options['keycloak_admin_user'] = '' options['keycloak_storage_id'] = '' # Begin Keycloak Clietn keycloakClient = KeycloakAdmin(server_url='https://'+options['keycloak_host']+'/auth/', username=options['keycloak_admin_user'], password=keycloakAdminPassword, realm_name='master<https://'+options['keycloak_host']+'/auth/',%20username=options['keycloak_admin_user'],%20password=keycloakAdminPassword,%20realm_name='master>', verify=False) # Begin LDAP client ldapServer = ldap3.Server(options['ipa_host']) ldapClient = ldap3.Connection(ldapServer, user=options['ipa_admin_dn'], password=ipaAdminPassword, auto_bind=True) # Generate datestamp date = datetime.utcnow().strftime('%Y%m%d%H%M%S')+'Z' # Perform an LDAP sync for Keycloak keycloakClient.sync_users(storage_id=options['keycloak_storage_id'], action="triggerFullSync") # Search LDAP for expired passwords ldapClient.search('cn=users,cn=accounts,'+options['ipa_base_dn'], '(|(krbPasswordExpiration<='+date+')(!(krbPasswordExpiration=*)))', attributes=['uid','cn','krbLastPwdChange','krbPasswordExpiration','dn']) resetPasswordUsers = ldapClient.entries for user in resetPasswordUsers: user_id = keycloakClient.get_user_id(user.uid) keycloakClient.update_user(user_id=user_id, payload={"requiredActions":['UPDATE_PASSWORD']}) # Search LDAP for valid passwords ldapClient.search('cn=users,cn=accounts,'+options['ipa_base_dn'], '(krbPasswordExpiration>='+date+')', attributes=['uid','cn','krbLastPwdChange','krbPasswordExpiration','dn']) validPasswordUsers = ldapClient.entries for user in validPasswordUsers: user_id = keycloakClient.get_user_id(user.uid) keycloakClient.update_user(user_id=user_id, payload={"requiredActions":[]}) I've chopped some domain specific stuff from this so it might not be flawless, but hopefully a start for someone. Also no error checking involved here. Regards, Callum -- Callum Smith Research Computing Core Wellcome Trust Centre for Human Genetics University of Oxford e. callum@well.ox.ac.uk<mailto:callum@well.ox.ac.uk> On 16 Nov 2018, at 09:16, Callum Smith <callum@well.ox.ac.uk<mailto:callum@well.ox.ac.uk>> wrote: Dear Keycloakers, I was wondering, if Keycloak can accept the pwdLastSet from MSAD, why can it not use krbLastPwdChange from FreeIPA to allow for better integration of password resets? Surely this is possible and potentially even trivial to implement? Regards, Callum -- Callum Smith Research Computing Core Wellcome Trust Centre for Human Genetics University of Oxford e. callum@well.ox.ac.uk<mailto:callum@well.ox.ac.uk><mailto:callum@well.ox.ac.uk> _______________________________________________ keycloak-user mailing list keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org> https://lists.jboss.org/mailman/listinfo/keycloak-user

Dear Dmitry, Using the same method might it be possible to integrate the FreeIPA record of a user's OTP setup and sync that into Keycloak as well? Whilst it's possible to integrate OTP using LDAP or SSSD, neither of these are ideal, as the workflow is wrong to allow federated identity: If a user authenticates via external provider, OTP challenge should still be required. If the OTP is configured in Keycloak, this is done as a second authentication step which is perfect. If you are using LDAP/SSSD to do your OTP integration, the login step is bypassed with a federated account, and therefore the OTP step-up authentication is not performed. Additionally, it would be nice to expose as a SAML attribute whether the authentication was done with 2FA or not, which again is not possible unless Keycloak is the one handling the 2FA. So, in conclusion, could i sync OTP token data via the same LDAP connector or should I be looking to sync these externally? Another issue that I foresee - if the user is required to use OTP by the identity provider, then they are likely to need to enter the OTP at both the login AND the OTP step in Keycloak if this sync goes ahead, unless they use a federated identity. Which means that OTP has to be optional for the service by which Keycloak connects to IPA (LDAP) - even for users who we force OTP use. Regards, Callum -- Callum Smith Research Computing Core Wellcome Trust Centre for Human Genetics University of Oxford e. callum@well.ox.ac.uk<mailto:callum@well.ox.ac.uk> On 19 Nov 2018, at 19:30, Dmitry Telegin <dt@acutus.pro<mailto:dt@acutus.pro>> wrote: Hello Callum, If you want a 100% pure Keycloak solution, you can implement your own mapper by extending this one: https://github.com/keycloak/keycloak/blob/master/federation/ldap/src/main... and modifying it so that it uses krbLastPwdChange instead of pwdLastSet (LDAPConstants.PWD_LAST_SET). Then deploy it as a provider and use on your LDAP definition instead of the built-in "msad-user-account-control-mapper". Feel free to ask questions on provider development. Good luck, Dmitry Telegin CTO, Acutus s.r.o. Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71<tel:(022)%20888-30-71> E-mail: info@acutus.pro<mailto:info@acutus.pro> On Fri, 2018-11-16 at 16:27 +0000, Callum Smith wrote: Dear All, I've implemented this as a python script for now, hopefully this is useful to some, and hopefully something similar could be implemented for LDAP (although I imagine politically since SSSD cannot provide this data, and that's the preferred connection route for FreeIPA, it's not going to happen soon). requirements: ldap3, python-keycloak import python_freeipa import json import ldap3 from keycloak import KeycloakAdmin from datetime import datetime options['ipa_host'] = '' options['ipa_admin_user'] = '' options['ipa_base_dn'] = '' options['ipa_admin_dn'] = ','+options['ipa_base_dn'] options['keycloak_host'] = '' options['keycloak_admin_user'] = '' options['keycloak_storage_id'] = '' # Begin Keycloak Clietn keycloakClient = KeycloakAdmin(server_url='https://'+options['keycloak_host']+'/auth/', username=options['keycloak_admin_user'], password=keycloakAdminPassword, realm_name='master<https://'+options['keycloak_host']+'/auth/',%20username=options['keycloak_admin_user'],%20password=keycloakAdminPassword,%20realm_name='master><https://'+options['keycloak_host']+'/auth/',%20username=options['keycloak_admin_user'],%20password=keycloakAdminPassword,%20realm_name='master<https://'+options['keycloak_host']+'/auth/',%20username=options['keycloak_admin_user'],%20password=keycloakAdminPassword,%20realm_name='master>>', verify=False) # Begin LDAP client ldapServer = ldap3.Server(options['ipa_host']) ldapClient = ldap3.Connection(ldapServer, user=options['ipa_admin_dn'], password=ipaAdminPassword, auto_bind=True) # Generate datestamp date = datetime.utcnow().strftime('%Y%m%d%H%M%S')+'Z' # Perform an LDAP sync for Keycloak keycloakClient.sync_users(storage_id=options['keycloak_storage_id'], action="triggerFullSync") # Search LDAP for expired passwords ldapClient.search('cn=users,cn=accounts,'+options['ipa_base_dn'], '(|(krbPasswordExpiration<='+date+')(!(krbPasswordExpiration=*)))', attributes=['uid','cn','krbLastPwdChange','krbPasswordExpiration','dn']) resetPasswordUsers = ldapClient.entries for user in resetPasswordUsers: user_id = keycloakClient.get_user_id(user.uid) keycloakClient.update_user(user_id=user_id, payload={"requiredActions":['UPDATE_PASSWORD']}) # Search LDAP for valid passwords ldapClient.search('cn=users,cn=accounts,'+options['ipa_base_dn'], '(krbPasswordExpiration>='+date+')', attributes=['uid','cn','krbLastPwdChange','krbPasswordExpiration','dn']) validPasswordUsers = ldapClient.entries for user in validPasswordUsers: user_id = keycloakClient.get_user_id(user.uid) keycloakClient.update_user(user_id=user_id, payload={"requiredActions":[]}) I've chopped some domain specific stuff from this so it might not be flawless, but hopefully a start for someone. Also no error checking involved here. Regards, Callum -- Callum Smith Research Computing Core Wellcome Trust Centre for Human Genetics University of Oxford e. callum@well.ox.ac.uk<mailto:callum@well.ox.ac.uk><mailto:callum@well.ox.ac.uk> On 16 Nov 2018, at 09:16, Callum Smith <callum@well.ox.ac.uk<mailto:callum@well.ox.ac.uk><mailto:callum@well.ox.ac.uk>> wrote: Dear Keycloakers, I was wondering, if Keycloak can accept the pwdLastSet from MSAD, why can it not use krbLastPwdChange from FreeIPA to allow for better integration of password resets? Surely this is possible and potentially even trivial to implement? Regards, Callum -- Callum Smith Research Computing Core Wellcome Trust Centre for Human Genetics University of Oxford e. callum@well.ox.ac.uk<mailto:callum@well.ox.ac.uk><mailto:callum@well.ox.ac.uk><mailto:callum@well.ox.ac.uk> _______________________________________________ keycloak-user mailing list keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org><mailto:keycloak-user@lists.jboss.org> https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org> https://lists.jboss.org/mailman/listinfo/keycloak-user