Hi Marek,
Thank you for the extensive answer. Before I imported the users in Keycloak
I moved them from a different OU, and half of them got marked with the
Update_password flag and deactivated in AD (I am still wondering what caused
that...). Once they've been corrected at the AD level the UPDATE_PASSWORD
required action was gone, in accordance with your explanation.
Adrian
On Mon, Oct 9, 2017 at 3:21 PM, Marek Posolda <mposolda(a)redhat.com> wrote:
It's added by the MSAD account controls mapper. The mapper sees the state in
which the MSAD account is (based on userAccountControls or pwdLastSet
attributes) and once it requires updating the password, it is required from
the Keycloak as well. Hence Keycloak adds the requiredAction
UPDATE_PASSWORD to the user.
What is the mode of your LDAP (WRITABLE, READ_ONLY or UNSYNCED)? In case
that your MSAD is read-only, then removing the requiredAction likely
doesn't work as MSAD can't be updated from Keycloak. Does Keycloak display
some error message in the admin console? Is there something in the log when
you enable DEBUG logging for class
org.keycloak.storage.ldap.mappers.msad.MSADUserAccountControlStorageMapper?
You can manually remove the mapper and then requiredAction shouldn't be
present. However your users likely won't be able to log in to the MSAD in
case that their account is not in the proper state, which allows login
(Mapper impl is supposed to catch the MSAD error message and handle it and
convert to the Keycloak requiredAction).
Marek
On 09/10/17 09:55, Adrian Matei wrote:
Hi Guys,
We've imported some Users from AD and they now have UPDATE_PASSWORD action
required, although this was not marked as *default_action*. The thing is
that we cannot click that away as admins - on top of that the
UPDATE_PASSWORD is not present in the USER_REQUIRED_ACTION table...
Any ideas? Would be very much appreciated...
Best regards,
Adrian
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
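
The check described in Marek's reply, as an added example that is not part of the original thread and is not Keycloak's mapper code: a Python audit that reads `userAccountControl` and `pwdLastSet` from exported AD entries and lists the accounts that would arrive disabled or with UPDATE_PASSWORD. It assumes the rule keys on `pwdLastSet` being 0 and on the ACCOUNTDISABLE bit; the function names and sample entries are constructed.

```python
from datetime import datetime, timedelta, timezone

# Microsoft-documented userAccountControl bit for a disabled account.
UF_ACCOUNTDISABLE = 0x0002
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def _int_attr(entry, name):
    """LDAP clients hand back str, bytes or one-element lists; return int or None."""
    value = entry.get(name)
    if isinstance(value, (list, tuple)):
        value = value[0] if value else None
    if isinstance(value, bytes):
        value = value.decode("ascii", "replace")
    try:
        return int(value)
    except (TypeError, ValueError):
        return None

def account_state(entry):
    """Assumed model of the rule in the thread, not Keycloak's mapper code."""
    uac = _int_attr(entry, "userAccountControl")
    pwd_last_set = _int_attr(entry, "pwdLastSet")
    must_change = pwd_last_set == 0  # AD stores 0 for "change password at next logon"
    set_at = None
    if pwd_last_set:  # non-zero FILETIME: 100 ns ticks since 1601-01-01 UTC
        set_at = FILETIME_EPOCH + timedelta(microseconds=pwd_last_set // 10)
    return {
        "disabled_in_ad": uac is not None and bool(uac & UF_ACCOUNTDISABLE),
        "password_set_at": set_at,
        "required_actions": ["UPDATE_PASSWORD"] if must_change else [],
    }

def audit(entries):
    """Return sAMAccountName -> state for every account the rule would flag."""
    flagged = {}
    for entry in entries:
        state = account_state(entry)
        if state["disabled_in_ad"] or state["required_actions"]:
            flagged[entry.get("sAMAccountName", "<unknown>")] = state
    return flagged

# Constructed sample entries (not taken from the thread).
SAMPLE = [
    {"sAMAccountName": "alice", "userAccountControl": "512", "pwdLastSet": "131520000000000000"},
    {"sAMAccountName": "bob", "userAccountControl": "514", "pwdLastSet": "0"},
    {"sAMAccountName": "carol", "userAccountControl": [b"512"], "pwdLastSet": [b"0"]},
]

if __name__ == "__main__":
    for name, state in audit(SAMPLE).items():
        print(name, state)
```

Running this against an export taken before the Keycloak import shows which accounts need correcting in AD first, which is where the fix has to happen when the LDAP provider is read-only.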