Hi Marek,
Thanks for the info.
On 6-12-2016 10:41, Marek Posolda wrote:
> We are testing with MSAD as an LDAP server and we use just the LDAP
> connection from Keycloak to CRUD users (and other data). I personally
> never saw the ADUC tool. It seems it is just something like a
> user-friendly frontend editor, but the actual user data are saved in
> the MSAD server, right? So is it using MSAD under the hood?
Exactly. It's the most regular, standard way to access MSAD to edit the
accounts it contains. :-)
We are running a samba4 AD, but we're still using the default MS tools
to maintain the AD.
> - The bug you reported related to email might be already fixed in
> latest master. See
> https://issues.jboss.org/browse/KEYCLOAK-4028 . You can
> either re-test with latest master and/or wait for the 2.5.0.CR1
Yep, will do.
> - The dialog like "You need to change your password in X days" - we
> don't have any support for it and we don't plan it ATM. However in case
> that user authenticates into Keycloak with his MSAD password, which is
> already expired, we allow the authentication, but user must immediately
> change his password (Required action "Update Password" is added to him
> and he is then required by Keycloak to update his password. Updated
> password is then propagated to MSAD).
Right. I'll try that.
Is there also support for password age? Like: every half year a user
should change his password? Could be done using the Pwd-Last-Set
attribute in MSAD.
(https://msdn.microsoft.com/en-us/library/ms679430(v=vs.85).aspx)
Reason we ask: In a regular MSAD domain, with Windows workstations
logging on, you can set those policies, and a workstation will prompt
the user that his password will expire in X days, and he needs to change it.
However, we have many remote users, who only use various web logons, and
who never log on locally on a domain-joined Windows workstation. For
these users, we currently have no way to make them change their
passwords regularly.
If Keycloak could check Pwd-Last-Set, and start prompting the user to
change it when it's older than X months/weeks, we would have a unified
password policy for *all* users, local and remote.
It's a gap in functionality in MSAD, that no tool offers in the case of
ldap-based web access.
MJ
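The check MJ describes (read pwdLastSet, work out the password age, and decide whether to warn or force a change) is mostly a matter of decoding the attribute correctly: MSAD stores pwdLastSet as a Windows FILETIME, the number of 100-nanosecond ticks since 1601-01-01 UTC, and a value of 0 means the user must change the password at next logon. The following Python is an added example written for this thread; it is not code from Keycloak, from Marek, or from MJ. The thresholds (182-day maximum age, 14-day warning window) and the sample pwdLastSet values are constructed for illustration, and the function that would fetch the attribute over LDAP is left out so the block runs offline.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME epoch and resolution (fact about the format, not an assumption).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_MICROSECOND = 10  # FILETIME counts 100 ns ticks; 10 ticks = 1 microsecond

def filetime_to_datetime(ticks: int) -> datetime:
    """Convert a pwdLastSet-style FILETIME tick count to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // TICKS_PER_MICROSECOND)

def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here to build constructed sample values."""
    delta = dt - FILETIME_EPOCH
    micros = (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * TICKS_PER_MICROSECOND

def evaluate_password_age(pwd_last_set, max_age_days: int, warn_days: int, now: datetime) -> dict:
    """
    Classify an account's password based on its pwdLastSet attribute.

    pwd_last_set may be an int or the decimal string/bytes an LDAP client returns.
    Returns a dict with:
      status    : 'must_change' (pwdLastSet == 0), 'expired', 'warn' or 'ok'
      days_left : whole days until the password reaches max_age_days (negative if past)
      last_set  : the decoded datetime, or None for pwdLastSet == 0
    The policy numbers (max_age_days, warn_days) are the caller's; they are not an AD setting read here.
    """
    if isinstance(pwd_last_set, bytes):
        pwd_last_set = pwd_last_set.decode("ascii")
    ticks = int(pwd_last_set)

    if ticks == 0:
        # AD semantics: 0 means "user must change password at next logon".
        return {"status": "must_change", "days_left": 0, "last_set": None}

    last_set = filetime_to_datetime(ticks)
    expires_at = last_set + timedelta(days=max_age_days)
    days_left = (expires_at - now).days

    if days_left < 0:
        status = "expired"
    elif days_left <= warn_days:
        status = "warn"
    else:
        status = "ok"
    return {"status": status, "days_left": days_left, "last_set": last_set}

# Constructed sample data: a fixed "now" and three accounts with different password ages.
NOW = datetime(2016, 12, 6, 10, 41, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = {
    "alice": str(datetime_to_filetime(NOW - timedelta(days=200))),  # changed 200 days ago
    "bob":   str(datetime_to_filetime(NOW - timedelta(days=175))),  # changed 175 days ago
    "carol": str(datetime_to_filetime(NOW - timedelta(days=10))),   # changed 10 days ago
    "dave":  "0",                                                    # must change at next logon
}

def classify_accounts(accounts: dict, max_age_days: int = 182, warn_days: int = 14, now: datetime = NOW) -> dict:
    """Run the age check over a {username: pwdLastSet} mapping and return {username: status}."""
    return {user: evaluate_password_age(value, max_age_days, warn_days, now)["status"]
            for user, value in accounts.items()}

if __name__ == "__main__":
    for user, value in SAMPLE_ACCOUNTS.items():
        result = evaluate_password_age(value, 182, 14, NOW)
        print(f"{user:6s} status={result['status']:12s} days_left={result['days_left']:4d} last_set={result['last_set']}")
```

In a real deployment the `SAMPLE_ACCOUNTS` mapping would be replaced by the pwdLastSet values read over the same LDAP connection Keycloak already uses; the `warn` status is the point at which a web login flow would start showing the "change your password" prompt, and `expired` or `must_change` is where a forced update (the Keycloak "Update Password" required action Marek mentions) would apply. Using `timedelta(microseconds=...)` with integer division keeps the conversion exact rather than going through floating-point seconds.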