5:04 p.m.
Hi,
We have connected keycloak to our active directory (samba4-based) and
selected the "MSAD account controls" under mappings.
I thought this would give us access to dialogues like "Your password is
about to expire in X days. Would you like to change it now?" or "You
need to change your password after your first logon", etc.
This does not seem to happen here. Is there anything else we need to do
to get this functionality?
MJ
6:13 p.m.
More specific info, and some examples. This is on keycloak 2.3.0.Final,
and I have configured the AD as a WRITABLE source.
On 5-12-2016 17:04, lists wrote:
This does not seem to happen here. Is there anything else we need to
do
to get this functionality?
Setting the accountflag "user must change password at next logon" in
ADUC gets imported into the keycloak's "Update-Password" flag. Good.
However, when the "Update-Password"-flag is set, that user can no longer
authenticate in keycloak at all, because of "Invalid Username or
Password". Not expected..?
Also my test account will expire in 5 days. But keycloak does not
generate a warning like "You need to change your password in X days".
I'm simply granted access.
So, then for some more testing:
Removing the "User must change password at next logon" in ADUC, sync AD
into keycloak, and logging directly into the 'account' client on
https://keycloak.company.com/auth/realms/domain/account:
Access granted, now let's do some editing:
- I can edit my first and lastname & changes are synced back to AD
- I can edit email address, save, but the change is NOT synced back to
AD (and afterwards I can no longer edit my email back, because "User
with username 'test' already exists in Keycloak. It conflicts with LDAP
user with email 'test(a)company.com')
Keycloak still only lists ONE user, searching for 'test'.
Then finally, trying to change a password gives an error:
Could not modify attribute for DN [CN=ted t.
test,CN=Users,DC=samba,DC=company,DC=com]
Are the above things working for others, or am I hitting some keycloak
bugs here?
MJ
9:22 a.m.
We are testing with MSAD and that should work. We don't test with ADUC.
Marek
On 05/12/16 18:13, lists wrote:
More specific info, and some examples. This is on keycloak
2.3.0.Final,
and I have configured the AD as a WRITABLE source.
On 5-12-2016 17:04, lists wrote:
> This does not seem to happen here. Is there anything else we need to do
> to get this functionality?
Setting the accountflag "user must change password at next logon" in
ADUC gets imported into the keycloak's "Update-Password" flag. Good.
However, when the "Update-Password"-flag is set, that user can no longer
authenticate in keycloak at all, because of "Invalid Username or
Password". Not expected..?
Also my test account will expire in 5 days. But keycloak does not
generate a warning like "You need to change your password in X days".
I'm simply granted access.
So, then for some more testing:
Removing the "User must change password at next logon" in ADUC, sync AD
into keycloak, and logging directly into the 'account' client on
https://keycloak.company.com/auth/realms/domain/account:
Access granted, now let's do some editing:
- I can edit my first and lastname & changes are synced back to AD
- I can edit email address, save, but the change is NOT synced back to
AD (and afterwards I can no longer edit my email back, because "User
with username 'test' already exists in Keycloak. It conflicts with LDAP
user with email 'test(a)company.com')
Keycloak still only lists ONE user, searching for 'test'.
Then finally, trying to change a password gives an error:
> Could not modify attribute for DN [CN=ted t.
test,CN=Users,DC=samba,DC=company,DC=com]
Are the above things working for others, or am I hitting some keycloak
bugs here?
MJ
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
10:23 a.m.
Hi,
On 6-12-2016 9:22, Marek Posolda wrote:
We are testing with MSAD and that should work. We don't test with
ADUC.
I'm not sure I understand... You're testing with MSAD (="Micro Soft
Active Directory"?) and not ADUC ("Active Directory Users and
Computers") the default microsoft tool to add/edit users in an active
directory environment?
MJ
10:41 a.m.
We are testing with MSAD as an LDAP server and we use just the LDAP
connection from Keycloak to CRUD users (and other data). I personally
never saw the ADUC tool. It seems it is just something like
user-friendly frontend editory, but the actual user data are saved in
MSAD server, right? So is it using MSAD under the hood?
Few other comments:
- The bug you reported related to email might be already fixed in latest
master. See https://issues.jboss.org/browse/KEYCLOAK-4028 . You can
either re-test with latest master and/or wait for the 2.5.0.CR1
- The dialog like "You need to change your password in X days" - we
don't have any support for it and we don't plan it ATM. However in case
that user authenticates into Keycloak with his MSAD password, which is
already expired, we allow the authentication, but user must immediatelly
change his password (Required action "Update Password" is added to him
and he is then required by Keycloak to update his password. Updated
password is then propagated to MSAD).
Marek
On 06/12/16 10:23, lists wrote:
Hi,
On 6-12-2016 9:22, Marek Posolda wrote:
> We are testing with MSAD and that should work. We don't test with ADUC.
I'm not sure I understand... You're testing with MSAD (="Micro Soft
Active Directory"?) and not ADUC ("Active Directory Users and
Computers") the default microsoft tool to add/edit users in an active
directory environment?
MJ
11:07 a.m.
Hi Marek,
Thanks for the info.
On 6-12-2016 10:41, Marek Posolda wrote:
We are testing with MSAD as an LDAP server and we use just the LDAP
connection from Keycloak to CRUD users (and other data). I personally
never saw the ADUC tool. It seems it is just something like
user-friendly frontend editory, but the actual user data are saved in
MSAD server, right? So is it using MSAD under the hood?
Exactly. It's the most
regular, standard way to access MSAD to edit the
accounts it contains. :-)
We are running a samba4 AD, but we're still using the default MS tools
to maintain the AD.
- The bug you reported related to email might be already fixed in
latest
master. See https://issues.jboss.org/browse/KEYCLOAK-4028 . You can
either re-test with latest master and/or wait for the 2.5.0.CR1
Yep, will do.
- The dialog like "You need to change your password in X
days" - we
don't have any support for it and we don't plan it ATM. However in case
that user authenticates into Keycloak with his MSAD password, which is
already expired, we allow the authentication, but user must immediatelly
change his password (Required action "Update Password" is added to him
and he is then required by Keycloak to update his password. Updated
password is then propagated to MSAD).
Right. I'll try that.
Is there also support for password age? Like: every half year a user
should change his password? Could be done using the Pwd-Last-Set
attribute in MSAD.
(https://msdn.microsoft.com/en-us/library/ms679430(v=vs.85).aspx)
Reason we ask: In a regular MSAD domain, with windows workstations
logging on, you can set those policies, and a workstation will prompt
the user that his password will expire in X days, and he needs to change it.
However, we have many remote users, who only use various web logons, and
who never logon locally on a domain joined windows workstation. For
these users, we currently have no way to make them change their
passwords regularly.
If keycloak could check Pwd-Last-Set, and start prompting the user to
change it when it's older then X months/weeks, we would have a unified
password policy for *all* users, local and remote.
It's a gap in functionality in MSAD, that no tool offers in the case of
ldap-based web access.
MJ
11:21 a.m.
Hi,
Is there also support for password age? Like: every half year a user
should change his password? Could be done using the Pwd-Last-Set
attribute in MSAD.
(https://msdn.microsoft.com/en-us/library/ms679430(v=vs.85).aspx)
Correct link:
https://msdn.microsoft.com/en-us/library/ms679430.aspx
Searching jira, i found some more MSAD related issues.
Seems we're also hitting this bug, in the case of users changing their
own password:
https://issues.jboss.org/browse/KEYCLOAK-2333
Last update on that bug: "Provisionally set to 2.5.0.CR1 to investigate
effort required."
Is it already decided/clear if end-users changing their own MSAD
passwords will work in keycloak 2.5.0?
MJ
2706
days inactive
2707
days old
6 comments
2 participants
participants (2)
-
lists -
Marek Posolda