Hi,
Keycloak 2.5.0, added MSAD (samba4) as a writeable federation provider,
verified that the MSAD account controls mapper is added.
When an end-user logs into the keycloak account client
(/auth/realms/ourrealm/account) he/she has the option to change his/her
password.
However, keycloak says:
Could not modify attribute for DN [CN=ted t.
test,CN=Users,DC=samba,DC=company,DC=com]
Note: I used "ABC-def123_*%#" as a password, so I guess MSAD password
policies are not the problem here.
Additionally, I was under the impression that I should be able to logon
when in MSAD the "user is required to change password on next login",
and keycloak would require me to change it. However, in that case I'm
just getting an "Invalid username or password".
I asked about these things before, but was told to test the new 2.5.0,
because the problem could have been solved already. However, I'm trying
with 2.5.0, and the behaviour is still there.
Is this functionality working for others using MSAD here? (perhaps
others with samba4 AD?)
Best regards,
MJ