[jboss-jira] [JBoss JIRA] (WFLY-13013) Elytron LDAP can't set-password in Active Directory or react to external changes
Darran Lofthouse (Jira)
issues at jboss.org
Sat Jan 25 03:11:00 EST 2020
[ https://issues.redhat.com/browse/WFLY-13013?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Darran Lofthouse reassigned WFLY-13013:
---------------------------------------
Assignee: (was: Darran Lofthouse)
> Elytron LDAP can't set-password in Active Directory or react to external changes
> --------------------------------------------------------------------------------
>
> Key: WFLY-13013
> URL: https://issues.redhat.com/browse/WFLY-13013
> Project: WildFly
> Issue Type: Feature Request
> Components: Security
> Affects Versions: 18.0.1.Final, 19.0.0.Beta1
> Reporter: David Guthrie
> Priority: Major
> Labels: active-directory, cache, elytron, ldap
>
> The caching realm seems to work as advertised with open ldap and Red Hat Directory Server when I add a user-password-mapper after setting:
> <user-password-mapper from="userPassword" writable="true" verifiable="true" />
> When I change the password in LDAP, the caching realm reacts, and I can login with the new password. Also when I call `set-password`:
> /subsystem=elytron/ldap-realm=ldap-realm:set-password(identity=testUser, clear={password="1A3b6w"})
> It changes the password correctly in LDAP.
> Neither of these work in Active Directory. Active Directory stores the password, by default using the field "UnicodePwd" rather than "userPassword", so I tried having them map the user password to that field:
> /subsystem=elytron/ldap-realm=ldap-realm:write-attribute(name=identity-mapping.user-password-mapper.from, value=UnicodePwd)
> But it can't set the password because the password code needs to write it with a different character set when writing to Active Directory. See the difference between the code in ldap/UserPasswordCredentialLoader.java and the special case for Active Directory in Keycloak[1]
> It can't react to external changes to the directory because Active Directory doesn't support the listening mechanism used.
> There is a potential to be able to change the Active Directory settings so "userPassword" runs in compatibility mode[2], but that's not a normal thing to be able to do in most environments.
> [1] Keycloak - AD UnicodePWD https://github.com/keycloak/keycloak/blob/e12c245355f5fcbabab4a6807a9975fd8c7b04de/federation/ldap/src/main/java/org/keycloak/storage/ldap/idm/store/ldap/LDAPIdentityStore.java#L320
> [2] https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/f3adda9f-89e1-4340-a3f2-1f0a6249f1f8
--
This message was sent by Atlassian Jira
(v7.13.8#713008)
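The encoding difference the report points at, shown as an added example. This is not code from the bug report, from WildFly/Elytron or from Keycloak; it only reproduces the Active Directory convention that Keycloak's special case implements: the clear password is wrapped in double quotes and written to `unicodePwd` as UTF-16LE, whereas OpenLDAP and Red Hat Directory Server take the UTF-8 string in `userPassword`. The two DNs and the LDIF helper are assumptions made for the illustration; the password `1A3b6w` is the one from the report.

```python
import base64

# Constructed sample DNs for the illustration; they are not from the report.
AD_DN = "CN=testUser,CN=Users,DC=example,DC=com"
OPENLDAP_DN = "uid=testUser,ou=People,dc=example,dc=com"


def encode_ad_unicode_pwd(password: str) -> bytes:
    """Active Directory's unicodePwd attribute takes the clear password
    wrapped in double quotes and encoded as UTF-16LE (no BOM, no
    terminator). This is the AD special case the report refers to."""
    return f'"{password}"'.encode("utf-16-le")


def decode_ad_unicode_pwd(value: bytes) -> str:
    """Inverse of encode_ad_unicode_pwd, for checking an LDIF or a captured
    modify. AD itself never returns unicodePwd from a search, so a realm
    cannot read it back to verify a password."""
    text = value.decode("utf-16-le")
    if len(text) < 2 or not (text.startswith('"') and text.endswith('"')):
        raise ValueError("unicodePwd value is not a quoted UTF-16LE string")
    return text[1:-1]


def encode_openldap_user_password(password: str) -> bytes:
    """OpenLDAP and Red Hat Directory Server accept the clear password in
    userPassword as UTF-8; whether the server stores it hashed is a matter
    of its password policy, not of the encoding sent on the wire."""
    return password.encode("utf-8")


def _ldif_safe_string(value: bytes) -> bool:
    """Conservative subset of RFC 2849 SAFE-STRING: printable ASCII and no
    leading space, ':' or '<'. Anything else must use the base64 ('::') form."""
    if not value:
        return True
    if value[0] in b" :<":
        return False
    return all(0x20 <= b < 0x7F for b in value)


def ldif_modify_replace(dn: str, attr: str, value: bytes) -> str:
    """Build one LDIF 'changetype: modify' record replacing attr with value,
    switching to the '::' base64 form when the value is not a safe string."""
    if _ldif_safe_string(value):
        value_line = f"{attr}: {value.decode('ascii')}"
    else:
        value_line = f"{attr}:: {base64.b64encode(value).decode('ascii')}"
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        f"replace: {attr}",
        value_line,
        "-",
        "",
    ])


def set_password_ldif(directory: str, dn: str, password: str) -> str:
    """The LDIF a set-password would have to send for the given directory
    flavour: 'ad' or 'openldap' (RHDS behaves like the latter)."""
    if directory == "ad":
        return ldif_modify_replace(dn, "unicodePwd", encode_ad_unicode_pwd(password))
    if directory == "openldap":
        return ldif_modify_replace(dn, "userPassword", encode_openldap_user_password(password))
    raise ValueError(f"unknown directory flavour: {directory!r}")


def unicode_pwd_from_ldif(ldif: str) -> bytes:
    """Pull the base64 unicodePwd value back out of an LDIF record."""
    for line in ldif.splitlines():
        if line.startswith("unicodePwd:: "):
            return base64.b64decode(line[len("unicodePwd:: "):])
    raise ValueError("no base64 unicodePwd line in record")


if __name__ == "__main__":
    for flavour, dn in (("openldap", OPENLDAP_DN), ("ad", AD_DN)):
        print(f"# {flavour}")
        print(set_password_ldif(flavour, dn, "1A3b6w"))
```

Two operational caveats go with the encoding: Active Directory only accepts a `unicodePwd` modify over a confidential connection (LDAPS or a TLS-protected session; otherwise it answers unwillingToPerform), and a `replace` is an administrative reset that needs the Reset Password right on the object, while a user changing their own password sends a delete of the old quoted value and an add of the new one in a single modify. Because `unicodePwd` is never returned on a search, a realm that expects to read the attribute back (the `verifiable="true"` mapping in the report) cannot work against AD even once the write encoding is right.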