[keycloak-dev] Password Changes with Kerberos

Marek Posolda mposolda at redhat.com
Mon Jan 30 03:51:25 EST 2017

Yes, we don't yet have support for this. The problems I can see is:

- It seems that both ApacheDS based solution and "embeddded kpasswd 
process" based solution requires the old password of user. But In 
Keycloak we don't usually have the old password of user (eg. when admin 
changes password, or during UPDATE_PASSWORD require action etc. Just the 
account management is the only place where existing password is available).
- Another question is, if ApacheDS based approach really uses just the 
kerberos standards and works for the other Kerberos vendors besides 
ApacheDS (MSAD, FreeIPA, MIT Kerberos)

Feel free to create a JIRA, however not sure if we add that in the near 


On 26/01/17 22:16, Steven Mirabito wrote:
> Hi all,
> I didn't see anything in Jira regarding this, so I figured I'd ask here. I
> have an organization that uses OpenLDAP and Kerberos to authenticate users,
> and have set up an LDAP federation provider and enabled Kerberos
> integration. That part works great, but if I enable write on the federation
> provider and try to change a user's password, it attempts to update the
> password through LDAP and not Kerberos. I took a look
> at LDAPStorageProvider.java and it appears that there isn't support for
> updating credentials via Kerberos when Kerberos integration is enabled, and
> the Kerberos federation provider itself doesn't currently support password
> changes.
> As this is necessary to enable password changes through Keycloak for my
> organization, I wanted to reach out and see if there were any suggestions
> as to how I could go about implementing this and to get any feedback or
> concerns regarding this feature. It looks fairly simple to implement with
> the ApacheDS kerberos-client: http://stackoverflow.com/a/34575316
> Thanks!
> -Steven
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev

More information about the keycloak-dev mailing list