[keycloak-dev] Keycloak to OpenLDAP - Password Policies

Jamie McDowell jambo_mcd at yahoo.co.uk
Fri Aug 24 05:15:07 EDT 2018


Hi Devs,

I would appreciate it if you could help me with an issue I have with password policies federating from Keycloak (v3.4.3) to OpenLDAP. I have created 2 password policies on the OpenLDAP server, where I require one for end users and one for service accounts; these are defined in the specific OUs where the accounts are held.

I have set the password policies for both users and service accounts (policy module, schema, overlay etc.) and can confirm that the policy is being picked up on the OpenLDAP host when I run the command ldappasswd for the user and enter fewer characters than the required password length (for example).

The issue I have is that within Keycloak I haven't set any password policies, as I would like this to use the one I have created within the OpenLDAP server. Can Keycloak be configured so that it must check against the OpenLDAP password policy? I have one realm set up along with a client.

I have been trying to get this working now for the last 10 days and not getting very far.

Within my LDAP Mapper I have tried creating a msad-user-account-control-mapper, however this does not work; I get an error when resetting my user password: "Failed to update password in Active Directory. Exception message: [LDAP: error code 17 - pwdLastSet: attribute type undefined"

I would have expected something like this considering I am not using AD.

Any suggestions would be appreciated.

Regards,
Jamie
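The two-policy OpenLDAP setup described in the mail above, as an added example (it is not part of the original message and not Keycloak's or OpenLDAP's own code): an LDIF that loads the ppolicy overlay, defines one policy for end users and one for service accounts, and binds a service account to its policy. The base DN, OU names, the database index `{1}mdb` and all numeric limits are assumptions; the explicit `pwdPolicySubentry` step is included because the ppolicy overlay applies either its configured default policy or one referenced directly from the entry, not a policy chosen by the entry's OU.

```ldif
# Added example, not from the original mail. All DNs and values are assumed.

# 1. Attach the ppolicy overlay to the data database and make the end-user
#    policy the default for any entry that does not reference its own.
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=users-policy,ou=Policies,dc=example,dc=com

# 2. End-user policy: minimum length, password history, age and lockout
#    after repeated bind failures (durations are in seconds).
dn: cn=users-policy,ou=Policies,dc=example,dc=com
changetype: add
objectClass: organizationalRole
objectClass: pwdPolicy
cn: users-policy
pwdAttribute: userPassword
pwdMinLength: 12
pwdCheckQuality: 2
pwdInHistory: 5
pwdMaxAge: 7776000
pwdMaxFailure: 5
pwdLockout: TRUE
pwdLockoutDuration: 900
pwdAllowUserChange: TRUE

# 3. Service-account policy: longer secrets, no expiry (0 = never), and no
#    self-service password change, so rotation is done by an administrator.
dn: cn=service-policy,ou=Policies,dc=example,dc=com
changetype: add
objectClass: organizationalRole
objectClass: pwdPolicy
cn: service-policy
pwdAttribute: userPassword
pwdMinLength: 32
pwdCheckQuality: 2
pwdMaxAge: 0
pwdMaxFailure: 10
pwdLockout: TRUE
pwdAllowUserChange: FALSE

# 4. ppolicy does not inherit by OU: each service account must reference
#    the non-default policy itself.
dn: uid=svc-keycloak,ou=ServiceAccounts,dc=example,dc=com
changetype: modify
replace: pwdPolicySubentry
pwdPolicySubentry: cn=service-policy,ou=Policies,dc=example,dc=com
```

A password change that violates `pwdMinLength` or `pwdCheckQuality` is then rejected by slapd with a constraint violation, which is the behaviour the mail reports seeing through ldappasswd.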

