[keycloak-dev] Support for password-only sync in user federation

Stian Thorgersen sthorger at redhat.com
Mon Sep 24 14:32:56 EDT 2018


I thought the question was to allow password changes with read-only and my
assumption was that he wanted the change password in Keycloak only.

I'm no expert on the LDAP integration, but I believe you can control what
attributes are written back to LDAP in the protocol mappers. So could you
not achieve what you're thinking with simply setting all mappers to
read-only?

On Mon, 24 Sep 2018 at 11:43, Thomas Darimont <thomas.darimont at googlemail.com> wrote:

> Hello Keycloak Developers,
>
> At the end of the recent DevNation Live session [1] A Deep Dive into Keycloak,
> a user asked whether it would be possible to only sync password changes back
> with a federated user store like LDAP or Kerberos.
>
> This would be very useful in integration scenarios where the user directory
> admins want to keep control over user profiles.
>
> I looked at the code and it seems that one would need to add a new
> UserStorageProvider.EditMode like PASSWORD_ONLY and update the
> updateCredential [2] methods accordingly to allow credential updates.
>
> Would this be sufficient or am I missing something?
>
> Cheers,
> Thomas
>
> [1] https://www.youtube.com/watch?list=PLuWlr4oKSRUZj3ax5zG_t9KE6uwTb_0rU&time_continue=1&v=ZxpY_zZ52kU
> [2] org.keycloak.storage.ldap.LDAPStorageProvider#updateCredential (and
> similar methods for other providers)