[keycloak-dev] Support for password-only sync in user federation

Marek Posolda mposolda at redhat.com
Tue Sep 25 02:45:34 EDT 2018


Yes, exactly.

For LDAP, you can already achieve this. You just need to make sure that the 
LDAP provider is configured with the WRITABLE edit mode and that the mappers for 
the various attributes (firstName, lastName, email) are configured with the 
"Read Only" switch ON and the "Always Read from LDAP" switch OFF. That 
way, if you update a user profile in Keycloak, the updates will go just to 
the Keycloak DB, not to LDAP, and Keycloak will read the values from the DB 
with higher preference than from LDAP. However, when a password is written 
in Keycloak, it will be updated in LDAP, and password verifications 
will also be triggered against LDAP. I've just tried it and it works as expected.

For the Kerberos provider, we don't yet have support for updating passwords. 
This will require an implementation of the "Kerberos Password Update" protocol. 
We already have a JIRA opened for it (we had a PR for this some time ago, 
but it added a bunch of ApacheDS dependencies, so we couldn't accept it).

For custom UserStorage providers written by you, you don't need a separate 
editMode either. In this case, you have control over your 
implementation and you can implement updates and reads exactly how you want.

IMO there is no need to introduce another EditMode value.

Marek


On 24/09/18 20:32, Stian Thorgersen wrote:
> I thought the question was to allow password changes with read-only and my
> assumption was that he wanted to change the password in Keycloak only.
>
> I'm no expert on the LDAP integration, but I believe you can control what
> attributes are written back to LDAP in the protocol mappers. So could you
> not achieve what you're thinking with simply setting all mappers to
> read-only?
>
> On Mon, 24 Sep 2018 at 11:43, Thomas Darimont <
> thomas.darimont at googlemail.com> wrote:
>
>> Hello Keycloak Developers,
>>
>> At the end of the recent DevNation Live session [1] A Deep Dive into
>> Keycloak, a user asked whether it would be possible to only sync password
>> changes back with a federated user store like LDAP or Kerberos.
>>
>> This would be very useful in integration scenarios where the user directory
>> admins want to keep control over user profiles.
>>
>> I looked at the code and it seems that one would need to add a new
>> UserStorageProvider.EditMode like PASSWORD_ONLY
>> and update the updateCredential [2] methods accordingly to allow credential
>> updates.
>>
>> Would this be sufficient or am I missing something?
>>
>> Cheers,
>> Thomas
>>
>> [1] https://www.youtube.com/watch?list=PLuWlr4oKSRUZj3ax5zG_t9KE6uwTb_0rU&time_continue=1&v=ZxpY_zZ52kU
>> [2] org.keycloak.storage.ldap.LDAPStorageProvider#updateCredential (and
>> similar methods for other providers)
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
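The setup Marek describes (provider WRITABLE, profile mappers "Read Only" ON and "Always Read from LDAP" OFF) is easy to get subtly wrong, since a single mapper left writable pushes profile edits back into LDAP and a single mapper left on "always read" silently discards the DB-side edit. The following is an added example, not code from this thread or from Keycloak itself: a small Python audit over the component representations the Keycloak Admin REST API returns (`GET /admin/realms/{realm}/components`). The config key names (`editMode`, `user.model.attribute`, `ldap.attribute`, `read.only`, `always.read.value.from.ldap`) and provider ids (`ldap`, `user-attribute-ldap-mapper`) are the ones behind the admin-console switches Marek names, as I know them; the component list below is constructed sample data, not a real realm export.

```python
"""Audit Keycloak LDAP federation components for the 'password-only sync'
pattern from the thread: LDAP provider in WRITABLE edit mode, and every
profile-attribute mapper read-only with 'always read from LDAP' off.

Added example, not Keycloak's own code. Config keys follow the component
representation of the Admin REST API as I know it; sample data is constructed.
"""
import copy
import json

LDAP_PROVIDER_ID = "ldap"
ATTR_MAPPER_ID = "user-attribute-ldap-mapper"
# Profile attributes that must stay in the Keycloak DB (Marek's list).
PROFILE_ATTRS = {"firstName", "lastName", "email"}

# Constructed sample of one LDAP provider and its mappers, abridged to the
# fields the audit needs. Admin API config values are single-element lists.
SAMPLE_COMPONENTS = [
    {"id": "ldap-1", "name": "corp-ldap", "providerId": LDAP_PROVIDER_ID,
     "providerType": "org.keycloak.storage.UserStorageProvider",
     "config": {"editMode": ["WRITABLE"],
                "connectionUrl": ["ldap://ldap.example.internal"]}},
    {"id": "m-user", "name": "username", "parentId": "ldap-1",
     "providerId": ATTR_MAPPER_ID,
     "config": {"user.model.attribute": ["username"], "ldap.attribute": ["uid"],
                "read.only": ["true"], "always.read.value.from.ldap": ["false"]}},
    {"id": "m-first", "name": "first name", "parentId": "ldap-1",
     "providerId": ATTR_MAPPER_ID,
     "config": {"user.model.attribute": ["firstName"], "ldap.attribute": ["givenName"],
                "read.only": ["true"], "always.read.value.from.ldap": ["false"]}},
    {"id": "m-last", "name": "last name", "parentId": "ldap-1",
     "providerId": ATTR_MAPPER_ID,
     "config": {"user.model.attribute": ["lastName"], "ldap.attribute": ["sn"],
                "read.only": ["true"], "always.read.value.from.ldap": ["false"]}},
    {"id": "m-email", "name": "email", "parentId": "ldap-1",
     "providerId": ATTR_MAPPER_ID,
     "config": {"user.model.attribute": ["email"], "ldap.attribute": ["mail"],
                "read.only": ["true"], "always.read.value.from.ldap": ["false"]}},
]


def _cfg(component, key, default=""):
    """Return the first value of a component config key, or default."""
    values = component.get("config", {}).get(key, [])
    return values[0] if values else default


def audit_password_only_sync(components):
    """Return a list of findings; an empty list means the realm matches the pattern."""
    findings = []
    providers = [c for c in components if c.get("providerId") == LDAP_PROVIDER_ID]
    if not providers:
        return ["no LDAP provider component found"]
    for prov in providers:
        mode = _cfg(prov, "editMode")
        if mode != "WRITABLE":
            # Password writes only reach LDAP in WRITABLE mode.
            findings.append(f"{prov['name']}: editMode is {mode or 'unset'}, "
                            "password updates need WRITABLE")
        for m in components:
            if m.get("parentId") != prov["id"] or m.get("providerId") != ATTR_MAPPER_ID:
                continue
            attr = _cfg(m, "user.model.attribute")
            if attr not in PROFILE_ATTRS:
                continue  # username/uuid mappers are out of scope here
            if _cfg(m, "read.only").lower() != "true":
                findings.append(f"{prov['name']}/{m['name']}: {attr} mapper is writable, "
                                "profile edits would be pushed to LDAP")
            if _cfg(m, "always.read.value.from.ldap").lower() == "true":
                findings.append(f"{prov['name']}/{m['name']}: {attr} mapper always reads "
                                "from LDAP, so DB-side profile edits are ignored")
    return findings


def build_profile_mapper(parent_id, user_attr, ldap_attr):
    """Build a compliant mapper representation for a profile attribute."""
    return {"name": user_attr, "parentId": parent_id, "providerId": ATTR_MAPPER_ID,
            "providerType": "org.keycloak.storage.ldap.mappers.LDAPStorageMapper",
            "config": {"user.model.attribute": [user_attr], "ldap.attribute": [ldap_attr],
                       "read.only": ["true"], "always.read.value.from.ldap": ["false"]}}


def sample_with(component_id, overrides):
    """Copy of SAMPLE_COMPONENTS with config overrides applied to one component."""
    comps = copy.deepcopy(SAMPLE_COMPONENTS)
    for c in comps:
        if c["id"] == component_id:
            for key, value in overrides.items():
                c["config"][key] = [value]
    return comps


if __name__ == "__main__":
    print("compliant sample:", audit_password_only_sync(SAMPLE_COMPONENTS))
    print("lastName writable:", audit_password_only_sync(
        sample_with("m-last", {"read.only": "false"})))
    print(json.dumps(build_profile_mapper("ldap-1", "email", "mail"), indent=2))
```

In practice the input would be the JSON from the components endpoint of the realm in question; the audit deliberately flags both failure modes separately, because a writable mapper and an "always read from LDAP" mapper break the pattern in opposite directions (LDAP gets overwritten vs. the Keycloak edit never shows up).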