[keycloak-user] active directory | change password after first login and account expiration
lists
lists at merit.unu.edu
Mon Dec 5 12:13:36 EST 2016
More specific info, and some examples. This is on keycloak 2.3.0.Final,
and I have configured the AD as a WRITABLE source.
On 5-12-2016 17:04, lists wrote:
> This does not seem to happen here. Is there anything else we need to do
> to get this functionality?
Setting the account flag "user must change password at next logon" in
ADUC gets imported into keycloak's "Update-Password" flag. Good.
However, when the "Update-Password" flag is set, that user can no longer
authenticate in keycloak at all, because of "Invalid Username or
Password". Not expected?
Also my test account will expire in 5 days. But keycloak does not
generate a warning like "You need to change your password in X days".
I'm simply granted access.
So, then for some more testing:
Removing the "User must change password at next logon" in ADUC, sync AD
into keycloak, and logging directly into the 'account' client on
https://keycloak.company.com/auth/realms/domain/account:
Access granted, now let's do some editing:
- I can edit my first and last name & changes are synced back to AD
- I can edit my email address, save, but the change is NOT synced back to
AD (and afterwards I can no longer edit my email back, because "User
with username 'test' already exists in Keycloak. It conflicts with LDAP
user with email 'test at company.com'").
Keycloak still only lists ONE user, searching for 'test'.
Then finally, trying to change a password gives an error:
> Could not modify attribute for DN [CN=ted t. test,CN=Users,DC=samba,DC=company,DC=com]
Are the above things working for others, or am I hitting some keycloak
bugs here?
MJ
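The two AD conditions this post reports (the "must change password at next logon" flag and an account that expires in a few days) can be checked directly on the directory entry, independently of what keycloak imports. The following is an added example by the editor, not code from MJ's post or from the Keycloak project; it assumes the standard AD semantics that `pwdLastSet` is 0 when the "must change password at next logon" flag is ticked and that `accountExpires` is a Windows FILETIME (100 ns ticks since 1601-01-01, with 0 or 0x7FFFFFFFFFFFFFFF meaning "never"). Neither attribute name appears in the post; the sample entry is constructed.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# Windows FILETIME epoch; accountExpires counts 100 ns ticks from here (assumed AD semantics).
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Either of these accountExpires values means the account never expires (assumed AD semantics).
_NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)
# Name of the keycloak required action the post calls the "Update-Password" flag.
UPDATE_PASSWORD = "Update-Password"


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a FILETIME tick count to a timezone-aware UTC datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used to build test entries."""
    return int((dt - _FILETIME_EPOCH).total_seconds() * 10_000_000)


def must_change_password(entry: dict) -> bool:
    """True when ADUC's 'user must change password at next logon' box is ticked (pwdLastSet == 0)."""
    return int(entry.get("pwdLastSet", 1)) == 0


def days_until_expiry(entry: dict, now: datetime) -> Optional[int]:
    """Whole days until accountExpires, None if the account never expires.

    The value goes negative once the account has already expired, because
    timedelta.days floors the difference.
    """
    raw = int(entry.get("accountExpires", 0))
    if raw in _NEVER_EXPIRES:
        return None
    return (filetime_to_datetime(raw) - now).days


def evaluate_entry(entry: dict, now: datetime, warn_days: int = 14) -> dict:
    """Summarise what an IdP should do with this AD entry at login time.

    Returns the required actions to apply and the warning text (if any) that
    the post expected keycloak to show, e.g. a 'change your password in X days'
    style notice for an account expiring inside the warning window.
    """
    actions = [UPDATE_PASSWORD] if must_change_password(entry) else []
    days = days_until_expiry(entry, now)
    warning = None
    if days is not None and days < 0:
        warning = "Account has expired"
    elif days is not None and days <= warn_days:
        warning = f"Account expires in {days} days"
    return {"required_actions": actions, "days_until_expiry": days, "warning": warning}


if __name__ == "__main__":
    # Constructed sample: the post's timestamp as 'now' and a test account
    # with the flag ticked and expiry five days out (values are made up).
    now = datetime(2016, 12, 5, 17, 13, 36, tzinfo=timezone.utc)
    sample = {
        "sAMAccountName": "test",
        "pwdLastSet": 0,
        "accountExpires": datetime_to_filetime(now + timedelta(days=5, hours=1)),
    }
    print(evaluate_entry(sample, now))
```

Running this against the constructed entry reports `Update-Password` as a required action and a five-day expiry warning, which is the combination the post describes AD presenting and keycloak not surfacing. To use it on real data, read the two attributes from the LDAP search result as integers; the conversion helpers are the only AD-specific logic.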