[keycloak-user] active directory | change password after first login and account expiration

Marek Posolda mposolda at redhat.com
Tue Dec 6 03:22:40 EST 2016


We are testing with MSAD and that should work. We don't test with ADUC.

Marek

On 05/12/16 18:13, lists wrote:
> More specific info, and some examples. This is on keycloak 2.3.0.Final,
> and I have configured the AD as a WRITABLE source.
>
> On 5-12-2016 17:04, lists wrote:
>> This does not seem to happen here. Is there anything else we need to do
>> to get this functionality?
> Setting the account flag "user must change password at next logon" in
> ADUC gets imported into the keycloak's "Update-Password" flag. Good.
>
> However, when the "Update-Password"-flag is set, that user can no longer
> authenticate in keycloak at all, because of "Invalid Username or
> Password". Not expected..?
>
> Also my test account will expire in 5 days. But keycloak does not
> generate a warning like "You need to change your password in X days".
> I'm simply granted access.
>
> So, then for some more testing:
> Removing the "User must change password at next logon" in ADUC, sync AD
> into keycloak, and logging directly into the 'account' client on
> https://keycloak.company.com/auth/realms/domain/account:
>
> Access granted, now let's do some editing:
>
> - I can edit my first and last name & changes are synced back to AD
>
> - I can edit email address, save, but the change is NOT synced back to
> AD (and afterwards I can no longer edit my email back, because "User
> with username 'test' already exists in Keycloak. It conflicts with LDAP
> user with email 'test at company.com')
> Keycloak still only lists ONE user, searching for 'test'.
>
> Then finally, trying to change a password gives an error:
>> Could not modify attribute for DN [CN=ted t. test,CN=Users,DC=samba,DC=company,DC=com]
> Are the above things working for others, or am I hitting some keycloak
> bugs here?
>
> MJ
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
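The two AD states MJ is testing, "user must change password at next logon" and an account that expires in a few days, are carried by the LDAP attributes pwdLastSet and accountExpires. As an added example (not code from the thread or from Keycloak), the following script decodes those raw attribute values the way a sync or monitoring job would, so that an operator can see the "must change password" and "expires in N days" conditions before the user runs into a failed login. It assumes pwdLastSet == 0 means the flag is set and that accountExpires is a Windows FILETIME (100-ns ticks since 1601), both standard AD semantics; the mapping to Keycloak's UPDATE_PASSWORD required action is an assumption about the MSAD mapper, and all directory values below are constructed.

```python
"""Decode Active Directory pwdLastSet / accountExpires / userAccountControl
from raw LDAP values (bytes, str or int, as ldap3 or an export would hand them
back) into the states discussed in the thread. Example code, not from the
thread or from Keycloak; sample directory values are constructed."""
from datetime import datetime, timedelta, timezone

# Windows FILETIME epoch is 1601-01-01 UTC, counted in 100-nanosecond ticks.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# AD stores "account never expires" as either of these two values.
NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}
# userAccountControl bits (documented Microsoft values).
UAC_ACCOUNTDISABLE = 0x0002
UAC_DONT_EXPIRE_PASSWORD = 0x10000

# Constructed "current time": the date of the thread, used for the sample below.
SAMPLE_NOW = datetime(2016, 12, 6, tzinfo=timezone.utc)


def filetime_to_datetime(value):
    """Convert a FILETIME tick count to an aware UTC datetime."""
    ticks = int(value)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here to build the sample value."""
    delta = dt - FILETIME_EPOCH
    return int(delta.total_seconds()) * 10_000_000


def must_change_password(pwd_last_set):
    """AD writes pwdLastSet = 0 when 'User must change password at next logon'
    is ticked in ADUC; any other value is the time of the last password change."""
    return int(pwd_last_set) == 0


def days_until_expiry(account_expires, now):
    """Whole days until accountExpires, None if the account never expires,
    negative if it has already expired."""
    value = int(account_expires)
    if value in NEVER_EXPIRES:
        return None
    return (filetime_to_datetime(value) - now).days


def evaluate_entry(entry, now, warn_days=14):
    """Summarise one user entry. 'required_action' is the Keycloak required
    action this state is assumed to map to (UPDATE_PASSWORD), an assumption
    about the MSAD mapper rather than something taken from the thread."""
    uac = int(entry.get("userAccountControl", 0))
    expires_in = days_until_expiry(entry.get("accountExpires", 0), now)
    warnings = []
    if uac & UAC_ACCOUNTDISABLE:
        warnings.append("account is disabled")
    if expires_in is not None and expires_in < 0:
        warnings.append("account has expired")
    elif expires_in is not None and expires_in <= warn_days:
        warnings.append(f"account expires in {expires_in} days")
    change_required = must_change_password(entry.get("pwdLastSet", 1))
    if change_required and uac & UAC_DONT_EXPIRE_PASSWORD:
        # Both flags at once is contradictory in ADUC; surface it for the admin.
        warnings.append("must-change-password set together with DONT_EXPIRE_PASSWORD")
    return {
        "required_action": "UPDATE_PASSWORD" if change_required else None,
        "expires_in_days": expires_in,
        "warnings": warnings,
    }


# Constructed sample: a test user that must change password and expires on
# 2016-12-11, five days after SAMPLE_NOW (mirrors the situation in the thread).
SAMPLE_EXPIRES = datetime_to_filetime(datetime(2016, 12, 11, tzinfo=timezone.utc))
SAMPLE_ENTRY = {
    "pwdLastSet": b"0",
    "accountExpires": str(SAMPLE_EXPIRES).encode(),
    "userAccountControl": b"512",  # NORMAL_ACCOUNT, enabled
}

if __name__ == "__main__":
    print(evaluate_entry(SAMPLE_ENTRY, SAMPLE_NOW))
```

The same function can be run over a full export of the federated OU to list every user who will hit the "Update-Password" path or an expiry before the next sync, which is the warning the quoted message was looking for and which a login failure alone does not give.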



