[keycloak-user] active directory | change password after first login and account expiration
lists
lists at merit.unu.edu
Tue Dec 6 05:07:50 EST 2016
Hi Marek,
Thanks for the info.
On 6-12-2016 10:41, Marek Posolda wrote:
> We are testing with MSAD as an LDAP server and we use just the LDAP
> connection from Keycloak to CRUD users (and other data). I personally
> never saw the ADUC tool. It seems it is just something like a
> user-friendly frontend editor, but the actual user data are saved in
> MSAD server, right? So is it using MSAD under the hood?
Exactly. It's the most regular, standard way to access MSAD to edit the
accounts it contains. :-)
We are running a samba4 AD, but we're still using the default MS tools
to maintain the AD.
> - The bug you reported related to email might be already fixed in latest
> master. See https://issues.jboss.org/browse/KEYCLOAK-4028 . You can
> either re-test with latest master and/or wait for the 2.5.0.CR1
Yep, will do.
> - The dialog like "You need to change your password in X days" - we
> don't have any support for it and we don't plan it ATM. However in case
> that user authenticates into Keycloak with his MSAD password, which is
> already expired, we allow the authentication, but the user must immediately
> change his password (Required action "Update Password" is added to him
> and he is then required by Keycloak to update his password. Updated
> password is then propagated to MSAD).
Right. I'll try that.
Is there also support for password age? Like: every half year a user
should change his password? Could be done using the Pwd-Last-Set
attribute in MSAD.
(https://msdn.microsoft.com/en-us/library/ms679430(v=vs.85).aspx)
Reason we ask: In a regular MSAD domain, with Windows workstations
logging on, you can set those policies, and a workstation will prompt
the user that his password will expire in X days, and he needs to change it.
However, we have many remote users, who only use various web logons, and
who never log on locally on a domain-joined Windows workstation. For
these users, we currently have no way to make them change their
passwords regularly.
If Keycloak could check Pwd-Last-Set, and start prompting the user to
change it when it's older than X months/weeks, we would have a unified
password policy for *all* users, local and remote.
It's a gap in functionality in MSAD that no tool offers in the case of
LDAP-based web access.
MJ
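The check MJ describes (read pwdLastSet, compare its age against a maximum password age, and warn the user before the deadline) can be prototyped outside Keycloak. The block below is an added example written for this page; it is not Keycloak code and not part of the thread. It assumes a hypothetical policy of a 182-day maximum age with a 14-day warning window (in a real domain these would come from the domain's maxPwdAge and your own choice of warning period), uses constructed sample accounts rather than a live directory, and applies the standard AD conventions that pwdLastSet counts 100-nanosecond ticks since 1601-01-01 UTC, that a value of 0 means "must change at next logon", and that the userAccountControl bit 0x10000 (DONT_EXPIRE_PASSWD) exempts an account.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME epoch: pwdLastSet counts 100-nanosecond ticks since this instant.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
# userAccountControl bit meaning "password never expires".
DONT_EXPIRE_PASSWD = 0x10000


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a pwdLastSet value to an aware UTC datetime (integer math, no float loss)."""
    seconds, ticks = divmod(filetime, TICKS_PER_SECOND)
    return FILETIME_EPOCH + timedelta(seconds=seconds, microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here only to build the sample entries."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def evaluate_password_age(pwd_last_set, user_account_control, max_age, warn_before, now):
    """Classify one account against a maximum-password-age policy.

    Returns (status, days_remaining); days_remaining is None when no deadline applies.
    """
    if user_account_control & DONT_EXPIRE_PASSWD:
        return "exempt", None
    if pwd_last_set == 0:
        # AD convention: 0 means "user must change password at next logon".
        return "must_change", None
    expires_at = filetime_to_datetime(pwd_last_set) + max_age
    remaining = expires_at - now
    if remaining <= timedelta(0):
        return "expired", remaining.days
    if remaining <= warn_before:
        return "expiring_soon", remaining.days
    return "ok", remaining.days


def check_entries(entries, now, max_age=timedelta(days=182), warn_before=timedelta(days=14)):
    """Run the policy over LDAP-style entries; returns {sAMAccountName: (status, days)}.

    The 182-day / 14-day defaults are assumed policy values, not Keycloak or AD defaults.
    """
    return {
        e["sAMAccountName"]: evaluate_password_age(
            int(e["pwdLastSet"]), int(e["userAccountControl"]), max_age, warn_before, now
        )
        for e in entries
    }


# Constructed sample entries (hypothetical accounts, not taken from any real directory).
# 512 is the NORMAL_ACCOUNT bit of userAccountControl.
SAMPLE_NOW = datetime(2016, 12, 6, tzinfo=timezone.utc)
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "userAccountControl": 512,
     "pwdLastSet": datetime_to_filetime(datetime(2016, 11, 1, tzinfo=timezone.utc))},
    {"sAMAccountName": "bob", "userAccountControl": 512,
     "pwdLastSet": datetime_to_filetime(datetime(2016, 5, 1, tzinfo=timezone.utc))},
    {"sAMAccountName": "carol", "userAccountControl": 512,
     "pwdLastSet": datetime_to_filetime(datetime(2016, 6, 15, tzinfo=timezone.utc))},
    {"sAMAccountName": "dave", "userAccountControl": 512, "pwdLastSet": 0},
    {"sAMAccountName": "svc-backup", "userAccountControl": 512 | DONT_EXPIRE_PASSWD,
     "pwdLastSet": datetime_to_filetime(datetime(2014, 1, 1, tzinfo=timezone.utc))},
]

if __name__ == "__main__":
    for name, (status, days) in check_entries(SAMPLE_ENTRIES, SAMPLE_NOW).items():
        print(f"{name:12s} {status:14s} {'' if days is None else days}")
```

The "expiring_soon" and "expired" outcomes are the two points where a web login flow would need to act: show a warning with the remaining days, or force a password update before the session continues. Doing the arithmetic in integers matters because pwdLastSet values are around 1.3e17, which is beyond the exact range of a double.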