[keycloak-user] active directory | end user password change
mj
lists at merit.unu.edu
Wed Jan 11 06:21:09 EST 2017
Ok, after testing some more, it seems things DO work.
Unexpectedly for us, for password changes for END-USERS to work, the
keycloak AD service account needs "Domain Admins" permissions.
We expected the end-user password change to be done logged on *as* the
end-user himself, with a delete and an add operation. No need
for Domain Admin access level.
This is what microsoft says on that subject:
> There are two possible ways to modify the unicodePwd attribute. The
> first is similar to a normal "user change password" operation. In
> this case, the modify request must contain both a delete and an add
> operation. The delete operation must contain the current password
> with quotes around it. The add operation must contain the desired new
> password with quotes around it.
>
> The second way to modify this attribute is analogous to an
> administrator resetting a password for a user. In order to do this,
> the client must bind as a user with sufficient permissions to modify
> another user's password. This modify request should contain a single
> replace operation with the new desired password surrounded by quotes.
> If the client has sufficient permissions, this password becomes the
> new password, regardless of what the old password was.
Anyway: the password change works for us (on samba AD) too. Thanks.
Best regards,
MJ
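As an added illustration (not code from this post, from Keycloak, or from Microsoft), the following Python sketch builds the two unicodePwd modify shapes the quoted Microsoft text describes: the self-service delete+add that works when bound as the user, and the single replace that needs a privileged bind. The tuple layout and function names are assumptions of mine; no LDAP connection is made.

```python
# Added example: the two ways to modify unicodePwd, expressed as the
# (operation, attribute, values) tuples an LDAP client would send over an
# encrypted (LDAPS/StartTLS) connection. AD rejects unicodePwd writes on
# a plaintext connection, and requires each value to be the password
# wrapped in double quotes and encoded as UTF-16LE.
from typing import List, Tuple

Mod = Tuple[str, str, List[bytes]]  # assumed shape: (op, attribute, values)


def encode_unicode_pwd(password: str) -> bytes:
    """Wrap the password in double quotes and encode it as UTF-16LE."""
    return f'"{password}"'.encode("utf-16-le")


def decode_unicode_pwd(value: bytes) -> str:
    """Inverse of encode_unicode_pwd; rejects values missing the quotes."""
    text = value.decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("unicodePwd value must be enclosed in double quotes")
    return text[1:-1]


def user_change_modlist(current: str, new: str) -> List[Mod]:
    """Self-service change: bind as the user, then delete the current
    value and add the new one in a single modify request. The directory
    verifies the deleted value matches the current password, so the
    binding account needs no reset rights on other users."""
    return [
        ("delete", "unicodePwd", [encode_unicode_pwd(current)]),
        ("add", "unicodePwd", [encode_unicode_pwd(new)]),
    ]


def admin_reset_modlist(new: str) -> List[Mod]:
    """Administrative reset: bind as an account with reset-password
    rights on the target and send one replace; the old password is
    not checked, which is why this path needs a privileged account."""
    return [("replace", "unicodePwd", [encode_unicode_pwd(new)])]


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for op, attr, vals in user_change_modlist("OldPassw0rd", "NewPassw0rd"):
        print(op, attr, [decode_unicode_pwd(v) for v in vals])
    print(admin_reset_modlist("NewPassw0rd")[0][0])
```

Which of the two shapes a connector sends is what decides whether its service account can stay unprivileged.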