[keycloak-user] active directory | end user password change

Marek Posolda mposolda at redhat.com
Wed Jan 11 16:36:00 EST 2017


There is JIRA created on that subject 
https://issues.jboss.org/browse/KEYCLOAK-2333 . I hope to look at it for 
this release, but not sure due to other tasks... Thanks for the update.

Marek

On 11/01/17 12:21, mj wrote:
> Ok, after testing some more, it seems things DO work.
>
> Unexpectedly for us, for password changes for END-USERS to work, the
> keycloak AD service account needs "Domain Admins" permissions.
>
> We expected the end-user password change to be done logged on *as* the
> end-user himself, with a delete and an add operation. No need
> for Domain Admin access level.
>
> This is what microsoft says on that subject:
>
>> There are two possible ways to modify the unicodePwd attribute. The
>> first is similar to a normal "user change password" operation. In
>> this case, the modify request must contain both a delete and an add
>> operation. The delete operation must contain the current password
>> with quotes around it. The add operation must contain the desired new
>> password with quotes around it.
>>
>> The second way to modify this attribute is analogous to an
>> administrator resetting a password for a user. In order to do this,
>> the client must bind as a user with sufficient permissions to modify
>> another user's password. This modify request should contain a single
>> replace operation with the new desired password surrounded by quotes.
>> If the client has sufficient permissions, this password becomes the
>> new password, regardless of what the old password was.
>
> Anyway: the password change works for us (on samba AD) too. Thanks.
>
> Best regards,
> MJ
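The two unicodePwd modify forms the quoted Microsoft text describes, as an added worked example that is not part of the thread and not Keycloak's or Microsoft's code. It builds the "user change" request (delete current value + add new value in one modify, bound as the user) and the "administrator reset" request (single replace, bound as an account with reset rights), first as a modlist and then as the BER-encoded LDAPMessage/ModifyRequest per RFC 4511, and decodes the bytes again so they can be inspected offline. The DN `CN=mj,CN=Users,DC=example,DC=test` and the passwords are constructed sample values; nothing here contacts a directory server.

```python
"""Build and inspect the two LDAP modify requests Active Directory accepts
for unicodePwd (added example; no server is contacted)."""

ADD, DELETE, REPLACE = 0, 1, 2          # RFC 4511 ModifyRequest operation codes
UNICODE_PWD = "unicodePwd"


def encode_unicode_pwd(password: str) -> bytes:
    """AD takes unicodePwd only as the password wrapped in double quotes and
    encoded as UTF-16LE; a plain UTF-8 string is rejected."""
    return f'"{password}"'.encode("utf-16-le")


def decode_unicode_pwd(value: bytes) -> str:
    """Inverse of encode_unicode_pwd, used to verify round-trips."""
    text = value.decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("unicodePwd value is not a double-quoted string")
    return text[1:-1]


def user_change_modlist(old_password: str, new_password: str):
    """Form 1: delete the current value and add the new one in a single request.
    The directory checks that the deleted value matches the current password."""
    return [
        (DELETE, UNICODE_PWD, [encode_unicode_pwd(old_password)]),
        (ADD, UNICODE_PWD, [encode_unicode_pwd(new_password)]),
    ]


def admin_reset_modlist(new_password: str):
    """Form 2: replace the value; the old password is neither sent nor checked."""
    return [(REPLACE, UNICODE_PWD, [encode_unicode_pwd(new_password)])]


# --- minimal definite-length BER encoding of LDAPMessage / ModifyRequest ------

def _ber_len(n: int) -> bytes:
    """Short form below 128; long form (0x80 | byte count, then big-endian) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(content)) + content


def _ber_int(n: int) -> bytes:
    """INTEGER, two's complement, minimal length (0x00 prefix when bit 7 is set)."""
    return _tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))


def modify_request(message_id: int, dn: str, modlist) -> bytes:
    """LDAPMessage { messageID, ModifyRequest { object, changes } } as wire bytes."""
    changes = b"".join(
        _tlv(0x30,                                    # SEQUENCE { operation, modification }
             _tlv(0x0A, bytes([op]))                   # ENUMERATED add(0)/delete(1)/replace(2)
             + _tlv(0x30,                              # PartialAttribute
                    _tlv(0x04, attr.encode("utf-8"))   # AttributeDescription
                    + _tlv(0x31, b"".join(_tlv(0x04, v) for v in vals))))  # SET OF values
        for op, attr, vals in modlist)
    protocol_op = _tlv(0x66, _tlv(0x04, dn.encode("utf-8")) + _tlv(0x30, changes))  # [APPLICATION 6]
    return _tlv(0x30, _ber_int(message_id) + protocol_op)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_modify_request(msg: bytes):
    """Decode bytes from modify_request back into (message_id, dn, modlist)."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(body, 0)
    tag, req, _ = _read_tlv(body, pos)
    if tag != 0x66:
        raise ValueError("not a ModifyRequest")
    _, dn, pos = _read_tlv(req, 0)
    _, changes, _ = _read_tlv(req, pos)
    modlist, pos = [], 0
    while pos < len(changes):
        _, change, pos = _read_tlv(changes, pos)
        _, op, p = _read_tlv(change, 0)
        _, attr_seq, _ = _read_tlv(change, p)
        _, attr, p = _read_tlv(attr_seq, 0)
        _, vals, _ = _read_tlv(attr_seq, p)
        values, vp = [], 0
        while vp < len(vals):
            _, v, vp = _read_tlv(vals, vp)
            values.append(v)
        modlist.append((op[0], attr.decode("utf-8"), values))
    return int.from_bytes(mid, "big", signed=True), dn.decode("utf-8"), modlist


if __name__ == "__main__":
    dn = "CN=mj,CN=Users,DC=example,DC=test"   # constructed sample DN
    for label, modlist in (("user change (delete+add)", user_change_modlist("Old-Secret1", "New-Secret2")),
                           ("admin reset (replace)", admin_reset_modlist("New-Secret2"))):
        wire = modify_request(1, dn, modlist)
        print(label, wire.hex())
        print("  decodes to:", parse_modify_request(wire))
```

Two caveats when sending either request for real: Active Directory refuses unicodePwd writes over a plaintext connection, so the bind and the modify must go over LDAPS or StartTLS, and the replace form needs the "Reset Password" control access right on the target object, which can be delegated to a service account on its own rather than granted through Domain Admins membership. The delete+add form runs under the user's own credentials and is therefore subject to the domain's password policy (history, minimum age) in the same way as an interactive password change.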



