[keycloak-user] another small enhancement request for MSAD password mapper

Marek Posolda mposolda at redhat.com
Tue Jan 24 05:47:18 EST 2017


Hmm... I think this should be already working?

I've just tested the use case:
- Keycloak with configured writable MSAD and with "MSAD Account 
controls" mapper available
- User "john" from LDAP authenticated in Keycloak successfully
- Then, in LDAP, I changed the value of the "pwdLastSet" attribute in 
the "john" user record to 0
- Then I log in again as "john" in Keycloak. I am asked to change my 
password. After this change the user is authenticated successfully and 
his LDAP record also has "pwdLastSet" updated back to the current time.

I am testing with the latest master though.

Can you double-check this scenario on your side? Are you using the latest 
Keycloak master?

Marek


On 24/01/17 10:30, mj wrote:
> Hi,
>
> In the Microsoft management tools there is a checkbox: "user must change
> password at next logon". If I check that box, Keycloak 2.5 gives us a
> logon failure.
>
> Perhaps it would be only a rather small change, to map that MSAD
> checkbox ("Pwd-Last-Set" = 0) to the equivalent in Keycloak:
> "credentials" / "temporary" switch. So the next time a user is asked to
> change his/her password.
>
> More MS info here:
> https://msdn.microsoft.com/en-us/library/ms679430
>
> And thanks very much for the recent fix of issue 2333, on
> MSAD password policies! Much appreciated! :-)
>
> MJ
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
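
The mapping discussed in this thread, as an added example that is not part of either message and is not Keycloak's mapper code: it reads the "pwdLastSet" value from an AD entry and decides whether a password update should be requested at login. The entry dictionaries, the function names and the rule that the "Password never expires" flag in userAccountControl overrides a zero "pwdLastSet" are assumptions of this sketch; the sample entries are constructed.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UF_DONT_EXPIRE_PASSWD = 0x10000      # userAccountControl: "Password never expires"
UPDATE_PASSWORD = "UPDATE_PASSWORD"  # stands in for Keycloak's update-password action


def pwd_last_set_time(raw):
    """Convert pwdLastSet (100 ns ticks since 1601-01-01 UTC) to a datetime.

    Returns None for 0, the value AD stores when "user must change
    password at next logon" is ticked.
    """
    ticks = int(raw)
    if ticks <= 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def required_actions(entry):
    """Return the actions to request from the user at login."""
    if "pwdLastSet" not in entry:
        # Attribute was not returned by the search: refuse to guess.
        raise ValueError("pwdLastSet missing from LDAP entry")
    uac = int(entry.get("userAccountControl", "0"))
    if uac & UF_DONT_EXPIRE_PASSWD:
        # Assumption of this sketch: the flag overrides a zero pwdLastSet.
        return []
    if pwd_last_set_time(entry["pwdLastSet"]) is None:
        return [UPDATE_PASSWORD]
    return []


# Constructed sample entries (attribute values as strings, as LDAP returns them).
SAMPLES = {
    "john_checkbox_ticked": {"pwdLastSet": "0", "userAccountControl": "512"},
    "john_after_change": {"pwdLastSet": "131297284380000000",
                          "userAccountControl": "512"},
    "svc_never_expires": {"pwdLastSet": "0", "userAccountControl": "66048"},
}

if __name__ == "__main__":
    for name, entry in SAMPLES.items():
        print(name, required_actions(entry), pwd_last_set_time(entry["pwdLastSet"]))
```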
