[keycloak-user] another small enhancement request for MSAD password mapper
mj
lists at merit.unu.edu
Fri Jan 27 15:15:03 EST 2017
Hi Marek, list,
> Actually we don't test and officially support Samba AD, just the MSAD.
Yeah I know. And (usually, so far) everything that works with MSAD works
also with samba4, this is actually the first time we are running into a
compatibility issue like this.
> You can send PR to contribute the mapper for Samba AD if you manage to
> have it working. Ideally also with the writable scenarios like
> passwordUpdate, disable user in KC will disable him in AD etc.
All those things should normally work exactly as they do with MSAD.
Andrew Bartlett (core samba dev) pointed me to the following file:
https://github.com/keycloak/keycloak/blob/b2d1a1a17fc8f665f4ba83d62e3c22d4dfa0048a/federation/ldap/src/main/java/org/keycloak/storage/ldap/mappers/msad/MSADUserAccountControlStorageMapper.java
written by you.
I was thinking (being no programmer at all!!!) that I could simply edit
a line slightly, to watch for "NT_STATUS_PWD_MUST_CHANGE" instead of the
MSAD output.
That would give me a MSADUserAccountControlStorageMapper 'version'
targeted for samba4, as for the rest no changes should be required at all.
However...in my keycloak install, I cannot find the file
MSADUserAccountControlStorageMapper.java, so I guess that bright idea is
also not an option.
It seems such a waste of energy to create a complete subclass of
MSADUserAccountControlStorageMapper, given that the only difference is
to look for "NT_STATUS_PWD_MUST_CHANGE"....
Any place I could edit, to change that in an installed keycloak?
MJ