[keycloak-user] another small enhancement request for MSAD password mapper

Marek Posolda mposolda at redhat.com
Mon Jan 30 03:07:04 EST 2017


On 27/01/17 21:15, mj wrote:
> Hi Marek, list,
>
>> Actually we don't test and officially support Samba AD, just the MSAD.
> Yeah I know. And (usually, so far) everything that works with MSAD 
> works also with samba4, this is actually the first time we are running 
> into a compatibility issue like this.
>
>> You can send PR to contribute the mapper for Samba AD if you manage to
>> have it working. Ideally also with the writable scenarios like
>> passwordUpdate, disable user in KC will disable him in AD etc.
> All those things should normally work exactly as they do with MSAD.
>
> Andrew Bartlett (core samba dev) pointed me to the following file:
> https://github.com/keycloak/keycloak/blob/b2d1a1a17fc8f665f4ba83d62e3c22d4dfa0048a/federation/ldap/src/main/java/org/keycloak/storage/ldap/mappers/msad/MSADUserAccountControlStorageMapper.java 
>
> written by you.
>
> I was thinking (being no programmer at all!!!) that I could simply 
> edit a line slightly, to watch for "NT_STATUS_PWD_MUST_CHANGE" instead 
> of the MSAD output.
>
> That would give me a MSADUserAccountControlStorageMapper 'version' 
> targeted for samba4, as for the rest no changes should be required at 
> all.
>
> However...in my keycloak install, I cannot find the file 
> MSADUserAccountControlStorageMapper.java, so I guess that bright idea 
> is also not an option.
The Java files are not inside the server distribution. Java works in such a 
way that Java source files are compiled to class files and then 
packed into JAR archives. There is no easy way to change the source of an 
existing class inside the archive and rewrite something directly.
>
> It seems such a waste of energy to create a complete subclass of 
> MSADUserAccountControlStorageMapper, given that the only difference is 
> to look for "NT_STATUS_PWD_MUST_CHANGE"....
>
> Any place I could edit, to change that in an installed keycloak?
Well, if the logic is really the same, the Samba4-specific subclass doesn't 
need to have everything forked (copy/pasted). It can just override one 
single method (onAuthenticationFailure). That's one of the benefits of 
inheritance. So the way to go is really to create a separate mapper for 
Samba4 and deploy it as a Keycloak provider.

You can take a look at the Server Developer Guide [1] and the "provider" 
examples in our example distribution. Unfortunately it requires some 
programming and Java knowledge, so I'm not sure if that is helpful for you. 
However I don't have anything better ATM, sorry... Our position is to 
not add more supported LDAP servers, like Samba4, by ourselves. So 
Samba4 would need to be a community contribution (from you or someone 
else). Also we will need to rely on the community for additional maintenance 
and testing.

[1] https://keycloak.gitbooks.io/server-developer-guide/content/

Marek


>
> MJ
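What the suggested subclass could look like, as an added example that is not part of the thread and not Keycloak's own code. It follows Marek's advice literally: extend MSADUserAccountControlStorageMapper and override only onAuthenticationFailure, so that a bind failure whose message carries the status text mj quoted ("NT_STATUS_PWD_MUST_CHANGE") is treated the way the MSAD mapper treats "password must change", and every other failure is delegated to the inherited MSAD logic. The package and class names are hypothetical; the superclass constructor, the `onAuthenticationFailure` signature, the `ldapProvider` field and the edit-mode check are assumed from the commit linked above and must be checked against the source of the Keycloak version actually installed.

```java
package org.example.keycloak.samba4;   // hypothetical package for the custom provider

import javax.naming.AuthenticationException;

import org.jboss.logging.Logger;
import org.keycloak.component.ComponentModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.storage.UserStorageProvider;
import org.keycloak.storage.ldap.LDAPStorageProvider;
import org.keycloak.storage.ldap.idm.model.LDAPObject;
import org.keycloak.storage.ldap.mappers.msad.MSADUserAccountControlStorageMapper;

/**
 * Samba4 variant of the MSAD mapper. Only the failed-bind handling differs:
 * the thread reports that Samba returns a textual NT status in the bind error
 * where MSAD returns the numeric "data 773" sub-code the parent class parses.
 * Everything else (userAccountControl handling, password update, disable) is
 * inherited unchanged.
 */
public class Samba4UserAccountControlStorageMapper extends MSADUserAccountControlStorageMapper {

    private static final Logger logger = Logger.getLogger(Samba4UserAccountControlStorageMapper.class);

    // Status text as quoted in the thread; verify it against the bind error
    // message your Samba server really returns before relying on it.
    static final String SAMBA_PWD_MUST_CHANGE = "NT_STATUS_PWD_MUST_CHANGE";

    public Samba4UserAccountControlStorageMapper(ComponentModel mapperModel, LDAPStorageProvider ldapProvider) {
        super(mapperModel, ldapProvider);   // assumed: same constructor as the MSAD mapper
    }

    @Override
    public boolean onAuthenticationFailure(LDAPObject ldapUser, UserModel user,
                                           AuthenticationException ldapException, RealmModel realm) {
        String message = ldapException.getMessage();
        if (message != null && message.contains(SAMBA_PWD_MUST_CHANGE)) {
            // Mirror the MSAD behaviour for an expired password: only when the
            // provider is WRITABLE do we let the login continue and force a
            // password update in Keycloak; in read-only mode the login just fails,
            // because Keycloak could not write the new password back anyway.
            if (ldapProvider.getEditMode() == UserStorageProvider.EditMode.WRITABLE) {
                logger.debugf("Samba4 reports password must change for user '%s'", user.getUsername());
                user.addRequiredAction(UserModel.RequiredAction.UPDATE_PASSWORD);
                return true;    // true = failure handled, authentication may proceed
            }
            return false;       // false = treat as a plain failed login
        }
        // Disabled account, lockout and anything unrecognised: keep the MSAD handling.
        return super.onAuthenticationFailure(ldapUser, user, ldapException, realm);
    }
}
```

The class alone is not enough to show up in the admin console: like every LDAP mapper it needs a factory (the MSAD mapper's factory in the same package of the linked commit is the template to copy) registered through the `META-INF/services` mechanism the Server Developer Guide describes, and the JAR is then deployed as a provider. Keeping the override this small also keeps the security-relevant decision visible in one place: the only new behaviour is that a specific Samba status text is promoted to "allow login, require password change", and only in WRITABLE mode.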