[keycloak-user] UPDATE_PASSWORD won't go away for AD imported users...
Marek Posolda
mposolda at redhat.com
Mon Oct 9 09:21:46 EDT 2017
It's added by MSAD account controls mapper. The mapper sees the state in
which the MSAD account is (based on userAccountControls or pwdLastSet
attributes) and once it requires updating the password, it is required
from the Keycloak as well. Hence Keycloak adds the requiredAction
UPDATE_PASSWORD to the user.
What is the mode of your LDAP (WRITABLE, READ_ONLY or UNSYNCED)? In case
that your MSAD is read-only, then removing the requiredAction likely
doesn't work as MSAD can't be updated from Keycloak. Does Keycloak
display some error message in the admin console? Is there something in the
log when you enable DEBUG logging for class
org.keycloak.storage.ldap.mappers.msad.MSADUserAccountControlStorageMapper ?
You can manually remove the mapper and then requiredAction shouldn't be
present. However, your users likely won't be able to login to the MSAD in
case that their account is not in the proper state, which allows login
(Mapper impl is supposed to catch the MSAD error message and handle it
and convert to the Keycloak requiredAction).
Marek
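To make the behaviour Marek describes concrete, here is an added example (not Keycloak's own mapper code) that derives the UPDATE_PASSWORD required action from the MSAD attributes and shows why an admin removing it only sticks when the directory can be written back. The attribute names and userAccountControl bit values are standard Active Directory ones; the `ad_writable` flag and the sample entries are assumptions standing in for the LDAP edit mode and a real search result.

```python
"""Added example (not Keycloak code): derive Keycloak required actions from
MSAD attributes, and simulate an admin clearing UPDATE_PASSWORD."""

# Standard Active Directory userAccountControl bits (Microsoft-documented).
ACCOUNTDISABLE = 0x0002
DONT_EXPIRE_PASSWORD = 0x10000
PASSWORD_EXPIRED = 0x800000

UPDATE_PASSWORD = "UPDATE_PASSWORD"


def required_actions(attrs):
    """Return the Keycloak required actions implied by one AD entry.

    attrs: attribute dict with string values as an LDAP search returns them,
    e.g. {"userAccountControl": "512", "pwdLastSet": "0"} (constructed).
    """
    uac = int(attrs.get("userAccountControl", "0"))
    pwd_last_set = int(attrs.get("pwdLastSet", "-1"))
    actions = set()
    # pwdLastSet == 0 is AD's "user must change password at next logon".
    if pwd_last_set == 0:
        actions.add(UPDATE_PASSWORD)
    # PASSWORD_EXPIRED marks a password past the domain's max age, unless
    # the account is flagged DONT_EXPIRE_PASSWORD.
    if uac & PASSWORD_EXPIRED and not uac & DONT_EXPIRE_PASSWORD:
        actions.add(UPDATE_PASSWORD)
    return actions


def is_enabled(attrs):
    """ACCOUNTDISABLE set in AD means the Keycloak user should be disabled."""
    return not int(attrs.get("userAccountControl", "0")) & ACCOUNTDISABLE


def clear_update_password(attrs, ad_writable):
    """Simulate an admin removing UPDATE_PASSWORD in the admin console.

    Returns (entry_after, succeeded). The action is derived from AD state,
    so it only goes away if AD itself is changed; with a read-only
    directory the next import simply re-derives it (assumed model).
    """
    if not ad_writable:
        return dict(attrs), False
    new = dict(attrs)
    # Writing -1 to pwdLastSet tells AD "set to now"; a real read-back would
    # then return a timestamp, which is non-zero, so the action disappears.
    new["pwdLastSet"] = "-1"
    uac = int(new.get("userAccountControl", "0")) & ~PASSWORD_EXPIRED
    new["userAccountControl"] = str(uac)
    return new, True
```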
On 09/10/17 09:55, Adrian Matei wrote:
> Hi Guys,
>
> We've imported some Users from AD and they now have UPDATE_PASSWORD action
> required, although this was not marked as *default_action*. The thing is
> that we cannot click that away as admins - on top of that the
> UPDATE_PASSWORD is not present in the USER_REQUIRED_ACTION table...
>
> Any ideas? Would be very much appreciated...
>
> Best regards,
> Adrian
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user