[keycloak-user] UPDATE_PASSWORD won't go away for AD imported users...

Adrian Matei adrianmatei at gmail.com
Mon Oct 9 10:44:00 EDT 2017


Hi Marek,

Thank you for the extensive answer. Before I imported the users in Keycloak
I moved them from a different OU, and half of them got marked with the
Update_password flag and deactivated in AD (I am still wondering what caused
that...). Once they had been corrected at the AD level the UPDATE_PASSWORD
required action was gone, in accordance with your explanation.

Adrian

On Mon, Oct 9, 2017 at 3:21 PM, Marek Posolda <mposolda at redhat.com> wrote:

> It's added by MSAD account controls mapper. The mapper sees the state in
> which the MSAD account is (based on userAccountControls or pwdLastSet
> attributes) and once it requires updating the password, it is required from
> Keycloak as well. Hence Keycloak adds the requiredAction
> UPDATE_PASSWORD to the user.
>
> What is the mode of your LDAP (WRITABLE, READ_ONLY or UNSYNCED)? In case
> your MSAD is read-only, then removing the requiredAction likely
> doesn't work as MSAD can't be updated from Keycloak. Does Keycloak display
> some error message in the admin console? Is there something in the log when
> you enable DEBUG logging for class
> org.keycloak.storage.ldap.mappers.msad.MSADUserAccountControlStorageMapper ?
>
> You can manually remove the mapper and then the requiredAction shouldn't be
> present. However your users likely won't be able to login to the MSAD in
> case their account is not in the proper state which allows login
> (the mapper impl is supposed to catch the MSAD error message, handle it and
> convert it to the Keycloak requiredAction).
>
> Marek
>
>
> On 09/10/17 09:55, Adrian Matei wrote:
>
> Hi Guys,
>
> We've imported some Users from AD and they now have UPDATE_PASSWORD action
> required, although this was not marked as *default_action*. The thing is
> that we cannot click that away as admins - on top of that the
> UPDATE_PASSWORD is not present in the USER_REQUIRED_ACTION table...
>
> Any ideas? Would be very much appreciated...
>
> Best regards,
> Adrian
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
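The behaviour Marek describes (the MSAD account-control mapper reading the AD account state and turning it into a Keycloak required action) can be modelled in a few lines. The script below is an added example for this thread, not Keycloak's own mapper code; it is a simplified model that assumes the standard AD semantics of the userAccountControl bits ACCOUNTDISABLE (0x2) and PASSWORD_EXPIRED (0x800000) and of pwdLastSet == 0 ("user must change password at next logon"). The LDAP entries are constructed sample data. An admin can run the same kind of pre-import audit against a real LDAP export to find out which accounts AD itself would force into UPDATE_PASSWORD before blaming Keycloak.

```python
from dataclasses import dataclass, field

# Standard AD userAccountControl bits (well-known values, not Keycloak-specific).
ACCOUNTDISABLE = 0x0002
PASSWORD_EXPIRED = 0x800000


@dataclass
class LdapEntry:
    """Minimal stand-in for an LDAP search result: a DN plus multi-valued attributes."""
    dn: str
    attrs: dict


@dataclass
class KeycloakUser:
    """The subset of a Keycloak user that the account-control mapper influences."""
    username: str
    enabled: bool = True
    required_actions: set = field(default_factory=set)


def _first_int(entry: LdapEntry, name: str, default: int) -> int:
    values = entry.attrs.get(name)
    return int(values[0]) if values else default


def map_account_control(entry: LdapEntry) -> KeycloakUser:
    """Simplified model of what an MSAD account-control mapper does on import (assumption).

    - ACCOUNTDISABLE set            -> user is disabled in Keycloak
    - pwdLastSet == 0 or PASSWORD_EXPIRED -> UPDATE_PASSWORD required action
    """
    uac = _first_int(entry, "userAccountControl", 0)
    pwd_last_set = _first_int(entry, "pwdLastSet", -1)
    user = KeycloakUser(username=entry.attrs["sAMAccountName"][0])
    if uac & ACCOUNTDISABLE:
        user.enabled = False
    if pwd_last_set == 0 or uac & PASSWORD_EXPIRED:
        user.required_actions.add("UPDATE_PASSWORD")
    return user


def audit_entries(entries):
    """Return (username, reason) for every AD account that would not log in cleanly.

    This is the check to run on the AD side before an import, so that a surprising
    UPDATE_PASSWORD in Keycloak can be traced back to the AD account state.
    """
    findings = []
    for entry in entries:
        uac = _first_int(entry, "userAccountControl", 0)
        pwd_last_set = _first_int(entry, "pwdLastSet", -1)
        name = entry.attrs["sAMAccountName"][0]
        if uac & ACCOUNTDISABLE:
            findings.append((name, "account disabled (ACCOUNTDISABLE)"))
        if pwd_last_set == 0:
            findings.append((name, "pwdLastSet=0: must change password at next logon"))
        if uac & PASSWORD_EXPIRED:
            findings.append((name, "PASSWORD_EXPIRED flag set"))
    return findings


# Constructed sample entries (not real directory data).
SAMPLE_ENTRIES = [
    # Healthy, normal account: UAC 512 = NORMAL_ACCOUNT, password set in the past.
    LdapEntry("CN=alice,OU=Staff,DC=example,DC=com",
              {"sAMAccountName": ["alice"], "userAccountControl": ["512"],
               "pwdLastSet": ["131520000000000000"]}),
    # Moved between OUs, ended up disabled (512 + 2 = 514) with pwdLastSet reset to 0.
    LdapEntry("CN=bob,OU=Staff,DC=example,DC=com",
              {"sAMAccountName": ["bob"], "userAccountControl": ["514"],
               "pwdLastSet": ["0"]}),
    # Enabled, but the domain has flagged the password as expired.
    LdapEntry("CN=carol,OU=Staff,DC=example,DC=com",
              {"sAMAccountName": ["carol"],
               "userAccountControl": [str(512 | PASSWORD_EXPIRED)],
               "pwdLastSet": ["131520000000000000"]}),
]


if __name__ == "__main__":
    for e in SAMPLE_ENTRIES:
        print(map_account_control(e))
    for name, reason in audit_entries(SAMPLE_ENTRIES):
        print(f"{name}: {reason}")
```

The point of the audit function is the one the thread arrives at: the required action is a reflection of AD state, so fixing it means fixing the AD account (re-enabling it, or setting a password so pwdLastSet is no longer 0), not deleting rows from Keycloak's USER_REQUIRED_ACTION table.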
