[keycloak-user] Keycloak LDAP federation (FreeIPA) and expired passwords
Ryan King
ryan.king at yagi.space
Thu May 17 10:09:17 EDT 2018
Hello,
We're trying to use Keycloak as the main portal for users (to access
services + manage their accounts) - but I've been struggling to come up
with the best solution for handling expired passwords (for federated users
- FreeIPA LDAP). We are using Keycloak (3.4.3).
As far as I am aware, expired passwords are currently only handled
correctly with Active Directory (using the msad-user-account-control
mapper). It looks like someone was interested in implementing for other
LDAP providers, but didn't:
https://issues.jboss.org/browse/KEYCLOAK-4052
I've also tried configuring Keycloak to use Kerberos password
authentication (LDAP + Kerberos integration) - but that still didn't seem
to detect the expired password (even though from a console, kinit prompts
the user to change their password).
So, currently I have put in a workaround by:
1. Under the realm Authentication - Required Actions - set "Update
Password" to default (so "new" users - i.e. those who are given a temp
password - are prompted to set a new password... Keycloak has been given
access to set non-expired passwords on our FreeIPA servers)
2. Set a password policy on the realm - 90 days expiry (matches that of the
FreeIPA password policy).
One issue with this: if the user sets their password via FreeIPA
directly (kpasswd, LDAP, etc.), then Keycloak won't know about the new
expiry; hence, the user may have to set their password again on Keycloak
sooner than they would expect.
So, my questions are:
1. Is there a better way to handle this? We'd just like to avoid sending
our users around to different places (i.e. to the FreeIPA UI) to work around
an expired password, and we'd like to make sure it's clear _when_ their
password has expired... to the best of our ability.
2. I'm also not 100% certain whether this Keycloak password policy is actually
implemented for federated LDAP users? Does anyone know? I came across a
few issues that discussed implementing it - but so far haven't come up with
anything conclusive (I'm setting the password expiry to 1 day now to test
it out). I checked a dump of the database, and could not see anything that
looked like a timestamp or anything (to indicate a 90 day expiry) for a
user who just changed their password in Keycloak... so, I'm not sure how
that's tracked? (If I could find it in the DB, I was thinking of another
dirty hack to sync the password expiry from FreeIPA -> Keycloak via a hook
if someone does update their account in FreeIPA.)
Thanks,
Ryan
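The drift the post describes (Keycloak counting 90 days from the last change it performed, FreeIPA counting from the last change the directory saw) can be measured from the directory side. The script below is an added example, not code from the post or from the Keycloak or FreeIPA projects. It assumes that FreeIPA exposes the real expiry in the krbPasswordExpiration LDAP attribute as GeneralizedTime (an assumption about the directory schema), and that the operator keeps the timestamp of the last password change Keycloak itself made (the post could not locate such a value in the database, so here it is simply an input supplied by the caller). All sample entries are constructed.

```python
from datetime import datetime, timedelta, timezone

# Realm-level password policy from the post: 90-day expiry.
REALM_POLICY_DAYS = 90


def parse_generalized_time(value: str) -> datetime:
    """Parse an LDAP GeneralizedTime of the form YYYYMMDDHHMMSSZ into a UTC datetime."""
    if len(value) != 15 or not value.endswith("Z"):
        raise ValueError(f"unsupported GeneralizedTime value: {value!r}")
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def assess(entry: dict, keycloak_last_change: datetime, now: datetime) -> dict:
    """Compare the directory's expiry for one user with what the realm policy would assume.

    entry: LDAP attributes of the user; krbPasswordExpiration is assumed to carry
           FreeIPA's real expiry (assumption, see lead-in).
    keycloak_last_change: the point from which the realm policy counts its 90 days,
           i.e. the last password change Keycloak itself performed. Keycloak does not
           expose this in an obvious place, so it is tracked by the operator (assumption).
    """
    ldap_expiry = parse_generalized_time(entry["krbPasswordExpiration"])
    realm_expiry = keycloak_last_change + timedelta(days=REALM_POLICY_DAYS)
    return {
        "uid": entry["uid"],
        "expired_in_ldap": now >= ldap_expiry,
        "days_left_in_ldap": (ldap_expiry - now).days,
        "realm_would_prompt_on": realm_expiry.date().isoformat(),
        # Negative drift: Keycloak prompts before the directory would (the annoyance
        # in the post). Positive drift: the directory has expired a password that the
        # realm policy would still consider valid.
        "drift_days": (realm_expiry - ldap_expiry).days,
    }


def find_drift(entries, keycloak_changes: dict, now: datetime) -> list:
    """Return assessments for users whose two expiry dates disagree or who are already expired."""
    out = []
    for entry in entries:
        result = assess(entry, keycloak_changes[entry["uid"]], now)
        if result["drift_days"] != 0 or result["expired_in_ldap"]:
            out.append(result)
    return out


# Constructed sample data, not taken from any real directory.
NOW = datetime(2018, 5, 17, 0, 0, 0, tzinfo=timezone.utc)

SAMPLE_ENTRIES = [
    # alice changed her password with kpasswd on 2018-05-10; FreeIPA set a fresh 90-day expiry.
    {"uid": "alice", "krbLastPwdChange": "20180510000000Z",
     "krbPasswordExpiration": "20180808000000Z"},
    # bob's directory password expired on 2018-05-01 (90 days after 2018-01-31).
    {"uid": "bob", "krbLastPwdChange": "20180131000000Z",
     "krbPasswordExpiration": "20180501000000Z"},
]

# When Keycloak last set each user's password (alice: before her kpasswd change,
# so Keycloak's 90-day clock is stale).
SAMPLE_KEYCLOAK_CHANGES = {
    "alice": datetime(2018, 3, 1, 0, 0, 0, tzinfo=timezone.utc),
    "bob": datetime(2018, 2, 1, 0, 0, 0, tzinfo=timezone.utc),
}

if __name__ == "__main__":
    for row in find_drift(SAMPLE_ENTRIES, SAMPLE_KEYCLOAK_CHANGES, NOW):
        print(row)
```

Run against the sample data, alice shows a drift of -70 days (Keycloak would prompt her on 30 May although the directory accepts her password until 8 August), and bob is reported as already expired in LDAP. A hook that runs this comparison after directory-side changes is the check that would tell an operator how far the realm policy and the directory have diverged.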