[keycloak-user] krbLastPwdChange - can we use this attribute

Callum Smith callum at well.ox.ac.uk
Fri Nov 16 11:27:35 EST 2018

Dear All,

I've implemented this as a python script for now, hopefully this is useful to some, and hopefully something similar could be implemented for LDAP (although I imagine politically since SSSD cannot provide this data, and that's the preferred connection route for FreeIPA, it's not going to happen soon).

requirements: ldap3, python-keycloak

import getpass
import ldap3
from keycloak import KeycloakAdmin
from datetime import datetime

options = {}
options['ipa_host']              = ''
options['ipa_admin_user']        = ''
options['ipa_base_dn']           = ''
options['ipa_admin_dn']          = ','+options['ipa_base_dn']   # admin RDN was chopped from the original; prepend your own
options['keycloak_host']         = ''
options['keycloak_admin_user']   = ''
options['keycloak_storage_id']   = ''   # ID of the LDAP user federation provider in Keycloak

# The two passwords were not defined in the original script; prompt for them rather than hardcoding
keycloakAdminPassword = getpass.getpass('Keycloak admin password: ')
ipaAdminPassword = getpass.getpass('IPA admin bind password: ')

# Begin Keycloak client (note: verify=False disables TLS certificate verification of the Keycloak host)
keycloakClient = KeycloakAdmin(server_url='https://'+options['keycloak_host']+'/auth/', username=options['keycloak_admin_user'], password=keycloakAdminPassword, realm_name='master', verify=False)

# Begin LDAP client (simple bind as the admin DN)
ldapServer = ldap3.Server(options['ipa_host'])
ldapClient = ldap3.Connection(ldapServer, user=options['ipa_admin_dn'], password=ipaAdminPassword, auto_bind=True)

# Generate datestamp in LDAP GeneralizedTime form (UTC), e.g. 20181116162735Z
date = datetime.utcnow().strftime('%Y%m%d%H%M%S')+'Z'

# Perform an LDAP sync for Keycloak so every IPA user exists in Keycloak before we update them
keycloakClient.sync_users(storage_id=options['keycloak_storage_id'], action="triggerFullSync")

# Search LDAP for expired passwords (or accounts with no krbPasswordExpiration at all)
ldapClient.search('cn=users,cn=accounts,'+options['ipa_base_dn'], '(|(krbPasswordExpiration<='+date+')(!(krbPasswordExpiration=*)))', attributes=['uid','cn','krbLastPwdChange','krbPasswordExpiration'])
resetPasswordUsers = ldapClient.entries

for user in resetPasswordUsers:
  user_id = keycloakClient.get_user_id(user.uid.value)
  if user_id is None:
    continue  # user not (yet) known to Keycloak
  keycloakClient.update_user(user_id=user_id, payload={"requiredActions":['UPDATE_PASSWORD']})

# Search LDAP for valid passwords
ldapClient.search('cn=users,cn=accounts,'+options['ipa_base_dn'], '(krbPasswordExpiration>='+date+')', attributes=['uid','cn','krbLastPwdChange','krbPasswordExpiration'])
validPasswordUsers = ldapClient.entries

for user in validPasswordUsers:
  user_id = keycloakClient.get_user_id(user.uid.value)
  if user_id is None:
    continue
  keycloakClient.update_user(user_id=user_id, payload={"requiredActions":[]})

I've chopped some domain specific stuff from this so it might not be flawless, but hopefully a start for someone. Also no error checking involved here.



Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. callum at well.ox.ac.uk
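The decision the script above makes (who gets UPDATE_PASSWORD, who gets their required actions cleared) can be checked offline before touching Keycloak. The following is an added example, not Callum's script or part of python-keycloak or ldap3: it builds the same two LDAP filters from a timestamp, classifies entries into the two groups, and produces the per-user update_user payloads. The entries and the timestamp are constructed sample data; the only FreeIPA attribute it relies on is krbPasswordExpiration in LDAP GeneralizedTime form.

```python
# Added example (not from the original mail): offline classification of FreeIPA
# LDAP entries into "must reset password" vs "password valid", mirroring the two
# LDAP filters in the script above, plus building those filters from a timestamp.
# Entries and timestamps below are constructed sample data; no LDAP or Keycloak
# client is contacted.
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# LDAP GeneralizedTime as stored in krbPasswordExpiration / krbLastPwdChange
LDAP_TIME_FMT = "%Y%m%d%H%M%SZ"


def ldap_timestamp(now: datetime) -> str:
    """Format an aware datetime as the UTC GeneralizedTime string used in LDAP filters."""
    return now.astimezone(timezone.utc).strftime(LDAP_TIME_FMT)


def parse_ldap_time(value: str) -> datetime:
    """Parse a GeneralizedTime attribute value into an aware UTC datetime."""
    return datetime.strptime(value, LDAP_TIME_FMT).replace(tzinfo=timezone.utc)


def build_filters(now: datetime) -> Tuple[str, str]:
    """Return (expired_filter, valid_filter), the two searches the script performs.
    An account with no krbPasswordExpiration at all is treated as needing a reset."""
    ts = ldap_timestamp(now)
    expired = "(|(krbPasswordExpiration<=%s)(!(krbPasswordExpiration=*)))" % ts
    valid = "(krbPasswordExpiration>=%s)" % ts
    return expired, valid


def classify(entries: List[Dict[str, Optional[str]]], now: datetime) -> Tuple[List[str], List[str]]:
    """Split entries (dicts with 'uid' and an optional 'krbPasswordExpiration') into
    (uids needing UPDATE_PASSWORD, uids whose required actions should be cleared).
    A missing attribute or an expiry at or before `now` means reset."""
    reset, valid = [], []
    for entry in entries:
        exp = entry.get("krbPasswordExpiration")
        if exp is None or parse_ldap_time(exp) <= now:
            reset.append(entry["uid"])
        else:
            valid.append(entry["uid"])
    return reset, valid


def required_actions_payloads(entries: List[Dict[str, Optional[str]]], now: datetime) -> Dict[str, dict]:
    """Map uid -> payload for KeycloakAdmin.update_user, so the change set can be
    reviewed (or logged) before it is applied."""
    reset, valid = classify(entries, now)
    payloads = {uid: {"requiredActions": ["UPDATE_PASSWORD"]} for uid in reset}
    payloads.update({uid: {"requiredActions": []} for uid in valid})
    return payloads


# Constructed sample data: "now" is the timestamp of the mail above, in UTC.
SAMPLE_NOW = datetime(2018, 11, 16, 16, 27, 35, tzinfo=timezone.utc)
SAMPLE_ENTRIES = [
    {"uid": "alice", "krbPasswordExpiration": "20190101000000Z"},  # still valid
    {"uid": "bob",   "krbPasswordExpiration": "20181101000000Z"},  # expired two weeks ago
    {"uid": "carol", "krbPasswordExpiration": None},               # never set: force a reset
    {"uid": "dave",  "krbPasswordExpiration": "20181116162735Z"},  # expires exactly now: reset
]

if __name__ == "__main__":
    expired_filter, valid_filter = build_filters(SAMPLE_NOW)
    print("expired filter:", expired_filter)
    print("valid filter:  ", valid_filter)
    for uid, payload in required_actions_payloads(SAMPLE_ENTRIES, SAMPLE_NOW).items():
        print(uid, payload)
```

One edge worth noting: the script's two filters use <= and >=, so an account whose krbPasswordExpiration equals the generated timestamp matches both searches, and because the "valid" loop runs last, such a user ends up with an empty requiredActions list. The classify function above resolves that overlap the other way (an expiry at or before now counts as expired), which is the safer reading for a password-reset enforcement job.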

On 16 Nov 2018, at 09:16, Callum Smith <callum at well.ox.ac.uk> wrote:

Dear Keycloakers,

I was wondering, if Keycloak can accept the pwdLastSet from MSAD, why can it not use krbLastPwdChange from FreeIPA to allow for better integration of password resets? Surely this is possible and potentially even trivial to implement?



Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. callum at well.ox.ac.uk

keycloak-user mailing list
keycloak-user at lists.jboss.org
