[keycloak-user] Password expiry policy not working for federated user

kapil joshi kapilkumarjoshi001 at gmail.com
Thu Apr 18 05:15:30 EDT 2019


Hi All,

Gentle reminder on the last few questions asked: can someone from the Keycloak
team answer or guide us with a few hints so that we can proceed? We are kind
of blocked.
Also, can someone point me to the table where I can find the last password
change time in Keycloak? We have integrated Keycloak with Postgres.

Thanks & regards
Kapil

On Wed, Apr 17, 2019 at 4:43 PM kapil joshi <kapilkumarjoshi001 at gmail.com>
wrote:

> As I understand, there is no support for OpenLDAP. Can we still create
> custom mappers and map attributes like pwdLastSet to pwdChangedTime
>
> so that a few password policies, like password expiry time, work?
>
> Thanks & Regards
> Kapil
>
> On Wed, Apr 17, 2019 at 2:38 PM kapil joshi <kapilkumarjoshi001 at gmail.com>
> wrote:
>
>> Hi All,
>>
>> We are using OpenLDAP.
>>
>> I found out that there is an LDAP mapper, precisely
>> user-account-control-mapper; by adding this, the LDAP password policy will
>> be respected.
>> On doing this we are getting the update password UI on login. But while
>> updating the password we are getting the below error:
>>
>> On updating the password:
>>
>> On UI: Could not modify attribute for DN [uid=xxxxxxx,dc=tt,dc=zz,dc=br]
>>
>> In ldap.log we can see the below error coming up:
>>
>> conn=1159 op=1 do_modify: get_ctrls failed
>>
>>
>> Please suggest what we are missing or can correct in our configuration.
>>
>>
>> Thanks & Regards
>>
>> Kapil
>>
>>
>>
>>
>> On Thu, Apr 11, 2019 at 7:32 PM kapil joshi <kapilkumarjoshi001 at gmail.com>
>> wrote:
>>
>>> Hi All,
>>>
>>> Password expiry policy is not working for a federated user. We can see
>>> that the password has expired for the LDAP user, which was set to 90 days,
>>> but the user can still log in to the UI via Keycloak authentication.
>>>
>>> Kindly point out what we are missing.
>>>
>>> Please note we have enabled the switch to sync password policy with the
>>> federated user.
>>>
>>> Thanks & regards
>>>
>>> Kapil
>>>
>>

