[keycloak-user] Keycloak self registration and Active Directory issues

Chris Smith chris.smith at cmfirstgroup.com
Wed Jul 31 19:09:29 EDT 2019


After much googling, I stumbled on a post where it was suggested that what I needed was not to set Active Directory policies, but rather to use an LDAPS URL in my AD federation instead of just an LDAP URL.

A default fresh AD Domain Controller was set up, and then everything just seemed to work.

-----Original Message-----
From: Chris Smith 
Sent: Thursday, July 11, 2019 12:56 PM
To: keycloak-user at lists.jboss.org
Subject: Keycloak self registration and Active Directory issues

My requirements are:
  1. Active Directory federation (really only as a Kerberos server... I have a Windoze-only requirement imposed on me)
  2. Keycloak self-registration for users
  3. Application and user maintenance done with as much out-of-the-box Keycloak as possible
  4. Application admins should never have access to AD management.

I've set as many AD password policies as I can easily find or google to be as permissive as possible:
  Policy
  Enforce password history: 0 passwords remembered
  Maximum password age: 0
  Minimum password age: 0 days
  Minimum password length: 1 characters
  Password must meet complexity requirements: Disabled
  Store passwords using reversible encryption: Not Defined

I've set KC password policies:
  Minimum Length        8
  Uppercase Characters  1
  Lowercase Characters  1
  Expire Password       30
  Special Characters    1
  Not Username
  Not Recently Used     25
  Digits                1

KC Authentication
  Required Action
    Update Password: disabled

So when a new user uses self-registration, in AD the user account is set to require a password change.
  Any advice on how to change that?

In Active Directory I remove the "Require password change" flag on the user account.
  The KC user login then fails with an "invalid User or Password" error.

If I try to change the new user's password in the KC Console:
  Error! Could not modify attribute for DN [CN=xxx.yyyy,CN=Users,DC=xxx-sso,DC=com]
  Any advice on what is going on?
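The fix reported at the top of this thread (switching the federation's connection URL from ldap:// to ldaps://) works because a domain controller only accepts writes to the unicodePwd attribute over an encrypted channel (LDAPS, or a plain connection upgraded with StartTLS), and it expects the value as the new password wrapped in double quotes and encoded as UTF-16LE; a write over plain LDAP is refused with unwillingToPerform, which is what Keycloak surfaces as "Could not modify attribute for DN". The script below is an added example, not code from the post or from the Keycloak project: it checks a federation configuration for that condition and simulates the domain controller's accept/reject decision. The dict keys connectionUrl, startTls, editMode and vendor are assumed to mirror the field names of a Keycloak LDAP user-federation provider, and the two sample configurations are constructed for illustration.

```python
# Added example (not from the mailing-list post or the Keycloak project):
# a diagnostic for the Active Directory rules behind the symptoms in the thread.
# Assumptions: the config dict keys (connectionUrl, startTls, editMode, vendor)
# mirror the Keycloak LDAP user-federation provider fields; the sample
# configurations at the bottom are constructed, not taken from a real realm.
from urllib.parse import urlparse


def parse_connection_urls(connection_url: str) -> list:
    """Keycloak accepts a space-separated list of LDAP URLs; parse each one."""
    return [urlparse(u) for u in connection_url.split()]


def connection_is_encrypted(connection_url: str, start_tls: bool = False) -> bool:
    """AD honours password writes only over an encrypted channel: either every
    URL is ldaps://, or StartTLS upgrades plain ldap:// connections."""
    urls = parse_connection_urls(connection_url)
    if not urls:
        return False
    if all(u.scheme.lower() == "ldaps" for u in urls):
        return True
    return bool(start_tls) and all(u.scheme.lower() == "ldap" for u in urls)


def encode_unicode_pwd(password: str) -> bytes:
    """AD's write-only unicodePwd attribute takes the password wrapped in
    double quotes and encoded as UTF-16LE (no BOM)."""
    return ('"' + password + '"').encode("utf-16-le")


def simulate_ad_password_modify(connection_url: str, start_tls: bool, new_password: str) -> str:
    """Mimic the domain controller's decision for a unicodePwd modify request:
    the same request that succeeds over LDAPS is rejected over plain LDAP with
    unwillingToPerform, which Keycloak reports as 'Could not modify attribute for DN'."""
    if not connection_is_encrypted(connection_url, start_tls):
        return "unwillingToPerform (53): unicodePwd write requires an encrypted connection"
    value = encode_unicode_pwd(new_password)
    return "success (%d bytes of unicodePwd written)" % len(value)


def diagnose(config: dict) -> list:
    """Return human-readable findings for an AD federation config dict."""
    findings = []
    if config.get("vendor") != "ad":
        return findings
    url = config.get("connectionUrl", "")
    start_tls = bool(config.get("startTls", False))
    if not connection_is_encrypted(url, start_tls):
        findings.append(
            "connectionUrl %r is unencrypted: AD will reject password writes "
            "(self-registration, admin password reset)." % url)
    if config.get("editMode") != "WRITABLE":
        findings.append(
            "editMode is %r: Keycloak cannot write new users or passwords to AD."
            % config.get("editMode"))
    return findings


# Constructed sample configurations: the "before" and "after" from the thread.
BROKEN_CONFIG = {"vendor": "ad", "connectionUrl": "ldap://dc1.example.test:389",
                 "startTls": False, "editMode": "WRITABLE"}
FIXED_CONFIG = {"vendor": "ad", "connectionUrl": "ldaps://dc1.example.test:636",
                "startTls": False, "editMode": "WRITABLE"}

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, diagnose(cfg) or ["no findings"])
        print("  modify:", simulate_ad_password_modify(
            cfg["connectionUrl"], cfg["startTls"], "Example-Passw0rd!"))
```

Running the script prints a finding and a simulated unwillingToPerform rejection for the ldap:// configuration and a clean result for the ldaps:// one. The encoding helper is the part worth keeping around: any tooling that sets AD passwords directly (rather than through Keycloak) has to produce exactly that quoted UTF-16LE value, and has to do so over LDAPS or StartTLS, or the domain controller silently refuses the write.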


