[keycloak-user] Password expiry policy not working for federated user

kapil joshi kapilkumarjoshi001 at gmail.com
Thu May 9 02:30:47 EDT 2019


Hi All

Gentle reminder: if any answers, clues or hints are available, they will be
very helpful.

Please let us know.

Thanks & Regards
Kapil

On Thu, Apr 18, 2019 at 2:45 PM kapil joshi <kapilkumarjoshi001 at gmail.com>
wrote:

> Hi All,
>
> Gentle reminder on the last few questions asked: can someone from the
> Keycloak team answer or guide us with a few hints so that we can proceed? We
> are kind of blocked.
> Also, can someone point me to the table where I can find the last password
> change time in Keycloak? We have integrated Keycloak with Postgres.
>
> Thanks & regards
> Kapil
>
> On Wed, Apr 17, 2019 at 4:43 PM kapil joshi <kapilkumarjoshi001 at gmail.com>
> wrote:
>
>> As I understand, there is no support for OpenLDAP. Can we still create
>> custom mappers and map attributes like pwdLastSet to pwdChangedTime
>> such that a few password policies like password expiry time work?
>>
>> Thanks & Regards
>> Kapil
>>
>> On Wed, Apr 17, 2019 at 2:38 PM kapil joshi <kapilkumarjoshi001 at gmail.com>
>> wrote:
>>
>>> Hi All,
>>>
>>> We are using OpenLDAP.
>>>
>>> I found out that there is an LDAP mapper, precisely
>>> user-account-control-mapper; by adding this, the LDAP password policy
>>> will be respected.
>>> On doing this, we are getting the update password UI on login. But while
>>> updating the password we are getting the below error:
>>>
>>> On updating the password:
>>>
>>> On UI: Could not modify attribute for DN [uid=xxxxxxx,dc=tt,dc=zz,dc=br]
>>>
>>> In ldap.log we can see the below error coming up:
>>>
>>> conn=1159 op=1 do_modify: get_ctrls failed
>>>
>>>
>>> Please suggest what we are missing or can correct in our configuration.
>>>
>>>
>>> Thanks & Regards
>>>
>>> Kapil
>>>
>>>
>>>
>>>
>>> On Thu, Apr 11, 2019 at 7:32 PM kapil joshi <
>>> kapilkumarjoshi001 at gmail.com> wrote:
>>>
>>>> Hi All,
>>>>
>>>> The password expiry policy is not working for a federated user. We can
>>>> see that the password has expired for the LDAP user, which was set to
>>>> 90 days, but the user can still log in to the UI via Keycloak
>>>> authentication.
>>>>
>>>> Kindly point out what we are missing.
>>>>
>>>> Please note we have enabled the switch to sync password policy with
>>>> federated user.
>>>>
>>>> Thanks & regards
>>>>
>>>> Kapil
>>>>
>>>

