[NOT MERGE] support AD attributes userAccountControl, msDS-UserAccountDisabled and pwdLastSet #45
base: master
Conversation
This PR is just for your reference; it's a rude hack, so I suggest not merging. It would be better if the code were separated into a new authentication interceptor, but: (1) There is no gap between (2) (3) the
I'm OK if you close this PR; it's just for the record, maybe somebody is interested in this patch. Although the patch is not perfect, it serves me well: I don't have to maintain a complex real Active Directory service 😄 Thanks for your work on ApacheDS!
We can import the required LDAP schema into any LDAP server to make it support the AD-specific attributes `userAccountControl`, `msDS-UserAccountDisabled` and `pwdLastSet`, so that Keycloak can store user disabling status in the LDAP server. But a plain LDAP server won't automatically change `pwdLastSet = -1` to `pwdLastSet = now()`, so we need to disable the check `getPwdLastSet() > 0` in these two AD mappers.

References:
* https://github.com/Dieken/directory-server/tree/active-directory
* apache/directory-server#45
* https://dieken.gitlab.io/posts/howto-disable-user-in-ldap/
…d pwdLastSet

It's a pity LDAP doesn't have a standard attribute to represent disabling a user account. Red Hat's Keycloak supports an AD mapper to read and write attribute `userAccountControl`, and an AD LDS mapper to read and write attribute `msDS-UserAccountDisabled`; both mappers support attribute `pwdLastSet` too. With this patch, these three attributes basically work like AD and AD LDS:

* AD: if (userAccountControl & 2L) != 0, then the user account is disabled for binding.
* AD LDS: if msDS-UserAccountDisabled is TRUE, then the user account is disabled for binding.
* Both AD and AD LDS:
  * new user added: if pwdLastSet != 0, it's automatically set to the current time.
  * user password modified: if new pwdLastSet != 0, it's automatically set to the current time.
  * pwdLastSet changed: if new pwdLastSet != 0, it's automatically set to the current time.
  * pwdLastSet deleted: pwdLastSet is automatically set to the current time.

References:
* https://docs.microsoft.com/en-us/windows/win32/adschema/a-useraccountcontrol
* https://docs.microsoft.com/en-us/windows/win32/adschema/a-msds-useraccountdisabled
* https://docs.microsoft.com/en-us/windows/win32/adschema/a-pwdlastset
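The account-disable and `pwdLastSet` rules listed in this commit message, together with the Keycloak-side `pwdLastSet = -1` problem described in the earlier Keycloak commit, modelled in plain Python as an added example. This is not the ApacheDS interceptor from the patch and not Keycloak code: the entry layout (attribute name to list of string values), the `on_add`/`on_modify` hook names, the `set_disabled` writer, the default `userAccountControl` of 512 (NORMAL_ACCOUNT) and the treatment of an absent `pwdLastSet` on password change are this example's own assumptions. The encoding of `pwdLastSet` as a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) and the meaning of the values 0 (must change password) and bit 0x2 (ACCOUNTDISABLE) follow the Microsoft schema pages referenced above.

```python
"""Added example: AD / AD LDS account semantics from the PR, modelled in Python.
Not the ApacheDS patch, not Keycloak. Entry = {attribute: [values...]}."""
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, List[str]]

ACCOUNTDISABLE = 0x2  # userAccountControl bit 0x2 (AD schema: a-useraccountcontrol)

# AD stores pwdLastSet as a FILETIME: 100-ns ticks since 1601-01-01 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed fixed "now" so the demo below is reproducible.
SAMPLE_NOW = datetime(2020, 1, 1, tzinfo=timezone.utc)


def filetime(when: Optional[datetime] = None) -> int:
    """`when` (default: now) as an AD large-integer pwdLastSet value.
    Integer arithmetic only: the tick count exceeds float precision."""
    when = when or datetime.now(timezone.utc)
    d = when - _FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def is_disabled(entry: Entry) -> bool:
    """Bind-time check: AD rule (UAC bit 0x2 set) or AD LDS rule (flag TRUE)."""
    uac = entry.get("userAccountControl")
    if uac and int(uac[0]) & ACCOUNTDISABLE:
        return True
    flag = entry.get("msDS-UserAccountDisabled")
    return bool(flag) and flag[0].upper() == "TRUE"


def must_change_password(entry: Entry) -> bool:
    """AD semantics: pwdLastSet == 0 means the password must be changed at next logon."""
    v = entry.get("pwdLastSet")
    return bool(v) and int(v[0]) == 0


def set_disabled(entry: Entry, disabled: bool, ad_lds: bool = False) -> Entry:
    """What an identity broker writes to (un)disable an account. For AD only
    bit 0x2 is touched, so other UAC flags (e.g. 0x200 NORMAL_ACCOUNT) survive."""
    e = {k: list(v) for k, v in entry.items()}
    if ad_lds:
        e["msDS-UserAccountDisabled"] = ["TRUE" if disabled else "FALSE"]
    else:
        uac = int(e.get("userAccountControl", ["512"])[0])  # 512 default: assumption
        uac = uac | ACCOUNTDISABLE if disabled else uac & ~ACCOUNTDISABLE
        e["userAccountControl"] = [str(uac)]
    return e


def _touch(e: Entry, now: Optional[datetime]) -> None:
    e["pwdLastSet"] = [str(filetime(now))]


def on_add(entry: Entry, now: Optional[datetime] = None) -> Entry:
    """Add hook: a non-zero pwdLastSet (e.g. the -1 marker Keycloak writes)
    becomes the current time; 0 is kept as-is; absent stays absent."""
    e = {k: list(v) for k, v in entry.items()}
    if "pwdLastSet" in e and int(e["pwdLastSet"][0]) != 0:
        _touch(e, now)
    return e


def on_modify(entry: Entry, mods: List[Tuple[str, str, List[str]]],
              now: Optional[datetime] = None) -> Entry:
    """Modify hook. `mods` are (op, attribute, values), op in add/replace/delete,
    applied in order; after each one the PR's rewrite rules run:
      * userPassword changed -> pwdLastSet becomes now unless it is 0
        (absent treated like non-zero: assumption, matches AD behaviour)
      * pwdLastSet written with a non-zero value -> becomes now
      * pwdLastSet deleted -> re-created with now"""
    e = {k: list(v) for k, v in entry.items()}
    for op, attr, values in mods:
        if op == "delete":
            e.pop(attr, None)
        elif op == "replace":
            e[attr] = list(values)
        elif op == "add":
            e.setdefault(attr, []).extend(values)
        else:
            raise ValueError("unknown modify op %r" % op)
        if attr == "userPassword" and op != "delete":
            if int(e.get("pwdLastSet", ["-1"])[0]) != 0:
                _touch(e, now)
        elif attr == "pwdLastSet":
            if op == "delete" or int(e["pwdLastSet"][0]) != 0:
                _touch(e, now)
    return e


if __name__ == "__main__":
    user = on_add({"cn": ["alice"], "userAccountControl": ["512"], "pwdLastSet": ["-1"]}, SAMPLE_NOW)
    print(user["pwdLastSet"], is_disabled(user))                    # -1 became a FILETIME, enabled
    print(is_disabled(set_disabled(user, True)))                     # bit 0x2 set -> disabled
    print(on_modify(user, [("delete", "pwdLastSet", [])], SAMPLE_NOW)["pwdLastSet"])
```

Without the `on_add`/`on_modify` rewrites a plain LDAP server keeps the literal `-1`, which is exactly why the Keycloak patch above has to drop its `getPwdLastSet() > 0` check; with them, a client sees the same values it would get from AD.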
c5dfab3 to 693d591