[NOT MERGE] support AD attributes userAccountControl, msDS-UserAccountDisabled and pwdLastSet #45
Conversation
Dieken
changed the title
|
This PR is just for your reference, it's a rude hack, so I suggest not merging. It's better the code is separated into a new authentication interceptor, but: (1) There is no gap between (2) (3) the |
|
I'm ok if you close this PR, it's just for the record, maybe somebody is interested in this patch. Although the patch is not pefect, it serves me well, I don't have to maintain a complex real Active Directory service 😄️ Thanks for your work on ApacheDS! |
We can import required LDAP schema into any LDAP server to make it support AD specific attributes `userAccountControl`, `msDS-UserAccountDisabled` and `pwdLastSet`, so that Keycloak can store use disabling status into LDAP server. But plain LDAP server won't automatically change `pwdLastSet = -1` to `pwdLastSet = now()`, so we need disable the check `getPwdLastSet() > 0` in these two AD mappers References: * https://github.com/Dieken/directory-server/tree/active-directory * apache/directory-server#45 * https://dieken.gitlab.io/posts/howto-disable-user-in-ldap/
We can import required LDAP schema into any LDAP server to make it support AD specific attributes `userAccountControl`, `msDS-UserAccountDisabled` and `pwdLastSet`, so that Keycloak can store use disabling status into LDAP server. But plain LDAP server won't automatically change `pwdLastSet = -1` to `pwdLastSet = now()`, so we need disable the check `getPwdLastSet() > 0` in these two AD mappers. References: * https://github.com/Dieken/directory-server/tree/active-directory * apache/directory-server#45 * https://dieken.gitlab.io/posts/howto-disable-user-in-ldap/
…d pwdLastSet It's a pity LDAP doesn't have standard attribute to represent disabling an user account, Redhat's Keycloak supports an AD mapper to read and write attribute `userAccountControl`, and an AD LDS mapper to read and write attribute `msDS-UserAccountDisabled`, both mappers support attribute `pwdLastSet` too. With this patch, these three attributes basically work like AD and AD LDS: * AD: if (userAccountControl & 2L) != 0, then the user account is disabled for binding. * AD LDS: if msDS-UserAccountDisabled is TRUE, then the user account is disabled for binding. * Both AD and AD LDS: * new user added: if pwdLastSet != 0, it's automatically set to current time. * user password modified: if new pwdLastSet != 0, it's automatically set to current time. * pwdLastSet changed: if new pwdLastSet != 0, it's automatically set to current time. * pwdLastSet deleted: pwdLastSet is automatically set to current time. References: * https://docs.microsoft.com/en-us/windows/win32/adschema/a-useraccountcontrol * https://docs.microsoft.com/en-us/windows/win32/adschema/a-msds-useraccountdisabled * https://docs.microsoft.com/en-us/windows/win32/adschema/a-pwdlastset
Dieken
force-pushed
the
active-directory
branch
from
c5dfab3
to
693d591
Compare
We can import required LDAP schema into any LDAP server to make it support AD specific attributes `userAccountControl`, `msDS-UserAccountDisabled` and `pwdLastSet`, so that Keycloak can store use disabling status into LDAP server. But plain LDAP server won't automatically change `pwdLastSet = -1` to `pwdLastSet = now()`, so we need disable the check `getPwdLastSet() > 0` in these two AD mappers. References: * https://github.com/Dieken/directory-server/tree/active-directory * apache/directory-server#45 * https://dieken.gitlab.io/posts/howto-disable-user-in-ldap/
It's a pity LDAP doesn't have standard attribute to represent disabling
an user account, Redhat's Keycloak supports an AD mapper to read and write
attribute
userAccountControl, and an AD LDS mapper to read and writeattribute
msDS-UserAccountDisabled, both mappers support attributepwdLastSettoo.With this patch, these three attributes basically work like AD and AD LDS:
References: