Description
The caching realm seems to work as advertised with open ldap and Red Hat Directory Server when I add a user-password-mapper after setting:
<user-password-mapper from="userPassword" writable="true" verifiable="true" />
When I change the password in LDAP, the caching realm reacts, and I can login with the new password. Also when I call `set-password`:
/subsystem=elytron/ldap-realm=ldap-realm:set-password(identity=testUser, clear=
{password="1A3b6w"})
It changes the password correctly in LDAP.
Neither of these work in Active Directory. Active Directory stores the password, by default using the field "UnicodePwd" rather than "userPassword", so I tried having them map the user password to that field:
/subsystem=elytron/ldap-realm=ldap-realm:write-attribute(name=identity-mapping.user-password-mapper.from, value=UnicodePwd)
But it it can't set the password because the password code needs to write it with a different character set when writing to active directory. See the different between the code in ldap/UserPasswordCredentialLoader.java and in the special case for Active Directory in RH-SSO[1]
It can't react to external changes to the directory because Active Directory doesn't support the listening mechanism used.
The documentation doesn't specify that Active Directory isn't supported, and it's on the supported/tested LDAP server list. Since it would need special case code and potentially configuration to do that, so this needs to be documented.
Note: There is a potential to be able to change the active directory settings so "userPassword" runs in compatibility mode[2], but that's not a normal thing to be able to do.
[1] RH-SSO - AD UnicodePWD https://github.com/keycloak/keycloak/blob/e12c245355f5fcbabab4a6807a9975fd8c7b04de/federation/ldap/src/main/java/org/keycloak/storage/ldap/idm/store/ldap/LDAPIdentityStore.java#L320
[2] https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/f3adda9f-89e1-4340-a3f2-1f0a6249f1f8
Attachments
Issue Links
- links to