Is it possible to configure the FreeIPA server so that it does not mark new
passwords set by Keycloak's LDAP bind user as expired?
Basically, so that user accounts synced from FreeIPA to Keycloak could
reset their passwords from Keycloak.
Here is my current setup:
FreeIPA server 4.4 as LDAP identity store
Keycloak server 2.1.0 as SAML identity provider
Keycloak has "User Federation" set up to sync user accounts from FreeIPA
Everything is working well, except for password reset.
For example, when a user account synced from FreeIPA logs in to the
Keycloak server and resets its password at the Keycloak server's user
account portal, the Keycloak bind user resets the FreeIPA user account's
password, but, as the password is set by the bind user and not by the
FreeIPA user, the password is marked as expired.
So, for the password to be valid, the FreeIPA user has to go to the FreeIPA
server and reset his password once more.
Can you please suggest how to resolve this issue?
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project
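As an added example (not part of the original post or of FreeIPA/Keycloak code), the following shows the FreeIPA mechanism behind the behaviour described above: the ipa-pwd-extop plugin expires any password set by a DN other than the user's own, unless that DN is listed in its passSyncManagersDNs attribute. The bind DN, the base DN and the sample entries below are constructed placeholders; a real check would read the attributes from the directory.

```python
from datetime import datetime, timezone

# Assumed placeholders, not values from the thread.
KEYCLOAK_BIND_DN = "uid=keycloak,cn=sysaccounts,cn=etc,dc=example,dc=com"
PWD_PLUGIN_DN = "cn=ipa_pwd_extop,cn=plugins,cn=config"


def pass_sync_manager_ldif(bind_dn: str) -> str:
    """LDIF (for ldapmodify as Directory Manager) that registers bind_dn as a
    password sync manager. Passwords set by a DN listed in passSyncManagersDNs
    keep their normal expiration instead of being expired immediately.
    The directory server must be restarted for the change to take effect.
    Keep this list to the one service DN that actually needs it."""
    return (
        f"dn: {PWD_PLUGIN_DN}\n"
        "changetype: modify\n"
        "add: passSyncManagersDNs\n"
        f"passSyncManagersDNs: {bind_dn}\n"
    )


def parse_generalized_time(value: str) -> datetime:
    """Parse LDAP GeneralizedTime as FreeIPA writes it: YYYYMMDDHHMMSSZ."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def password_expired(entry: dict, now: datetime) -> bool:
    """True if the user's krbPasswordExpiration is at or before `now`.
    After a reset by a non-manager DN, FreeIPA sets krbPasswordExpiration equal
    to krbLastPwdChange, so the password is expired the moment it is set."""
    expiration = parse_generalized_time(entry["krbPasswordExpiration"])
    return expiration <= now


# Constructed sample entries showing the two outcomes the post describes.
NOW = parse_generalized_time("20161010120500Z")
# Reset done by the Keycloak bind user (not a password sync manager).
RESET_BY_BIND_USER = {
    "uid": "alice",
    "krbLastPwdChange": "20161010120000Z",
    "krbPasswordExpiration": "20161010120000Z",
}
# Reset done by the user herself: 90-day policy expiration applies.
RESET_BY_SELF = {
    "uid": "alice",
    "krbLastPwdChange": "20161010120000Z",
    "krbPasswordExpiration": "20170108120000Z",
}
```

Run `password_expired` against a freshly reset test account before and after applying the LDIF to confirm the bind user's resets no longer come out expired.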