Hello everyone!

Is it possible to configure FreeIPA server so it does not mark new passwords, set by Keycloak's LDAP bind user, expired?

Basically, so the user accounts synced from FreeIPA to Keycloak, could reset their passwords from Keycloak.

Here is my current setup:

FreeIPA server 4.4 as LDAP identity store

Keycloak server 2.1.0 as SAML identity provider

Keycloak has "User Federation" set up to sync user accounts from FreeIPA server.

Everything is working well, except for password reset.

For example, when a user account synced from FreeIPA, logs in to Keycloak server and resets his password at Keycloak server's user account portal, Keycloak bind user resets FreeIPA user account's password, but, as the password is set by bind user and not FreeIPA user, the password is set to be expired.

So, for password to be valid, FreeIPA user should go to FreeIPA server and reset his password once more.

Can you, please, suggest how to resolve this issue?


Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to