Re: [Freeipa-users] Keycloak + FreeIPA New password expiry

2017-01-25 Thread Georgijs Radovs
Thank you very much, Brian!

Georgijs Radovs
Junior Sysadmin


On Wed, Jan 25, 2017 at 7:13 PM, Brian Candler wrote:

> On 25/01/2017 13:48, Georgijs Radovs wrote:
>
> Is it possible to configure the FreeIPA server so that it does not mark new
> passwords set by Keycloak's LDAP bind user as expired?
>
> Yes, you need to configure the privileged LDAP bind user in
> passSyncManagersDNs:
>
> dn: cn=ipa_pwd_extop,cn=plugins,cn=config
> passSyncManagersDNs: uid=
>
> Note that this setting does not replicate - it needs to be applied to all
> replicas by hand.
>
> See:
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/pass-sync.html#password-sync
>

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Keycloak + FreeIPA New password expiry

2017-01-25 Thread Brian Candler

On 25/01/2017 13:48, Georgijs Radovs wrote:
Is it possible to configure the FreeIPA server so that it does not mark new
passwords set by Keycloak's LDAP bind user as expired?


Yes, you need to configure the privileged LDAP bind user in 
passSyncManagersDNs:


dn: cn=ipa_pwd_extop,cn=plugins,cn=config
passSyncManagersDNs: uid=

Note that this setting does not replicate - it needs to be applied to 
all replicas by hand.


See:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/pass-sync.html#password-sync
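Applying the setting from Brian's reply across a replica set, as an added example that is not part of the thread: the same LDIF for cn=ipa_pwd_extop,cn=plugins,cn=config is generated by a small POSIX shell script, pushed to every replica with ldapmodify, and read back with ldapsearch, because the attribute is not replicated. The bind account DN, the replica hostnames and the ldaps:// URLs are placeholder assumptions, and Directory Manager credentials are assumed because the entry lives under cn=config.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Registers the Keycloak
# LDAP bind account in passSyncManagersDNs on every replica, since the
# attribute lives in cn=config and is not replicated between servers.

# Assumed placeholder DN of Keycloak's bind account; replace with yours.
BIND_DN="uid=keycloak,cn=sysaccounts,cn=etc,dc=example,dc=test"

# Assumed placeholder replica list; each one needs the change separately.
REPLICAS="ipa1.example.test ipa2.example.test"

# Emit the modify LDIF for one bind DN. "add" appends a value, so any
# password-sync manager already configured on the replica is preserved.
passsync_ldif() {
  printf 'dn: cn=ipa_pwd_extop,cn=plugins,cn=config\n'
  printf 'changetype: modify\n'
  printf 'add: passSyncManagersDNs\n'
  printf 'passSyncManagersDNs: %s\n' "$1"
}

# Apply the LDIF to one replica, binding as Directory Manager because
# cn=config is not writable by ordinary IPA administrators. -W prompts
# for the Directory Manager password.
apply_to_replica() {
  passsync_ldif "$BIND_DN" | ldapmodify -x -H "ldaps://$1" \
    -D "cn=Directory Manager" -W
}

# Read the attribute back from the same replica so one that was skipped
# shows up immediately as missing the value.
verify_replica() {
  ldapsearch -x -LLL -H "ldaps://$1" -D "cn=Directory Manager" -W \
    -b "cn=ipa_pwd_extop,cn=plugins,cn=config" -s base passSyncManagersDNs
}

main() {
  for r in $REPLICAS; do
    echo "== $r"
    apply_to_replica "$r"
    verify_replica "$r"
  done
}

# Only contact real servers when explicitly asked: ./passsync.sh apply
if [ "${1:-}" = "apply" ]; then
  main
fi
```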

[Freeipa-users] Keycloak + FreeIPA New password expiry

2017-01-25 Thread Georgijs Radovs

Hello everyone!

Is it possible to configure the FreeIPA server so that it does not mark new
passwords set by Keycloak's LDAP bind user as expired?


Basically, so that user accounts synced from FreeIPA to Keycloak can
reset their passwords from Keycloak.


Here is my current setup:

FreeIPA server 4.4 as LDAP identity store

Keycloak server 2.1.0 as SAML identity provider

Keycloak has "User Federation" set up to sync user accounts from FreeIPA 
server.


Everything is working well, except for password reset.

For example, when a user account synced from FreeIPA logs in to the
Keycloak server and resets its password at the Keycloak server's user
account portal, the Keycloak bind user resets the FreeIPA user account's
password, but, because the password is set by the bind user and not by the
FreeIPA user, the password is marked as expired.


So, for the password to be valid, the FreeIPA user has to go to the FreeIPA
server and reset his password once more.


Can you please suggest how to resolve this issue?

