[Freeipa-users] Keycloak + FreeIPA New password expiry

Georgijs Radovs georgijsr at scandiweb.com
Wed Jan 25 13:48:54 UTC 2017


Hello everyone!

Is it possible to configure the FreeIPA server so that it does not mark new 
passwords, set by Keycloak's LDAP bind user, as expired?

Basically, so that user accounts synced from FreeIPA to Keycloak could 
reset their passwords from Keycloak.

Here is my current setup:

FreeIPA server 4.4 as LDAP identity store

Keycloak server 2.1.0 as SAML identity provider

Keycloak has "User Federation" set up to sync user accounts from FreeIPA 
server.

Everything is working well, except for password reset.

For example, when a user account synced from FreeIPA logs in to the 
Keycloak server and resets its password at the Keycloak server's user 
account portal, the Keycloak bind user resets the FreeIPA user account's 
password, but, as the password is set by the bind user and not by the 
FreeIPA user, the password is marked as expired.

So, for the password to be valid, the FreeIPA user has to go to the FreeIPA 
server and reset his password once more.

Can you, please, suggest how to resolve this issue?


-- 
 <https://www.youtube.com/watch?v=coVJlV1LJ84>
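[Editor's note, added to this archived message; not part of the original post.] The behaviour described above is FreeIPA's default for any password written by a DN other than the user's own: the ipa_pwd_extop plugin treats it as an administrative reset and marks the password expired so the user must change it at next login. The exception is a DN listed in the plugin's passSyncManagersDNs attribute, which is how the Windows PassSync agent is exempted; a password set by such a DN is not expired (and, because the plugin treats those DNs like Directory Manager, the user's password policy is not enforced on it either). The LDIF below adds a Keycloak bind account to that list. It is an added example, not from the original post or from either project; the bind DN uid=keycloak,cn=sysaccounts,cn=etc,dc=example,dc=com and the suffix dc=example,dc=com are assumptions, so substitute the DN Keycloak actually binds with.

```ldif
# Added example, not from the original post. The bind DN and the
# dc=example,dc=com suffix are assumptions; use the DN that Keycloak's
# User Federation provider binds with.
#
# Apply as Directory Manager over TLS, e.g.:
#   ldapmodify -ZZ -H ldap://ipa.example.com -D "cn=Directory Manager" -W -f keycloak-passsync.ldif
# Restart the directory server afterwards (the plugin reads its config at
# startup) and then verify with:
#   ldapsearch -ZZ -H ldap://ipa.example.com -D "cn=Directory Manager" -W \
#     -b "cn=ipa_pwd_extop,cn=plugins,cn=config" passSyncManagersDNs
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
changetype: modify
add: passSyncManagersDNs
passSyncManagersDNs: uid=keycloak,cn=sysaccounts,cn=etc,dc=example,dc=com
```

Caveat a practitioner should weigh before doing this: a DN on that list can set a non-expiring, policy-exempt password for every user it has write access to, so the Keycloak bind identity should be a dedicated system account (under cn=sysaccounts,cn=etc) with a strong secret, bind only over TLS, and have its write ACI limited to userPassword on the user subtree rather than the admin-level rights it may have been given for convenience. To confirm the change took effect, reset a test user's password from Keycloak and check that krbPasswordExpiration on the user entry (or "Password expiration" in ipa user-show) is a date in the future per the user's password policy, not the timestamp of the reset.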