Hello!
I have a simple setup running a keycloak 9.0.0 setup with LDAP user federation to my FreeIPA instance (4.8). Runs smoothly so far, but every time a user changes his password in keycloak it is marked expired in FreeIPA and he gets prompted to change it when trying to log in to FreeIPA.
The very same issue popped up in this mail thread: https://www.redhat.com/archives/freeipa-users/2017-January/msg00393.html
The answer does not seem to be valid for FreeIPA 4.8 though, as the described DN doesn't even exist anymore. Searching through the Red Hat docs I can see several configuration guides for Windows AD password sync but no mention of how to fix it for Keycloak. Any hint what I could try here?
Best regards,
Jonatan
Jonatan Zint via FreeIPA-users wrote:
The procedure hasn't changed. You need to bind as Directory Manager to change (or see) this part of the tree.
rob
Hey rob,
thanks for the quick reply. Am I doing something utterly stupid? Usually I use ADS for LDAP administration, I confirmed I use cn=Directory Manager for the connection, and I am not able to find cn=ipa_pwd_extop,cn=plugins,cn=config.
Same with ldapsearch:
ldapsearch -x -D "cn=Directory Manager" cn=ipa_pwd_extop,cn=plugins,cn=config -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=alt,dc=coop> (default) with scope subtree
# filter: cn=ipa_pwd_extop,cn=plugins,cn=config
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1
Thanks a lot,
Jonatan
Jonatan Zint via FreeIPA-users wrote:
Add -b before cn=ipa_pwd_extop...
rob
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
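As an added example (not from the thread or from the FreeIPA project), the search with the -b Rob asked for, plus the usual follow-up: listing Keycloak's bind DN in passSyncManagersDNs on that plugin entry, which I am assuming is the fix the 2017 thread refers to. The IPA host, the suffix and the sysaccount DN are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: the fix referenced from the
# 2017 thread is to add the Keycloak bind DN to passSyncManagersDNs on the
# password extended-operation plugin entry. Host, suffix and DN are placeholders.
set -eu

PLUGIN_DN='cn=ipa_pwd_extop,cn=plugins,cn=config'
IPA_HOST='ipa.example.test'                                          # placeholder
KEYCLOAK_DN='uid=keycloak,cn=sysaccounts,cn=etc,dc=example,dc=test'  # placeholder

# Without -b, ldapsearch falls back to the default base (the domain suffix),
# so the cn=config subtree is never searched and the result set is empty.
# -ZZ forces STARTTLS so the Directory Manager password is not sent in clear;
# -o ldif-wrap=no keeps long DN values on one line for the check below.
show_plugin_entry() {
    ldapsearch -x -ZZ -H "ldap://$IPA_HOST" -D 'cn=Directory Manager' -W \
        -o ldif-wrap=no -b "$PLUGIN_DN" -s base passSyncManagersDNs
}

# LDIF adding one DN to passSyncManagersDNs. The attribute is multi-valued,
# so 'add' keeps any DN already listed (e.g. an AD PassSync account).
passsync_ldif() {
    printf 'dn: %s\nchangetype: modify\nadd: passSyncManagersDNs\npassSyncManagersDNs: %s\n' \
        "$PLUGIN_DN" "$1"
}

# A listed DN can set user passwords without them being marked expired, so it
# should be a dedicated, minimally privileged sysaccount, never Directory Manager.
add_passsync_manager() {
    passsync_ldif "$1" | ldapmodify -x -ZZ -H "ldap://$IPA_HOST" -D 'cn=Directory Manager' -W
}

# True when search output ($1) already lists DN $2; re-adding an existing
# value makes ldapmodify fail with "Type or value exists".
has_manager() {
    printf '%s\n' "$1" | grep -Fqix "passSyncManagersDNs: $2"
}

if [ "${1:-}" = "--apply" ]; then
    current=$(show_plugin_entry)
    has_manager "$current" "$KEYCLOAK_DN" || add_passsync_manager "$KEYCLOAK_DN"
    show_plugin_entry
fi
```

Run with --apply on a host that can reach the IPA server; without arguments the script only defines the functions.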
Hey,
m-( Thanks a bunch, that did the trick. Now everything works smoothly as expected, thanks!
Is there some place this is documented? Besides the extensive manual on how to set it up with AD I did not find any documentation on this procedure.
Anyways, thanks a lot for guiding me.
Jonatan