[prev in list] [next in list] [prev in thread] [next in thread]
List: keycloak-user
Subject: [keycloak-user] krbLastPwdChange - can we use this attribute
From: callum () well ! ox ! ac ! uk (Callum Smith)
Date: 2018-11-29 12:57:24
Message-ID: 4AEB555E-249E-49B0-B63D-92D12ACD3B80 () well ! ox ! ac ! uk
[Download RAW message or body]
Dear Dmitry,
Using the same method might it be possible to integrate the FreeIPA record of a \
user's OTP setup and sync that into Keycloak as well? Whilst it's possible to \
integrate OTP using LDAP or SSSD, neither of these are ideal, as the workflow is \
wrong to allow federated identity:
If a user authenticates via external provider, OTP challenge should still be \
required. If the OTP is configured in Keycloak, this is done as a second \
authentication step which is perfect. If you are using LDAP/SSSD to do your OTP \
integration, the login step is bypassed with a federated account, and therefore the \
OTP step-up authentication is not performed.
Additionally, it would be nice to expose as a SAML attribute whether the \
authentication was done with 2FA or not, which again is not possible unless Keycloak \
is the one handling the 2FA.
So, in conclusion, could i sync OTP token data via the same LDAP connector or should \
I be looking to sync these externally? Another issue that I foresee - if the user is \
required to use OTP by the identity provider, then they are likely to need to enter \
the OTP at both the login AND the OTP step in Keycloak if this sync goes ahead, \
unless they use a federated identity. Which means that OTP has to be optional for the \
service by which Keycloak connects to IPA (LDAP) - even for users who we force OTP \
use.
Regards,
Callum
--
Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. callum at well.ox.ac.uk<mailto:callum at well.ox.ac.uk>
On 19 Nov 2018, at 19:30, Dmitry Telegin <dt at acutus.pro<mailto:dt at acutus.pro>> \
wrote:
Hello Callum,
If you want a 100% pure Keycloak solution, you can implement your own mapper by \
extending this one: https://github.com/keycloak/keycloak/blob/master/federation/ldap/s \
rc/main/java/org/keycloak/storage/ldap/mappers/msad/MSADUserAccountControlStorageMapper.java
and modifying it so that it uses krbLastPwdChange instead of pwdLastSet \
(LDAPConstants.PWD_LAST_SET).
Then deploy it as a provider and use on your LDAP definition instead of the built-in \
"msad-user-account-control-mapper".
Feel free to ask questions on provider development. Good luck,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71<tel:(022)%20888-30-71>
E-mail: info at acutus.pro<mailto:info at acutus.pro>
On Fri, 2018-11-16 at 16:27 +0000, Callum Smith wrote:
Dear All,
I've implemented this as a python script for now, hopefully this is useful to some, \
and hopefully something similar could be implemented for LDAP (although I imagine \
politically since SSSD cannot provide this data, and that's the preferred connection \
route for FreeIPA, it's not going to happen soon).
requirements: ldap3, python-keycloak
import python_freeipa
import json
import ldap3
from keycloak import KeycloakAdmin
from datetime import datetime
options['ipa_host'] = ''
options['ipa_admin_user'] = ''
options['ipa_base_dn'] = ''
options['ipa_admin_dn'] = ','+options['ipa_base_dn']
options['keycloak_host'] = ''
options['keycloak_admin_user'] = ''
options['keycloak_storage_id'] = ''
# Begin Keycloak Clietn
keycloakClient = KeycloakAdmin(server_url='https://'+options['keycloak_host']+'/auth/', \
username=options['keycloak_admin_user'], password=keycloakAdminPassword, \
realm_name='master<https://'+options['keycloak_host']+'/auth/',%20username=options['ke \
ycloak_admin_user'],%20password=keycloakAdminPassword,%20realm_name='master><https://' \
+options['keycloak_host']+'/auth/',%20username=options['keycloak_admin_user'],%20passw \
ord=keycloakAdminPassword,%20realm_name='master<https://'+options['keycloak_host']+'/a \
uth/',%20username=options['keycloak_admin_user'],%20password=keycloakAdminPassword,%20realm_name='master>>', \
verify=False)
# Begin LDAP client
ldapServer = ldap3.Server(options['ipa_host'])
ldapClient = ldap3.Connection(ldapServer, user=options['ipa_admin_dn'], \
password=ipaAdminPassword, auto_bind=True)
# Generate datestamp
date = datetime.utcnow().strftime('%Y%m%d%H%M%S')+'Z'
# Perform an LDAP sync for Keycloak
keycloakClient.sync_users(storage_id=options['keycloak_storage_id'], \
action="triggerFullSync")
# Search LDAP for expired passwords
ldapClient.search('cn=users,cn=accounts,'+options['ipa_base_dn'], \
'(|(krbPasswordExpiration<='+date+')(!(krbPasswordExpiration=*)))', \
attributes=['uid','cn','krbLastPwdChange','krbPasswordExpiration','dn']) \
resetPasswordUsers = ldapClient.entries
for user in resetPasswordUsers:
user_id = keycloakClient.get_user_id(user.uid)
keycloakClient.update_user(user_id=user_id, \
payload={"requiredActions":['UPDATE_PASSWORD']})
# Search LDAP for valid passwords
ldapClient.search('cn=users,cn=accounts,'+options['ipa_base_dn'], \
'(krbPasswordExpiration>='+date+')', \
attributes=['uid','cn','krbLastPwdChange','krbPasswordExpiration','dn']) \
validPasswordUsers = ldapClient.entries
for user in validPasswordUsers:
user_id = keycloakClient.get_user_id(user.uid)
keycloakClient.update_user(user_id=user_id, payload={"requiredActions":[]})
I've chopped some domain specific stuff from this so it might not be flawless, but \
hopefully a start for someone. Also no error checking involved here.
Regards,
Callum
--
Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. callum at well.ox.ac.uk<mailto:callum at well.ox.ac.uk><mailto:callum at \
well.ox.ac.uk>
On 16 Nov 2018, at 09:16, Callum Smith <callum at well.ox.ac.uk<mailto:callum at \
well.ox.ac.uk><mailto:callum at well.ox.ac.uk>> wrote:
Dear Keycloakers,
I was wondering, if Keycloak can accept the pwdLastSet from MSAD, why can it not use \
krbLastPwdChange from FreeIPA to allow for better integration of password resets? \
Surely this is possible and potentially even trivial to implement?
Regards,
Callum
--
Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. callum at well.ox.ac.uk<mailto:callum at well.ox.ac.uk><mailto:callum at \
well.ox.ac.uk><mailto:callum at well.ox.ac.uk>
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org<mailto:keycloak-user at \
lists.jboss.org><mailto:keycloak-user at lists.jboss.org> \
https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic