User Federation Troubles

My environment
CentOS 8, 2 Cores, 4 GB memory, 250 HDD
Keycloak version 8.0.1
Java version 1.8.0_232

All,
This is my first time using Keycloak and everything seemed to work well. I have enable/configured a User Federation LDAP with the vendor Active Directory and configured edit mode as WRITABLE.

I have a bind DN with a domain Admin account. I was able to sync all user/s to Keycloak and no problems occurred.
When I create a user in Keycloak UI and try to resync that user to MSAD, only the first name, last name, email and domain group are synced.
The password and login name are not. I did find this but wasn’t sure if this would be the fix.

https://issues.redhat.com/projects/KEYCLOAK/issues/KEYCLOAK-12340?filter=allopenissues

I also noticed the Enable button when creating a user does not work. Once you navigate to different tab and/or save the user it disables again. I must enable through MSAD.
Pretty much have the same problems as this.

I was thinking that I may have not configured something correct on Keycloak server? or is there something I need to configure on Microsoft AD?

Any advice or direction would be appreciated
Thank you in advance

See: Keycloak, Flowable and OpenLDAP

I’m seeing the same on Keycloak 8.0.1 and Windows Server 2016 AD. Seems not to be a configuration issue, but rather a couple code issues:

  • KEYCLOAK-12340: the LDAP user password is not changed from the Keycloak Admin Console
  • KEYCLOAK-12437: AD-linked users can’t be enabled in Keycloak due to a msad-user-account-control-mapper regression

This is blocking our deployment plans for Keycloak, so we’re also waiting for that fix in 9.0.0.

Just curious (easy to overlook, but folks do it a lot with LDAP-enables applications), is your LDAP connection secure (LDAPS)? If not, AD won’t let you change your password over LDAP because it is insecure and can be sniffed, etc.

@teverson

See: Keycloak, Flowable and OpenLDAP

I have upgrade Keycloak to version 9.0.2, The User “Enable” button stays on but does not enable the user on MSAD. When creating a user on Web UI I no longer can set the password for that user . Error! Could not modify attribute for DN. My bind user for User Federation was granted all permissions for read and write on Object Unit “Users” in AD. Users imported are good but writing back attributes is failing, Again only attributes that were configured in MSAD from Keycloak are First Name, Last Name, Email, ID. Passwords attributes are not configured nor enabling the user in MSAD even thou Keycloak shows the user is enabled. Any help or suggestion would be greatly apperciated

Ah I now understand windows not changing Password Attribute,
But I’m confused on configuring LDAPS. I have a pub and private key I used for Nginx (reverse proxy), My DC has a CA . So I tried this.
https://bl.ocks.org/magnetikonline/0ccdabfec58eb1929c997d22e7341e45, No Joy
I’m very new at Certs especially between Linux & Windows.

Any help or direction would be apperciated.
Thank in advance.

Hi @gsmith

I had the same problem and solved it here using the Docker version of Keycloak.

Maybe this helps, at least for the LDAPS connection. I still can’t change passwords… :roll_eyes:

1 Like

Hi @gsmith,

Not sure if you get this working but for my side it was that we were using ADLDS instead of ADDS so the proper account controls that we should use are: msad-lds-user-account-control-mapper.

Hope this helps.

1 Like

Thank you,

My issue ended up being I need LDAPS and learn how to create the certs for a secure connection between Keycloak and MSAD. Microsoft limit what is writable and the only way is using LDAPS

This was my resolve using LDAPS from here.

1 Like