My environment
CentOS 8, 2 Cores, 4 GB memory, 250 HDD
Keycloak version 8.0.1
Java version 1.8.0_232
All,
This is my first time using Keycloak and everything seemed to work well. I have enabled/configured a User Federation LDAP with the vendor Active Directory and configured edit mode as WRITABLE.
I have a bind DN with a domain Admin account. I was able to sync all user/s to Keycloak and no problems occurred.
When I create a user in Keycloak UI and try to resync that user to MSAD, only the first name, last name, email and domain group are synced.
The password and login name are not. I did find this but wasn’t sure if this would be the fix.
I also noticed the Enable button when creating a user does not work. Once you navigate to a different tab and/or save the user, it disables again. I must enable through MSAD.
Pretty much have the same problems as this.
I was thinking that I may have not configured something correctly on the Keycloak server, or is there something I need to configure on Microsoft AD?
Any advice or direction would be appreciated
Thank you in advance
Just curious (easy to overlook, but folks do it a lot with LDAP-enabled applications), is your LDAP connection secure (LDAPS)? If not, AD won’t let you change your password over LDAP because it is insecure and can be sniffed, etc.
I have upgraded Keycloak to version 9.0.2. The User “Enable” button stays on but does not enable the user on MSAD. When creating a user on the Web UI I can no longer set the password for that user. Error! Could not modify attribute for DN. My bind user for User Federation was granted all permissions for read and write on Object Unit “Users” in AD. Users imported are good but writing back attributes is failing. Again, the only attributes that were configured in MSAD from Keycloak are First Name, Last Name, Email, ID. Password attributes are not configured, nor is the user enabled in MSAD even though Keycloak shows the user is enabled. Any help or suggestion would be greatly appreciated.
Ah, I now understand Windows not changing the password attribute.
But I’m confused on configuring LDAPS. I have a pub and private key I used for Nginx (reverse proxy). My DC has a CA. So I tried this: https://bl.ocks.org/magnetikonline/0ccdabfec58eb1929c997d22e7341e45. No joy.
I’m very new at certs, especially between Linux & Windows.
Any help or direction would be appreciated.
Thanks in advance.
Not sure if you got this working, but for my side it was that we were using ADLDS instead of ADDS, so the proper account controls that we should use are: msad-lds-user-account-control-mapper.
My issue ended up being I needed LDAPS and had to learn how to create the certs for a secure connection between Keycloak and MSAD. Microsoft limits what is writable and the only way is using LDAPS.
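The two symptoms in this thread (the password not being written back, and the Enable toggle not sticking) both come down to how Active Directory exposes the attributes a writable federation has to modify. The following is an added example, not Keycloak's own mapper code or anything posted above. It models those attributes so they can be reasoned about offline: the `userAccountControl` bit field that AD DS uses for the disabled state (the flag constants are Microsoft's documented values), the `msDS-UserAccountDisabled` boolean that AD LDS uses instead (which is why the AD LDS case needs the `msad-lds-user-account-control-mapper`), the UTF-16LE quoted encoding AD requires for `unicodePwd`, and a check that the connection URL is `ldaps://`, since the domain controller rejects password writes on a cleartext `ldap://` connection. The hostname `dc.example.com` is a constructed sample.

```python
"""Model the Active Directory attributes a writable Keycloak LDAP
federation has to touch (added example; constants are Microsoft's
documented userAccountControl flags, sample URLs are constructed)."""
from urllib.parse import urlparse

# Subset of the documented userAccountControl flags used by AD DS.
UAC_FLAGS = {
    "ACCOUNTDISABLE": 0x0002,
    "LOCKOUT": 0x0010,
    "PASSWD_NOTREQD": 0x0020,
    "NORMAL_ACCOUNT": 0x0200,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "PASSWORD_EXPIRED": 0x800000,
}


def decode_uac(value: int) -> set:
    """Return the names of the flags set in a userAccountControl value."""
    return {name for name, bit in UAC_FLAGS.items() if value & bit}


def set_account_enabled(uac: int, enabled: bool) -> int:
    """Flip only the ACCOUNTDISABLE bit and leave every other flag as-is.
    A freshly created AD DS user is 514 (NORMAL_ACCOUNT | ACCOUNTDISABLE);
    an enabled one is 512. Writing 'enabled' as anything other than a bit
    change on this attribute is what leaves the account disabled in AD."""
    if enabled:
        return uac & ~UAC_FLAGS["ACCOUNTDISABLE"]
    return uac | UAC_FLAGS["ACCOUNTDISABLE"]


def lds_enabled_modification(enabled: bool) -> dict:
    """AD LDS has no userAccountControl; it exposes a boolean attribute,
    so the enable flag must be written to msDS-UserAccountDisabled."""
    return {"msDS-UserAccountDisabled": "FALSE" if enabled else "TRUE"}


def encode_unicode_pwd(password: str) -> bytes:
    """AD expects unicodePwd as the password wrapped in double quotes,
    encoded as UTF-16LE. Any other shape is rejected by the DC."""
    return f'"{password}"'.encode("utf-16-le")


def check_federation_url(url: str) -> list:
    """Flag a connection URL that cannot carry password writes to AD."""
    findings = []
    parsed = urlparse(url)
    if parsed.scheme == "ldap":
        findings.append(
            "plain ldap:// - AD refuses unicodePwd writes without TLS; use ldaps://"
        )
    elif parsed.scheme != "ldaps":
        findings.append(f"unexpected scheme {parsed.scheme!r}")
    # 636 is LDAPS, 3269 is the global catalog over TLS.
    if parsed.scheme == "ldaps" and parsed.port not in (None, 636, 3269):
        findings.append(
            f"ldaps on non-standard port {parsed.port}; confirm the DC listens there"
        )
    return findings


if __name__ == "__main__":
    # Constructed sample: a new user as AD DS creates it, then enabled.
    new_user = 514
    print(sorted(decode_uac(new_user)))
    print(sorted(decode_uac(set_account_enabled(new_user, True))))
    print(lds_enabled_modification(True))
    print(encode_unicode_pwd("Pa55"))
    for url in ("ldap://dc.example.com:389", "ldaps://dc.example.com:636"):
        print(url, check_federation_url(url) or "ok")
```

Running it shows why a mapper that writes the wrong attribute, or a connection that is not LDAPS, produces exactly the behaviour described above: the user object is created with first name, last name and e-mail, but the disabled bit and the password never change on the AD side.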