What AD permissions does the LDAP bind user really need

We are running Keycloak v21 and have a few issues with the permissions on the Windows AD side of things. The general functions are working without any issue, but we are having problems with the password change functionality.

We found out that we need the following permissions:

This combination of permissions is working. However, the problem we are facing is that our administrators are not allowed to enable the whole “public information” package. We need the specific permissions that Keycloak needs inside this package to function properly.

If we do not enable r/w on the package, we encounter the following problems:

  • Password change produces an error (in the logs and UI)
    • password IS still changed
    • “Update Password” flag (required action) is cleared both in the AD and in Keycloak
  • The required action “Update Password” cannot be set inside Keycloak (only inside the AD)

The logs produce the same error message in all constellations:

javax.naming.NoPermissionException: [LDAP: error code 50 - 00002098: SecErr: DSID-031514A0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Please keep in mind that I am no Windows administrator and I may misphrase some terms; sorry about that.
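The post asks which individual permissions hide behind the “Public Information” property set and which of them the bind account already has. The following PowerShell is an added diagnostic for exactly that question; it is not code from the original post, from Keycloak, or from Microsoft. It assumes the RSAT ActiveDirectory module is installed, that the caller can read the schema and configuration partitions and the OU's security descriptor, and that the two placeholders (the OU Keycloak syncs against and the sAMAccountName of the bind account) are replaced with real values. The attribute name passed to the grant function is also a placeholder: the page does not say which attribute the failing modify touches.

```powershell
# Added diagnostic, not code from the original post or from Keycloak.
# Assumptions (replace before running): RSAT ActiveDirectory module installed, $UserOU is
# the OU Keycloak syncs against, $BindUser is the sAMAccountName of the LDAP bind account.
Import-Module ActiveDirectory

$UserOU      = 'OU=Users,DC=example,DC=com'   # assumption: placeholder OU
$BindUser    = 'svc-keycloak'                 # assumption: placeholder bind account
$PropertySet = 'Public Information'

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext
$rightsDN = "CN=Extended-Rights,$configNC"

# Map every schemaIDGUID (attributes and classes) and every extended-right / property-set
# rightsGuid to a readable name, so ACEs can be printed by name instead of by GUID.
$guidName = @{}
Get-ADObject -SearchBase $schemaNC -LDAPFilter '(schemaIDGUID=*)' -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidName[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase $rightsDN -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidName[[guid]$_.rightsGuid] = $_.displayName }

# 1. Which attributes does the property set actually cover?
#    A property set is a controlAccessRight whose rightsGuid is stored in the
#    attributeSecurityGUID of every attributeSchema object that belongs to it.
function Get-PropertySetMembers {
    param([string]$Name)
    $ps = Get-ADObject -SearchBase $rightsDN -Properties rightsGuid `
          -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=$Name))"
    if (-not $ps) { throw "Property set '$Name' not found" }
    # attributeSecurityGUID is binary: encode the GUID bytes as \xx for the LDAP filter.
    $escaped = -join (([guid]$ps.rightsGuid).ToByteArray() | ForEach-Object { '\{0:x2}' -f $_ })
    Get-ADObject -SearchBase $schemaNC -Properties lDAPDisplayName `
        -LDAPFilter "(&(objectClass=attributeSchema)(attributeSecurityGUID=$escaped))" |
        Select-Object -ExpandProperty lDAPDisplayName | Sort-Object
}

# 2. Which ACEs on the OU name the bind account directly?
#    (Rights obtained through group membership are not listed; inspect those groups too.)
function Get-BindUserAces {
    param([string]$OU, [string]$SamAccountName)
    $sid = (Get-ADUser -Identity $SamAccountName).SID
    (Get-Acl -Path "AD:\$OU").Access | Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid
    } | ForEach-Object {
        $target = if ($_.ObjectType -eq [guid]::Empty) { '<all>' }
                  elseif ($guidName.ContainsKey($_.ObjectType)) { $guidName[$_.ObjectType] }
                  else { $_.ObjectType.ToString() }
        '{0,-5} {1,-35} on {2}' -f $_.AccessControlType, $_.ActiveDirectoryRights, $target
    }
}

# 3. Grant read+write on ONE attribute of user objects under the OU instead of the whole
#    property set. Modifies the OU's security descriptor: run with -WhatIf first.
function Grant-AttributeAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$OU, [string]$SamAccountName, [string]$Attribute)
    $sid       = (Get-ADUser -Identity $SamAccountName).SID
    $attrGuid  = [guid](Get-ADObject -SearchBase $schemaNC -Properties schemaIDGUID `
                   -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$Attribute))").schemaIDGUID
    $userClass = [guid](Get-ADObject -SearchBase $schemaNC -Properties schemaIDGUID `
                   -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=user))').schemaIDGUID
    $rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
        [System.Security.AccessControl.AccessControlType]::Allow,
        $attrGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClass)
    if ($PSCmdlet.ShouldProcess($OU, "grant $SamAccountName read/write on '$Attribute' for user objects")) {
        $acl = Get-Acl -Path "AD:\$OU"
        $acl.AddAccessRule($rule)
        Set-Acl -Path "AD:\$OU" -AclObject $acl
    }
}

"Attributes inside the '$PropertySet' property set:"
Get-PropertySetMembers -Name $PropertySet | ForEach-Object { "  $_" }
"ACEs on $UserOU that name $BindUser directly:"
Get-BindUserAces -OU $UserOU -SamAccountName $BindUser
# Dry run once the attribute the failing modify needs is known ('<attribute>' is a placeholder):
# Grant-AttributeAccess -OU $UserOU -SamAccountName $BindUser -Attribute '<attribute>' -WhatIf
```

The INSUFF_ACCESS_RIGHTS line quoted above does not say which attribute the modify was denied on, so the practical procedure is: compare the property-set listing with the ACE dump, grant one attribute at a time with the third function, and retest the password change and the “Update Password” required action after each grant. Extended rights such as “Reset Password” are control access rights rather than property-set members, and the ACE dump resolves them to their display names as well; the dump only shows ACEs that name the bind account directly, so rights it holds through group membership must be checked on those groups.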