KEYCLOAK-17146 : Fix reset password MS AD LDS mapper

This commit is contained in:
Mathieu CLAUDEL 2021-02-16 09:04:14 +01:00 committed by Marek Posolda
parent 40efbb0f9c
commit 197b34889c


@ -80,15 +80,15 @@ public class MSADLDSUserAccountControlStorageMapper extends AbstractLDAPStorageM
public void passwordUpdated(UserModel user, LDAPObject ldapUser, UserCredentialModel password) { public void passwordUpdated(UserModel user, LDAPObject ldapUser, UserCredentialModel password) {
logger.debugf("Going to update pwdLastSet for ldap user '%s' after successful password update", ldapUser.getDn().toString()); logger.debugf("Going to update pwdLastSet for ldap user '%s' after successful password update", ldapUser.getDn().toString());
// Normally it's read-only // Normally it's read-only and adlds do this automaticly
ldapUser.removeReadOnlyAttributeName(LDAPConstants.PWD_LAST_SET); ldapUser.removeReadOnlyAttributeName(LDAPConstants.PWD_LAST_SET);
// set but not commit in AD LDS (-1 set pwdLastSet time to now)
ldapUser.setSingleAttribute(LDAPConstants.PWD_LAST_SET, "-1"); ldapUser.setSingleAttribute(LDAPConstants.PWD_LAST_SET, "-1");
if (user.isEnabled()) { if (user.isEnabled()) {
// TODO: Use removeAttribute once available // TODO: Use removeAttribute once available
ldapUser.setSingleAttribute(LDAPConstants.MSDS_USER_ACCOUNT_DISABLED, "FALSE"); ldapUser.setSingleAttribute(LDAPConstants.MSDS_USER_ACCOUNT_DISABLED, "FALSE");
logger.debugf("Removing msDS-UserPasswordExpired of user '%s'", ldapUser.getDn().toString()); logger.debugf("Removing %s of user '%s'",LDAPConstants.MSDS_USER_ACCOUNT_DISABLED, ldapUser.getDn().toString());
} }
ldapProvider.getLdapIdentityStore().update(ldapUser); ldapProvider.getLdapIdentityStore().update(ldapUser);
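Review bot: The reworded debug message inside the `if (user.isEnabled())` block still says "Removing", but the statement right above it writes `msDS-UserAccountDisabled` = "FALSE" rather than deleting the attribute (the surviving TODO on the line before confirms removal is not available yet), so the log misdescribes the LDAP modification that is actually sent; `logger.debugf("Setting %s to FALSE for user '%s'", LDAPConstants.MSDS_USER_ACCOUNT_DISABLED, ldapUser.getDn().toString());` would match the code. The two new comments also deserve a tidy-up: `// Normally it's read-only and AD LDS maintains it automatically` (fixes "automaticly") and `// -1 asks AD LDS to set pwdLastSet to "now"; the value is only persisted by the update() call below` in place of the hard-to-follow "set but not commit" wording. That AD LDS interprets -1 this way is taken from the commit's own comment, not something the hunk demonstrates. The method's closing brace lies just past the end of the hunk.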
@ -180,7 +180,9 @@ public class MSADLDSUserAccountControlStorageMapper extends AbstractLDAPStorageM
public boolean isEnabled() { public boolean isEnabled() {
boolean kcEnabled = super.isEnabled(); boolean kcEnabled = super.isEnabled();
if (getPwdLastSet() > 0) { // getPwdLastSet() == -1 when is set but not commit in AD LDS (-1 set pwdLastSet time to now)
if (getPwdLastSet() > 0
|| getPwdLastSet() == -1) {
// Merge KC and MSAD LDS // Merge KC and MSAD LDS
return kcEnabled && !Boolean.parseBoolean(ldapUser.getAttributeAsString(LDAPConstants.MSDS_USER_ACCOUNT_DISABLED)); return kcEnabled && !Boolean.parseBoolean(ldapUser.getAttributeAsString(LDAPConstants.MSDS_USER_ACCOUNT_DISABLED));
} else { } else {