Keycloak / KEYCLOAK-18706

UPDATE_PASSWORD does not sync with pwdLastSet


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: 15.0.0
    • Component/s: LDAP
    • Docs QE Status: NEW
    • QE Status: NEW

Description

Environment:
Env 1: RH-SSO 7.4.6 deployed on premise (VM)
Env 2: RH-SSO 7.4.6 on OpenShift 3.11
2 scenarios:
============

Scenario 1: Two RH-SSO instances
Description:

• User password expired with natural expiration.
• Setup: 2 RH-SSO instances with the same AD.
• 1 user used.
• RH-SSO-A and RH-SSO-B instances are not in a cluster.
• Both RH-SSO-A and RH-SSO-B have the same setup.
• RH-SSO-A: User accesses the Intranet instance to get a token.
• RH-SSO-B: User uses the Internet instance to reset the password.
• Edit mode: Writable
• Cache Policy: DEFAULT or NO_CACHE (no difference)

Steps to reproduce:

1. Generated a token from RH-SSO-A with a user whose password had naturally expired.
2. The following error response was received: "Account is not fully set up". The UPDATE_PASSWORD required action was added in RH-SSO-A. The following message was received in the logs: "MSAD Error code is '532' after failed LDAP login of user '<user name>'". pwdLastSet was set to 0 on the AD end.
3. Used RH-SSO-B to reset the user's password via the account page (/auth/realms/demo/account/). The password was reset on AD and pwdLastSet was set to the current timestamp. The UPDATE_PASSWORD action was also removed on RH-SSO-B.
4. Accessing RH-SSO-A for token generation fails with the same exception: "Account is not fully set up". The UPDATE_PASSWORD action is still set for the user.

============
Scenario 2: One RH-SSO instance
Description:

• RH-SSO-A: User accesses this instance to get a token.
• IT Support: Resets the password directly on AD.

Steps to reproduce:

1. Generated a token from RH-SSO-A with a user whose password had naturally expired.
2. The following error response was received: "Account is not fully set up". The UPDATE_PASSWORD required action was added in RH-SSO-A. The following message was received in the logs: "MSAD Error code is '532' after failed LDAP login of user '<user name>'". pwdLastSet was set to 0 on the AD end.
3. The user called IT Support directly and IT Support changed their password on the AD DC side.
4. On RH-SSO-A, synced the change.
5. Found that the UPDATE_PASSWORD action had still not been removed.
6. The end user accessing RH-SSO-A for token generation fails with the same exception: "Account is not fully set up". The UPDATE_PASSWORD action is still set for the user.
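Both scenarios share one failure mode: RH-SSO-A adds UPDATE_PASSWORD when AD reports pwdLastSet = 0, but a later sync does not drop the action once AD holds a fresh pwdLastSet. The following is an added illustration, not Keycloak or RH-SSO code and not the actual fix shipped in 15.0.0: it models the reconciliation rule one would expect (pwdLastSet = 0 means the action must be present, any non-zero FILETIME means it is stale), replays Scenario 1 with two independent instances against a single AD entry, and includes an operator check that lists users whose local record still carries a stale UPDATE_PASSWORD. The names `reconcile_required_actions`, `find_stale_update_password`, `Instance` and the timestamps are assumptions constructed for the example.

```python
"""Added illustration (not Keycloak/RH-SSO code): keeping a federated user's
UPDATE_PASSWORD required action consistent with Active Directory's pwdLastSet.

AD exposes pwdLastSet as a Windows FILETIME (100 ns ticks since 1601-01-01 UTC).
0 means "user must change password at next logon"; any non-zero value is the
time the password was last set. The reconciliation rule below is an assumption
about the expected behaviour, not a description of the actual fix.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional

UPDATE_PASSWORD = "UPDATE_PASSWORD"
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> Optional[datetime]:
    """Convert a pwdLastSet value to UTC; 0 (must change at next logon) has no time."""
    if filetime <= 0:
        return None
    return _FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(moment: datetime) -> int:
    """Inverse of filetime_to_datetime, done in integers to avoid float rounding."""
    delta = moment.astimezone(timezone.utc) - _FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def reconcile_required_actions(required_actions, pwd_last_set: int) -> set:
    """Required actions a user should carry after reading pwdLastSet from AD.

    pwdLastSet == 0 -> password expired / must change: UPDATE_PASSWORD present.
    pwdLastSet != 0 -> a password has been set since (through another instance
                       or directly on AD), so a lingering UPDATE_PASSWORD is
                       stale and is dropped.
    """
    actions = set(required_actions)
    if pwd_last_set == 0:
        actions.add(UPDATE_PASSWORD)
    else:
        actions.discard(UPDATE_PASSWORD)
    return actions


def find_stale_update_password(local_users, ad_entries):
    """Operator check: usernames whose local record still demands UPDATE_PASSWORD
    although AD already holds a non-zero pwdLastSet. Returns a sorted list."""
    stale = []
    for username, actions in local_users.items():
        pwd_last_set = ad_entries.get(username, {}).get("pwdLastSet", 0)
        if UPDATE_PASSWORD in actions and pwd_last_set != 0:
            stale.append(username)
    return sorted(stale)


class Instance:
    """Minimal stand-in for one RH-SSO instance's local copy of a federated user."""

    def __init__(self, name: str):
        self.name = name
        self.required_actions: set = set()

    def sync_from_ad(self, ad_entry: dict) -> set:
        self.required_actions = reconcile_required_actions(
            self.required_actions, ad_entry["pwdLastSet"])
        return self.required_actions


def run_scenario_one():
    """Replay Scenario 1 with two independent instances and one AD entry.
    Returns the required actions of RH-SSO-A and RH-SSO-B after the final sync."""
    ad_entry = {"pwdLastSet": 0}            # constructed: password naturally expired
    a, b = Instance("RH-SSO-A"), Instance("RH-SSO-B")
    a.sync_from_ad(ad_entry)                # step 2: A picks up UPDATE_PASSWORD
    # step 3: reset through B; AD stamps pwdLastSet with the time of the change
    reset_time = datetime(2021, 7, 1, 12, 0, tzinfo=timezone.utc)  # constructed
    ad_entry["pwdLastSet"] = datetime_to_filetime(reset_time)
    b.sync_from_ad(ad_entry)
    # step 4: A syncs against AD again; the stale action must be cleared
    a.sync_from_ad(ad_entry)
    return a.required_actions, b.required_actions


if __name__ == "__main__":
    print(run_scenario_one())
    print(find_stale_update_password(
        {"alice": {UPDATE_PASSWORD}, "bob": set()},                        # constructed
        {"alice": {"pwdLastSet": 132_000_000_000_000_000}, "bob": {"pwdLastSet": 0}}))
```

The check in `find_stale_update_password` is the useful part on an affected version: feeding it the local required actions and the pwdLastSet values read from AD shows which accounts will keep failing with "Account is not fully set up" until the action is cleared, independent of whether the reset happened through another instance or directly on the domain controller.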


People

Assignee: mposolda Marek Posolda
Reporter: hisanobu.okuda Hisanobu Okuda
Votes: 2
Watchers: 7
