Uploaded image for project: 'WildFly'
  1. WildFly
  2. WFLY-13013

Elytron LDAP can't set-password in Active Directory or react to external changes


      The caching realm seems to work as advertised with open ldap and Red Hat Directory Server when I add a user-password-mapper after setting:

      <user-password-mapper from="userPassword" writable="true" verifiable="true" />

      When I change the password in LDAP, the caching realm reacts, and I can login with the new password. Also when I call `set-password`:

      /subsystem=elytron/ldap-realm=ldap-realm:set-password(identity=testUser, clear=



      It changes the password correctly in LDAP.

      Neither of these work in Active Directory. Active Directory stores the password, by default using the field "UnicodePwd" rather than "userPassword", so I tried having them map the user password to that field:

      /subsystem=elytron/ldap-realm=ldap-realm:write-attribute(name=identity-mapping.user-password-mapper.from, value=UnicodePwd)

      But it it can't set the password because the password code needs to write it with a different character set when writing to active directory. See the different between the code in ldap/UserPasswordCredentialLoader.java and in the special case for Active Directory in Keycloak[1]

      It can't react to external changes to the directory because Active Directory doesn't support the listening mechanism used.

      There is a potential to be able to change the active directory settings so "userPassword" runs in compatibility mode[2], but that's not a normal thing to be able to do is most environments.

      [1] Keycloak - AD UnicodePWD https://github.com/keycloak/keycloak/blob/e12c245355f5fcbabab4a6807a9975fd8c7b04de/federation/ldap/src/main/java/org/keycloak/storage/ldap/idm/store/ldap/LDAPIdentityStore.java#L320
      [2] https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/f3adda9f-89e1-4340-a3f2-1f0a6249f1f8

            Unassigned Unassigned
            rhn-support-dguthrie David Guthrie
            0 Vote for this issue
            2 Start watching this issue