Hey rob,
thanks for the quick reply. Am I doing something utterly stupid? Usually I
use ADS for LDAP administration. I confirmed I use cn=Directory Manager
for the connection, and I am not able to find
cn=ipa_pwd_extop,cn=plugins,cn=config.
Same with ldapsearch:
ldapsearch -x -D "cn=Directory Manager"
cn=ipa_pwd_extop,cn=plugins,cn=config -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=alt,dc=coop> (default) with scope subtree
# filter: cn=ipa_pwd_extop,cn=plugins,cn=config
# requesting: ALL
#
# search result
search: 2
result: 0 Success
# numResponses: 1
Thanks a lot,
Jonatan
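Added example, not part of the thread: a small shell helper for checking a search like the one above. It assumes the OpenLDAP client tools (ldapsearch) and a reachable FreeIPA/389-ds server; the plugin entry lives under the cn=config suffix, so it has to be given as the search base rather than as a filter under the default dc=alt,dc=coop base, and the LDIF samples are constructed (the attributes in the second one are hypothetical).

```bash
#!/bin/sh
# Assumption: ldapsearch from OpenLDAP and a FreeIPA server reachable from here.
PLUGIN_DN='cn=ipa_pwd_extop,cn=plugins,cn=config'

# Base-scope search for the plugin entry itself. cn=config is a separate suffix,
# so a subtree search under the default base (dc=alt,dc=coop) never reaches it.
search_plugin_entry() {
    ldapsearch -x -D 'cn=Directory Manager' -W -b "$PLUGIN_DN" -s base -o ldif-wrap=no
}

# stdin: ldapsearch LDIF output; stdout: the base DN the server actually used.
search_base_of() {
    sed -n 's/^# base <\([^>]*\)>.*/\1/p' | head -n 1
}

# stdin: ldapsearch LDIF output; stdout: number of entries returned.
# "# numResponses: N" also counts the result message, so an empty search still
# reports numResponses: 1; counting "dn:" lines is the reliable signal.
ldif_entry_count() {
    grep -c '^dn: ' || true
}

# Constructed sample: the shape of the output quoted above (nothing matched).
EMPTY_RESULT='# extended LDIF
# LDAPv3
# base <dc=alt,dc=coop> (default) with scope subtree
# filter: cn=ipa_pwd_extop,cn=plugins,cn=config
# search result
search: 2
result: 0 Success
# numResponses: 1'

# Constructed sample: a base-scope search that found the entry (attributes hypothetical).
FOUND_RESULT='# extended LDIF
# LDAPv3
# base <cn=ipa_pwd_extop,cn=plugins,cn=config> with scope baseObject
# filter: (objectclass=*)
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
cn: ipa_pwd_extop
nsslapd-pluginEnabled: on
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1'
```

Piping real `search_plugin_entry` output through `search_base_of` and `ldif_entry_count` shows at a glance whether the search started under cn=config and whether the entry came back.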
On Monday, 23.03.2020, 16:27 -0400, Rob Crittenden wrote:
Jonatan Zint via FreeIPA-users wrote:
> Hello!
>
> I have a simple setup running keycloak 9.0.0 setup with LDAP user
> federation to my FreeIPA instance (4.8).
> Runs smoothly so far, but every time a user changes his password in
> keycloak it is marked expired in FreeIPA and he gets prompted to
> change it once trying to log in to FreeIPA.
>
> The very same issue popped up in this mail thread:
>
> https://www.redhat.com/archives/freeipa-users/2017-January/msg00393.html
> The answer does not seem to be valid for FreeIPA 4.8 though, as the
> described DN doesn't even exist anymore. Searching through the
> Red Hat docs I can see several configuration guides for Windows AD
> password sync but not a mention of how to fix it for keycloak.... Any
> hint what I could try here?
The procedure hasn't changed. You need to bind as Directory Manager to
change (or see) this part of the tree.
rob