Custom LDAP integration


Nikola Radovanovic

Jan 28, 2023, 12:23:56 PM
to Keycloak User
Hi,
I have to make a custom LDAP integration in Keycloak. This involves reading some LDAP attributes and, if certain values are met, either allowing the user to log in or, if the password is expired, prompting the user with a new-password dialog, which shall use REST to both validate and store it.

At the moment, I have played with a custom LDAP mapper, similar to the one in MSAD. It assumes, however, that the LDAP connection is writable (when I want to update the password it fails at public boolean updateCredential(RealmModel realm, UserModel user, CredentialInput input)), which I don't actually want. I would also like to skip changing/adding workflows.

My current guess is that I have to extend and alter LDAPStorageProvider/UserMapStorage, but I am unsure whether UserAccountControlStorageMapper, LDAPStorageProvider and UserMapStorage are the way to go or whether there is a simpler solution. I would like to allow only general LDAP settings, but to use change/update password via some action(s) the administrator does not have to set explicitly (because I would be reading the necessary stuff from the host where KC is running).

Thank you in advance.

Kindest regards

Nikola Radovanovic

Jan 30, 2023, 5:32:45 AM
to Keycloak User
As additional explanation:

I am researching a way to allow the user to change an expired password. OpenLDAP is used as user federation and so far we have managed to make a custom LDAP mapper (not sure whether it is necessary though) that reads the required attributes and "decides" whether the user shall change his password. As a starting point, we used the MSAD mapper.

Now, I think (hope) adding a custom RequiredAction in cases when the user has to change the password is sufficient. I am not sure how to programmatically add this action (I would like to avoid changing flows if possible)?

Also, I am unsure how to avoid the connection type (read/write/unsync) in the LDAP provider - I don't need this at all, since changing the password will be done by an admin REST API available on the host PC, so it is not related to LDAP at all. Do I need a custom provider for this also?

Kindest regards
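As an added illustration of the approach described in the two posts above (not the poster's code and not part of Keycloak itself), one way to read an LDAP attribute and queue a required action without ever writing to LDAP, so the federation provider can stay in READ_ONLY edit mode. Assumptions: the OpenLDAP ppolicy operational attribute pwdReset as the "must change" signal, the class name PasswordExpiredMapper, and a required-action alias handed in by the mapper factory.

```java
import org.keycloak.component.ComponentModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.storage.ldap.LDAPStorageProvider;
import org.keycloak.storage.ldap.idm.model.LDAPObject;
import org.keycloak.storage.ldap.idm.query.internal.LDAPQuery;
import org.keycloak.storage.ldap.mappers.AbstractLDAPStorageMapper;

// Added example (assumed class name). Read-only mapper: when the ppolicy attribute
// pwdReset is TRUE, queue a required action on the Keycloak user; never write to LDAP.
public class PasswordExpiredMapper extends AbstractLDAPStorageMapper {
    // Operational attribute: the server omits it unless the query asks for it explicitly.
    static final String PWD_RESET_ATTR = "pwdReset";
    // Alias of the custom RequiredAction that validates/stores the password over REST
    // (placeholder; in practice the id returned by your RequiredActionFactory).
    private final String requiredActionAlias;

    public PasswordExpiredMapper(ComponentModel mapperModel, LDAPStorageProvider ldapProvider,
                                 String requiredActionAlias) {
        super(mapperModel, ldapProvider);
        this.requiredActionAlias = requiredActionAlias;
    }

    // The decision the posts describe: does this LDAP entry require a password change?
    static boolean passwordMustChange(LDAPObject ldapUser) {
        return "TRUE".equalsIgnoreCase(ldapUser.getAttributeAsString(PWD_RESET_ATTR));
    }

    @Override
    public void beforeLDAPQuery(LDAPQuery query) {
        // Without this the operational attribute never reaches the mapper.
        query.addReturningLdapAttribute(PWD_RESET_ATTR);
    }

    @Override
    public void onImportUserFromLDAP(LDAPObject ldapUser, UserModel user, RealmModel realm, boolean isCreate) {
        if (passwordMustChange(ldapUser)) {
            user.addRequiredAction(requiredActionAlias);    // prompted at next login, no flow change needed
        } else {
            user.removeRequiredAction(requiredActionAlias); // clear it once LDAP no longer flags the entry
        }
    }

    @Override
    public void onRegisterUserToLDAP(LDAPObject ldapUser, UserModel localUser, RealmModel realm) {
        // Intentionally empty: this mapper never writes to LDAP.
    }

    @Override
    public UserModel proxy(LDAPObject ldapUser, UserModel delegate, RealmModel realm) {
        return delegate; // no credential interception; the REST-backed action handles the change
    }
}
```

The mapper must still be registered through an LDAPStorageMapperFactory and attached to the LDAP provider, and the required action itself is a separate RequiredActionProvider that wraps the REST call.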
