Problem Description:
Image Artist uses Keycloak to manage user authentication and login workflows. Upon account creation, all users - regardless of authentication method - are assigned the "Update Password" required action. This action prompts users to change their password at first login. This behaviour is appropriate for local accounts but problematic for LDAP-authenticated users, where passwords are managed centrally and should not be changed within the application.
For LDAP-authenticated users:
- Image Artist does not prompt these users to change their password.
- The "Update Password" action remains unfulfilled in Keycloak.
- As a result, the account is not marked as fully validated.
- This blocks certain functionality, such as uploads and Harmony transfers.
Recommended Solution:
To prevent these issues, administrators should disable the "Update Password" required action when LDAP authentication is in use.
Steps to Disable Password Update Requirement:
1. Log in to the Image Artist web interface as an admin user.
2. Navigate to: Administration > Users & Groups > Realm Settings > Login Actions
3. Locate the "Update Password" required action.
4. Set it to "Off".
This ensures that newly registered LDAP accounts are fully validated within Image Artist.
Remediation for Existing LDAP Accounts:
If an LDAP user was registered in Image Artist before the "Update Password" action was disabled and the account remains unvalidated, follow these steps to manually resolve the issue:
1. Log in to the Image Artist UI as the admin user.
2. Navigate to the Users & Groups section.
3. Select the Users page.
4. Search for the relevant username in the search box.
5. Go to the Details tab.
6. Under Required Actions, remove Update Password.
7. Click Save to apply the changes.
This will validate the account and restore full functionality.
Important Note:
Disabling the "Update Password" action affects all user accounts, not just LDAP-authenticated ones.
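Because the setting applies to every account, it helps to know which accounts are LDAP-backed and stuck on the action and which are local accounts still carrying it. The following is an added example, not part of Image Artist or its documentation: it assumes you can obtain the user list as Keycloak UserRepresentation JSON (the shape returned by the Keycloak Admin REST API at GET /admin/realms/{realm}/users) and that LDAP-backed accounts carry a federationLink value. The sample users and the function names are constructed for illustration.

```python
import json

UPDATE_PASSWORD = "UPDATE_PASSWORD"  # Keycloak alias of the "Update Password" action

# Constructed sample shaped like Keycloak UserRepresentation objects
# (assumed input; not data from a real system).
SAMPLE_USERS = json.loads("""
[
  {"id": "u-1", "username": "alice", "federationLink": "ldap-component-id",
   "requiredActions": ["UPDATE_PASSWORD"]},
  {"id": "u-2", "username": "bob", "requiredActions": ["UPDATE_PASSWORD"]},
  {"id": "u-3", "username": "carol", "federationLink": "ldap-component-id",
   "requiredActions": []},
  {"id": "u-4", "username": "dave", "federationLink": "ldap-component-id",
   "requiredActions": ["UPDATE_PASSWORD", "VERIFY_EMAIL"]}
]
""")

def is_federated(user):
    """True when the account comes from a user-federation provider (assumed: LDAP)."""
    return bool(user.get("federationLink"))

def plan_remediation(users):
    """Return ({user id: required actions minus UPDATE_PASSWORD}, [local usernames])."""
    updates, local_pending = {}, []
    for user in users:
        actions = user.get("requiredActions") or []
        if UPDATE_PASSWORD not in actions:
            continue  # nothing pending for this account
        if is_federated(user):
            # LDAP-backed: drop only this action, keep any others pending
            updates[user["id"]] = [a for a in actions if a != UPDATE_PASSWORD]
        else:
            # Local account: the password change is still appropriate
            local_pending.append(user["username"])
    return updates, local_pending

if __name__ == "__main__":
    updates, local_pending = plan_remediation(SAMPLE_USERS)
    for uid, actions in updates.items():
        # requiredActions value to save back on this user's record
        print(uid, json.dumps({"requiredActions": actions}))
    print("local accounts left unchanged:", local_pending)
```

The accounts in the first result are the ones to fix through the Remediation steps above; the second list shows local accounts whose pending password change is not touched.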