Maintaining secure integrations between Active Directory (AD) and identity management platforms like Keycloak is a crucial task in any modern IT environment. Password management for service accounts, especially those used in sensitive environments such as LDAP integrations, can become tedious when performed manually. However, automating the process reduces errors, enhances security, and saves time.
In this post, we will walk through a PowerShell script that automates the process of updating the password for a service account in both Active Directory and Keycloak, ensuring that your LDAP bind credentials remain synchronized.
Disclaimer
The script provided in this post is for educational purposes only and is provided “as is,” without any warranty. The author assumes no liability for any damage or data loss caused by using the script. Please thoroughly review and test the script in a non-production environment before applying it in your infrastructure.
What Does This Script Do?
At a high level, the script performs the following steps:
- Generates a new random password for the AD service account used to bind LDAP queries in Keycloak.
- Updates the password in Active Directory using the Set-ADAccountPassword cmdlet.
- Connects to Keycloak by retrieving an access token using the admin credentials.
- Finds the LDAP component in Keycloak associated with the specified realm.
- Updates the bind password in Keycloak, ensuring the integration remains intact after the AD password change.
Prerequisites and Permissions
To successfully execute this script, you’ll need the following:
- Active Directory Admin Rights: The user executing the script must have the necessary permissions to reset passwords for service accounts in Active Directory.
- Keycloak Admin API Access: The script requires admin-level access to Keycloak’s API to retrieve the LDAP component and update the bind password.
- PowerShell Modules: The script assumes that PowerShell is running on a machine where the Active Directory module (Set-ADAccountPassword) is available – I ran this on my AD server itself and they were already installed.
- Keycloak Network Access: The script will need access to the Keycloak instance over the network from wherever the script is run.
- Environment-Specific Parameters: Make sure to customize the script to your environment by updating the following parameters:
  - BaseUrl: The base URL for your Keycloak instance.
  - Username: The Keycloak admin username.
  - AdminPassword: The Keycloak admin password.
  - BindUserName: The Active Directory service account used for LDAP binding.
Additionally, since the script disables SSL certificate validation, it is strongly recommended to only use this in a trusted network, or ideally, ensure proper certificate validation in production environments.
Code Examples
I have already created a PowerShell example script; you can find it here: https://github.com/recklessop/keycloak-helpers/blob/main/powershell/rotate-bind-pw.ps1
Bonus: if you want to schedule this script as a task on the system, I have a helper script to create that scheduled task here: https://github.com/recklessop/keycloak-helpers/blob/main/powershell/rotate-bind-pw-task-create.ps1
How It Works
Let’s break down the key components of the script:
- Test Connectivity to Both Systems: We need to make sure we can connect to AD as well as Keycloak before proceeding; otherwise we may update the password in one system but not the other.
- Generate a Random Password: The script uses a function, Generate-RandomPassword, to create a password with a mix of lowercase, uppercase, numbers, and special characters, ensuring a secure random password for the service account.
- Update Active Directory Password: Using the Set-ADAccountPassword cmdlet, the script securely updates the AD password for the bind user account. The new password is converted to a SecureString before it is passed to the cmdlet.
- Get Keycloak Access Token: The script sends a request to Keycloak’s OpenID Connect token endpoint to retrieve an access token, which is used for authenticated API requests. By default, the tokens issued by Keycloak’s admin realm are valid for only 60 seconds, so if you modify the script make sure it completes in under 59 seconds from the time it obtains the token until it is finished (or increase the token lifespan in the Keycloak admin realm).
- Identify the LDAP Component: The script looks for the LDAP component within the specified Keycloak realm to identify where the password update is required.
- Update Keycloak’s LDAP Password: Once the correct LDAP component is found, the script sends an HTTP PUT request to update the bind password within Keycloak, ensuring that the LDAP integration remains functional with the new credentials.
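The script below is an added illustration of the six steps just described; it is not the post's own rotate-bind-pw.ps1. BaseUrl, the realm name, the bind account and the admin user name are placeholder assumptions for your environment, and the Keycloak URLs are the standard admin REST API paths (no /auth prefix; add it for pre-Quarkus releases). It departs from the order above in two defensive ways: the admin token and the LDAP component lookup happen before the AD reset, so a bad Keycloak admin credential is caught before anything changes, and the new password is test-bound against the domain controller before it is pushed to Keycloak. Certificate validation is left on; trust the Keycloak CA on the host rather than disabling validation.

```powershell
<#
Added example, not the post's script. Assumed: $BaseUrl, $Realm, $BindUserName,
$AdminUser are placeholders; Keycloak admin REST API at its default paths.
#>
[CmdletBinding()]
param(
    [string]$BaseUrl      = 'https://keycloak.example.internal',  # assumed placeholder
    [string]$Realm        = 'corp',                               # realm that owns the LDAP provider (assumed)
    [string]$BindUserName = 'svc-keycloak-bind',                  # AD sAMAccountName of the bind account (assumed)
    [string]$AdminUser    = 'admin',                              # Keycloak master-realm admin (assumed)
    [Parameter(Mandatory)][SecureString]$AdminPassword           # prompted for, never hard-coded
)
$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory

function New-RandomPassword {
    param([int]$Length = 32)
    # CSPRNG-backed picker: Get-Random is not suitable for credentials.
    # Modulo bias over 2^32 draws is negligible for pools this small.
    $rng  = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $pick = {
        param([char[]]$Pool)
        $buf = [byte[]]::new(4); $rng.GetBytes($buf)
        $Pool[[int]([System.BitConverter]::ToUInt32($buf, 0) % $Pool.Length)]
    }
    $classes = @([char[]]'abcdefghijkmnpqrstuvwxyz', [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZ',
                 [char[]]'23456789', [char[]]'!@#$%^&*-_=+?')
    $all = [char[]]($classes | ForEach-Object { $_ })
    # One character from every class so AD complexity rules are always met,
    # fill to length from the union, then shuffle with the same CSPRNG.
    $chars = [System.Collections.Generic.List[char]]::new()
    foreach ($c in $classes) { $chars.Add((& $pick $c)) }
    while ($chars.Count -lt $Length) { $chars.Add((& $pick $all)) }
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $buf = [byte[]]::new(4); $rng.GetBytes($buf)
        $j = [int]([System.BitConverter]::ToUInt32($buf, 0) % ($i + 1))
        $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
    }
    $rng.Dispose()
    -join $chars
}

# Step 1: prove both sides are reachable and the account exists before changing anything.
$dc = (Get-ADDomain).PDCEmulator                          # one DC for both the reset and the bind check
$null = Get-ADUser -Identity $BindUserName -Server $dc    # throws if AD is down or the account is missing
$kc = [uri]$BaseUrl
if (-not (Test-NetConnection -ComputerName $kc.Host -Port $kc.Port -InformationLevel Quiet)) {
    throw "Keycloak at $($kc.Host):$($kc.Port) is not reachable"
}

# Step 2: admin token from the master realm. Default lifetime is 60 s, so everything
# that follows must finish inside that window.
$adminPlain = [System.Net.NetworkCredential]::new('', $AdminPassword).Password
$token = Invoke-RestMethod -Method Post -Uri "$BaseUrl/realms/master/protocol/openid-connect/token" `
    -ContentType 'application/x-www-form-urlencoded' `
    -Body @{ grant_type = 'password'; client_id = 'admin-cli'; username = $AdminUser; password = $adminPlain }
$headers = @{ Authorization = "Bearer $($token.access_token)" }

# Step 3: locate the realm's LDAP user-storage component; refuse to guess if there is not exactly one.
$components = Invoke-RestMethod -Method Get -Headers $headers `
    -Uri "$BaseUrl/admin/realms/$Realm/components?type=org.keycloak.storage.UserStorageProvider"
$ldap = @($components | Where-Object { $_.providerId -eq 'ldap' })
if ($ldap.Count -ne 1) { throw "Expected one LDAP provider in realm '$Realm', found $($ldap.Count)" }
$ldap = $ldap[0]

# Step 4: generate, reset in AD, then prove the new credential binds before Keycloak hears about it.
$newPassword = New-RandomPassword -Length 32
Set-ADAccountPassword -Identity $BindUserName -Server $dc -Reset `
    -NewPassword (ConvertTo-SecureString $newPassword -AsPlainText -Force)
$domain = (Get-ADDomain).DNSRoot
$probe  = [System.DirectoryServices.DirectoryEntry]::new("LDAP://$dc", "$BindUserName@$domain", $newPassword)
$null   = $probe.NativeObject   # forces the bind; throws on a bad credential

# Step 5: push the same secret into the component. The GET returns bindCredential masked
# ("**********") and a PUT that echoes the mask keeps the old value, so set it explicitly.
$ldap.config | Add-Member -NotePropertyName bindCredential -NotePropertyValue ([string[]]@($newPassword)) -Force
try {
    Invoke-RestMethod -Method Put -Headers $headers -ContentType 'application/json' `
        -Uri "$BaseUrl/admin/realms/$Realm/components/$($ldap.id)" `
        -Body ($ldap | ConvertTo-Json -Depth 10)
} catch {
    # AD and Keycloak are now out of sync; say so loudly rather than exit quietly.
    throw "AD password for $BindUserName was reset on $dc but the Keycloak update failed; repair Keycloak manually. $_"
}
Write-Host "Rotated bind password for $BindUserName in AD ($dc) and Keycloak component $($ldap.id)"
```

The component lookup insists on exactly one `ldap` provider in the realm because a realm with several user federation providers would otherwise get the wrong one updated silently; if your realm has more than one, filter on the component `name` instead. The bind probe and the reset both target the PDC emulator so the check is not defeated by replication lag.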
Conclusion
This PowerShell script simplifies the process of securely updating the bind account password for both Active Directory and Keycloak’s LDAP integration. By automating this process, you can ensure your environment stays secure while reducing the manual overhead typically required for such tasks.
Remember to customize the script for your specific environment, test thoroughly before deployment, and review any security implications, such as the use of self-signed SSL certificates. This approach ensures that your LDAP credentials remain in sync across your infrastructure, improving both security and operational efficiency.
Happy automating!