[keycloak-dev] Use LDAP's PasswordPolicy

Cédric Couralet cedric.couralet at gmail.com
Thu Nov 9 01:58:36 EST 2017 

Hello,

For the password policy, I think Keycloak's password is more easily
extensible than openldap's. I'm not sure that the openldap
implementation is the one adopted by other ldap servers.
So, I think, as Marek says, having both options would be a good choice.

For ldap account for the change of password, it would be a real
benefits to use that of the end user, since this would allow to
configure an anonymous connection at the level of the federation
keycloak, which is rather a good point in security term.

Kind regards,
Cédric

2017-11-08 10:42 GMT+01:00 Marek Posolda <mposolda at redhat.com>:
> Hi Rafael,
>
> Thanks a lot for sharing this!
>
> Few points:
> - The https://issues.jboss.org/browse/KEYCLOAK-4052 adds the optional
> config switch whether Keycloak password policies should be checked for
> LDAP password updates. You mentioned it doesn't make too much sense for
> you, however as you can see, there were few people, who want this. Hence
> the switch is optional and it's up to you whether you rely just on LDAP
> password policies or want to use the Keycloak policies too.
>
> - It's great you found the solution for the issue by yourself!
> Unfortunately it looks that solution is specific for OpenLDAP. Is it
> correct? TBH OpenLDAP is not the priority for the Keycloak team. We are
> doing some basic testing with it and it should work, but don't want to
> add the fix, which is specific for OpenLDAP and which contains a bigger
> amount of changes/refactoring as it adds a risk of breaking the other
> things. However if your change doesn't involve too much refactoring in
> the existing code (ideally just the new mapper impl), feel free to send
> the PR.
>
> Maybe you can create JIRA with the description of your requirement and
> the work done and ideally send PR? Then we can discuss whether the PR
> can be accepted or not.
>
> - Some time ago, I worked on support this for MSAD (that one is big
> priority for us). I was also looking at the delete+add approach, but
> that didn't work well. Mainly because the LDAP connection needed to be
> under the user himself as you mentioned and also because you needed to
> know the old password. Not sure if in OpenLDAP you need to know the old
> password too? So in the end, it was possible to just add some request
> controls to the updatePassword LDAP request and the MSAD policies are
> preserved. More details in class LDAPServerPolicyHintsDecorator and some
> background here [1] . Wonder if something possible can be used for
> OpenLDAP too?
>
> [1]
> https://blogs.technet.microsoft.com/fieldcoding/2013/01/09/resetting-passwords-honoring-password-history-or-whats-happening-under-the-hood-when-changing-resetting-passwords/
>
> Marek
>
> On 30/10/17 01:13, Rafael Ladislau wrote:
>> Hello, I'm pretty new here, but I've been using Keycloak with an OpenLDAP
>> as the user federation and I've noted some problems that I had to fix by
>> myself and I would like to share with the community the fixes I've made.
>>
>> I'm Software Developer at NYU and I had to change the Keycloak source code
>> to make it works in one of our Projects. It's not a big refactoring. It's
>> reasonable.
>>
>>
>> Problems and my solutions:
>>
>> 1 - Keycloak changes the password of the users coming from LDAP sending a
>> replace command to LDAP using a connection bound to the LDAP administrator.
>> (WRITE mode). It allows the users not respect the
>> password policy installed in LDAP if it has it installed. In order to fix
>> it, you need to use a connection bound to the user changing the password,
>> and Keyucloak should send two commands to LDAP: a command to delete the
>> password field with the current password value and a command to add the
>> password field with the new value. It makes Keycloak respect the password
>> policy installed in LDAP, the operation raises an exception when the
>> password is not compliant, after my fixes, I'm handling this exception and
>> I'm letting the user knows about the error. (I'm doing this in the
>> UPDATE_PASSWORD required action and in the manage account screen)
>>
>>
>> 2 - Because I was making Keycloak respect the password policy in LDAP, I
>> had to create a Password Policy User Account Control Mapper. This Mapper is
>> based on the MSAD User Account Control Mapper. It has the same idea, but it
>> writes the properties "pwdReset" and "pwdAccountLockedTime" to make
>> Keycloak knows and let OpenLDAP knows when the user must reset his password
>> and when the user is locked.
>>
>>
>> 3 - The step 2 is necessary because when you have a password policy in LDAP
>> saying the min age is one day, and you set a temporary password for the
>> user. If Keycloak doesn't set the pwdReset flag, the user will not be able
>> to change his password. (only after 24 hours)
>>
>>
>> 4 - I've made some changes in the User Federation Configuration in order to
>> allow the Keycloak administrator turn on and turn off this feature.
>>
>>
>> The issue https://issues.jboss.org/browse/KEYCLOAK-4052 has made the users
>> coming from LDAP go through the Keycloak's Password Policy before they
>> change their passwords, but what I'm proposing is making Keycloak be aware
>> of the Password Policy installed in LDAP.
>>
>>
>> Do you think it would be a good feature?
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev

More information about the keycloak-dev mailing list