[keycloak-dev] Use LDAP's PasswordPolicy

Rafael Ladislau rafa.ladis at gmail.com
Sun Oct 29 20:13:57 EDT 2017 

Hello, I'm pretty new here, but I've been using Keycloak with an OpenLDAP
as the user federation and I've noted some problems that I had to fix by
myself and I would like to share with the community the fixes I've made.

I'm Software Developer at NYU and I had to change the Keycloak source code
to make it works in one of our Projects. It's not a big refactoring. It's
reasonable.


Problems and my solutions:

1 - Keycloak changes the password of the users coming from LDAP sending a
replace command to LDAP using a connection bound to the LDAP administrator.
(WRITE mode). It allows the users not respect the
password policy installed in LDAP if it has it installed. In order to fix
it, you need to use a connection bound to the user changing the password,
and Keyucloak should send two commands to LDAP: a command to delete the
password field with the current password value and a command to add the
password field with the new value. It makes Keycloak respect the password
policy installed in LDAP, the operation raises an exception when the
password is not compliant, after my fixes, I'm handling this exception and
I'm letting the user knows about the error. (I'm doing this in the
UPDATE_PASSWORD required action and in the manage account screen)


2 - Because I was making Keycloak respect the password policy in LDAP, I
had to create a Password Policy User Account Control Mapper. This Mapper is
based on the MSAD User Account Control Mapper. It has the same idea, but it
writes the properties "pwdReset" and "pwdAccountLockedTime" to make
Keycloak knows and let OpenLDAP knows when the user must reset his password
and when the user is locked.


3 - The step 2 is necessary because when you have a password policy in LDAP
saying the min age is one day, and you set a temporary password for the
user. If Keycloak doesn't set the pwdReset flag, the user will not be able
to change his password. (only after 24 hours)


4 - I've made some changes in the User Federation Configuration in order to
allow the Keycloak administrator turn on and turn off this feature.


The issue https://issues.jboss.org/browse/KEYCLOAK-4052 has made the users
coming from LDAP go through the Keycloak's Password Policy before they
change their passwords, but what I'm proposing is making Keycloak be aware
of the Password Policy installed in LDAP.


Do you think it would be a good feature?

More information about the keycloak-dev mailing list