<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <div class="moz-cite-prefix">It should be fine to remove it in
      Authenticator, but I am not sure if it addresses your use case. We
      have another similar check in LDAPOperationManager.<span
        style="background-color:#e4e4ff;">authenticate :
        <a class="moz-txt-link-freetext" href="https://github.com/keycloak/keycloak/blob/master/federation/ldap/src/main/java/org/keycloak/federation/ldap/idm/store/ldap/LDAPOperationManager.java#L330">https://github.com/keycloak/keycloak/blob/master/federation/ldap/src/main/java/org/keycloak/federation/ldap/idm/store/ldap/LDAPOperationManager.java#L330</a>
        .<br>
        <br>
        The reason behind it was another issue related to AD. Basically
        all other LDAP servers will always throw an exception if you put
        an incorrect (or empty) LDAP password. However, AD in some cases
        doesn't throw an exception in case of an empty password. It throws
        an exception for an invalid password, but not for an empty one. So
        it will allow any AD user to log in to Keycloak with an empty
        password... I don't know if there is some switch in AD settings
        to disable this behaviour. <br>
        <br>
        But anyway, we need to have a solution which will work in all
        situations. So we either need to add some switch to the
        configuration (true: allow an empty password to be sent to LDAP
        authentication; false: do not allow it and throw an error as we do
        now. The default setting will be false), or, if you can figure out the
        code which works for all use cases without an additional switch, it
        will be even better <span class="moz-smiley-s1"><span> :-) </span></span><br>
        <br>
        Marek</span>
      <br>
      <br>
      On 20/11/15 16:16, Michael Gerber wrote:<br>
    </div>
    <blockquote cite="mid:57a63bb6-94b0-44b0-b485-4d563fdbbdd7@me.com"
      type="cite">
      <div>AbstractUsernameFormAuthenticator.validatePassword</div>
      <div><br>
      </div>
      <div>
        <pre style="background-color: #2b2b2b; color: #a9b7c6; font-family: 'Courier New'; font-size: 9.0pt;">public boolean validatePassword(AuthenticationFlowContext context, UserModel user, MultivaluedMap&lt;String, String&gt; inputData) {
    List&lt;UserCredentialModel&gt; credentials = new LinkedList&lt;&gt;();
    String password = inputData.getFirst(CredentialRepresentation.PASSWORD);
    if (password == null || password.isEmpty()) {
        invalidPassword(context, user);
        return false;
    }
    credentials.add(UserCredentialModel.password(password));
    boolean valid = context.getSession().users().validCredentials(context.getRealm(), user, credentials);
    if (!valid) {
        invalidPassword(context, user);
        return false;
    }
    return true;
}</pre>
      </div>
      <div>I think we can remove the first if (password == null ||
        password.isEmpty())</div>
      <div><br>
        On 20 November 2015 at 16:11, Bill Burke
        <a class="moz-txt-link-rfc2396E" href="mailto:bburke@redhat.com">&lt;bburke@redhat.com&gt;</a> wrote:<br>
        <br>
      </div>
      <div>
        <blockquote type="cite">
          <div class="msg-quote">
            <div class="_stretch"><span class="body-text-content">Point
                me to the code?<br>
                <br>
                On 11/20/2015 9:04 AM, Michael Gerber wrote:<br>
                <blockquote type="cite" class="quoted-plain-text">Hi
                  All,</blockquote>
                <blockquote type="cite" class="quoted-plain-text"><br>
                </blockquote>
                <blockquote type="cite" class="quoted-plain-text">keycloak
                  does not pass an empty password to the
                  validCredentials method</blockquote>
                <blockquote type="cite" class="quoted-plain-text">in the
                  UserFederationProvider class.</blockquote>
                <blockquote type="cite" class="quoted-plain-text">Is
                  there a reason for that? I would like to authenticate
                  against an AD</blockquote>
                <blockquote type="cite" class="quoted-plain-text">even
                  if the password is empty, otherwise the user won't be
                  blocked after</blockquote>
                <blockquote type="cite" class="quoted-plain-text">x
                  attempts.</blockquote>
                <blockquote type="cite" class="quoted-plain-text"><br>
                </blockquote>
                <blockquote type="cite" class="quoted-plain-text">Michael</blockquote>
                <blockquote type="cite" class="quoted-plain-text"><br>
                </blockquote>
                <blockquote type="cite" class="quoted-plain-text"><br>
                </blockquote>
                <blockquote type="cite" class="quoted-plain-text">_______________________________________________</blockquote>
                <blockquote type="cite" class="quoted-plain-text">keycloak-dev
                  mailing list</blockquote>
                <blockquote type="cite" class="quoted-plain-text"><a
                    moz-do-not-send="true"
                    href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a></blockquote>
                <blockquote type="cite" class="quoted-plain-text"><a
                    moz-do-not-send="true"
                    href="https://lists.jboss.org/mailman/listinfo/keycloak-dev">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></blockquote>
                <blockquote type="cite" class="quoted-plain-text"><br>
                </blockquote>
                <br>
                -- <br>
                Bill Burke<br>
                JBoss, a division of Red Hat<br>
                <a moz-do-not-send="true"
                  href="http://bill.burkecentral.com"
                  data-mce-href="http://bill.burkecentral.com">http://bill.burkecentral.com</a><br>
              </span></div>
          </div>
        </blockquote>
      </div>
    </blockquote>
    <br>
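    Added example, not part of the original thread and not Keycloak code: a sketch of the configuration switch described in the reply above, where the default (false) rejects an empty password before any LDAP bind is attempted. The class name, the ldapBind stand-in, the fake directory and the DN are hypothetical; refusing to treat an accepted empty-password bind as a login is this example's own choice, not something proposed in the thread.

```java
import java.util.function.BiPredicate;

/** Added illustration; all names here are hypothetical, not Keycloak classes. */
public class EmptyPasswordGuard {
    private final boolean allowEmptyPassword;           // the proposed switch, default false
    private final BiPredicate<String, String> ldapBind; // stand-in for an LDAP simple bind
    private int bindsSent = 0;

    public EmptyPasswordGuard(boolean allowEmptyPassword, BiPredicate<String, String> ldapBind) {
        this.allowEmptyPassword = allowEmptyPassword;
        this.ldapBind = ldapBind;
    }

    /** Returns true only when the directory verified a non-empty password. */
    public boolean authenticate(String userDn, String password) {
        boolean empty = password == null || password.isEmpty();
        if (empty && !allowEmptyPassword) {
            return false; // rejected locally, nothing is sent to the directory
        }
        bindsSent++;
        boolean accepted = ldapBind.test(userDn, empty ? "" : password);
        // This example's own choice: an accepted bind with an empty password
        // is never treated as a login, whatever the server answered.
        return accepted && !empty;
    }

    public int bindsSent() {
        return bindsSent;
    }

    public static void main(String[] args) {
        // Constructed fake directory with the behaviour described in the thread:
        // a wrong password is refused, an empty one is not.
        BiPredicate<String, String> fakeAd =
                (dn, pw) -> pw.isEmpty() || pw.equals("constructed-secret");
        String dn = "CN=alice,DC=example,DC=test"; // constructed DN

        EmptyPasswordGuard strict = new EmptyPasswordGuard(false, fakeAd);
        System.out.println("strict, empty password:     " + strict.authenticate(dn, ""));
        System.out.println("strict, binds sent:         " + strict.bindsSent());
        System.out.println("strict, correct password:   " + strict.authenticate(dn, "constructed-secret"));

        EmptyPasswordGuard forwarding = new EmptyPasswordGuard(true, fakeAd);
        System.out.println("forwarding, empty password: " + forwarding.authenticate(dn, ""));
        System.out.println("forwarding, binds sent:     " + forwarding.bindsSent());
        System.out.println("forwarding, wrong password: " + forwarding.authenticate(dn, "bad"));
    }
}
```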
  </body>
</html>