[keycloak-user] password policy | federation to AD

Marek Posolda mposolda at redhat.com
Tue Aug 22 02:43:53 EDT 2017


KEYCLOAK-4052 will help with the case when you want to enforce Keycloak 
password policies when updating the password of Keycloak user, who is 
mapped to LDAP provider. However LDAP password policies will be applied 
too. And in your case, MSAD policies are applied already. In other 
words, KEYCLOAK-4052 won't help you with the error "Could not modify 
attribute for DN [CN=username,CN=Users,DC=ad,DC=company,DC=com]".

The case you mentioned should be already supported, but it works just 
for MSAD. AFAIK it doesn't work for some others like Samba AD. Also you 
need to have MSAD User Account Controls mapper enabled.

Marek
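As an added illustration of the behaviour Marek describes (not code from the thread or from Keycloak itself): the reason MJ sees the raw "Could not modify attribute for DN ..." error is that the realm's Keycloak-side policy is not evaluated before the password-modify request reaches AD, so the directory's rejection is the first and only feedback. The script below checks a candidate password against a Keycloak-style policy string locally and only then hands it to the LDAP write. The `length(8) and digits(1) ...` policy syntax mirrors how Keycloak stores a realm password policy, but the parser, the check functions and the `ldap_modify` callable are my own assumptions for this example, not Keycloak's implementation.

```python
"""
Added example: enforce a Keycloak-style password policy before the LDAP
password-modify call, so the user gets a readable policy error instead of
the directory's opaque "Could not modify attribute" failure.  Policy string
format is assumed to follow Keycloak's realm policy syntax; the parser and
checks are illustrative, not Keycloak's own code.
"""
import re

# One policy term: a name, optionally followed by a parenthesised argument.
_POLICY_RE = re.compile(r"(\w+)(?:\(([^)]*)\))?")


def parse_policy(policy: str) -> dict:
    """Turn 'length(8) and digits(1) and notUsername' into {'length': 8, ...}."""
    rules = {}
    for part in policy.split(" and "):
        m = _POLICY_RE.fullmatch(part.strip())
        if not m:
            raise ValueError(f"unparseable policy term: {part!r}")
        name, arg = m.group(1), m.group(2)
        # Numeric arguments become ints; anything else (or no argument) is kept as-is.
        rules[name] = int(arg) if arg and arg.isdigit() else arg
    return rules


def check_password(password: str, username: str, rules: dict) -> list:
    """Return human-readable violations; an empty list means the policy passed."""
    errors = []
    n = rules.get("length")
    if n is not None and len(password) < n:
        errors.append(f"must be at least {n} characters long")
    n = rules.get("digits")
    if n is not None and sum(c.isdigit() for c in password) < n:
        errors.append(f"must contain at least {n} digit(s)")
    n = rules.get("upperCase")
    if n is not None and sum(c.isupper() for c in password) < n:
        errors.append(f"must contain at least {n} upper-case letter(s)")
    n = rules.get("lowerCase")
    if n is not None and sum(c.islower() for c in password) < n:
        errors.append(f"must contain at least {n} lower-case letter(s)")
    n = rules.get("specialChars")
    if n is not None and sum(not c.isalnum() for c in password) < n:
        errors.append(f"must contain at least {n} special character(s)")
    if "notUsername" in rules and password.lower() == username.lower():
        errors.append("must not equal the username")
    return errors


def update_password(username: str, password: str, rules: dict, ldap_modify):
    """
    Gate the directory write on the local policy check.

    `ldap_modify(username, password) -> bool` is a hypothetical stand-in for
    the real LDAP password-modify call and is only invoked once the local
    policy passes.  The directory still applies its own policy (MSAD in the
    thread), so a False from `ldap_modify` remains possible.
    """
    errors = check_password(password, username, rules)
    if errors:
        return False, ("ERROR: this password does not meet the password "
                       "complexity requirements: " + "; ".join(errors))
    ok = ldap_modify(username, password)
    return ok, ("password updated" if ok
                else "directory rejected the password (directory-side policy)")


if __name__ == "__main__":
    # Constructed sample: a realm policy and a fake directory that accepts anything.
    policy = parse_policy("length(8) and digits(1) and upperCase(1) and notUsername")
    print(update_password("jdoe", "123", policy, lambda u, p: True))
    print(update_password("jdoe", "Correct1Horse", policy, lambda u, p: True))
```

The local check is a convenience for the user, not a replacement for the directory-side policy: whatever AD enforces still applies on the write, which is the point Marek makes about MSAD policies being applied regardless of KEYCLOAK-4052.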


On 21/08/17 11:58, lists wrote:
> Hi Marek,
>
> I have them configured on both, both sides similar.
>
> We have local users (with "regular" workstations logons, and thus the 
> password policies as configured in the MSAD side)
>
> And we have users that (almost) never logon locally, but only through 
> webinterfaces secured by LDAP/OpenID Connect or SAML2. (and so: the 
> keycloak password policies apply)
>
> We were under the impression that keycloak would help to enforce 
> similar password policies like this for (mostly) all our users.
>
> So, is this actually expected to land in 3.4? And if yes, since 
> keycloak is at 3.2, any indication when 3.4 would be available?
>
> MJ
>
> On 21-8-2017 11:39, Marek Posolda wrote:
>> Are your password policies configured on MSAD side or on Keycloak side?
>>
>> KEYCLOAK-4052 is about the password policies are configured on 
>> Keycloak side, which you want to apply even before sending 
>> password_update request to LDAP. However if you have password 
>> policies configured on MSAD side, it won't help you.
>>
>> Marek
>>
>>
>> On 21/08/17 09:16, mj wrote:
>>> Aha, I guess my question is related to my question:
>>>
>>> https://issues.jboss.org/browse/KEYCLOAK-4052
>>>
>>> Does the ticket mean that we can expect this to work in 3.4.0?
>>>
>>> Thanks,
>>> MJ
>>>
>>> On 08/19/2017 12:06 PM, mj wrote:
>>>> But when I provide a bad password like "123", I would expect 
>>>> keycloak to
>>>> say something like: "ERROR: this password does not meet the password
>>>> complexity requirements, please use ..." etc.
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>