[keycloak-user] Multiple password policies

Jamie McDowell jambo_mcd at yahoo.co.uk
Fri Aug 24 05:32:05 EDT 2018 

Thanks for your reply. 
What i have tried to do is Keycloak to use the password policy which has been defined on my OpenLDAP server however this does not seem to work either. See my email below which i have sent to keycloak-dev's.

From: Jamie McDowell <jambo_mcd at yahoo.co.uk>

To: Keycloak-dev <keycloak-dev at lists.jboss.org>

Sent: Friday, 24 August 2018, 10:15:08 BST

Subject: Keycloak to OpenLDAP - Password Policies

 

Hi Dev's,

 

Appreciate if you can help me with an issue i have with password policies federating from Keycloak (v3.4.3) to OpenLDAP. I have created 2 password policies on the OpenLDAP server, where i require one for end users and one for service accounts - these are defined in the specific OU's to where the accounts are held. 

 

I have set the password policies for both users and service accounts (policy module, schema, overlay etc..) and can confirm that the policy is being picked up on the OpenLDAP host when i run the command ldappasswd for the user and enter less characters than the required password length (for example)

 

The issue i have is that within keycloak i haven't set any password policies as i would like this to use the one i have created within the OpenLDAP server. Can Keycloak be configured that this must check against the OpenLDAP password policy? I have one realm set up along with a client.

 

I have been trying to get this working now for the last 10 days and not getting very far. 

 

Within my LDAP Mapper i have tried creating a msad-user-account-control-mapper however this does not work, i get provided with an error when resetting my user password "Failed to update password in Active Directory. Exception message: [LDAP: error code 17 - pwdLastSet: attribute type undefined"

 

I would have expected something like this considering i am not using AD. 

 

Any suggestions would be appreciated 
 
Regards,
Jamie
    On Tuesday, 21 August 2018, 13:28:19 BST, Marek Posolda <mposolda at redhat.com> wrote:  
 
 No, neither of the things you mentioned is available OOTB.

I wonder that we may need something like FilterPasswordPolicy, which 
will allow to configure child/delegate password policy and the filter 
(for example with usage of the scripting engine like our 
ScriptBasedAuthenticator is using)? The filter may allow you to specify 
for example that:
- User in role "admin" must have password of at least 10 characters
- User, who is not in the role "admin" must have password of at least 7 
characters

etc.

Fact is, that it's not available OOTB at this moment. You may either try 
to create some custom PasswordPolicyProvider(s) by yourself. Or you can 
try to contribute something generic (like the FilterPasswordPolicy 
provider I mentioned above) and contribute to Keycloak?

Marek


On 17/08/18 12:32, Jamie McDowell wrote:
> Hi,
> Further to my email below can you have a password policy assigned to a realm role?
>
> Regards,
> Jamie
>
>      On Thursday, 16 August 2018, 15:32:22 BST, Jamie McDowell <jambo_mcd at yahoo.co.uk> wrote:
>  
>  Hi,
>
> Can you have multiple password policies on the same realm where you are using an LDAP instance (Federated)
> We have Keycloak set up federating to an OpenLDAP server. On the LDAP server we have 2 OU's, 1 for users and the other for service accounts - Both of these need to have different passwords such as length and complexity.
> We have the password policy defined on the OpenLDAP. Can Keycloak have multiple policies?
> Has anyone configured this before or can suggest alternatives?
> Regards,
> Jamie
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

More information about the keycloak-user mailing list