[keycloak-user] Multiple password policies
Jamie McDowell
jambo_mcd at yahoo.co.uk
Fri Aug 24 05:32:05 EDT 2018
Thanks for your reply.
What I have tried to do is get Keycloak to use the password policy which has been defined on my OpenLDAP server; however, this does not seem to work either. See my email below, which I have sent to keycloak-dev.
From: Jamie McDowell <jambo_mcd at yahoo.co.uk>
To: Keycloak-dev <keycloak-dev at lists.jboss.org>
Sent: Friday, 24 August 2018, 10:15:08 BST
Subject: Keycloak to OpenLDAP - Password Policies
Hi Devs,
I would appreciate it if you could help me with an issue I have with password policies federating from Keycloak (v3.4.3) to OpenLDAP. I have created 2 password policies on the OpenLDAP server, where I require one for end users and one for service accounts; these are defined in the specific OUs where the accounts are held.
I have set the password policies for both users and service accounts (policy module, schema, overlay, etc.) and can confirm that the policy is being picked up on the OpenLDAP host when I run the command ldappasswd for the user and enter fewer characters than the required password length (for example).
The issue I have is that within Keycloak I haven't set any password policies, as I would like it to use the one I have created within the OpenLDAP server. Can Keycloak be configured so that it must check against the OpenLDAP password policy? I have one realm set up along with a client.
I have been trying to get this working now for the last 10 days and not getting very far.
Within my LDAP mapper I have tried creating a msad-user-account-control-mapper; however, this does not work. I get an error when resetting my user password: "Failed to update password in Active Directory. Exception message: [LDAP: error code 17 - pwdLastSet: attribute type undefined]"
I would have expected something like this, considering I am not using AD.
Any suggestions would be appreciated.
Regards,
Jamie
On Tuesday, 21 August 2018, 13:28:19 BST, Marek Posolda <mposolda at redhat.com> wrote:
No, neither of the things you mentioned is available OOTB.
I wonder whether we may need something like FilterPasswordPolicy, which
would allow you to configure a child/delegate password policy and a filter
(for example using the scripting engine, as our
ScriptBasedAuthenticator does). The filter may allow you to specify,
for example, that:
- User in role "admin" must have password of at least 10 characters
- User, who is not in the role "admin" must have password of at least 7
characters
etc.
The fact is that it's not available OOTB at this moment. You may either try
to create some custom PasswordPolicyProvider(s) yourself, or you can
try to write something generic (like the FilterPasswordPolicy
provider I mentioned above) and contribute it to Keycloak.
Marek
On 17/08/18 12:32, Jamie McDowell wrote:
> Hi,
> Further to my email below can you have a password policy assigned to a realm role?
>
> Regards,
> Jamie
>
> On Thursday, 16 August 2018, 15:32:22 BST, Jamie McDowell <jambo_mcd at yahoo.co.uk> wrote:
>
> Hi,
>
> Can you have multiple password policies on the same realm where you are using an LDAP instance (federated)?
> We have Keycloak set up federating to an OpenLDAP server. On the LDAP server we have 2 OUs, 1 for users and the other for service accounts. Both of these need to have different password requirements, such as length and complexity.
> We have the password policy defined on the OpenLDAP. Can Keycloak have multiple policies?
> Has anyone configured this before or can suggest alternatives?
> Regards,
> Jamie
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
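As an illustration of the "custom PasswordPolicyProvider" route Marek suggests above, here is an added example of a Keycloak password policy whose minimum length depends on the user's realm roles (admins at least 10 characters, everyone else at least 7, as in his sketch). This is not code from the thread or from the Keycloak project: it implements Keycloak's public SPI interfaces (org.keycloak.policy.PasswordPolicyProvider, PasswordPolicyProviderFactory and PolicyError, as they exist in the 3.x line), but the provider id "roleMinLength", the package name, the "admin=10,default=7" config format and the reuse of the built-in "invalidPasswordMinLengthMessage" message key are assumptions of this example. It only enforces the rule inside Keycloak before the new password is written to LDAP; it does not read or replace the OpenLDAP ppolicy overlay.

```java
package example.keycloak.policy; // hypothetical package, not part of Keycloak

import java.util.HashMap;
import java.util.Map;

import org.keycloak.Config;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.policy.PasswordPolicyProvider;
import org.keycloak.policy.PasswordPolicyProviderFactory;
import org.keycloak.policy.PolicyError;

/**
 * Password policy "roleMinLength": minimum password length chosen by realm role.
 *
 * Configured in the admin console with a value such as
 *     admin=10,default=7
 * meaning members of realm role "admin" need at least 10 characters and
 * everyone else at least 7. The config format is invented for this example.
 */
public class RoleMinLengthPasswordPolicyProviderFactory implements PasswordPolicyProviderFactory {

    public static final String ID = "roleMinLength";
    static final String DEFAULT_KEY = "default";
    static final String DEFAULT_CONFIG = "admin=10,default=7";

    @Override
    public PasswordPolicyProvider create(KeycloakSession session) {
        return new Provider(session);
    }

    @Override public void init(Config.Scope config) { }
    @Override public void postInit(KeycloakSessionFactory factory) { }
    @Override public void close() { }
    @Override public String getId() { return ID; }
    @Override public String getDisplayName() { return "Minimum Length by Role"; }
    @Override public String getConfigType() { return PasswordPolicyProvider.STRING_CONFIG_TYPE; }
    @Override public String getDefaultConfigValue() { return DEFAULT_CONFIG; }
    @Override public boolean isMultiplSupported() { return false; }

    public static class Provider implements PasswordPolicyProvider {
        // Message key of the built-in length policy (assumed to exist in the theme messages).
        private static final String ERROR_MESSAGE = "invalidPasswordMinLengthMessage";
        private final KeycloakSession session;

        Provider(KeycloakSession session) { this.session = session; }

        /** Parses "role=len,...,default=len" into a map; rejects malformed or non-positive entries. */
        @Override
        public Object parseConfig(String value) {
            Map<String, Integer> lengths = new HashMap<>();
            String raw = (value == null || value.trim().isEmpty()) ? DEFAULT_CONFIG : value;
            for (String entry : raw.split(",")) {
                String[] kv = entry.trim().split("=", 2);
                if (kv.length != 2) {
                    throw new IllegalArgumentException("Bad roleMinLength entry: " + entry);
                }
                int len = Integer.parseInt(kv[1].trim());
                if (len < 1) {
                    throw new IllegalArgumentException("Length must be positive: " + entry);
                }
                lengths.put(kv[0].trim(), len);
            }
            if (!lengths.containsKey(DEFAULT_KEY)) {
                throw new IllegalArgumentException("roleMinLength config needs a 'default' entry");
            }
            return lengths;
        }

        /** Applies the strictest length among the user's realm roles named in the config. */
        @Override
        public PolicyError validate(RealmModel realm, UserModel user, String password) {
            Map<String, Integer> lengths = realm.getPasswordPolicy().getPolicyConfig(ID);
            int required = lengths.get(DEFAULT_KEY);
            for (Map.Entry<String, Integer> e : lengths.entrySet()) {
                RoleModel role = realm.getRole(e.getKey());
                if (role != null && user.hasRole(role)) {
                    required = Math.max(required, e.getValue());
                }
            }
            return check(password, required);
        }

        /** No user model available (e.g. self-registration): fall back to the default length. */
        @Override
        public PolicyError validate(String username, String password) {
            Map<String, Integer> lengths =
                    session.getContext().getRealm().getPasswordPolicy().getPolicyConfig(ID);
            return check(password, lengths.get(DEFAULT_KEY));
        }

        private static PolicyError check(String password, int required) {
            return password.length() < required ? new PolicyError(ERROR_MESSAGE, required) : null;
        }

        @Override public void close() { }
    }
}
```

To deploy it, the factory class name goes into META-INF/services/org.keycloak.policy.PasswordPolicyProviderFactory inside the provider JAR, after which "Minimum Length by Role" appears in the realm's Password Policy drop-down next to the built-in policies. Because the check happens in Keycloak, a user whose password is also subject to the OpenLDAP ppolicy overlay will be rejected by whichever of the two rules is stricter, so the two should be kept consistent rather than relied on to replace each other.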