[keycloak-user] keycloak Hash Algorithm

Dmitry Telegin dt at acutus.pro
Thu Nov 22 06:14:47 EST 2018


Hello Dimitris,

Is it correct that your LDAP directory expects simple bind with username and password already hashed with SHA1 on the client side? This is very odd and not how LDAP normally operates. I'd suggest that you consider reconfiguring your LDAP to accept plain-text passwords, store them hashed (like "{SHA1}...") and use transport-layer security to protect them en route.

Otherwise, you will have to implement your own UserStorageProvider by extending org.keycloak.storage.ldap.LDAPStorageProvider and overriding the isValid() method.

The mechanism for pluggable hash algorithms defines how Keycloak stores credentials inside its database, and therefore is irrelevant here.

Good luck,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Thu, 2018-11-22 at 11:33 +0200, Dimitris Charlaftis wrote:
> Hello,
> I use Keycloak 4.5 and I have set up a user federation to an LDAP directory
> that uses SHA-1 password encoding.
> 
> In order to log in to a realm that is connected to that LDAP, I use the LDAP
> username and the SHA-1 encoded password in the login form for the time
> being.
> 
> This is not good for common users!
> 
> All I want is this:
> 
> The user puts his username / password in plain text and Keycloak transforms
> that plain-text password from the login form into the SHA-1 equivalent (that's how our LDAP directory works...), so
> that the LDAP authorization succeeds.
> 
> In your password policy docs you state "See the Server Developer
> Guide <https://keycloak.gitbooks.io/server-developer-guide/content/> on how
> to plug in your own algorithm". The Server Developer Guide does not have that
> information; where is it?
> 
> Thanks in advance,
> Dimitris
> 

