[keycloak-user] Add optional LDAP userPassword hashing

Dmitry Telegin dt at acutus.pro
Fri Feb 1 15:13:17 EST 2019


Hello Jean-Damien,

When deploying via the standalone/deployments dir, you'll need to provide a META-INF/jboss-deployment-structure.xml similar to this:

<?xml version="1.0" encoding="UTF-8"?>
<jboss-deployment-structure>
    <deployment>
        <dependencies>
            <module name="org.keycloak.keycloak-ldap-federation" />
        </dependencies>
    </deployment>
</jboss-deployment-structure>

AFAIK other dependencies (keycloak-core, keycloak-services, keycloak-server-spi) should be provided implicitly, so no need to declare them.

Good luck,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Wed, 2019-01-30 at 11:50 +0000, BOUVIER Jean-Damien wrote:
> Hi all!
> 
> My problem is described in the KEYCLOAK-4989 issue, titled "add optional LDAP userPassword hashing".
> 
> I'm in the worst-case scenario, as I use OpenLDAP, which doesn't hash passwords by default, and, the way it has been installed, I don't have the "ppolicy overlay" available.
> So Keycloak sends the password in clear text, and I thought that I could add a specific OpenLDAP configuration to hash the password beforehand.
> The LDAP administration already has some specific configuration for AD, and I thought that I could start from there (org.keycloak.storage.ldap.mappers.msad.MSADUserAccountControlStorageMapperFactory, for example).
> 
> So, I've written my own StorageMapperFactory:
> 
> public class OpenLDAPUserAccountControlStorageMapperFactory implements LDAPStorageMapperFactory<LDAPStorageMapper>
> 
> That needs these dependencies:
> 
>    <dependencies>
>         <dependency>
>             <groupId>org.keycloak</groupId>
>             <artifactId>keycloak-core</artifactId>
>             <version>${version.keycloak}</version>
>             <scope>provided</scope>
>         </dependency>
>         <dependency>
>             <groupId>org.keycloak</groupId>
>             <artifactId>keycloak-services</artifactId>
>             <version>${version.keycloak}</version>
>             <scope>provided</scope>
>         </dependency>
>         <dependency>
>             <groupId>org.keycloak</groupId>
>             <artifactId>keycloak-server-spi</artifactId>
>             <version>${version.keycloak}</version>
>             <scope>provided</scope>
>         </dependency>
>         <dependency>
>             <groupId>org.keycloak</groupId>
>             <artifactId>keycloak-ldap-federation</artifactId>
>             <version>${version.keycloak}</version>
>             <scope>provided</scope>
>         </dependency>
>     </dependencies>
> 
> But whenever I try to deploy the jar, I get:
> 
> cat hash-password-openldap-provider.jar.failed
> {"WFLYCTL0080: Failed services" => {"jboss.deployment.unit.\"hash-password-openldap-provider.jar\".POST_MODULE" => "WFLYSRV0153: Failed to process phase POST_MODULE of deployment \"hash-password-openldap-provider.jar\"
>     Caused by: java.lang.NoClassDefFoundError: Failed to link fr/calvados/keycloak/storage/ldap/mappers/openldap/OpenLDAPUserAccountControlStorageMapperFactory (Module \"deployment.hash-password-openldap-provider.jar\" from Service Module Loader): org/keycloak/storage/ldap/mappers/LDAPStorageMapperFactory"}}
> 
> I probably lack one dependency, but I can't find which one, as the error message doesn't give a clue and my Maven project compiles.
> 
> Could you help me find out what is wrong?
> 
> Regards,
> Jean-Damien Bouvier
> 
> 

