[keycloak-user] Add optional LDAP userPassword hashing
Dmitry Telegin
dt at acutus.pro
Fri Feb 1 15:13:17 EST 2019
Hello Jean-Damien,
When deploying via the standalone/deployments dir, you'll need to provide a META-INF/jboss-deployment-structure.xml similar to this:
<?xml version="1.0" encoding="UTF-8"?>
<jboss-deployment-structure>
    <deployment>
        <dependencies>
            <module name="org.keycloak.keycloak-ldap-federation" />
        </dependencies>
    </deployment>
</jboss-deployment-structure>
AFAIK other dependencies (keycloak-core, keycloak-services, keycloak-server-spi) should be provided implicitly, so no need to declare them.
Good luck,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro
On Wed, 2019-01-30 at 11:50 +0000, BOUVIER Jean-Damien wrote:
> Hi all !
>
> My problem is described in the KEYCLOAK-4989 issue, titled "add optional LDAP userPassword hashing".
>
> I'm in the worst-case scenario as I use OpenLDAP, which doesn't hash passwords by default, and the way it has been installed, I don't have the "ppolicy overlay" available.
> So Keycloak sends the password in clear text, and I thought that I could add specific OpenLDAP configuration to hash the password beforehand.
> The LDAP administration already has some specific configuration for AD and I thought that I could start from here. (org.keycloak.storage.ldap.mappers.msad.MSADUserAccountControlStorageMapperFactory for example)
>
> So, I've written my own StorageMapperFactory :
>
> public class OpenLDAPUserAccountControlStorageMapperFactory implements LDAPStorageMapperFactory<LDAPStorageMapper>
>
> That needs these dependencies :
>
> <dependencies>
>     <dependency>
>         <groupId>org.keycloak</groupId>
>         <artifactId>keycloak-core</artifactId>
>         <version>${version.keycloak}</version>
>         <scope>provided</scope>
>     </dependency>
>     <dependency>
>         <groupId>org.keycloak</groupId>
>         <artifactId>keycloak-services</artifactId>
>         <version>${version.keycloak}</version>
>         <scope>provided</scope>
>     </dependency>
>     <dependency>
>         <groupId>org.keycloak</groupId>
>         <artifactId>keycloak-server-spi</artifactId>
>         <version>${version.keycloak}</version>
>         <scope>provided</scope>
>     </dependency>
>     <dependency>
>         <groupId>org.keycloak</groupId>
>         <artifactId>keycloak-ldap-federation</artifactId>
>         <version>${version.keycloak}</version>
>         <scope>provided</scope>
>     </dependency>
> </dependencies>
>
> But whenever I try to deploy the jar, I get :
>
> cat hash-password-openldap-provider.jar.failed
> {"WFLYCTL0080: Failed services" => {"jboss.deployment.unit.\"hash-password-openldap-provider.jar\".POST_MODULE" => "WFLYSRV0153: Failed to process phase POST_MODULE of deployment \"hash-password-openldap-provider.jar\"
> Caused by: java.lang.NoClassDefFoundError: Failed to link fr/calvados/keycloak/storage/ldap/mappers/openldap/OpenLDAPUserAccountControlStorageMapperFactory (Module \"deployment.hash-password-openldap-provider.jar\" from Service Module Loader): org/keycloak/storage/ldap/mappers/LDAPStorageMapperFactory"}}
>
> I probably lack one dependency but I can't find which one, as the error message doesn't give a clue and my Maven project compiles.
>
> Could you help me to find out what is wrong ?
>
> Regards,
> Jean-Damien Bouvier
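Added example, not part of the original thread or of Keycloak: a pre-deployment check that a provider JAR carries the META-INF/jboss-deployment-structure.xml described in the reply and declares the LDAP federation module, so the missing dependency is caught before the NoClassDefFoundError at deploy time. The function names and the sample JARs are hypothetical and constructed for illustration; the check also accepts a descriptor that carries the optional urn:jboss:deployment-structure namespace.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

DESCRIPTOR = "META-INF/jboss-deployment-structure.xml"
REQUIRED = {"org.keycloak.keycloak-ldap-federation"}  # module named in the reply above


def _local(tag):  # strip a namespace such as {urn:jboss:deployment-structure:1.2}
    return tag.rsplit("}", 1)[-1]


def declared_modules(jar_bytes):
    """Module names under <deployment>/<dependencies>, or None if no descriptor."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        if DESCRIPTOR not in jar.namelist():
            return None
        root = ET.fromstring(jar.read(DESCRIPTOR))
    return {
        mod.get("name")
        for dep in root if _local(dep.tag) == "deployment"
        for deps in dep if _local(deps.tag) == "dependencies"
        for mod in deps if _local(mod.tag) == "module" and mod.get("name")
    }


def missing_modules(jar_bytes, required=REQUIRED):
    """Sorted required modules that the JAR's descriptor does not declare."""
    return sorted(set(required) - (declared_modules(jar_bytes) or set()))


def make_jar(descriptor_xml=None):
    """Constructed in-memory JAR for the demo (hypothetical, not a real provider)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        if descriptor_xml is not None:
            jar.writestr(DESCRIPTOR, descriptor_xml)
    return buf.getvalue()


# Constructed descriptor: same content as the reply's, plus the optional namespace.
FIXED_XML = """<jboss-deployment-structure xmlns="urn:jboss:deployment-structure:1.2">
  <deployment><dependencies>
    <module name="org.keycloak.keycloak-ldap-federation"/>
  </dependencies></deployment>
</jboss-deployment-structure>"""

if __name__ == "__main__":
    print(missing_modules(make_jar()), missing_modules(make_jar(FIXED_XML)))
```

To check a real build, pass the bytes of the built JAR to missing_modules(); an empty list means the descriptor declares every required module.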