Sure, that would be fine. But again, it's important that with default
settings, LDAPOperationManager.authenticate won't automatically
authenticate AD users with an empty password (which may happen when
anonymous bind is enabled on the AD side).
Marek
On 20/11/15 18:22, Michael Gerber wrote:
We've got a custom UserFederationProvider, which authenticates users
against an AD or a DB. Therefore, we need to know if a user entered an empty password.
I will create a PR and jira ticket for that, ok?
> On 20.11.2015, at 17:50, Marek Posolda <mposolda(a)redhat.com> wrote:
>
> That will be the easiest path to use our BruteForceProtector.
>
> However AD also has some "BruteForceProtector" of its own, which
> disables a user in AD when he reaches some count of invalid attempts. And I guess Michael
> wants to use that one and disable the user in AD as well.
>
> Marek
>
> On 20/11/15 17:40, Bill Burke wrote:
>> You can I guess, but why does it matter? invalidPassword hits the brute
>> force detector if it is turned on.
>>
>> On 11/20/2015 10:16 AM, Michael Gerber wrote:
>>> AbstractUsernameFormAuthenticator.validatePassword
>>>
>>> public boolean validatePassword(AuthenticationFlowContext context, UserModel user, MultivaluedMap<String, String> inputData) {
>>>     List<UserCredentialModel> credentials = new LinkedList<>();
>>>     String password = inputData.getFirst(CredentialRepresentation.PASSWORD);
>>>     // A missing or empty password is rejected here, before any user storage
>>>     // or federation provider ever sees it
>>>     if (password == null || password.isEmpty()) {
>>>         invalidPassword(context, user);
>>>         return false;
>>>     }
>>>     credentials.add(UserCredentialModel.password(password));
>>>     // Credential check is delegated to user storage; this is the call a
>>>     // federation provider (e.g. LDAP/AD) would be asked to validate
>>>     boolean valid = context.getSession().users().validCredentials(context.getRealm(), user, credentials);
>>>     if (!valid) {
>>>         invalidPassword(context, user);
>>>         return false;
>>>     }
>>>     return true;
>>> }
>>>
>>> I think we can remove the first if (password == null || password.isEmpty())
>>>
>>> On 20 November 2015 at 16:11, Bill Burke <bburke(a)redhat.com> wrote:
>>>
>>>> Point me to the code?
>>>>
>>>> On 11/20/2015 9:04 AM, Michael Gerber wrote:
>>>>> Hi All,
>>>>>
>>>>> Keycloak does not pass an empty password to the validCredentials method
>>>>> in the UserFederationProvider class.
>>>>> Is there a reason for that? I would like to authenticate against an AD
>>>>> even if the password is empty, otherwise the user won't be blocked after
>>>>> x attempts.
>>>>>
>>>>> Michael
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> keycloak-dev mailing list
>>>>> keycloak-dev(a)lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>>
>>>> --
>>>> Bill Burke
>>>> JBoss, a division of Red Hat
>>>> http://bill.burkecentral.com
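As an added illustration of the point Marek raises (this is example code written for this page, not Keycloak's LDAPOperationManager and not code from anyone in the thread): an LDAP simple bind that carries a DN together with an empty password is an "unauthenticated" bind under RFC 4513 section 5.1.2, which many directory servers accept and treat as anonymous rather than as a failed login. A provider that passes the form's password straight through to the bind would therefore report success for any user whose password field was left blank. The hypothetical `LdapSimpleBind` below refuses null and empty passwords before touching the directory; the LDAP URL and user DN in `main` are placeholders.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/** Hypothetical helper for this example; not Keycloak's LDAPOperationManager. */
public final class LdapSimpleBind {

    /** Distinguishes a bind refused locally from one rejected by the server. */
    public enum Outcome { REJECTED_EMPTY_PASSWORD, INVALID_CREDENTIALS, OK }

    /**
     * Guard applied before any bind. A null or empty password must be treated as
     * invalid by the application itself: sent to the server it would become an
     * unauthenticated bind (RFC 4513, 5.1.2), which may succeed as anonymous.
     */
    public static boolean isBindablePassword(String password) {
        return password != null && !password.isEmpty();
    }

    public static Outcome authenticate(String ldapUrl, String userDn, String password)
            throws NamingException {
        if (!isBindablePassword(password)) {
            // Refused locally; no request reaches the directory. This also means the
            // directory's own lockout counter is not incremented for blank submissions,
            // which is the trade-off discussed in the thread.
            return Outcome.REJECTED_EMPTY_PASSWORD;
        }

        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, password);

        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env); // the simple bind happens here
            return Outcome.OK;
        } catch (AuthenticationException e) {
            // The server rejected the credentials; AD counts this as a failed attempt.
            return Outcome.INVALID_CREDENTIALS;
        } finally {
            if (ctx != null) {
                ctx.close();
            }
        }
    }

    public static void main(String[] args) throws NamingException {
        // Placeholder URL and DN, assumed for this example only.
        String url = "ldap://ad.example.test:389";
        String dn = "CN=jdoe,OU=Users,DC=example,DC=test";
        // An empty password is refused locally without contacting the server.
        System.out.println(authenticate(url, dn, ""));
    }
}
```

The guard is deliberately separate from the bind so that a caller can decide, as Michael wants to, whether a blank submission should still be counted somewhere (for instance by invoking the realm's own brute-force tracking) without ever letting it reach the directory as a bind.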