On 2016-12-09, Rashiq wrote:
Hi,
On Friday, 9 December 2016 08:22:50 CET, Bruno Oliveira wrote:
> On 2016-12-09, Michael Furman wrote:
> > Hi all,
> > Is LDAP Bind Credential encrypted in the database?
> > What algorithm is used?
>
> Take a look at
>
> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/threat/password-db-compromised.html
I think the question was not about hashing Keycloak user passwords, but about
encrypting the password used to bind keycloak to the LDAP server configured as
an Identity Provider for Keycloak. Is that correct, Michael?
My bad.
In such case, the password cannot be hashed (as Keycloak has to have access to
it to provide it to the LDAP server upon connecting).
You're totally correct.
My *guess* is that the bind password could be encrypted, but database
compromise would nonetheless let a potential attacker get to the password (if
in no other way, by setting up their own Keycloak instance and using the db
for it).
Yes, if the database is compromised, the keys will be too. Which makes
the encryption of the LDAP credential pointless today.
We have a Jira which I believe covers this scenario[1].
[1] - https://issues.jboss.org/browse/KEYCLOAK-3205
There's no way around it, I think -- Keycloak has to have access to the clear-text
LDAP password, one way or another, to bind to the LDAP server.
--
Regards,
rashiq
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
abstractj
PGP: 0x84DC9914
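The point made in the thread above, that encrypting the LDAP bind credential buys nothing when the key is stored in the same database, and that the server must still be able to recover the cleartext to bind, can be shown with a small model. The following is an added example, not Keycloak code and not anything from KEYCLOAK-3205. The cipher is a deliberately simple HMAC-SHA256 keystream with an authentication tag, standing in for whatever real cipher a product would use; the record layout (`ldap_bind_credential`, `encryption_key`) and the external key store name (`keycloak-ldap-key`) are constructed for the illustration. It contrasts a key co-located with the ciphertext (a database dump alone yields the bind password) with a key held outside the database (the dump alone yields nothing, while the server can still bind).

```python
"""Where the LDAP bind password and its encryption key live.

Added example, not Keycloak code. The cipher below is a toy
(HMAC-SHA256 keystream + HMAC tag) used only to make the
key-placement argument concrete.
"""
import hashlib
import hmac
import secrets

# Constructed sample value; any real deployment would use its own.
BIND_PASSWORD = "ldap-service-account-secret"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` bytes of keystream from (key, nonce) in counter mode."""
    out = b""
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then recover the plaintext. Raises ValueError on tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad tag")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def store_key_in_db(password: str) -> dict:
    """Model A: the encryption key sits in the same database as the ciphertext."""
    key = secrets.token_bytes(32)
    return {
        "ldap_bind_credential": encrypt(key, password.encode()),
        "encryption_key": key,  # hypothetical column; a dump carries it too
    }


def store_key_outside_db(password: str):
    """Model B: only the ciphertext is in the database; the key is held elsewhere."""
    key = secrets.token_bytes(32)
    db = {"ldap_bind_credential": encrypt(key, password.encode())}
    external_store = {"keycloak-ldap-key": key}  # hypothetical vault/KMS record
    return db, external_store


def server_binds_with(db: dict, external_store: dict) -> str:
    """The server itself always needs the cleartext to bind; it fetches the key
    from wherever it lives and decrypts."""
    key = db.get("encryption_key") or external_store["keycloak-ldap-key"]
    return decrypt(key, db["ldap_bind_credential"]).decode()


def attacker_recovers_from_dump(db_dump: dict):
    """What an attacker holding only a database dump can recover.
    Returns the bind password, or None when the key is not in the dump."""
    key = db_dump.get("encryption_key")
    if key is None:
        return None
    return decrypt(key, db_dump["ldap_bind_credential"]).decode()


if __name__ == "__main__":
    co_located = store_key_in_db(BIND_PASSWORD)
    print("key in DB, dump alone yields:", attacker_recovers_from_dump(co_located))
    db_only, vault = store_key_outside_db(BIND_PASSWORD)
    print("key outside DB, dump alone yields:", attacker_recovers_from_dump(db_only))
    print("server can still bind:", server_binds_with(db_only, vault) == BIND_PASSWORD)
```

Moving the key out of the database changes what a database-only compromise yields, but it does not change the thread's conclusion: the server process must still obtain the cleartext to bind, so anyone who can run the server with access to the same key store (or, as suggested above, stand up their own instance against the stolen database and key material) recovers the password regardless.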