10:06 a.m.
Hi all,
Is LDAP Bind Credential encrypted in the database?
What algorithm is used?
How can I encrypt the configuration of the custom authenticator
(https://keycloak.gitbooks.io/server-developer-guide/content/v/2.4/topics/...
Best regards,
Michael
11:22 a.m.
Hi Michael,
On 2016-12-09, Michael Furman wrote:
Hi all,
Is LDAP Bind Credential encrypted in the database?
What algorithm is used?
Take a look at
https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/th...
How can I encrypt the configuration of the custom authenticator
(https://keycloak.gitbooks.io/server-developer-guide/content/v/2.4/topics/...
It might be possible by implementing a custom authenticator SPI. TBH I
never tried. Although, I don't see the real motivation behind it.
Best regards,
Michael
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
abstractj
PGP: 0x84DC9914
11:34 a.m.
Hi,
Dnia piątek, 9 grudnia 2016 08:22:50 CET Bruno Oliveira pisze:
On 2016-12-09, Michael Furman wrote:
> Hi all,
> Is LDAP Bind Credential encrypted in the database?
> What algorithm is used?
Take a look at
https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/thre
at/password-db-compromised.html
I think the question was not about hashing Keycloak user passwords, but about
encrypting the password used to bind keycloak to the LDAP server configured as
an Identity Provider for Keycloak. Is that correct, Michael?
In such case, the password cannot be hashed (as Keycloak has to have access to
it to provide it to the LDAP server upon connecting).
My *guess* is that the bind password could be encrypted, but database
compromise would nonetheless let a potential attacker get to the password (if
in no other way, by setting up their own Keycloak instance and using the db
for it).
There's no way around it, I think -- Keycloak has to have access to the clear-
text LDAP password, one way or another, to bind to the LDAP server.
--
Pozdravi,
rashiq
12:02 p.m.
On 2016-12-09, Rashiq wrote:
Hi,
Dnia piątek, 9 grudnia 2016 08:22:50 CET Bruno Oliveira pisze:
> On 2016-12-09, Michael Furman wrote:
> > Hi all,
> > Is LDAP Bind Credential encrypted in the database?
> > What algorithm is used?
>
> Take a look at
> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/thre
> at/password-db-compromised.html
I think the question was not about hashing Keycloak user passwords, but about
encrypting the password used to bind keycloak to the LDAP server configured as
an Identity Provider for Keycloak. Is that correct, Michael?
My bad.
In such case, the password cannot be hashed (as Keycloak has to have access to
it to provide it to the LDAP server upon connecting).
You're totally correct.
My *guess* is that the bind password could be encrypted, but database
compromise would nonetheless let a potential attacker get to the password (if
in no other way, by setting up their own Keycloak instance and using the db
for it).
Yes, if the database is compromised, they keys will be too. Which makes
the encryption of LDAP credential pointless today.
We have a Jira which I believe cover this scenario[1].
[1] - https://issues.jboss.org/browse/KEYCLOAK-3205
There's no way around it, I think -- Keycloak has to have access to the clear-
text LDAP password, one way or another, to bind to the LDAP server.
--
Pozdravi,
rashiq
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
abstractj
PGP: 0x84DC9914
2716
days inactive
2716
days old
3 comments
3 participants
participants (3)
-
Bruno Oliveira -
Michael Furman -
Rashiq