Hello Dimitris,
Is it correct that your LDAP directory expects simple bind with username and password
already hashed with SHA1 on the client side? This is very odd and not how LDAP normally
operates. I'd suggest that you consider reconfiguring your LDAP to accept plain-text
passwords, store them hashed (like "{SHA1}...") and use transport-layer security
to protect them en route.
Otherwise, you will have to implement your own UserStorageProvider by extending
org.keycloak.storage.ldap.LDAPStorageProvider and overriding the isValid() method.
The mechanism for pluggable hash algorithms defines how Keycloak stores credentials inside
its database, and therefore is irrelevant here.
Good luck,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
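An added sketch of the subclass described above (not code from either message, and not Keycloak's own code). It assumes the Keycloak 4.x LDAPStorageProvider constructor and its isValid(RealmModel, UserModel, CredentialInput) signature, and uses a hypothetical hex SHA-1 encoding that has to be adjusted to whatever form the directory actually expects in the bind:

```java
package com.example.keycloak; // hypothetical package name

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

import org.keycloak.component.ComponentModel;
import org.keycloak.credential.CredentialInput;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.storage.ldap.LDAPStorageProvider;
import org.keycloak.storage.ldap.LDAPStorageProviderFactory;
import org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore;

// Rewrites the plain-text password from the login form into the encoding the
// directory expects, then lets the stock LDAP bind validation run unchanged.
// Note that the directory then treats the hash itself as the password-equivalent,
// which is why the reply above recommends reconfiguring the directory instead.
public class Sha1BindLDAPStorageProvider extends LDAPStorageProvider {

    public Sha1BindLDAPStorageProvider(LDAPStorageProviderFactory factory, KeycloakSession session,
                                       ComponentModel model, LDAPIdentityStore ldapIdentityStore) {
        super(factory, session, model, ldapIdentityStore);
    }

    @Override
    public boolean isValid(RealmModel realm, UserModel user, CredentialInput input) {
        // Only password credentials are rewritten; anything else goes through untouched.
        if (!(input instanceof UserCredentialModel)
                || !UserCredentialModel.PASSWORD.equals(input.getType())) {
            return super.isValid(realm, user, input);
        }
        String plain = ((UserCredentialModel) input).getValue();
        UserCredentialModel encoded = UserCredentialModel.password(encodeForDirectory(plain));
        return super.isValid(realm, user, encoded);
    }

    // Assumed encoding: lowercase hex of SHA-1(password). Match this to the directory.
    static String encodeForDirectory(String plain) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-1")
                    .digest(plain.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                hex.append(String.format("%02x", b));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-1 not available", e);
        }
    }
}
```

To get Keycloak to instantiate this class, a matching subclass of LDAPStorageProviderFactory whose create() returns it is also needed, registered under META-INF/services/org.keycloak.storage.UserStorageProviderFactory in the deployed provider JAR.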
On Thu, 2018-11-22 at 11:33 +0200, Dimitris Charlaftis wrote:
Hello,
I use Keycloak 4.5 and I have set up a user federation to an LDAP directory
that uses SHA-1 password encoding.
In order to log in to a realm that is connected to that LDAP, I use the LDAP
username and the SHA-1 encoded password in the login form for the time
being.
This is not good for common users!
All I want is this:
The user puts his username / password in plain text and Keycloak transforms
that plain-text password from the login form to the SHA-1 equivalent (that's how our
LDAP directory works), so that the LDAP authorization succeeds.
In your password policy docs you state "See the Server Developer
Guide<https://keycloak.gitbooks.io/server-developer-guide/content/> on how
to plug in your own algorithm". The Server Developer Guide does not have that
information; where is it?
Thanks in advance,
Dimitris