Hi, Further to my email below can you have a password policy assigned to a realm role?  Regards, Jamie On Thursday, 16 August 2018, 15:32:22 BST, Jamie McDowell <jambo_mcd(a)yahoo.co.uk&gt; wrote: Hi, Can you have multiple password policies on the same realm where you are using an LDAP instance (Federated) We have Keycloak set up federating to an OpenLDAP server. On the LDAP server we have 2 OU's, 1 for users and the other for service accounts - Both of these need to have different passwords such as length and complexity.  We have the password policy defined on the OpenLDAP. Can Keycloak have multiple policies? Has anyone configured this before or can suggest alternatives? Regards, Jamie

Thanks for your reply.  What i have tried to do is Keycloak to use the password policy which has been defined on my OpenLDAP server however this does not seem to work either. See my email below which i have sent to keycloak-dev's. From: Jamie McDowell <jambo_mcd(a)yahoo.co.uk&gt; To: Keycloak-dev <keycloak-dev(a)lists.jboss.org&gt; Sent: Friday, 24 August 2018, 10:15:08 BST Subject: Keycloak to OpenLDAP - Password Policies   Hi Dev's,   Appreciate if you can help me with an issue i have with password policies federating from Keycloak (v3.4.3) to OpenLDAP. I have created 2 password policies on the OpenLDAP server, where i require one for end users and one for service accounts - these are defined in the specific OU's to where the accounts are held.    I have set the password policies for both users and service accounts (policy module, schema, overlay etc..) and can confirm that the policy is being picked up on the OpenLDAP host when i run the command ldappasswd for the user and enter less characters than the required password length (for example)   The issue i have is that within keycloak i haven't set any password policies as i would like this to use the one i have created within the OpenLDAP server. Can Keycloak be configured that this must check against the OpenLDAP password policy? I have one realm set up along with a client.   I have been trying to get this working now for the last 10 days and not getting very far.    Within my LDAP Mapper i have tried creating a msad-user-account-control-mapper however this does not work, i get provided with an error when resetting my user password "Failed to update password in Active Directory. Exception message: [LDAP: error code 17 - pwdLastSet: attribute type undefined"   I would have expected something like this considering i am not using AD.    Any suggestions would be appreciated  Regards, Jamie On Tuesday, 21 August 2018, 13:28:19 BST, Marek Posolda <mposolda(a)redhat.com&gt; wrote: No, neither of the things you mentioned is available OOTB. I wonder that we may need something like FilterPasswordPolicy, which will allow to configure child/delegate password policy and the filter (for example with usage of the scripting engine like our ScriptBasedAuthenticator is using)? The filter may allow you to specify for example that: - User in role "admin" must have password of at least 10 characters - User, who is not in the role "admin" must have password of at least 7 characters etc. Fact is, that it's not available OOTB at this moment. You may either try to create some custom PasswordPolicyProvider(s) by yourself. Or you can try to contribute something generic (like the FilterPasswordPolicy provider I mentioned above) and contribute to Keycloak? Marek On 17/08/18 12:32, Jamie McDowell wrote: