5:06 a.m.
Hi,
REALM federated to active directory, with password requirements like:
- required 1 uppercase
- required 1 digit
- required 1 lowercase
- required 1 special character
- min 8 characters
- cannot contain username
- max age 180 days
Now, when I logon keycloak, I am asked to change my password. Correct.
But when I provide a bad password like "123", I would expect keycloak to
say something like: "ERROR: this password does not meet the password
complexity requirements, please use ..." etc.
However, the only message I receive with a password like "xyz" is:
"Could not modify attribute for DN
[CN=username,CN=Users,DC=ad,DC=company,DC=com]"
So how is the user supposed to know what the configured password
requirements are..?
This is on keycloak 3.1.0 btw.
Advise?
MJ
2:16 a.m.
Aha, I guess my question is related to my question:
https://issues.jboss.org/browse/KEYCLOAK-4052
Does the ticket mean that we can expect this to work in 3.4.0?
Thanks,
MJ
On 08/19/2017 12:06 PM, mj wrote:
But when I provide a bad password like "123", I would
expect keycloak to
say something like: "ERROR: this password does not meet the password
complexity requirements, please use ..." etc.
4:39 a.m.
Are your password policies configured on MSAD side or on Keycloak side?
KEYCLOAK-4052 is about the password policies are configured on Keycloak
side, which you want to apply even before sending password_update
request to LDAP. However if you have password policies configured on
MSAD side, it won't help you.
Marek
On 21/08/17 09:16, mj wrote:
Aha, I guess my question is related to my question:
https://issues.jboss.org/browse/KEYCLOAK-4052
Does the ticket mean that we can expect this to work in 3.4.0?
Thanks,
MJ
On 08/19/2017 12:06 PM, mj wrote:
> But when I provide a bad password like "123", I would expect keycloak to
> say something like: "ERROR: this password does not meet the password
> complexity requirements, please use ..." etc.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
4:58 a.m.
Hi Marek,
I have them configured on both, bith sides similar.
We have local users (with "regular" workstations logons, and thus the
password policies as configured in the MSAD side)
And we have users that (almost) never logon locally, but only though
webinterfaces secured by LDAP/OpenID Connect or SAML2. (and so: the
keycloak password policies apply)
We were under the impression that keycloak would help to enforce similar
password policies like this for (mostly) all our users.
So, is this actually expected to land in 3.4? And if yes, since keycloak
is at 3.2, any idication when 3.4 would be available?
MJ
On 21-8-2017 11:39, Marek Posolda wrote:
Are your password policies configured on MSAD side or on Keycloak
side?
KEYCLOAK-4052 is about the password policies are configured on Keycloak
side, which you want to apply even before sending password_update
request to LDAP. However if you have password policies configured on
MSAD side, it won't help you.
Marek
On 21/08/17 09:16, mj wrote:
> Aha, I guess my question is related to my question:
>
> https://issues.jboss.org/browse/KEYCLOAK-4052
>
> Does the ticket mean that we can expect this to work in 3.4.0?
>
> Thanks,
> MJ
>
> On 08/19/2017 12:06 PM, mj wrote:
>> But when I provide a bad password like "123", I would expect keycloak
to
>> say something like: "ERROR: this password does not meet the password
>> complexity requirements, please use ..." etc.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
1:43 a.m.
KEYCLOAK-4052 will help with the case when you want to enforce Keycloak
password policies when updating the password of Keycloak user, who is
mapped to LDAP provider. However LDAP password policies will be applied
too. And in your case, MSAD policies are applied already. In other
words, KEYCLOAK-4052 won't help you with the error "Could not modify
attribute for DN [CN=username,CN=Users,DC=ad,DC=company,DC=com]" .
The case you mentioned should be already supported, but it workds just
for MSAD. AFAIK it doesn't work for some others like Samba AD. Also you
need to have MSAD User Account Controls mapper enabled.
Marek
On 21/08/17 11:58, lists wrote:
Hi Marek,
I have them configured on both, bith sides similar.
We have local users (with "regular" workstations logons, and thus the
password policies as configured in the MSAD side)
And we have users that (almost) never logon locally, but only though
webinterfaces secured by LDAP/OpenID Connect or SAML2. (and so: the
keycloak password policies apply)
We were under the impression that keycloak would help to enforce
similar password policies like this for (mostly) all our users.
So, is this actually expected to land in 3.4? And if yes, since
keycloak is at 3.2, any idication when 3.4 would be available?
MJ
On 21-8-2017 11:39, Marek Posolda wrote:
> Are your password policies configured on MSAD side or on Keycloak side?
>
> KEYCLOAK-4052 is about the password policies are configured on
> Keycloak side, which you want to apply even before sending
> password_update request to LDAP. However if you have password
> policies configured on MSAD side, it won't help you.
>
> Marek
>
>
> On 21/08/17 09:16, mj wrote:
>> Aha, I guess my question is related to my question:
>>
>> https://issues.jboss.org/browse/KEYCLOAK-4052
>>
>> Does the ticket mean that we can expect this to work in 3.4.0?
>>
>> Thanks,
>> MJ
>>
>> On 08/19/2017 12:06 PM, mj wrote:
>>> But when I provide a bad password like "123", I would expect
>>> keycloak to
>>> say something like: "ERROR: this password does not meet the password
>>> complexity requirements, please use ..." etc.
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
3:38 a.m.
Hi Marek,
But I am under the impression that KEYCLOAK-4052 would not allow the
user to provide a password that does not meet the complexity
requirements configured in keycloak?
And if I would configure keycloak to require complexer passwords than
MSAD does, the user password change would succeed?
Because currently keycloak accepts 'abc' as a password, and samba
doesn't. If keycloak would require the user to provide a GOOD password,
samba would also accept it.
(because the basic password-change-functionality works fine)
I would only like keycloak to NOT accept '123' as a valid password, but
take into account it's own configured password complexity when changing
the MSAD password.
Is that not what KEYCLOAK-4052 is about?
MJ
On 22-8-2017 8:43, Marek Posolda wrote:
KEYCLOAK-4052 will help with the case when you want to enforce
Keycloak
password policies when updating the password of Keycloak user, who is
mapped to LDAP provider. However LDAP password policies will be applied
too. And in your case, MSAD policies are applied already. In other
words, KEYCLOAK-4052 won't help you with the error "Could not modify
attribute for DN [CN=username,CN=Users,DC=ad,DC=company,DC=com]" .
The case you mentioned should be already supported, but it workds just
for MSAD. AFAIK it doesn't work for some others like Samba AD. Also you
need to have MSAD User Account Controls mapper enabled.
Marek
6:49 a.m.
Ah, I see your point now.
I can't guarantee that we will fix KEYCLOAK-4052 for 3.4. At least I am
likely not going to look into that due to other priorities. But maybe
someone else will.
BTV. The error you mentioned is the known issue for Samba AD. We have
mapper (MSADUserAccountControlStorageMapper ), which is able to
translate the error message from MSAD during password update and
recognize if update failed due to password policy or other reason.
However this works just for MSAD, but doesn't work for Samba. It seems
that Samba has bit different error messages and hence it fails. The
solution might be to implement another mapper just for Samba AD
(hopefully subclass of MSADUserAccountControlStorageMapper, so it
doesn't need to be completely rewritten). If you want to contribute
that, it will be nice. We're not going to support Samba AD in near
future and hence we won't do it on our own. At least not now.
Marek
On 22/08/17 10:38, lists wrote:
Hi Marek,
But I am under the impression that KEYCLOAK-4052 would not allow the
user to provide a password that does not meet the complexity
requirements configured in keycloak?
And if I would configure keycloak to require complexer passwords than
MSAD does, the user password change would succeed?
Because currently keycloak accepts 'abc' as a password, and samba
doesn't. If keycloak would require the user to provide a GOOD
password, samba would also accept it.
(because the basic password-change-functionality works fine)
I would only like keycloak to NOT accept '123' as a valid password,
but take into account it's own configured password complexity when
changing the MSAD password.
Is that not what KEYCLOAK-4052 is about?
MJ
On 22-8-2017 8:43, Marek Posolda wrote:
> KEYCLOAK-4052 will help with the case when you want to enforce
> Keycloak password policies when updating the password of Keycloak
> user, who is mapped to LDAP provider. However LDAP password policies
> will be applied too. And in your case, MSAD policies are applied
> already. In other words, KEYCLOAK-4052 won't help you with the error
> "Could not modify attribute for DN
> [CN=username,CN=Users,DC=ad,DC=company,DC=com]" .
>
> The case you mentioned should be already supported, but it workds
> just for MSAD. AFAIK it doesn't work for some others like Samba AD.
> Also you need to have MSAD User Account Controls mapper enabled.
>
> Marek
>
>
3:23 a.m.
Hi Marek, list,
Seeing that KEYCLOAK-4052 "Use PasswordPolicy for LDAP password updates"
has now been postponed until 4.x, I'd like to know if it's possible to
display some additional text on the keycloak password change page.
We would like to outline the password requiirements, so at least our
users would understand WHY the password change did not succeed.
Something like: "Please mix upper- and lowecase, numbers and special
characters, and make it longer than 8 characters"
I have looked at the templates, but can't see where to add/edit this.
MJ
On 08/23/2017 01:49 PM, Marek Posolda wrote:
Ah, I see your point now.
I can't guarantee that we will fix KEYCLOAK-4052 for 3.4. At least I am
likely not going to look into that due to other priorities. But maybe
someone else will.
BTV. The error you mentioned is the known issue for Samba AD. We have
mapper (MSADUserAccountControlStorageMapper ), which is able to
translate the error message from MSAD during password update and
recognize if update failed due to password policy or other reason.
However this works just for MSAD, but doesn't work for Samba. It seems
that Samba has bit different error messages and hence it fails. The
solution might be to implement another mapper just for Samba AD
(hopefully subclass of MSADUserAccountControlStorageMapper, so it
doesn't need to be completely rewritten). If you want to contribute
that, it will be nice. We're not going to support Samba AD in near
future and hence we won't do it on our own. At least not now.
Marek
On 22/08/17 10:38, lists wrote:
> Hi Marek,
>
> But I am under the impression that KEYCLOAK-4052 would not allow the
> user to provide a password that does not meet the complexity
> requirements configured in keycloak?
>
> And if I would configure keycloak to require complexer passwords than
> MSAD does, the user password change would succeed?
>
> Because currently keycloak accepts 'abc' as a password, and samba
> doesn't. If keycloak would require the user to provide a GOOD
> password, samba would also accept it.
>
> (because the basic password-change-functionality works fine)
>
> I would only like keycloak to NOT accept '123' as a valid password,
> but take into account it's own configured password complexity when
> changing the MSAD password.
>
> Is that not what KEYCLOAK-4052 is about?
>
> MJ
>
> On 22-8-2017 8:43, Marek Posolda wrote:
>> KEYCLOAK-4052 will help with the case when you want to enforce
>> Keycloak password policies when updating the password of Keycloak
>> user, who is mapped to LDAP provider. However LDAP password policies
>> will be applied too. And in your case, MSAD policies are applied
>> already. In other words, KEYCLOAK-4052 won't help you with the error
>> "Could not modify attribute for DN
>> [CN=username,CN=Users,DC=ad,DC=company,DC=com]" .
>>
>> The case you mentioned should be already supported, but it workds
>> just for MSAD. AFAIK it doesn't work for some others like Samba AD.
>> Also you need to have MSAD User Account Controls mapper enabled.
>>
>> Marek
>>
>>
4:49 a.m.
Yes, that should work at least as a workaround :/
AFAIK there is "themes" directory as a subdirectory of the main keycloak
directory of the keycloak-server distribution. AFAIK if you change it
there, it should be used. There are messages_en.properties file for the
account theme (that's one you need for the account management) and also
for the login theme (that's one you need for user's self-registration or
updatePassword required action).
We have docs for "Theme", so you can take a look there.
Marek
On 04/09/17 10:23, mj wrote:
Hi Marek, list,
Seeing that KEYCLOAK-4052 "Use PasswordPolicy for LDAP password
updates" has now been postponed until 4.x, I'd like to know if it's
possible to display some additional text on the keycloak password
change page.
We would like to outline the password requiirements, so at least our
users would understand WHY the password change did not succeed.
Something like: "Please mix upper- and lowecase, numbers and special
characters, and make it longer than 8 characters"
I have looked at the templates, but can't see where to add/edit this.
MJ
On 08/23/2017 01:49 PM, Marek Posolda wrote:
> Ah, I see your point now.
>
> I can't guarantee that we will fix KEYCLOAK-4052 for 3.4. At least I
> am likely not going to look into that due to other priorities. But
> maybe someone else will.
>
> BTV. The error you mentioned is the known issue for Samba AD. We have
> mapper (MSADUserAccountControlStorageMapper ), which is able to
> translate the error message from MSAD during password update and
> recognize if update failed due to password policy or other reason.
> However this works just for MSAD, but doesn't work for Samba. It
> seems that Samba has bit different error messages and hence it fails.
> The solution might be to implement another mapper just for Samba AD
> (hopefully subclass of MSADUserAccountControlStorageMapper, so it
> doesn't need to be completely rewritten). If you want to contribute
> that, it will be nice. We're not going to support Samba AD in near
> future and hence we won't do it on our own. At least not now.
>
> Marek
>
>
> On 22/08/17 10:38, lists wrote:
>> Hi Marek,
>>
>> But I am under the impression that KEYCLOAK-4052 would not allow the
>> user to provide a password that does not meet the complexity
>> requirements configured in keycloak?
>>
>> And if I would configure keycloak to require complexer passwords
>> than MSAD does, the user password change would succeed?
>>
>> Because currently keycloak accepts 'abc' as a password, and samba
>> doesn't. If keycloak would require the user to provide a GOOD
>> password, samba would also accept it.
>>
>> (because the basic password-change-functionality works fine)
>>
>> I would only like keycloak to NOT accept '123' as a valid password,
>> but take into account it's own configured password complexity when
>> changing the MSAD password.
>>
>> Is that not what KEYCLOAK-4052 is about?
>>
>> MJ
>>
>> On 22-8-2017 8:43, Marek Posolda wrote:
>>> KEYCLOAK-4052 will help with the case when you want to enforce
>>> Keycloak password policies when updating the password of Keycloak
>>> user, who is mapped to LDAP provider. However LDAP password
>>> policies will be applied too. And in your case, MSAD policies are
>>> applied already. In other words, KEYCLOAK-4052 won't help you with
>>> the error "Could not modify attribute for DN
>>> [CN=username,CN=Users,DC=ad,DC=company,DC=com]" .
>>>
>>> The case you mentioned should be already supported, but it workds
>>> just for MSAD. AFAIK it doesn't work for some others like Samba AD.
>>> Also you need to have MSAD User Account Controls mapper enabled.
>>>
>>> Marek
>>>
>>>
>
2674
days inactive
2690
days old
8 comments
3 participants
participants (3)
-
lists -
Marek Posolda -
mj