[keycloak-dev] User federation to Active Directory/LDAP and password policies

Edgar Vonk - Info.nl Edgar at info.nl
Wed Jan 13 07:40:07 EST 2016


Hi all,

We use Keycloak’s user federation to integrate with a (Windows 2012) Active Directory (AD) server. We want to store all users and groups in AD and also want to manage the password policies from AD so we do not have any password policies in Keycloak set up. We also want to use Keycloak for all user management functionality. We have set up the password policies in AD at the domain level where we connect to from Keycloak.

Our password policies in AD are as follows:
- password complexity (min length + special chars)
- account lockout after 3 attempts
- password history (not allowed to use previous 5 passwords)

Users and admins can set and change passwords in AD from Keycloak fine. However, the password policies do not quite do what we want them to:
- Password complexity policy seems to work fine.
- Account is indeed locked in AD after three failed attempts. However, the ‘Unlock users’ functionality in Keycloak does not unlock the users in AD. Users can only be unlocked in AD itself, it seems. We would like to be able to do this from Keycloak, however (and really per user and not for all users in one go). Should this work in Keycloak, or is this a new feature request?
- The password history policy does not seem to work at all. Users can currently set their password to a previous password without a problem. Does anyone have an idea why this policy in AD does not work from Keycloak?

cheers

Edgar