[keycloak-dev] Use LDAP's PasswordPolicy

Marek Posolda mposolda at redhat.com
Wed Nov 8 04:42:56 EST 2017


Hi Rafael,

Thanks a lot for sharing this!

A few points:
- The https://issues.jboss.org/browse/KEYCLOAK-4052 adds the optional 
config switch whether Keycloak password policies should be checked for 
LDAP password updates. You mentioned it doesn't make too much sense for 
you, however as you can see, there were a few people who want this. Hence 
the switch is optional and it's up to you whether you rely just on LDAP 
password policies or want to use the Keycloak policies too.

- It's great you found the solution for the issue by yourself! 
Unfortunately it looks like that solution is specific to OpenLDAP. Is that 
correct? TBH OpenLDAP is not the priority for the Keycloak team. We are 
doing some basic testing with it and it should work, but we don't want to 
add a fix which is specific to OpenLDAP and which contains a bigger 
amount of changes/refactoring, as it adds a risk of breaking other 
things. However, if your change doesn't involve too much refactoring in 
the existing code (ideally just the new mapper impl), feel free to send 
the PR.

Maybe you can create JIRA with the description of your requirement and 
the work done and ideally send PR? Then we can discuss whether the PR 
can be accepted or not.

- Some time ago, I worked on supporting this for MSAD (that one is a big 
priority for us). I was also looking at the delete+add approach, but 
that didn't work well. Mainly because the LDAP connection needed to be 
under the user himself, as you mentioned, and also because you needed to 
know the old password. Not sure if in OpenLDAP you need to know the old 
password too? So in the end, it was possible to just add some request 
controls to the updatePassword LDAP request and the MSAD policies are 
preserved. More details in class LDAPServerPolicyHintsDecorator and some 
background here [1]. Wonder if something similar could be used for 
OpenLDAP too?

[1] 
https://blogs.technet.microsoft.com/fieldcoding/2013/01/09/resetting-passwords-honoring-password-history-or-whats-happening-under-the-hood-when-changing-resetting-passwords/

Marek

On 30/10/17 01:13, Rafael Ladislau wrote:
> Hello, I'm pretty new here, but I've been using Keycloak with an OpenLDAP
> as the user federation and I've noted some problems that I had to fix by
> myself, and I would like to share with the community the fixes I've made.
>
> I'm a Software Developer at NYU and I had to change the Keycloak source code
> to make it work in one of our Projects. It's not a big refactoring. It's
> reasonable.
>
>
> Problems and my solutions:
>
> 1 - Keycloak changes the password of the users coming from LDAP by sending a
> replace command to LDAP using a connection bound to the LDAP administrator
> (WRITE mode). It allows the users to not respect the
> password policy installed in LDAP, if it has one installed. In order to fix
> it, you need to use a connection bound to the user changing the password,
> and Keycloak should send two commands to LDAP: a command to delete the
> password field with the current password value and a command to add the
> password field with the new value. It makes Keycloak respect the password
> policy installed in LDAP; the operation raises an exception when the
> password is not compliant. After my fixes, I'm handling this exception and
> I'm letting the user know about the error. (I'm doing this in the
> UPDATE_PASSWORD required action and in the manage account screen)
>
>
> 2 - Because I was making Keycloak respect the password policy in LDAP, I
> had to create a Password Policy User Account Control Mapper. This Mapper is
> based on the MSAD User Account Control Mapper. It has the same idea, but it
> writes the properties "pwdReset" and "pwdAccountLockedTime" to make
> Keycloak know and let OpenLDAP know when the user must reset his password
> and when the user is locked.
>
>
> 3 - Step 2 is necessary because when you have a password policy in LDAP
> saying the min age is one day, and you set a temporary password for the
> user, if Keycloak doesn't set the pwdReset flag, the user will not be able
> to change his password (only after 24 hours).
>
>
> 4 - I've made some changes in the User Federation Configuration in order to
> allow the Keycloak administrator to turn this feature on and off.
>
>
> The issue https://issues.jboss.org/browse/KEYCLOAK-4052 has made the users
> coming from LDAP go through the Keycloak's Password Policy before they
> change their passwords, but what I'm proposing is making Keycloak be aware
> of the Password Policy installed in LDAP.
>
>
> Do you think it would be a good feature?

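The delete+add password change that the thread discusses, written out as an added example (this is not Keycloak code and not Rafael's patch; it uses plain JNDI so it can be read without the Keycloak federation classes). The LDAP URL and the user DN are placeholders you would substitute. The modification is sent over a connection bound as the user, and the single modify request carries both the removal of the current userPassword value and the addition of the new one, which is exactly the shape a ppolicy-enabled OpenLDAP needs in order to apply its quality, history and minimum-age rules to the change. A rejected change surfaces as a JNDI exception, which is mapped here to a message the caller can show to the user:

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.InvalidAttributeValueException;
import javax.naming.directory.ModificationItem;

/**
 * Changes a directory user's password as that user, using a DELETE+ADD
 * modification on userPassword rather than an administrator-bound REPLACE.
 * Because the server sees the user's own bind together with the old and
 * new values, a server-side password policy (e.g. OpenLDAP's ppolicy
 * overlay) can evaluate and, if necessary, reject the change.
 */
public final class UserBoundPasswordChange {

    /** Outcome of one attempt, phrased so it can be shown to the end user. */
    public static final class Outcome {
        public final boolean changed;
        public final String message;
        Outcome(boolean changed, String message) {
            this.changed = changed;
            this.message = message;
        }
    }

    // Placeholder: point this at your directory, e.g. "ldaps://ldap.example.org:636"
    private final String ldapUrl;

    public UserBoundPasswordChange(String ldapUrl) {
        this.ldapUrl = ldapUrl;
    }

    public Outcome changePassword(String userDn, String oldPassword, String newPassword) {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);
        // Bind as the user whose password is changing, not as the admin account.
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, oldPassword);

        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);
            // One modify request with two changes: the server applies both
            // or neither, and the policy overlay sees the old and new values.
            ModificationItem[] mods = new ModificationItem[] {
                new ModificationItem(DirContext.REMOVE_ATTRIBUTE,
                        new BasicAttribute("userPassword", oldPassword)),
                new ModificationItem(DirContext.ADD_ATTRIBUTE,
                        new BasicAttribute("userPassword", newPassword))
            };
            ctx.modifyAttributes(userDn, mods);
            return new Outcome(true, "Password changed");
        } catch (AuthenticationException e) {
            // The bind itself failed: the supplied current password is wrong.
            return new Outcome(false, "Current password is incorrect");
        } catch (InvalidAttributeValueException e) {
            // LDAP constraintViolation: the directory's password policy rejected
            // the new value (quality, history, too young to change, ...).
            return new Outcome(false, "Password rejected by directory policy: " + e.getMessage());
        } catch (NamingException e) {
            return new Outcome(false, "Password change failed: " + e.getMessage());
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }
}
```

Two consequences of this approach are worth keeping in mind, both of which the thread touches on: the DELETE must carry the user's current password, so the caller has to know it (which rules out an administrator-driven reset through this path), and a policy with a minimum password age will reject the change until that age has elapsed unless the directory has marked the account for a forced reset, which is why the pwdReset flag has to be written when a temporary password is assigned.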