[keycloak-dev] Use LDAP's PasswordPolicy

Marek Posolda mposolda at redhat.com
Thu Nov 9 02:53:25 EST 2017 

On 09/11/17 07:58, Cédric Couralet wrote:
> Hello,
>
> For the password policy, I think Keycloak's password is more easily
> extensible than openldap's. I'm not sure that the openldap
> implementation is the one adopted by other ldap servers.
> So, I think, as Marek says, having both options would be a good choice.
>
> For ldap account for the change of password, it would be a real
> benefits to use that of the end user, since this would allow to
> configure an anonymous connection at the level of the federation
> keycloak, which is rather a good point in security term.
Maybe yes, but I am not sure. I can also see some cons/limitations of 
the "LDAP Connection dedicated to the user" approach like:

- Admin requests will still need to use the global federation 
connection. For example when admin updates user attributes (or user 
password) from the Keycloak admin console. The LDAP connection would 
need to be the "global" federation connection. In case that global 
connection is the anonymous connection, it won't work.

- Performance: With the federation connection used everywhere, there is 
single LDAP connection pool and all the requests can use the cached 
connections from this pool. With connections dedicated to each user, the 
connections can't be reused, hence lots of connection open/close.

Feel free to create JIRA, but I think that it won't be a big priority. 
Also I think that we would still need to support the "global connections 
used for everything" approach at least because of the performance.

Marek
>
> Kind regards,
> Cédric
>
> 2017-11-08 10:42 GMT+01:00 Marek Posolda <mposolda at redhat.com>:
>> Hi Rafael,
>>
>> Thanks a lot for sharing this!
>>
>> Few points:
>> - The https://issues.jboss.org/browse/KEYCLOAK-4052 adds the optional
>> config switch whether Keycloak password policies should be checked for
>> LDAP password updates. You mentioned it doesn't make too much sense for
>> you, however as you can see, there were few people, who want this. Hence
>> the switch is optional and it's up to you whether you rely just on LDAP
>> password policies or want to use the Keycloak policies too.
>>
>> - It's great you found the solution for the issue by yourself!
>> Unfortunately it looks that solution is specific for OpenLDAP. Is it
>> correct? TBH OpenLDAP is not the priority for the Keycloak team. We are
>> doing some basic testing with it and it should work, but don't want to
>> add the fix, which is specific for OpenLDAP and which contains a bigger
>> amount of changes/refactoring as it adds a risk of breaking the other
>> things. However if your change doesn't involve too much refactoring in
>> the existing code (ideally just the new mapper impl), feel free to send
>> the PR.
>>
>> Maybe you can create JIRA with the description of your requirement and
>> the work done and ideally send PR? Then we can discuss whether the PR
>> can be accepted or not.
>>
>> - Some time ago, I worked on support this for MSAD (that one is big
>> priority for us). I was also looking at the delete+add approach, but
>> that didn't work well. Mainly because the LDAP connection needed to be
>> under the user himself as you mentioned and also because you needed to
>> know the old password. Not sure if in OpenLDAP you need to know the old
>> password too? So in the end, it was possible to just add some request
>> controls to the updatePassword LDAP request and the MSAD policies are
>> preserved. More details in class LDAPServerPolicyHintsDecorator and some
>> background here [1] . Wonder if something possible can be used for
>> OpenLDAP too?
>>
>> [1]
>> https://blogs.technet.microsoft.com/fieldcoding/2013/01/09/resetting-passwords-honoring-password-history-or-whats-happening-under-the-hood-when-changing-resetting-passwords/
>>
>> Marek
>>
>> On 30/10/17 01:13, Rafael Ladislau wrote:
>>> Hello, I'm pretty new here, but I've been using Keycloak with an OpenLDAP
>>> as the user federation and I've noted some problems that I had to fix by
>>> myself and I would like to share with the community the fixes I've made.
>>>
>>> I'm Software Developer at NYU and I had to change the Keycloak source code
>>> to make it works in one of our Projects. It's not a big refactoring. It's
>>> reasonable.
>>>
>>>
>>> Problems and my solutions:
>>>
>>> 1 - Keycloak changes the password of the users coming from LDAP sending a
>>> replace command to LDAP using a connection bound to the LDAP administrator.
>>> (WRITE mode). It allows the users not respect the
>>> password policy installed in LDAP if it has it installed. In order to fix
>>> it, you need to use a connection bound to the user changing the password,
>>> and Keyucloak should send two commands to LDAP: a command to delete the
>>> password field with the current password value and a command to add the
>>> password field with the new value. It makes Keycloak respect the password
>>> policy installed in LDAP, the operation raises an exception when the
>>> password is not compliant, after my fixes, I'm handling this exception and
>>> I'm letting the user knows about the error. (I'm doing this in the
>>> UPDATE_PASSWORD required action and in the manage account screen)
>>>
>>>
>>> 2 - Because I was making Keycloak respect the password policy in LDAP, I
>>> had to create a Password Policy User Account Control Mapper. This Mapper is
>>> based on the MSAD User Account Control Mapper. It has the same idea, but it
>>> writes the properties "pwdReset" and "pwdAccountLockedTime" to make
>>> Keycloak knows and let OpenLDAP knows when the user must reset his password
>>> and when the user is locked.
>>>
>>>
>>> 3 - The step 2 is necessary because when you have a password policy in LDAP
>>> saying the min age is one day, and you set a temporary password for the
>>> user. If Keycloak doesn't set the pwdReset flag, the user will not be able
>>> to change his password. (only after 24 hours)
>>>
>>>
>>> 4 - I've made some changes in the User Federation Configuration in order to
>>> allow the Keycloak administrator turn on and turn off this feature.
>>>
>>>
>>> The issue https://issues.jboss.org/browse/KEYCLOAK-4052 has made the users
>>> coming from LDAP go through the Keycloak's Password Policy before they
>>> change their passwords, but what I'm proposing is making Keycloak be aware
>>> of the Password Policy installed in LDAP.
>>>
>>>
>>> Do you think it would be a good feature?
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev

More information about the keycloak-dev mailing list