[keycloak-dev] Use LDAP's PasswordPolicy

Cédric Couralet cedric.couralet at gmail.com
Thu Nov 9 03:07:43 EST 2017


2017-11-09 8:53 GMT+01:00 Marek Posolda <mposolda at redhat.com>:

>
> Maybe yes, but I am not sure. I can also see some cons/limitations of the
> "LDAP Connection dedicated to the user" approach like:
>
> - Admin requests will still need to use the global federation connection.
> For example when admin updates user attributes (or user password) from the
> Keycloak admin console. The LDAP connection would need to be the "global"
> federation connection. In case that global connection is the anonymous
> connection, it won't work.
>
> - Performance: With the federation connection used everywhere, there is
> single LDAP connection pool and all the requests can use the cached
> connections from this pool. With connections dedicated to each user, the
> connections can't be reused, hence lots of connection open/close.
>

Right, I was thinking egoistically about my use case, where Keycloak
is used only for the authentication/authorization mechanism and not
for account management.
Actually, like Rafel proposed, you could just update the credential
with a user-bound connection.
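To make the "update the credential with a user-bound connection" idea concrete, here is an added example written for this page; it is not Keycloak code and not something either poster supplied. It uses plain JNDI, which is the LDAP API Keycloak's federation provider is built on, to open a connection dedicated to the user (a simple bind with the user's own DN and password), and then to replace `userPassword` over that same bound connection, so the LDAP server evaluates the change as the user's own self-service operation rather than as the federation account's. The server URL, base DN, attribute names and the `uid=` naming convention are assumptions for illustration only. Note the guard against an empty password: with an empty `SECURITY_CREDENTIALS` JNDI performs an anonymous bind, which would "succeed" without authenticating anyone.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.ModificationItem;

/**
 * Added example (not Keycloak code): authenticate with a bind on a
 * connection dedicated to the user, then change that user's password over
 * the same user-bound connection, so the LDAP server applies its own
 * password policy to the user rather than to the federation (admin) bind.
 *
 * Assumed values, not taken from the thread:
 *   - LDAP server reachable at ldaps://ldap.example.com:636 (TLS, since a
 *     simple bind sends the password in the clear otherwise)
 *   - user entries under ou=people,dc=example,dc=com named uid=<username>
 *   - the password attribute is userPassword
 */
public class UserBoundPasswordChange {

    static final String LDAP_URL = "ldaps://ldap.example.com:636";
    static final String USERS_BASE = "ou=people,dc=example,dc=com";

    /** Builds the DN for a username under the assumed people container. */
    static String userDn(String username) {
        return "uid=" + username + "," + USERS_BASE;
    }

    /**
     * Opens a connection bound as the user. Returns null when the server
     * rejects the credentials. An empty password is refused up front:
     * JNDI would otherwise fall back to an anonymous bind, and an anonymous
     * bind succeeding must never be mistaken for a successful login.
     */
    static DirContext bindAsUser(String userDn, String password) throws NamingException {
        if (password == null || password.isEmpty()) {
            return null;
        }
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        try {
            return new InitialDirContext(env);
        } catch (AuthenticationException e) {
            // wrong password, locked account, expired password, etc.
            return null;
        }
    }

    /**
     * Replaces userPassword through a context that is already bound as the
     * user. Because the modify request arrives on the user's own bind, the
     * server-side password policy for self-service changes is what decides
     * whether it is accepted; a policy violation surfaces as NamingException.
     */
    static void changePassword(DirContext userCtx, String userDn, String newPassword)
            throws NamingException {
        ModificationItem[] mods = {
            new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                    new BasicAttribute("userPassword", newPassword))
        };
        userCtx.modifyAttributes(userDn, mods);
    }

    /** Usage: java UserBoundPasswordChange <username> <oldPassword> <newPassword> */
    public static void main(String[] args) throws NamingException {
        String dn = userDn(args[0]);
        DirContext ctx = bindAsUser(dn, args[1]);
        if (ctx == null) {
            System.out.println("authentication failed for " + dn);
            return;
        }
        try {
            changePassword(ctx, dn, args[2]);
            System.out.println("password updated over the user-bound connection");
        } finally {
            // A dedicated connection is not pooled, so it must be closed
            // explicitly; this is the open/close cost noted in the thread.
            ctx.close();
        }
    }
}
```

This only covers the self-service path the reply is about. An administrator changing someone else's password from the Keycloak admin console has no user bind to work with and, as the quoted message points out, still has to go through the global federation connection, which cannot be anonymous for that to work.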

