[keycloak-user] Is LDAP Bind Credential encrypted in the database?

Bruno Oliveira bruno at abstractj.org
Fri Dec 9 06:02:22 EST 2016


On 2016-12-09, Rashiq wrote:
> Hi,
>
> > On Friday, 9 December 2016 08:22:50 CET, Bruno Oliveira wrote:
> > On 2016-12-09, Michael Furman wrote:
> > > Hi all,
> > > Is LDAP Bind Credential encrypted in the database?
> > > What algorithm is used?
> >
> > Take a look at
> > https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/threat/password-db-compromised.html
>
> I think the question was not about hashing Keycloak user passwords, but about
> encrypting the password used to bind keycloak to the LDAP server configured as
> an Identity Provider for Keycloak. Is that correct, Michael?

My bad.

>
> In such case, the password cannot be hashed (as Keycloak has to have access to
> it to provide it to the LDAP server upon connecting).

You're totally correct.
>
> My *guess* is that the bind password could be encrypted, but database
> compromise would nonetheless let a potential attacker get to the password (if
> in no other way, by setting up their own Keycloak instance and using the db
> for it).

Yes, if the database is compromised, the keys will be too. Which makes
the encryption of the LDAP credential pointless today.

We have a Jira which I believe covers this scenario[1].


[1] - https://issues.jboss.org/browse/KEYCLOAK-3205
>
> There's no way around it, I think -- Keycloak has to have access to the clear-
> text LDAP password, one way or another, to bind to the LDAP server.
>
> --
> Regards,
> rashiq
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--

abstractj
PGP: 0x84DC9914
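As an added illustration of the point argued in this thread (example code written for this page, not code from Keycloak or from anyone in the thread): a reversibly stored bind credential is only as protected as the key that encrypts it. The toy model below stores the bind password encrypted and shows that a database dump alone yields the password whenever the key sits in the same database, while it does not when the key is held outside (the cipher is an HMAC-SHA256 keystream standing in for AES, the row layout and names are invented).

```python
import hashlib
import hmac
import os


def keystream_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Symmetric XOR with an HMAC-SHA256 counter keystream (stand-in for AES).
    Encryption and decryption are the same operation."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + (offset // 32).to_bytes(4, "big"),
                         hashlib.sha256).digest()
        chunk = data[offset:offset + 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def store_bind_credential(password: str, key: bytes, key_in_db: bool) -> dict:
    """Model a DB row holding the LDAP bind password (hypothetical column names).
    With key_in_db=True the encryption key is stored in the same database."""
    nonce = os.urandom(16)
    row = {
        "ldap_bind_nonce": nonce,
        "ldap_bind_ciphertext": keystream_cipher(key, nonce, password.encode()),
    }
    if key_in_db:
        row["encryption_key"] = key  # key co-located with the ciphertext
    return row


def recover_from_db_dump(row: dict):
    """What a database compromise alone exposes: the plaintext bind password
    if the key is in the dump, otherwise nothing usable for an LDAP bind."""
    key = row.get("encryption_key")
    if key is None:
        return None
    return keystream_cipher(key, row["ldap_bind_nonce"],
                            row["ldap_bind_ciphertext"]).decode()


def bind_password_for_ldap(row: dict, key: bytes) -> str:
    """The server itself always needs the clear-text password to bind; it
    combines the stored row with a key obtained from outside the database."""
    return keystream_cipher(key, row["ldap_bind_nonce"],
                            row["ldap_bind_ciphertext"]).decode()
```

The model only makes the threat model explicit: hashing is ruled out because the server must reproduce the clear-text password, so the remaining question is whether the decryption key lives inside or outside the compromised store.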

