[keycloak-user] password policy | federation to AD

lists lists at merit.unu.edu
Tue Aug 22 04:38:58 EDT 2017


Hi Marek,

But I am under the impression that KEYCLOAK-4052 would not allow the 
user to provide a password that does not meet the complexity 
requirements configured in keycloak?

And if I would configure keycloak to require more complex passwords than 
MSAD does, the user password change would succeed?

Because currently keycloak accepts 'abc' as a password, and samba 
doesn't. If keycloak would require the user to provide a GOOD password, 
samba would also accept it.

(because the basic password-change-functionality works fine)

I would only like keycloak to NOT accept '123' as a valid password, but 
take into account its own configured password complexity when changing 
the MSAD password.

Is that not what KEYCLOAK-4052 is about?

MJ

On 22-8-2017 8:43, Marek Posolda wrote:
> KEYCLOAK-4052 will help with the case when you want to enforce Keycloak 
> password policies when updating the password of Keycloak user, who is 
> mapped to LDAP provider. However LDAP password policies will be applied 
> too. And in your case, MSAD policies are applied already. In other 
> words, KEYCLOAK-4052 won't help you with the error "Could not modify 
> attribute for DN [CN=username,CN=Users,DC=ad,DC=company,DC=com]" .
> 
> The case you mentioned should be already supported, but it works just 
> for MSAD. AFAIK it doesn't work for some others like Samba AD. Also you 
> need to have MSAD User Account Controls mapper enabled.
> 
> Marek
> 
> 
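The point MJ is after is that the realm's own password policy should reject a weak password before anything is written to the directory, so the user sees a policy violation rather than the opaque "Could not modify attribute" LDAP error. The following is an added illustration, not Keycloak's code and not from anyone on this thread: it parses a policy string in the realm-attribute syntax Keycloak uses (`length(8) and digits(1) and ...`), evaluates a candidate password against it, and only calls the caller-supplied directory write when the local check passes. The sample policy, the `mj` username and the recording `ldap_modify` stub are constructed for the example; the `specialChars` term is approximated as "non-alphanumeric characters".

```python
import re
from typing import Callable, List, Optional, Tuple

# Constructed sample policy in Keycloak's realm "passwordPolicy" syntax (assumption:
# the realm in the thread has no such policy configured, which is why 'abc' passes).
SAMPLE_POLICY = ("length(8) and digits(1) and upperCase(1) and lowerCase(1) "
                 "and specialChars(1) and notUsername")

# One policy term: a name, optionally followed by an integer argument in parentheses.
_TERM_RE = re.compile(r"^\s*(\w+)(?:\((\d*)\))?\s*$")


def parse_policy(policy: str) -> List[Tuple[str, Optional[int]]]:
    """Split 'a(1) and b and c(2)' into [('a', 1), ('b', None), ('c', 2)]."""
    terms = []
    for part in policy.split(" and "):
        m = _TERM_RE.match(part)
        if not m:
            raise ValueError(f"unparseable policy term: {part!r}")
        name, arg = m.group(1), m.group(2)
        terms.append((name, int(arg) if arg else None))
    return terms


def _count(pred: Callable[[str], bool], s: str) -> int:
    return sum(1 for c in s if pred(c))


def evaluate(policy: str, password: str, username: str = "") -> List[str]:
    """Return the list of violated policy terms (empty list means the password passes)."""
    violations = []
    for name, arg in parse_policy(policy):
        if name == "length":
            if len(password) < arg:
                violations.append(f"length({arg})")
        elif name == "digits":
            if _count(str.isdigit, password) < arg:
                violations.append(f"digits({arg})")
        elif name == "upperCase":
            if _count(str.isupper, password) < arg:
                violations.append(f"upperCase({arg})")
        elif name == "lowerCase":
            if _count(str.islower, password) < arg:
                violations.append(f"lowerCase({arg})")
        elif name == "specialChars":
            # Approximation of Keycloak's rule: any non-alphanumeric character counts.
            if _count(lambda c: not c.isalnum(), password) < arg:
                violations.append(f"specialChars({arg})")
        elif name == "notUsername":
            if username and password.lower() == username.lower():
                violations.append("notUsername")
        else:
            raise ValueError(f"unsupported policy term: {name}")
    return violations


def change_password(policy: str, username: str, new_password: str,
                    ldap_modify: Callable[[str, str], None]) -> Tuple[bool, List[str]]:
    """Gate the directory write on the local policy.

    ldap_modify is the caller's function that performs the actual LDAP/AD update (a
    hypothetical hook, not a Keycloak API). It is only invoked when the local policy
    passes, so a weak password never reaches the directory and the user gets a
    specific policy message instead of a generic modify failure.
    """
    violations = evaluate(policy, new_password, username)
    if violations:
        return False, violations
    ldap_modify(username, new_password)
    return True, []


if __name__ == "__main__":
    written = []  # constructed stand-in for the directory
    print(change_password(SAMPLE_POLICY, "mj", "abc", lambda u, p: written.append((u, p))))
    print(change_password(SAMPLE_POLICY, "mj", "Correct-Horse7", lambda u, p: written.append((u, p))))
    print("directory writes:", written)
```

Running the module shows 'abc' rejected locally with four named violations and nothing written to the stand-in directory, while a password that satisfies every term is forwarded. Whatever complexity the directory itself enforces still applies on top of this, which is the distinction Marek draws above.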

