[keycloak-user] password policy | federation to AD
lists
lists at merit.unu.edu
Tue Aug 22 04:38:58 EDT 2017
Hi Marek,
But I am under the impression that KEYCLOAK-4052 would not allow the
user to provide a password that does not meet the complexity
requirements configured in keycloak?
And if I would configure keycloak to require more complex passwords than
MSAD does, the user password change would succeed?
Because currently keycloak accepts 'abc' as a password, and samba
doesn't. If keycloak would require the user to provide a GOOD password,
samba would also accept it.
(because the basic password-change-functionality works fine)
I would only like keycloak to NOT accept '123' as a valid password, but
take into account its own configured password complexity when changing
the MSAD password.
Is that not what KEYCLOAK-4052 is about?
MJ
On 22-8-2017 8:43, Marek Posolda wrote:
> KEYCLOAK-4052 will help with the case when you want to enforce Keycloak
> password policies when updating the password of Keycloak user, who is
> mapped to LDAP provider. However LDAP password policies will be applied
> too. And in your case, MSAD policies are applied already. In other
> words, KEYCLOAK-4052 won't help you with the error "Could not modify
> attribute for DN [CN=username,CN=Users,DC=ad,DC=company,DC=com]" .
>
> The case you mentioned should be already supported, but it works just
> for MSAD. AFAIK it doesn't work for some others like Samba AD. Also you
> need to have MSAD User Account Controls mapper enabled.
>
> Marek
>
>