[keycloak-user] password policy | federation to AD

Marek Posolda mposolda at redhat.com
Wed Aug 23 07:49:14 EDT 2017


Ah, I see your point now.

I can't guarantee that we will fix KEYCLOAK-4052 for 3.4. At least I am 
likely not going to look into that due to other priorities. But maybe 
someone else will.

BTW, the error you mentioned is a known issue for Samba AD. We have a 
mapper (MSADUserAccountControlStorageMapper), which is able to 
translate the error message from MSAD during password update and 
recognize if the update failed due to password policy or another reason. 
However this works just for MSAD, but doesn't work for Samba. It seems 
that Samba has a bit different error messages and hence it fails. The 
solution might be to implement another mapper just for Samba AD 
(hopefully a subclass of MSADUserAccountControlStorageMapper, so it 
doesn't need to be completely rewritten). If you want to contribute 
that, it would be nice. We're not going to support Samba AD in the near 
future and hence we won't do it on our own. At least not now.

Marek


On 22/08/17 10:38, lists wrote:
> Hi Marek,
>
> But I am under the impression that KEYCLOAK-4052 would not allow the 
> user to provide a password that does not meet the complexity 
> requirements configured in keycloak?
>
> And if I would configure keycloak to require more complex passwords 
> than MSAD does, the user password change would succeed?
>
> Because currently keycloak accepts 'abc' as a password, and samba 
> doesn't. If keycloak would require the user to provide a GOOD 
> password, samba would also accept it.
>
> (because the basic password-change-functionality works fine)
>
> I would only like keycloak to NOT accept '123' as a valid password, 
> but take into account its own configured password complexity when 
> changing the MSAD password.
>
> Is that not what KEYCLOAK-4052 is about?
>
> MJ
>
> On 22-8-2017 8:43, Marek Posolda wrote:
>> KEYCLOAK-4052 will help with the case when you want to enforce 
>> Keycloak password policies when updating the password of Keycloak 
>> user, who is mapped to LDAP provider. However LDAP password policies 
>> will be applied too. And in your case, MSAD policies are applied 
>> already. In other words, KEYCLOAK-4052 won't help you with the error 
>> "Could not modify attribute for DN 
>> [CN=username,CN=Users,DC=ad,DC=company,DC=com]" .
>>
>> The case you mentioned should be already supported, but it works 
>> just for MSAD. AFAIK it doesn't work for some others like Samba AD. 
>> Also you need to have MSAD User Account Controls mapper enabled.
>>
>> Marek
>>
>>
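The thread describes two separate mechanisms: the realm's own password policy (which KEYCLOAK-4052 concerns) and the MSAD mapper that inspects the LDAP error returned by the directory to decide whether a password update failed because of the directory's policy. The following standalone Python sketch, added here as an illustration and not code from Keycloak or from anyone on this thread, shows both steps side by side: a local check against a Keycloak-style policy string such as `length(8) and digits(1)`, and a classifier that maps MSAD's diagnostic messages to a reason. The MSAD codes are standard Win32 error values; the sample diagnostic strings, the `ldap_modify` callable and the `change_password` flow are constructed for this example. The message without a recognizable code stands in for the Samba case: it falls through to `unknown`, which is the failure mode the thread discusses.

```python
import re

# Standard Win32 error codes that MSAD embeds in LDAP diagnostic messages.
# The values come from the Windows SDK, not from the thread above.
MSAD_ERROR_CODES = {
    0x52D: "password_restriction",   # ERROR_PASSWORD_RESTRICTION: directory policy violated
    0x52E: "logon_failure",          # ERROR_LOGON_FAILURE
    0x530: "invalid_logon_hours",    # ERROR_INVALID_LOGON_HOURS
    0x532: "password_expired",       # ERROR_PASSWORD_EXPIRED
    0x533: "account_disabled",       # ERROR_ACCOUNT_DISABLED
    0x701: "account_expired",        # ERROR_ACCOUNT_EXPIRED
    0x773: "password_must_change",   # ERROR_PASSWORD_MUST_CHANGE
    0x775: "account_locked_out",     # ERROR_ACCOUNT_LOCKED_OUT
}

# MSAD writes the code either as an 8-digit hex prefix ("0000052D: ...") on
# modify failures, or as "data 52e" inside an AcceptSecurityContext message.
_PREFIX = re.compile(r"\b([0-9A-Fa-f]{8}):")
_DATA = re.compile(r"\bdata ([0-9A-Fa-f]{1,4})\b")


def classify_ldap_error(message: str) -> str:
    """Map an LDAP diagnostic message to a reason name, or 'unknown'.

    Anything that is not MSAD-shaped (e.g. a different directory product)
    ends up as 'unknown', which is exactly the gap the thread describes."""
    for pattern in (_PREFIX, _DATA):
        m = pattern.search(message)
        if m:
            reason = MSAD_ERROR_CODES.get(int(m.group(1), 16))
            if reason:
                return reason
    return "unknown"


# Realm policy string in Keycloak's "name(arg) and name(arg)" form.
_POLICY_RE = re.compile(r"(\w+)\((\d+)\)")


def parse_policy(policy: str) -> dict:
    """Parse e.g. 'length(8) and digits(1)' into {'length': 8, 'digits': 1}."""
    return {name: int(arg) for name, arg in _POLICY_RE.findall(policy)}


def local_policy_violations(password: str, policy: dict) -> list:
    """Return the names of the policy entries the password does not satisfy."""
    checks = {
        "length": lambda p, n: len(p) >= n,
        "digits": lambda p, n: sum(c.isdigit() for c in p) >= n,
        "upperCase": lambda p, n: sum(c.isupper() for c in p) >= n,
        "lowerCase": lambda p, n: sum(c.islower() for c in p) >= n,
        "specialChars": lambda p, n: sum(not c.isalnum() for c in p) >= n,
    }
    return [name for name, n in policy.items()
            if name in checks and not checks[name](password, n)]


def change_password(password: str, policy_string: str, ldap_modify) -> tuple:
    """Enforce the realm policy first, then push to LDAP and classify any failure.

    ldap_modify is a hypothetical callable standing in for the directory
    write; it raises an exception carrying the server's diagnostic message."""
    violations = local_policy_violations(password, parse_policy(policy_string))
    if violations:
        return ("rejected_locally", violations)
    try:
        ldap_modify(password)
    except Exception as exc:  # constructed stand-in for the LDAP client error
        return ("rejected_by_ldap", [classify_ldap_error(str(exc))])
    return ("ok", [])


# Constructed diagnostic strings in the shape MSAD (wrapped by JNDI) produces.
# The last one has no recognizable code and models a non-MSAD directory.
SAMPLE_ERRORS = {
    "msad_policy": ("[LDAP: error code 19 - 0000052D: AtrErr: DSID-03191083, #1: "
                    "0: 0000052D: DSID-03191083, problem 1005 (CONSTRAINT_ATT_TYPE), "
                    "data 0, Att 9005a (unicodePwd)]"),
    "msad_bind_expired": ("[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, "
                          "comment: AcceptSecurityContext error, data 532, v1db1]"),
    "other_directory": ("Could not modify attribute for DN "
                        "[CN=user,CN=Users,DC=example,DC=com]: constraint violation"),
}


def _failing_ldap(password: str) -> None:
    raise RuntimeError(SAMPLE_ERRORS["msad_policy"])


if __name__ == "__main__":
    policy = "length(8) and digits(1) and upperCase(1)"
    print(change_password("abc", policy, _failing_ldap))        # rejected locally
    print(change_password("Abcdefg1", policy, _failing_ldap))   # rejected by LDAP
    for name, msg in SAMPLE_ERRORS.items():
        print(name, "->", classify_ldap_error(msg))
```

With the local check in front, a weak password such as `abc` never reaches the directory, which is the behaviour the question asks for; when the directory still rejects a password that passed the realm policy, the classifier is what turns the raw diagnostic into a specific reason, and it can only do so for message formats it knows.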


