[keycloak-user] password policy | federation to AD

mj lists at merit.unu.edu
Mon Sep 4 04:23:05 EDT 2017


Hi Marek, list,

Seeing that KEYCLOAK-4052 "Use PasswordPolicy for LDAP password updates" 
has now been postponed until 4.x, I'd like to know if it's possible to 
display some additional text on the keycloak password change page.

We would like to outline the password requirements, so at least our 
users would understand WHY the password change did not succeed.

Something like: "Please mix upper- and lowercase, numbers and special 
characters, and make it longer than 8 characters"

I have looked at the templates, but can't see where to add/edit this.

MJ

On 08/23/2017 01:49 PM, Marek Posolda wrote:
> Ah, I see your point now.
> 
> I can't guarantee that we will fix KEYCLOAK-4052 for 3.4. At least I am 
> likely not going to look into that due to other priorities. But maybe 
> someone else will.
> 
> BTW. The error you mentioned is the known issue for Samba AD. We have 
> mapper (MSADUserAccountControlStorageMapper ), which is able to 
> translate the error message from MSAD during password update and 
> recognize if update failed due to password policy or other reason. 
> However this works just for MSAD, but doesn't work for Samba. It seems 
> that Samba has a bit different error messages and hence it fails. The 
> solution might be to implement another mapper just for Samba AD 
> (hopefully subclass of MSADUserAccountControlStorageMapper, so it 
> doesn't need to be completely rewritten). If you want to contribute 
> that, it will be nice. We're not going to support Samba AD in near 
> future and hence we won't do it on our own. At least not now.
> 
> Marek
> 
> 
> On 22/08/17 10:38, lists wrote:
>> Hi Marek,
>>
>> But I am under the impression that KEYCLOAK-4052 would not allow the 
>> user to provide a password that does not meet the complexity 
>> requirements configured in keycloak?
>>
>> And if I would configure keycloak to require more complex passwords than 
>> MSAD does, the user password change would succeed?
>>
>> Because currently keycloak accepts 'abc' as a password, and samba 
>> doesn't. If keycloak would require the user to provide a GOOD 
>> password, samba would also accept it.
>>
>> (because the basic password-change-functionality works fine)
>>
>> I would only like keycloak to NOT accept '123' as a valid password, 
>> but take into account it's own configured password complexity when 
>> changing the MSAD password.
>>
>> Is that not what KEYCLOAK-4052 is about?
>>
>> MJ
>>
>> On 22-8-2017 8:43, Marek Posolda wrote:
>>> KEYCLOAK-4052 will help with the case when you want to enforce 
>>> Keycloak password policies when updating the password of Keycloak 
>>> user, who is mapped to LDAP provider. However LDAP password policies 
>>> will be applied too. And in your case, MSAD policies are applied 
>>> already. In other words, KEYCLOAK-4052 won't help you with the error 
>>> "Could not modify attribute for DN 
>>> [CN=username,CN=Users,DC=ad,DC=company,DC=com]" .
>>>
>>> The case you mentioned should be already supported, but it works 
>>> just for MSAD. AFAIK it doesn't work for some others like Samba AD. 
>>> Also you need to have MSAD User Account Controls mapper enabled.
>>>
>>> Marek
>>>
>>>
> 

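The thread above is about Keycloak accepting 'abc' or '123' for an LDAP-federated user while the directory rejects it, and about telling the user which requirement was not met. The block below is an added example, not code from the thread or from Keycloak itself: it parses a realm password policy written in the "rule(arg) and rule(arg)" form the Keycloak admin console stores (rule names length, upperCase, lowerCase, digits, specialChars, notUsername are Keycloak's; the parser, checks and wording are illustrative stand-ins, and the sample passwords and username are constructed), and turns the failed rules into the kind of explanatory text the original poster wanted on the password change page.

```python
import re
from typing import Dict, List

# Constructed example policy string in the form Keycloak stores in the realm
# settings ("rule(arg) and rule"). Rule names match Keycloak's built-in
# policies; the validator below is an illustrative reimplementation, not
# Keycloak's PasswordPolicy code.
POLICY = ("length(9) and upperCase(1) and lowerCase(1) and digits(1) "
          "and specialChars(1) and notUsername")

# Human-readable explanation per rule: the text a theme could show the user
# instead of a bare "Could not modify attribute" failure.
MESSAGES = {
    "length": "at least {n} characters long",
    "upperCase": "contain at least {n} upper-case letter(s)",
    "lowerCase": "contain at least {n} lower-case letter(s)",
    "digits": "contain at least {n} digit(s)",
    "specialChars": "contain at least {n} special character(s)",
    "notUsername": "different from the username",
}

# One check per rule: (password, username, argument) -> rule satisfied?
# specialChars follows Keycloak's definition: any char that is not a letter
# or digit.
CHECKS = {
    "length": lambda pw, user, n: len(pw) >= n,
    "upperCase": lambda pw, user, n: sum(c.isupper() for c in pw) >= n,
    "lowerCase": lambda pw, user, n: sum(c.islower() for c in pw) >= n,
    "digits": lambda pw, user, n: sum(c.isdigit() for c in pw) >= n,
    "specialChars": lambda pw, user, n: sum(not c.isalnum() for c in pw) >= n,
    "notUsername": lambda pw, user, n: pw.lower() != user.lower(),
}

RULE_RE = re.compile(r"^\s*([A-Za-z]+)(?:\((\d+)\))?\s*$")


def parse_policy(policy: str) -> Dict[str, int]:
    """Parse 'rule(n) and rule' into {rule: n}; a rule with no argument gets 1.

    Unknown or malformed rules raise, so a typo in the policy fails loudly
    instead of silently enforcing nothing.
    """
    rules: Dict[str, int] = {}
    for part in policy.split(" and "):
        m = RULE_RE.match(part)
        if not m:
            raise ValueError(f"unparseable policy rule: {part!r}")
        name, arg = m.group(1), m.group(2)
        if name not in CHECKS:
            raise ValueError(f"unknown policy rule: {name}")
        rules[name] = int(arg) if arg is not None else 1
    return rules


def violations(password: str, username: str, policy: str = POLICY) -> List[str]:
    """Return the unmet requirements as user-facing strings (empty = accepted)."""
    failed = []
    for name, n in parse_policy(policy).items():
        if not CHECKS[name](password, username, n):
            failed.append(MESSAGES[name].format(n=n))
    return failed


def explain(password: str, username: str, policy: str = POLICY) -> str:
    """Single message suitable for a password change page."""
    failed = violations(password, username, policy)
    if not failed:
        return "OK"
    return "Password rejected. It must be: " + "; ".join(failed) + "."


if __name__ == "__main__":
    # Constructed inputs: the two passwords from the thread, a passing one,
    # and a password equal to the (constructed) username.
    for pw in ("abc", "123", "Tr0ub4dor&3x", "mjuser"):
        print(f"{pw!r}: {explain(pw, 'mjuser')}")
```

Rejecting the password in Keycloak before it is written to LDAP is the behaviour KEYCLOAK-4052 asks for; until that lands, a check like this in front of the change form at least gives the user the reason, whereas the directory (MSAD or Samba) only returns the generic modify failure quoted in the thread.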

More information about the keycloak-user mailing list