[keycloak-user] password policy | federation to AD

Marek Posolda mposolda at redhat.com
Mon Sep 4 05:49:13 EDT 2017


Yes, that should work at least as a workaround :/

AFAIK there is a "themes" directory as a subdirectory of the main keycloak 
directory of the keycloak-server distribution. AFAIK if you change it 
there, it should be used. There is a messages_en.properties file for the 
account theme (that's the one you need for the account management) and also 
for the login theme (that's the one you need for user's self-registration or 
updatePassword required action).

We have docs for "Theme", so you can take a look there.

Marek

On 04/09/17 10:23, mj wrote:
> Hi Marek, list,
>
> Seeing that KEYCLOAK-4052 "Use PasswordPolicy for LDAP password 
> updates" has now been postponed until 4.x, I'd like to know if it's 
> possible to display some additional text on the keycloak password 
> change page.
>
> We would like to outline the password requirements, so at least our 
> users would understand WHY the password change did not succeed.
>
> Something like: "Please mix upper- and lowercase, numbers and special 
> characters, and make it longer than 8 characters"
>
> I have looked at the templates, but can't see where to add/edit this.
>
> MJ
>
> On 08/23/2017 01:49 PM, Marek Posolda wrote:
>> Ah, I see your point now.
>>
>> I can't guarantee that we will fix KEYCLOAK-4052 for 3.4. At least I 
>> am likely not going to look into that due to other priorities. But 
>> maybe someone else will.
>>
>> BTW. The error you mentioned is the known issue for Samba AD. We have 
>> mapper (MSADUserAccountControlStorageMapper ), which is able to 
>> translate the error message from MSAD during password update and 
>> recognize if update failed due to password policy or other reason. 
>> However this works just for MSAD, but doesn't work for Samba. It 
>> seems that Samba has a bit different error messages and hence it fails. 
>> The solution might be to implement another mapper just for Samba AD 
>> (hopefully subclass of MSADUserAccountControlStorageMapper, so it 
>> doesn't need to be completely rewritten). If you want to contribute 
>> that, it will be nice. We're not going to support Samba AD in near 
>> future and hence we won't do it on our own. At least not now.
>>
>> Marek
>>
>>
>> On 22/08/17 10:38, lists wrote:
>>> Hi Marek,
>>>
>>> But I am under the impression that KEYCLOAK-4052 would not allow the 
>>> user to provide a password that does not meet the complexity 
>>> requirements configured in keycloak?
>>>
>>> And if I would configure keycloak to require more complex passwords 
>>> than MSAD does, the user password change would succeed?
>>>
>>> Because currently keycloak accepts 'abc' as a password, and samba 
>>> doesn't. If keycloak would require the user to provide a GOOD 
>>> password, samba would also accept it.
>>>
>>> (because the basic password-change-functionality works fine)
>>>
>>> I would only like keycloak to NOT accept '123' as a valid password, 
>>> but take into account its own configured password complexity when 
>>> changing the MSAD password.
>>>
>>> Is that not what KEYCLOAK-4052 is about?
>>>
>>> MJ
>>>
>>> On 22-8-2017 8:43, Marek Posolda wrote:
>>>> KEYCLOAK-4052 will help with the case when you want to enforce 
>>>> Keycloak password policies when updating the password of Keycloak 
>>>> user, who is mapped to LDAP provider. However LDAP password 
>>>> policies will be applied too. And in your case, MSAD policies are 
>>>> applied already. In other words, KEYCLOAK-4052 won't help you with 
>>>> the error "Could not modify attribute for DN 
>>>> [CN=username,CN=Users,DC=ad,DC=company,DC=com]" .
>>>>
>>>> The case you mentioned should be already supported, but it works 
>>>> just for MSAD. AFAIK it doesn't work for some others like Samba AD. 
>>>> Also you need to have MSAD User Account Controls mapper enabled.
>>>>
>>>> Marek
>>>>
>>>>
>>
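The theme override Marek describes at the top of this thread, as an added example that is not part of the original mail: it builds a minimal overlay theme (name "mytheme" and the hint wording are assumptions) that extends the stock "keycloak" theme and replaces only the passwordNew message key, so the requirements text appears next to the new-password field on both the account "Change password" page and the login updatePassword required action.

```shell
#!/bin/sh
# Added example, not from the thread. Creates a Keycloak theme overlay
# (<keycloak-home>/themes/mytheme) that adds a password-requirements hint
# by overriding a message key in the account and login theme types.
# "mytheme" and the hint text are assumptions; parent=keycloak and the
# passwordNew key are from the stock Keycloak themes.
set -eu

make_theme() {
    # $1 is the themes directory, e.g. /opt/keycloak/themes
    base="$1/mytheme"
    hint="Please mix upper- and lowercase letters, numbers and special characters, and use more than 8 characters"
    for type in account login; do
        mkdir -p "$base/$type/messages"
        # parent=keycloak keeps every template and stylesheet of the stock
        # theme; only the message keys listed in messages/*.properties change.
        printf 'parent=keycloak\n' > "$base/$type/theme.properties"
        # passwordNew is the label of the "new password" input on the account
        # password page and on the login updatePassword page.
        printf 'passwordNew=New password (%s)\n' "$hint" \
            > "$base/$type/messages/messages_en.properties"
    done
    # Print the overlay root so callers (and the admin console) can find it.
    echo "$base"
}

# Demo against a scratch directory; point this at the real themes dir instead.
make_theme "$(mktemp -d)"
```

After restarting Keycloak, select "mytheme" as the Account and Login theme for the realm (Realm Settings > Themes) so the override takes effect.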
