[keycloak-user] password policy | federation to AD
Marek Posolda
mposolda at redhat.com
Mon Sep 4 05:49:13 EDT 2017
Yes, that should work at least as a workaround :/
AFAIK there is a "themes" directory as a subdirectory of the main keycloak
directory of the keycloak-server distribution. AFAIK if you change it
there, it should be used. There is a messages_en.properties file for the
account theme (that's the one you need for the account management) and also
for the login theme (that's the one you need for the user's self-registration or
updatePassword required action).
We have docs for "Theme", so you can take a look there.
Marek
On 04/09/17 10:23, mj wrote:
> Hi Marek, list,
>
> Seeing that KEYCLOAK-4052 "Use PasswordPolicy for LDAP password
> updates" has now been postponed until 4.x, I'd like to know if it's
> possible to display some additional text on the keycloak password
> change page.
>
> We would like to outline the password requirements, so at least our
> users would understand WHY the password change did not succeed.
>
> Something like: "Please mix upper- and lowercase, numbers and special
> characters, and make it longer than 8 characters"
>
> I have looked at the templates, but can't see where to add/edit this.
>
> MJ
>
> On 08/23/2017 01:49 PM, Marek Posolda wrote:
>> Ah, I see your point now.
>>
>> I can't guarantee that we will fix KEYCLOAK-4052 for 3.4. At least I
>> am likely not going to look into that due to other priorities. But
>> maybe someone else will.
>>
>> BTW. The error you mentioned is a known issue for Samba AD. We have a
>> mapper (MSADUserAccountControlStorageMapper), which is able to
>> translate the error message from MSAD during password update and
>> recognize if the update failed due to password policy or another reason.
>> However this works just for MSAD, but doesn't work for Samba. It
>> seems that Samba has a bit different error messages and hence it fails.
>> The solution might be to implement another mapper just for Samba AD
>> (hopefully subclass of MSADUserAccountControlStorageMapper, so it
>> doesn't need to be completely rewritten). If you want to contribute
>> that, it will be nice. We're not going to support Samba AD in near
>> future and hence we won't do it on our own. At least not now.
>>
>> Marek
>>
>>
>> On 22/08/17 10:38, lists wrote:
>>> Hi Marek,
>>>
>>> But I am under the impression that KEYCLOAK-4052 would not allow the
>>> user to provide a password that does not meet the complexity
>>> requirements configured in keycloak?
>>>
>>> And if I would configure keycloak to require more complex passwords
>>> than MSAD does, the user password change would succeed?
>>>
>>> Because currently keycloak accepts 'abc' as a password, and samba
>>> doesn't. If keycloak would require the user to provide a GOOD
>>> password, samba would also accept it.
>>>
>>> (because the basic password-change-functionality works fine)
>>>
>>> I would only like keycloak to NOT accept '123' as a valid password,
>>> but take into account it's own configured password complexity when
>>> changing the MSAD password.
>>>
>>> Is that not what KEYCLOAK-4052 is about?
>>>
>>> MJ
>>>
>>> On 22-8-2017 8:43, Marek Posolda wrote:
>>>> KEYCLOAK-4052 will help with the case when you want to enforce
>>>> Keycloak password policies when updating the password of Keycloak
>>>> user, who is mapped to LDAP provider. However LDAP password
>>>> policies will be applied too. And in your case, MSAD policies are
>>>> applied already. In other words, KEYCLOAK-4052 won't help you with
>>>> the error "Could not modify attribute for DN
>>>> [CN=username,CN=Users,DC=ad,DC=company,DC=com]" .
>>>>
>>>> The case you mentioned should be already supported, but it works
>>>> just for MSAD. AFAIK it doesn't work for some others like Samba AD.
>>>> Also you need to have MSAD User Account Controls mapper enabled.
>>>>
>>>> Marek
>>>>
>>>>
>>
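The thread above turns on two things: MSAD (and Samba AD) reject a password that fails the directory's complexity rule, and Keycloak only reports a generic "Could not modify attribute for DN" back to the user. The following is an added example, not Keycloak code and not from anyone in this thread: a small pre-check that mirrors the default Active Directory complexity rule as commonly documented (minimum length, characters from at least 3 of 5 categories, and no sAMAccountName or display-name token of 3+ characters inside the password). The minimum length of 7, the category definitions and the delimiter set are assumptions about the AD default, not facts from this thread; a domain can configure them differently. The function returns failure codes and a human-readable explanation, which is the kind of text MJ wanted to surface on the password page.

```python
"""Illustrative pre-validation of a password against the (assumed) default
MSAD complexity rule, so a Keycloak-side check or UI can reject 'abc' with a
reason before the LDAP modify is attempted. Example code, not Keycloak's own."""
import re

# Assumed default AD minimum length; real domains configure this via policy.
MIN_LENGTH = 7
# Assumed delimiters AD uses to split displayName into tokens.
DISPLAY_NAME_DELIMS = re.compile(r"[,.\-_ #\t]+")

# Human-readable texts for each failure code (suitable for a theme message).
CODE_TEXT = {
    "min_length": f"Password must be at least {MIN_LENGTH} characters long.",
    "categories": ("Password must mix at least three of: uppercase letters, "
                   "lowercase letters, digits, special characters, "
                   "other alphabetic characters."),
    "contains_account_name": "Password must not contain your account name.",
    "contains_display_name_token": "Password must not contain parts of your display name.",
}


def character_categories(password: str) -> set:
    """Return the set of AD-style character categories present in password."""
    cats = set()
    for ch in password:
        if ch.isupper():
            cats.add("upper")
        elif ch.islower():
            cats.add("lower")
        elif ch.isdigit():
            cats.add("digit")
        elif ch.isalpha():
            # Alphabetic characters without upper/lower case (e.g. CJK).
            cats.add("other_alpha")
        else:
            cats.add("special")
    return cats


def complexity_failures(password: str, sam_account_name: str = "",
                        display_name: str = "") -> list:
    """Return a list of failure codes; an empty list means the password
    would pass the assumed AD complexity rule."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("min_length")
    if len(character_categories(password)) < 3:
        failures.append("categories")

    lowered = password.lower()
    # AD skips the account-name check when the name is shorter than 3 chars.
    if len(sam_account_name) >= 3 and sam_account_name.lower() in lowered:
        failures.append("contains_account_name")
    # Any display-name token of 3+ characters must not appear in the password.
    tokens = [t for t in DISPLAY_NAME_DELIMS.split(display_name) if len(t) >= 3]
    if any(t.lower() in lowered for t in tokens):
        failures.append("contains_display_name_token")
    return failures


def explain(failures: list) -> list:
    """Map failure codes to the texts a password page could display."""
    return [CODE_TEXT[code] for code in failures]


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the thread.
    for pw, sam, dn in [("abc", "jdoe", "John Doe"),
                        ("JohnDoe1!", "jdoe", "John Doe"),
                        ("Abc12345", "jdoe", "John Doe")]:
        print(pw, "->", explain(complexity_failures(pw, sam, dn)) or ["OK"])
```

Keycloak's built-in policies (length, upperCase, lowerCase, digits, specialChars) approximate the category rule but not the account-name and display-name checks, which is why a password can pass a Keycloak policy and still be refused by AD; running a check like this before the LDAP update gives the user a concrete reason instead of the generic modify error.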