From 14ef0d0c5fd3b040dc4512e128d16c52f3ffb9b0 Mon Sep 17 00:00:00 2001 From: mposolda Date: Mon, 21 Jan 2019 09:49:17 +0100 Subject: [PATCH] KEYCLOAK-4989 Note about LDAP password hashing --- server_admin/topics/user-federation/ldap.adoc | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/server_admin/topics/user-federation/ldap.adoc b/server_admin/topics/user-federation/ldap.adoc index f2b23ada55..649100a2d6 100644 --- a/server_admin/topics/user-federation/ldap.adoc +++ b/server_admin/topics/user-federation/ldap.adoc @@ -152,3 +152,13 @@ MSAD User Account Mapper:: By default, there are User Attribute mappers that map basic {project_name} user attributes like username, firstname, lastname, and email to corresponding LDAP attributes. You are free to extend these and provide additional attribute mappings. Admin console provides tooltips, which should help with configuring the corresponding mappers. + +[[_ldap_password_hashing]] +==== Password Hashing + +When the password of user is updated from {project_name} and sent to LDAP, it is always sent in plain-text. This is different from +updating the password to built-in {project_name} database, when the hashing and salting is applied to the password before it is sent to DB. +In the case of LDAP, the {project_name} relies on the LDAP server to provide hashing and salting of passwords. + +Most of LDAP servers (Microsoft Active Directory, RHDS, FreeIPA) provide this by default. Some others (OpenLDAP, ApacheDS) may store the passwords +in plain-text by default and you may need to explicitly enable password hashing for them. See the documentation of your LDAP server more details.
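Review bot: the new "Password Hashing" section warns that the password is always sent to LDAP in plain text, but it does not tell the reader that the connection to the LDAP server must therefore be encrypted (LDAPS or StartTLS) so that the plain-text password is not exposed on the wire; one sentence to that effect, next to "it is always sent in plain-text", would make the note actionable. The wording also needs a pass: "When the password of user is updated" reads better as "When a user's password is updated", "the hashing and salting is applied" should be "hashing and salting are applied", "the {project_name} relies" should drop the article before the placeholder, "Most of LDAP servers" should be "Most LDAP servers", and the last sentence is missing a word: "See the documentation of your LDAP server for more details."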