KEYCLOAK-4989 Note about LDAP password hashing
parent
39bb3ddd91
commit
14ef0d0c5f
1 changed files with 10 additions and 0 deletions
|
@ -152,3 +152,13 @@ MSAD User Account Mapper::
|
||||||
By default, there are User Attribute mappers that map basic {project_name} user attributes like username, firstname, lastname, and email to corresponding LDAP attributes.
|
By default, there are User Attribute mappers that map basic {project_name} user attributes like username, firstname, lastname, and email to corresponding LDAP attributes.
|
||||||
You are free to extend these and provide additional attribute mappings.
|
You are free to extend these and provide additional attribute mappings.
|
||||||
Admin console provides tooltips, which should help with configuring the corresponding mappers.
|
Admin console provides tooltips, which should help with configuring the corresponding mappers.
|
||||||
|
|
||||||
|
[[_ldap_password_hashing]]
|
||||||
|
==== Password Hashing
|
||||||
|
|
||||||
|
When the password of user is updated from {project_name} and sent to LDAP, it is always sent in plain-text. This is different from
|
||||||
|
updating the password to built-in {project_name} database, when the hashing and salting is applied to the password before it is sent to DB.
|
||||||
|
In the case of LDAP, the {project_name} relies on the LDAP server to provide hashing and salting of passwords.
|
||||||
|
|
||||||
|
Most of LDAP servers (Microsoft Active Directory, RHDS, FreeIPA) provide this by default. Some others (OpenLDAP, ApacheDS) may store the passwords
|
||||||
|
in plain-text by default and you may need to explicitly enable password hashing for them. See the documentation of your LDAP server more details.
|
||||||
|
|
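Review bot: The first added paragraph says the password is "always sent in plain-text" to LDAP, which can be read as a statement about the network connection as well as about hashing, and nothing in the new section tells the reader to protect that connection. Suggest wording it as "not hashed by {project_name}" and adding one sentence recommending an encrypted connection to the LDAP server (ldaps or StartTLS), since the unhashed password is what travels to the server. Wording nits in the same section: "the password of user" should be "a user's password", "the {project_name} relies" should drop the article, "Most of LDAP servers" should be "Most LDAP servers", and the last sentence is missing "for" in "See the documentation of your LDAP server more details".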