KEYCLOAK-4989 Note about LDAP password hashing

This commit is contained in:
mposolda 2019-01-21 09:49:17 +01:00 committed by Matthew Helmke
parent 39bb3ddd91
commit 14ef0d0c5f

View file

@ -152,3 +152,13 @@ MSAD User Account Mapper::
By default, there are User Attribute mappers that map basic {project_name} user attributes like username, firstname, lastname, and email to corresponding LDAP attributes. By default, there are User Attribute mappers that map basic {project_name} user attributes like username, firstname, lastname, and email to corresponding LDAP attributes.
You are free to extend these and provide additional attribute mappings. You are free to extend these and provide additional attribute mappings.
Admin console provides tooltips, which should help with configuring the corresponding mappers. Admin console provides tooltips, which should help with configuring the corresponding mappers.
[[_ldap_password_hashing]]
==== Password Hashing
When the password of user is updated from {project_name} and sent to LDAP, it is always sent in plain-text. This is different from
updating the password to built-in {project_name} database, when the hashing and salting is applied to the password before it is sent to DB.
In the case of LDAP, the {project_name} relies on the LDAP server to provide hashing and salting of passwords.
Most of LDAP servers (Microsoft Active Directory, RHDS, FreeIPA) provide this by default. Some others (OpenLDAP, ApacheDS) may store the passwords
in plain-text by default and you may need to explicitly enable password hashing for them. See the documentation of your LDAP server more details.