KEYCLOAK-4989 Note about LDAP password hashing

mposolda 2019-01-21 09:49:17 +01:00 committed by Matthew Helmke
parent 39bb3ddd91
commit 14ef0d0c5f


@ -152,3 +152,13 @@ MSAD User Account Mapper::
By default, there are User Attribute mappers that map basic {project_name} user attributes like username, firstname, lastname, and email to corresponding LDAP attributes.
You are free to extend these and provide additional attribute mappings.
Admin console provides tooltips, which should help with configuring the corresponding mappers.
[[_ldap_password_hashing]]
==== Password Hashing
When the password of user is updated from {project_name} and sent to LDAP, it is always sent in plain-text. This is different from
updating the password to built-in {project_name} database, when the hashing and salting is applied to the password before it is sent to DB.
In the case of LDAP, the {project_name} relies on the LDAP server to provide hashing and salting of passwords.
Most of LDAP servers (Microsoft Active Directory, RHDS, FreeIPA) provide this by default. Some others (OpenLDAP, ApacheDS) may store the passwords
in plain-text by default and you may need to explicitly enable password hashing for them. See the documentation of your LDAP server more details.
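Review bot: the last sentence of the added section drops a word ("See the documentation of your LDAP server more details" should read "for more details"), and a few other phrases would read more cleanly: "When the password of user is updated" to "When a user's password is updated", "the hashing and salting is applied" to "hashing and salting are applied", "the {project_name} relies" to "{project_name} relies", and "Most of LDAP servers" to "Most LDAP servers". Since the section opens by stating that the password is always sent to LDAP in plain text, it would also help readers to add one sentence making explicit that this refers to the value in the LDAP update and that the connection to the LDAP server should therefore be encrypted (LDAPS or StartTLS), so the plain-text password is never exposed on the wire; the section currently only covers storage-side hashing on the server.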