KEYCLOAK-10927 update documentation

Lars Uffmann 2020-04-05 19:02:41 +02:00 committed by Marek Posolda
parent 7f8c4c89d3
commit 86f9e12e8e


@ -189,5 +189,9 @@ When the password of user is updated from {project_name} and sent to LDAP, it is
updating the password to built-in {project_name} database, when the hashing and salting is applied to the password before it is sent to DB. updating the password to built-in {project_name} database, when the hashing and salting is applied to the password before it is sent to DB.
In the case of LDAP, the {project_name} relies on the LDAP server to provide hashing and salting of passwords. In the case of LDAP, the {project_name} relies on the LDAP server to provide hashing and salting of passwords.
Most of LDAP servers (Microsoft Active Directory, RHDS, FreeIPA) provide this by default. Some others (OpenLDAP, ApacheDS) may store the passwords Most LDAP servers (Microsoft Active Directory, RHDS, FreeIPA) provide this by default. Some others (OpenLDAP, ApacheDS) may store the passwords
in plain-text by default and you may need to explicitly enable password hashing for them. See the documentation of your LDAP server more details. in plain-text by default unless you use the _LDAPv3 Password Modify Extended Operation_ as per *RFC3062*. The LDAPv3 Password Modify Extended Operation
must be enabled explicitly in the LDAP configuration page. See the documentation of your LDAP server for more details.
WARNING: Always verify that user passwords are properly hashed and not stored as plaintext by inspecting a changed
directory entry using `ldapsearch` and base64 decode the `userPassword` attribute value.
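
Review bot: The added sentence "must be enabled explicitly in the LDAP configuration page" does not say whether it means the {project_name} LDAP provider settings or the LDAP server's own configuration, and the following pointer to the LDAP server documentation invites the second reading; name the page and the setting explicitly. The rewrite also drops the old hint that password hashing may have to be enabled on the server, so the paragraph now reads as if using the extended operation by itself guarantees hashed storage; consider keeping a sentence that the server's storage behaviour still has to be checked. In the WARNING, "inspecting a changed directory entry using `ldapsearch` and base64 decode" is not parallel (suggest "and base64-decoding"), and it would help to state what the reader should expect to see in a correctly hashed `userPassword` value after decoding. Minor: write "RFC 3062" with a space.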