KeyCloak User Credentials Encryption

I am using KeyCloak to automatically import the users included to an existing LDAP. Right now, I need to know how do the KeyCloak communicate to the LDAP. Specifically how do the KeyCloak pass the password to LDAP to authenticate the user credentials.

I tried to search all over the internet but I cannot find a forum, blog, or documentation about this. I need this to pass our security requirement.

Rich asked Aug 27 '19 09:08


2 Answers

It depends on the protocol used.

When adding an LDAP user federation, it is possible to use both ldap and ldaps protocols.

When setting the Connection URL to ldap://ldapserver.domain.com, the ldap protocol is used and Keycloak communicates to the server via port 389 (by default), which means all data pulled from the LDAP server will be through plain-text, including passwords whenever authentication requests are made.

On the other hand, setting the Connection URL to ldaps://ldapserver.domain.com would make use of LDAP over SSL/TLS (not to be confused with LDAP+STARTTLS, which is another way of encrypting LDAP communication), and Keycloak communicates with the server via port 636 (by default). This would mean all communication between Keycloak and the LDAP server goes through an encrypted SSL/TLS tunnel, similar to how a browser and an HTTPS website communicate.

14.3.4. Connect to LDAP over SSL

When you configure a secured connection URL to your LDAP store (for example ldaps://myhost.com:636), Keycloak will use SSL for the communication with the LDAP server. ...

Regarding passwords, which appear to be OP's specific concern, according to the documentation, passwords are sent to the provider as-is, which of course are transmitted through an encrypted TLS tunnel if ldaps is used.

14.3.7. Password Hashing

When the password of a user is updated from Keycloak and sent to LDAP, it is always sent in plain-text. This is different from updating the password in the built-in Keycloak database, where hashing and salting are applied to the password before it is sent to the DB. In the case of LDAP, Keycloak relies on the LDAP server to provide hashing and salting of passwords.

Most LDAP servers (Microsoft Active Directory, RHDS, FreeIPA) provide this by default. Some others (OpenLDAP, ApacheDS) may store passwords in plain-text by default, and you may need to explicitly enable password hashing for them. See the documentation of your LDAP server for more details.

Lester answered Sep 24 '22 08:09
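The answer above points out that Keycloak hands the password to the directory as-is and that OpenLDAP or ApacheDS may then store it unhashed. The following is an added example (not from the answer, Keycloak or OpenLDAP) of how you would audit what actually ended up in the directory: it classifies RFC 2307-style userPassword values by their `{SCHEME}` prefix, and verifies an `{SSHA}` value (base64 of sha1(password || salt) || salt) so the check is not just string matching. The DNs and password values are constructed sample data, and the scheme lists are the author's choice of what to treat as salted, unsalted or plaintext; adjust them to your directory's configured password-hash setting.

```python
"""Classify and verify userPassword values pulled from an LDAP directory.

Added example, not code from the original answer or from Keycloak/OpenLDAP.
Sample entries below are constructed; the scheme lists are an assumption.
"""
import base64
import hashlib
import hmac
import os
import re

# RFC 2307 convention: "{SCHEME}" followed by scheme-specific data.
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.DOTALL)

# Author's assumption about which schemes count as what; tune for your server.
SALTED_SCHEMES = {"SSHA", "SSHA256", "SSHA512", "SMD5", "CRYPT",
                  "PBKDF2", "PBKDF2-SHA256", "PBKDF2-SHA512", "ARGON2"}
UNSALTED_SCHEMES = {"SHA", "SHA256", "SHA512", "MD5"}


def make_ssha(password, salt=None):
    """Build an {SSHA} value: base64( sha1(password || salt) || salt )."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored, password):
    """Return True if the {SSHA} value 'stored' matches 'password'."""
    m = SCHEME_RE.match(stored)
    if not m or m.group(1).upper() != "SSHA":
        return False
    try:
        raw = base64.b64decode(m.group(2), validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return False
    if len(raw) <= 20:          # need a 20-byte SHA-1 digest plus a salt
        return False
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)   # constant-time compare


def classify(stored):
    """Return 'plaintext', 'unsalted-hash', 'salted-hash' or 'unknown'."""
    m = SCHEME_RE.match(stored)
    if not m:                   # no {SCHEME} prefix at all: stored verbatim
        return "plaintext"
    scheme = m.group(1).upper()
    if scheme == "CLEARTEXT":   # OpenLDAP's explicit cleartext scheme
        return "plaintext"
    if scheme in SALTED_SCHEMES:
        return "salted-hash"
    if scheme in UNSALTED_SCHEMES:
        return "unsalted-hash"
    return "unknown"


# Constructed sample data standing in for an LDAP search result.
SAMPLE_ENTRIES = [
    ("uid=alice,ou=people,dc=example,dc=com",
     make_ssha("correct horse", b"\x01\x02\x03\x04\x05\x06\x07\x08")),
    ("uid=bob,ou=people,dc=example,dc=com",
     "{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g="),        # unsalted SHA-1 of "password"
    ("uid=carol,ou=people,dc=example,dc=com", "hunter2"),
    ("uid=dave,ou=people,dc=example,dc=com", "{CLEARTEXT}hunter2"),
]


def audit(entries):
    """Map DN -> classification for every entry that is NOT a salted hash."""
    findings = {}
    for dn, value in entries:
        kind = classify(value)
        if kind != "salted-hash":
            findings[dn] = kind
    return findings


if __name__ == "__main__":
    for dn, kind in audit(SAMPLE_ENTRIES).items():
        print(f"{kind:14s} {dn}")
```

Run it against a real export by replacing SAMPLE_ENTRIES with (dn, userPassword) pairs from an LDAP search made with an account allowed to read userPassword; anything reported as plaintext or unsalted-hash is what the quoted documentation warns about, and the fix is on the directory side (for OpenLDAP, its password-hash setting), not in Keycloak.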


Keycloak communicates with the LDAP-compliant directory service via (drumroll, please) LDAP protocol. Keycloak docs talk about Active Directory as the LDAP service but any LDAP-compliant server could work. LDAP as a protocol allows connections to be made to the server in an unencrypted mode as well as secure mode over SSL (aka LDAPS). Keycloak supports LDAPS in addition to the plain old LDAP:

14.3.4. Connect to LDAP over SSL

When you configure a secured connection URL to your LDAP store (for example ldaps://myhost.com:636), Keycloak will use SSL for the communication with the LDAP server.

Here are some configuration examples: one two

Keycloak docs go on to say that when a password is updated in Keycloak and pushed back to LDAP, it is done so in plaintext. This is somewhat misleading. If you use LDAPS, the password is indeed sent as plaintext in some cases but it's wrapped in SSL as a transport layer.

identigral answered Sep 26 '22 08:09
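Both answers come down to the same check: whether the Connection URL is ldap:// (plaintext on 389 unless STARTTLS is enabled) or ldaps:// (TLS on 636). The following is an added example, not code from either answer or from Keycloak, that applies that check to an LDAP user-federation component as it appears in a Keycloak realm export. The dictionary shape (a `config` map whose values are single-element lists, with keys `connectionUrl`, `startTls` and `useTruststoreSpi`) is the author's understanding of the export format and should be confirmed against your own realm export; the two sample configs are constructed.

```python
"""Flag LDAP user-federation transport settings that send passwords in the clear.

Added example, not Keycloak code. The config-key names and the
single-element-list value shape are an assumption about Keycloak's realm
export format; the two configs below are constructed samples.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def _get(config, key, default=""):
    """Read a realm-export style value ({"key": ["value"]}) or a plain string."""
    value = config.get(key, [default])
    return value[0] if isinstance(value, list) else value


def audit_ldap_transport(component):
    """Return a list of findings for one LDAP federation component ([] = ok)."""
    config = component.get("config", {})
    url = _get(config, "connectionUrl")
    start_tls = _get(config, "startTls", "false").lower() == "true"
    truststore = _get(config, "useTruststoreSpi", "ldapsOnly")

    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        return [f"unrecognised scheme {parts.scheme!r} in connectionUrl {url!r}"]
    port = parts.port or DEFAULT_PORTS[scheme]

    findings = []
    if scheme == "ldap" and not start_tls:
        # This is the case both answers warn about: the bind credential and
        # every user password Keycloak forwards cross the network unencrypted.
        findings.append(
            f"plaintext LDAP to {parts.hostname}:{port}: bind credential and "
            "user passwords are sent unencrypted (use ldaps:// or enable STARTTLS)")
    if scheme == "ldaps" and start_tls:
        findings.append("startTls is enabled together with ldaps://; STARTTLS "
                        "upgrades a plain ldap:// connection and does not apply here")
    if (scheme == "ldaps" or start_tls) and truststore == "never":
        # Assumption about the option's meaning: with "never" the Keycloak
        # truststore is not consulted, so the server certificate must chain
        # to something the JVM's default truststore already trusts.
        findings.append("useTruststoreSpi=never: Keycloak's configured truststore "
                        "is not used to validate the LDAP server certificate")
    return findings


# Constructed samples in realm-export shape (assumed format).
WEAK_COMPONENT = {
    "name": "corp-ldap",
    "providerId": "ldap",
    "config": {
        "connectionUrl": ["ldap://ldapserver.domain.com"],
        "startTls": ["false"],
        "useTruststoreSpi": ["ldapsOnly"],
    },
}

HARDENED_COMPONENT = {
    "name": "corp-ldap",
    "providerId": "ldap",
    "config": {
        "connectionUrl": ["ldaps://ldapserver.domain.com:636"],
        "startTls": ["false"],
        "useTruststoreSpi": ["ldapsOnly"],
    },
}


def audit_realm(components):
    """Map component name -> findings for every LDAP component with findings."""
    return {c["name"]: f
            for c in components
            if c.get("providerId") == "ldap" and (f := audit_ldap_transport(c))}


if __name__ == "__main__":
    for name, findings in audit_realm([WEAK_COMPONENT, HARDENED_COMPONENT]).items():
        for finding in findings:
            print(f"{name}: {finding}")
```

Feed it the `components` list of a realm export (or the JSON returned by the admin REST API for the federation provider) and treat any finding on the ldap:// line as the evidence a security review is asking for: with that setting the password Keycloak forwards to the directory is readable on the wire, regardless of how the directory stores it afterwards.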