[keycloak-user] Multiple User Storage Providers

Ryan Slominski ryans at jlab.org
Fri Feb 9 09:46:25 EST 2018


Thanks Marek,
    I am using 3.4.3, but the two Kerberos realms are not configured in a cross realm trust (I want the web apps in one specific Keycloak realm to trust either realm, but that trust shouldn't be universal and System Admins don't want to trust other realms for Workstation logins and cross realm trust would require new authorization considerations as it changes what "anyone with an account" means).  Are cross realm trusts the only way to do what I'm after?

Ryan

----- Original Message -----
From: "Marek Posolda" <mposolda at redhat.com>
To: "Ryan Slominski" <ryans at jlab.org>, "keycloak-user" <keycloak-user at lists.jboss.org>
Sent: Friday, February 9, 2018 9:04:56 AM
Subject: Re: [keycloak-user] Multiple User Storage Providers

Hi,

which Keycloak version are you using? In 3.4.3, we added support for the 
scenario when the kerberos realms are in trust with each other (hence 
you need just 1 LDAP/Kerberos UserStorageProvider and 1 keytab). Could 
you try with 3.4.3 and see if it helps? Otherwise please create JIRA 
with the steps to reproduce and ideally with server.log (with DEBUG 
option enabled on LDAP storage providers and with DEBUG logging 
described in "Troubleshooting" section of our Kerberos documentation).

Thanks,
Marek

On 9.2.2018 at 14:51 Ryan Slominski wrote:
> Hi Keycloak users,
>     I'm looking for tips on how to migrate from mod_auth_kerb to Keycloak.  I have two Kerberos realms, and one is a subset of the other: DOMAIN.ORG and INTERNAL.DOMAIN.ORG.  The mod_auth_kerb handles this scenario beautifully and I simply have a service principal for each Kerberos realm in the keytab and Apache httpd will login the user if they are in either of the Kerberos realms.  For Keycloak adding two Kerberos user storage providers, one at priority 1, and another at priority 2 doesn't seem to work.  Only the first one is used.  What are other people doing to handle this?  Creating a custom User Storage Provider?  Client side multitenancy?  Perhaps if I use two LDAP servers instead of two KDCs it could work (I assume from the priority field of user storage provider API that something must be allowed to be paired together)?
>
> Thanks,
>
> Ryan
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss.org_mailman_listinfo_keycloak-2Duser&d=DwICBA&c=lz9TcOasaINaaC3U7FbMev2lsutwpI4--09aP8Lu18s&r=EMs2e6afv3D1GQJO76Z9Fg&m=9_qBWrxq5tF_Bbe0PAmmj-8rJvJEqkjkYTpziWQCTcU&s=jJplqt7pC9jx8uJECGPSSPspXnqit8NW_PCQsYQLpug&e=
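A small check related to the per-realm keytab Ryan describes, added here as an example and not taken from the thread or from the Keycloak project: it parses `klist -k` output and reports which of the expected realms have no HTTP service principal, which is the first thing to verify before blaming the storage-provider ordering. The sample output, keytab path and hostname below are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of `klist -k` output (not from the thread); the keytab
# path and hostname are placeholders. The duplicate DOMAIN.ORG line mimics
# the repeated entries klist prints for multiple encryption types.
SAMPLE_KLIST = """Keytab name: FILE:/etc/keycloak/http.keytab
KVNO Principal
---- --------------------------------------------------------------------
   3 HTTP/sso.domain.org@DOMAIN.ORG
   3 HTTP/sso.domain.org@DOMAIN.ORG
   5 HTTP/sso.domain.org@INTERNAL.DOMAIN.ORG
   2 host/sso.domain.org@DOMAIN.ORG
"""

# One entry line: key version number, principal name, '@', realm.
PRINCIPAL_RE = re.compile(r"^\s*(\d+)\s+(\S+)@(\S+)\s*$")


def parse_klist(text):
    """Return {realm: {principal_name: highest_kvno}} from `klist -k` text."""
    entries = defaultdict(dict)
    for line in text.splitlines():
        m = PRINCIPAL_RE.match(line)
        if not m:
            continue  # "Keytab name:" header, column header, separator, blanks
        kvno, name, realm = int(m.group(1)), m.group(2), m.group(3)
        entries[realm][name] = max(kvno, entries[realm].get(name, 0))
    return dict(entries)


def missing_spn_realms(keytab_entries, expected_realms, service="HTTP", host=None):
    """Realms in expected_realms that lack a service/host principal in the keytab.

    With host=None any principal of the given service counts; pass the SSO
    hostname to require an exact match (the usual case for a single server).
    """
    missing = []
    for realm in expected_realms:
        names = keytab_entries.get(realm, {})
        wanted = f"{service}/{host}" if host else None
        present = any(n == wanted if wanted else n.startswith(service + "/")
                      for n in names)
        if not present:
            missing.append(realm)
    return missing


if __name__ == "__main__":
    parsed = parse_klist(SAMPLE_KLIST)
    print(missing_spn_realms(parsed, ["DOMAIN.ORG", "INTERNAL.DOMAIN.ORG"]))
```

Run it against real output with `klist -k -t /path/to/keytab` piped into `parse_klist` to see which realm's principal is actually absent.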

