Hello, I'm considering deployement of Keycloak serving as an OAuth2 / Open ID provider for users managed in multiple MS Active Directory and Active Directory Lightweight services. For internal desktop users Kerberos should be used to prevent credentials re-entry following log-on to domain-joined computer. The tricky part is that usernames are considered to be unique only withing single AD domain, so username 'godlewsm' can exists both in Kerberos realm ACMEPL.LOCAL AND ACMECZ.LOCAL. For LDAP storage provider ( https://github.com/keycloak/keycloak/blob/master/federation/ldap/src/main... ) there is assumption that only username part of principal name would be used further, which prevents distinguishing accounts properly. Is there plan to change this behaviour or the only way would be implement a custom UserStorageProvider based on LDAPStorageProvider ? Best regards, Mariusz Godlewski _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev