Yes, it's possible that we need some more flexibility here. Feel free to
create a JIRA for better support of this, but I'm not sure when it would be
fixed. In the meantime, yes, you can create your own provider.
On 09/01/18 19:44, Mariusz Godlewski wrote:
I'm considering deployment of Keycloak serving as an OAuth2 / OpenID
provider for users managed in multiple MS Active Directory and Active
Directory Lightweight services. For internal desktop users Kerberos should
be used to prevent credentials re-entry following log-on to domain-joined
The tricky part is that usernames are considered to be unique only within a
single AD domain, so username 'godlewsm' can exist both in Kerberos realm
ACMEPL.LOCAL AND ACMECZ.LOCAL. For LDAP storage provider (
there is an assumption that only the username part of the principal name would be used
further, which prevents distinguishing accounts properly.
Is there a plan to change this behaviour, or would the only way be to implement a
custom UserStorageProvider based on LDAPStorageProvider?
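As an added illustration (not Keycloak's code and not from the thread), the collision described above modelled in Python: the realm-to-LDAP mapping and principals are constructed sample values, and the two key functions contrast dropping the realm with keeping it.

```python
from dataclasses import dataclass

# Constructed sample: which LDAP directory backs each federated Kerberos realm.
REALM_TO_LDAP = {
    "ACMEPL.LOCAL": "ldap://dc1.acmepl.local",
    "ACMECZ.LOCAL": "ldap://dc1.acmecz.local",
}


@dataclass(frozen=True)
class Principal:
    username: str
    realm: str


def parse_principal(spn: str) -> Principal:
    """Split 'user@REALM'; reject malformed input and realms that are not federated."""
    user, sep, realm = spn.rpartition("@")
    if not sep or not user or not realm or "@" in user:
        raise ValueError(f"malformed principal: {spn!r}")
    realm = realm.upper()  # Kerberos realms are conventionally upper-case
    if realm not in REALM_TO_LDAP:
        raise ValueError(f"unknown realm: {realm}")
    return Principal(user, realm)


def is_valid_principal(spn: str) -> bool:
    try:
        parse_principal(spn)
        return True
    except ValueError:
        return False


def username_only_key(p: Principal) -> str:
    """Behaviour the thread describes: the realm is discarded, so accounts merge."""
    return p.username


def realm_qualified_key(p: Principal) -> str:
    """Keep the realm, so 'godlewsm' in each domain stays a distinct account."""
    return f"{p.username}@{p.realm}"


def lookup_accounts(principals, key) -> dict:
    """Simulate a user store keyed by `key`: {key: set of LDAP backends that matched}."""
    store: dict = {}
    for spn in principals:
        p = parse_principal(spn)
        store.setdefault(key(p), set()).add(REALM_TO_LDAP[p.realm])
    return store


def collisions(store: dict) -> list:
    """Keys under which users from more than one directory were merged."""
    return sorted(k for k, backends in store.items() if len(backends) > 1)
```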
keycloak-dev mailing list