On 10/08/18 02:18, Fox, Kevin M wrote:
> I'm trying to set up ldap & kerberos for username/password auth.
> I have a slightly unusual setup so maybe I've hit a strange edge case bug.
> I have a read only ldap replica with users in it, that sources from Active Directory.
> I set up User Federation of type ldap. I set it up with Vendor: Active Directory so the
> schema was right. Authentication Type is set to none.
> I then turned on "Use Kerberos For Password Authentication" and have Allow
> Kerberos authentication set to false.

I've just checked that this currently won't work. If you want to use
Kerberos for password validation, it requires setting both "Use Kerberos
For Password Authentication" and "Allow Kerberos authentication" to true.
If you want to use Kerberos just for username/password validations and
not for SPNEGO login, you can manually disable the "Kerberos"
authenticator in the "Authentication" tab. Also if you don't set "Server Principal" and
KeyTab, the SPNEGO will be effectively disabled (even though using
Kerberos for username/password validation should still work).

Marek

> I ensured a proper krb5.conf and can kinit.
> I checked the logs and do see the proper kerberosRelm printed out of
> org.keycloak.storage.ldap.LDAPIdentityStoreRegistry
> User authentication is failing though. Through some stracing, I can see it trying to send
> the password to ldap. The ldap replica has no password info though, so this will always
> fail.
> Is this expected behavior in this config? It was surprising to me.
>
> Thanks,
> Kevin
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
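As an added illustration (not code from the thread or from Keycloak itself), the checker below encodes the rule Marek describes and runs it over an LDAP user-federation component config in the shape a Keycloak realm export uses (each value is a one-element list). The key names `useKerberosForPasswordAuthentication`, `allowKerberosAuthentication`, `serverPrincipal`, `keyTab`, `vendor` and `authType` are assumed to be the provider's storage keys; verify them against your own export before relying on the script.

```python
# Added example, not from the mailing-list thread. Config key names are an
# assumption about Keycloak's LDAP provider storage keys.

def _value(config, key):
    """Read a realm-export style value ({key: ["value"]}); tolerate plain strings too."""
    values = config.get(key, [])
    return values[0] if isinstance(values, list) and values else values

def _flag(config, key):
    return str(_value(config, key)).strip().lower() == "true"

def kerberos_auth_status(config):
    """Report what the LDAP provider config effectively enables, per Marek's reply."""
    use_krb_pw = _flag(config, "useKerberosForPasswordAuthentication")
    allow_krb = _flag(config, "allowKerberosAuthentication")
    has_spn = bool(_value(config, "serverPrincipal")) and bool(_value(config, "keyTab"))
    problems = []
    if use_krb_pw and not allow_krb:
        # This is the reported setup: the password bind falls through to LDAP,
        # which fails against a replica that carries no password attributes.
        problems.append("useKerberosForPasswordAuthentication=true needs "
                        "allowKerberosAuthentication=true; password will go to LDAP")
    return {
        # Kerberos password validation only works when BOTH flags are true.
        "password_via_kerberos": use_krb_pw and allow_krb,
        # SPNEGO is only effective with Kerberos allowed plus principal and keytab.
        "spnego_effective": allow_krb and has_spn,
        "problems": problems,
    }

# Constructed sample configs: the one described in the thread, then the fix.
REPORTED_CONFIG = {
    "vendor": ["ad"],
    "authType": ["none"],
    "useKerberosForPasswordAuthentication": ["true"],
    "allowKerberosAuthentication": ["false"],
    "kerberosRealm": ["EXAMPLE.ORG"],  # placeholder realm
}
CORRECTED_CONFIG = dict(REPORTED_CONFIG, allowKerberosAuthentication=["true"])

if __name__ == "__main__":
    for name, cfg in (("reported", REPORTED_CONFIG), ("corrected", CORRECTED_CONFIG)):
        print(name, kerberos_auth_status(cfg))
```

With the corrected config and no Server Principal/KeyTab, the report shows Kerberos password validation on and SPNEGO off, which is the "password validation only" outcome Marek describes.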