[keycloak-dev] User principal name with multiple backend MSAD servers

Mariusz Godlewski m.godlewski at gmail.com
Tue Jan 9 13:44:37 EST 2018


Hello,

I'm considering deployment of Keycloak serving as an OAuth2 / OpenID
provider for users managed in multiple MS Active Directory and Active
Directory Lightweight services. For internal desktop users Kerberos should
be used to prevent credentials re-entry following log-on to a domain-joined
computer.

The tricky part is that usernames are considered to be unique only within a
single AD domain, so username 'godlewsm' can exist both in Kerberos realm
ACMEPL.LOCAL AND ACMECZ.LOCAL. For the LDAP storage provider (
https://github.com/keycloak/keycloak/blob/master/federation/ldap/src/main/java/org/keycloak/storage/ldap/LDAPStorageProvider.java#L684
)
there is an assumption that only the username part of the principal name would be used
further, which prevents distinguishing accounts properly.

Is there a plan to change this behaviour, or would the only way be to implement a
custom UserStorageProvider based on LDAPStorageProvider?

Best regards,
Mariusz Godlewski
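An added illustration of the collision described in the mail, not code from the mail or from Keycloak: two constructed directories hold the same sAMAccountName, and a lookup that drops the Kerberos realm matches both, while a realm-qualified lookup selects exactly one. The directory contents and DNs are hypothetical.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample directories: the same sAMAccountName exists in two AD
# domains / Kerberos realms (hypothetical DNs, not real accounts).
DIRECTORIES: Dict[str, Dict[str, str]] = {
    "ACMEPL.LOCAL": {"godlewsm": "CN=godlewsm,OU=Users,DC=acmepl,DC=local"},
    "ACMECZ.LOCAL": {"godlewsm": "CN=godlewsm,OU=Users,DC=acmecz,DC=local"},
}


def parse_principal(principal: str) -> Tuple[str, str]:
    """Split a Kerberos principal 'user@REALM' into (user, REALM).

    A principal without a realm is rejected rather than guessed, because the
    realm is the only thing that disambiguates 'godlewsm' across domains.
    Realms are upper-cased for comparison (assumption: MSAD realm names are
    case-insensitive in practice).
    """
    user, sep, realm = principal.rpartition("@")
    if not sep or not user or not realm:
        raise ValueError(f"principal must be user@REALM: {principal!r}")
    return user, realm.upper()


def lookup_username_only(principal: str) -> List[Tuple[str, str]]:
    """Realm-dropping lookup: every directory holding the bare username matches,
    so more than one hit means the account cannot be resolved unambiguously."""
    user, _ = parse_principal(principal)
    return [(realm, users[user]) for realm, users in DIRECTORIES.items() if user in users]


def lookup_by_realm(principal: str) -> Optional[str]:
    """Realm-qualified lookup: the realm selects the directory, then the user."""
    user, realm = parse_principal(principal)
    return DIRECTORIES.get(realm, {}).get(user)


if __name__ == "__main__":
    print(lookup_username_only("godlewsm@ACMEPL.LOCAL"))  # two hits: ambiguous
    print(lookup_by_realm("godlewsm@ACMEPL.LOCAL"))       # exactly one DN
```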

