[keycloak-dev] User principal name with multiple backend MSAD servers
Marek Posolda
mposolda at redhat.com
Wed Jan 10 03:26:48 EST 2018
Yes, it's possible that we need some more flexibility here. Feel free to
create a JIRA for better support of this, but not sure when it will be fixed. In
the meantime, yes, you can create your own provider.
Marek
On 09/01/18 19:44, Mariusz Godlewski wrote:
> Hello,
>
> I'm considering deployment of Keycloak serving as an OAuth2 / OpenID
> provider for users managed in multiple MS Active Directory and Active
> Directory Lightweight services. For internal desktop users Kerberos should
> be used to prevent credentials re-entry following log-on to a domain-joined
> computer.
>
> The tricky part is that usernames are considered to be unique only within a
> single AD domain, so username 'godlewsm' can exist both in Kerberos realm
> ACMEPL.LOCAL AND ACMECZ.LOCAL. For LDAP storage provider (
> https://github.com/keycloak/keycloak/blob/master/federation/ldap/src/main/java/org/keycloak/storage/ldap/LDAPStorageProvider.java#L684
> )
> there is an assumption that only the username part of the principal name would be used
> further, which prevents distinguishing accounts properly.
>
> Is there a plan to change this behaviour, or would the only way be to implement a
> custom UserStorageProvider based on LDAPStorageProvider?
>
> Best regards,
> Mariusz Godlewski
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
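To make the collision the thread describes concrete, here is an added illustration (not Keycloak's code and not the poster's) of why a federated login must keep the Kerberos realm when usernames are only unique per AD domain: two constructed directories both hold a user named `godlewsm`, a lookup keyed on the username alone resolves to whichever directory is searched first, and a lookup keyed on `(realm, username)` resolves to the intended account and refuses unknown realms. The directory contents, the `DIRECTORIES` routing table and the function names are assumptions made for this example.

```python
# Added illustration, not Keycloak's own code: identity mapping for Kerberos
# principals when several AD domains are federated behind one login.
from typing import Optional

# Constructed sample data: one directory per Kerberos realm / AD domain.
# Each maps sAMAccountName -> (description, directory-local id). Values are made up.
DIRECTORIES = {
    "ACMEPL.LOCAL": {"godlewsm": ("godlewsm in ACMEPL", "pl-guid-0001")},
    "ACMECZ.LOCAL": {"godlewsm": ("godlewsm in ACMECZ", "cz-guid-0001")},
}


def parse_principal(principal: str) -> tuple[str, str]:
    """Split 'user@REALM' into (user, REALM); reject malformed input."""
    if principal.count("@") != 1:
        raise ValueError(f"malformed principal: {principal!r}")
    user, realm = principal.rsplit("@", 1)
    if not user or not realm:
        raise ValueError(f"malformed principal: {principal!r}")
    # Kerberos realms are conventionally upper-case; normalise for the lookup key.
    return user, realm.upper()


def lookup_username_only(principal: str) -> Optional[tuple[str, str]]:
    """Unsafe variant: discards the realm and returns the first directory hit.

    With two domains sharing a username this silently maps a user from one
    domain onto the account of another, which is the problem the thread raises.
    """
    user, _realm = parse_principal(principal)
    for entries in DIRECTORIES.values():
        if user in entries:
            return entries[user]
    return None


def lookup_realm_aware(principal: str) -> Optional[tuple[str, str]]:
    """Safe variant: the realm selects the directory, so equal usernames in
    different domains never collide, and an unknown realm is refused rather
    than guessed."""
    user, realm = parse_principal(principal)
    entries = DIRECTORIES.get(realm)
    if entries is None:
        return None
    return entries.get(user)


def naive_lookup_collides(principal_a: str, principal_b: str) -> bool:
    """True when the realm-blind lookup maps two distinct principals to one account."""
    if parse_principal(principal_a) == parse_principal(principal_b):
        return False
    a = lookup_username_only(principal_a)
    b = lookup_username_only(principal_b)
    return a is not None and a == b


if __name__ == "__main__":
    for p in ("godlewsm@ACMEPL.LOCAL", "godlewsm@ACMECZ.LOCAL"):
        print(p, "->", lookup_username_only(p), "| realm-aware:", lookup_realm_aware(p))
```

The realm-aware variant is what a custom storage provider built for this deployment would need to preserve: the realm (or an equivalent per-domain discriminator) has to survive from the Kerberos authentication into the directory lookup, otherwise the second domain's users are effectively authenticating as the first domain's accounts.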