[keycloak-user] Multiple User Storage Providers
Marek Posolda
mposolda at redhat.com
Fri Feb 9 09:04:56 EST 2018
Hi,
which Keycloak version are you using? In 3.4.3, we added support for the
scenario when the kerberos realms are in trust with each other (hence
you need just 1 LDAP/Kerberos UserStorageProvider and 1 keytab). Could
you try with 3.4.3 and see if it helps? Otherwise please create JIRA
with the steps to reproduce and ideally with server.log (with DEBUG
option enabled on LDAP storage providers and with DEBUG logging
described in "Troubleshooting" section of our Kerberos documentation).
Thanks,
Marek
Dne 9.2.2018 v 14:51 Ryan Slominski napsal(a):
> Hi Keycloak users,
> I'm looking for tips on how to migrate from mod_auth_kerb to Keycloak. I have two Kerberos realms, and one is a subset of the other: DOMAIN.ORG and INTERNAL.DOMAIN.ORG. The mod_auth_kerb handles this scenario beautifully and I simply have a service principal for each Kerberos realm in the keytab and Apache httpd will login the user if they are in either of the Kerberos realms. For Keycloak adding two Kerberos user storage providers, one at priority 1, and another at priority 2 doesn't seem to work. Only the first one used. What are other people doing to handle this? Creating a custom User Storage Provider? Client side multitenancy? Perhaps if I use two LDAP servers instead of two KDCs it could work (I assume from the priority field of user storage provider API that something must be allowed to be paired together)?
>
> Thanks,
>
> Ryan
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
More information about the keycloak-user
mailing list