[keycloak-user] Multiple User Storage Providers

Marek Posolda mposolda at redhat.com
Fri Feb 9 09:04:56 EST 2018


Hi,

which Keycloak version are you using? In 3.4.3, we added support for the 
scenario when the kerberos realms are in trust with each other (hence 
you need just 1 LDAP/Kerberos UserStorageProvider and 1 keytab). Could 
you try with 3.4.3 and see if it helps? Otherwise please create JIRA 
with the steps to reproduce and ideally with server.log (with DEBUG 
option enabled on LDAP storage providers and with DEBUG logging 
described in "Troubleshooting" section of our Kerberos documentation).

Thanks,
Marek

Dne 9.2.2018 v 14:51 Ryan Slominski napsal(a):
> Hi Keycloak users,
>     I'm looking for tips on how to migrate from mod_auth_kerb to Keycloak.  I have two Kerberos realms, and one is a subset of the other: DOMAIN.ORG and INTERNAL.DOMAIN.ORG.  The mod_auth_kerb handles this scenario beautifully and I simply have a service principal for each Kerberos realm in the keytab and Apache httpd will login the user if they are in either of the Kerberos realms.  For Keycloak adding two Kerberos user storage providers, one at priority 1, and another at priority 2 doesn't seem to work.  Only the first one used.  What are other people doing to handle this?  Creating a custom User Storage Provider?  Client side multitenancy?  Perhaps if I use two LDAP servers instead of two KDCs it could work (I assume from the priority field of user storage provider API that something must be allowed to be paired together)?
>
> Thanks,
>
> Ryan
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user




More information about the keycloak-user mailing list