[keycloak-user] Multiple User Storage Providers
Ryan Slominski
ryans at jlab.org
Wed May 2 10:41:36 EDT 2018
Hey Dominik,
Now I understand: multiple user storage providers are for when you have multiple databases of **unique** usernames. In my case I have two databases and one is a subset of the other (100% duplicates) and there is a one-to-one match of usernames/email addresses. In other words, the company has an LDAP database and the department has its own database with a subset of global users so we can enforce a separate unique password for some "special" systems. However, on the web either password should work. It sounds like the custom authenticator might be a good option. Would SPNEGO still work for either (the example doesn't show an API for dealing with that)?
Thanks,
Ryan
----- Original Message -----
From: "Dominik Guhr" <pinguwien at gmail.com>
To: "keycloak-user" <keycloak-user at lists.jboss.org>
Sent: Wednesday, May 2, 2018 3:53:20 AM
Subject: Re: [keycloak-user] Multiple User Storage Providers
Hi Ryan,
here are a few thoughts and suggestions from my side:
For a customer, I implemented a kc 3.4.3 custom user storage provider
for his "old" application db, together with 2 Kerberos-using LDAP
providers which I added via the admin page. This works very well so far, so
what exactly does not work with your providers and priority?! Why is
"only the first one used"? What you mention in 3. is the "normal" way
to go in Keycloak (*)
That said, there are several examples on github here:
https://github.com/keycloak/keycloak/tree/master/examples which are a
great starting point.
(*) Might have something to do with this:
In the scenario I mentioned, it's possible that the usernames are not as
unique as they should be. There's a john.doe in ldap1 and a john.doe in
ldap2, different companies etc.
So, Keycloak's "normal" flow is: look in provider 1 -> username matches?
great! Password matches? Nope! -> send error!
We had the requirement to use a multi-password approach, which was quite
easy to set up with a custom authenticator which does it like this:
look in provider 1 -> username matches? great! password matches? nope!
-> go over all the LDAPs of the realm and search for the same username ->
yep, there's one -> match pw -> ok, login!
Feel free to reach out if that might be the problem.
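The fallback flow Dominik describes, as an added example written for this thread (it is not code from the thread, from Dominik's customer project, or from the Keycloak project): a browser-flow authenticator that extends Keycloak's stock username/password form and, before giving up on a password, tries it against every enabled user storage provider of the realm that knows the same username, in priority order. Class and package names are hypothetical; the SPI calls are those of the Keycloak 3.4-era API that the thread refers to, and the calls marked "assumed" in the comments (`getUserStorageProviders()` returning a `List`, `validatePassword` without a `clearUser` parameter, `UserStorageManager.getStorageProviderInstance`, the `getUserByUsername(username, realm)` argument order) have changed in later releases and need checking against the version in use.

```java
// Added example, not from the thread or the Keycloak project. Assumes the
// Keycloak 3.4-era authentication and user storage SPI; calls marked
// "assumed" have different signatures in newer releases.
package example.auth; // hypothetical package

import java.util.ArrayList;
import java.util.Comparator;
import java.util.List;
import javax.ws.rs.core.MultivaluedMap;

import org.jboss.logging.Logger;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.authenticators.browser.UsernamePasswordForm;
import org.keycloak.credential.CredentialInputValidator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.storage.UserStorageManager;
import org.keycloak.storage.UserStorageProviderModel;
import org.keycloak.storage.user.UserLookupProvider;

public class MultiProviderPasswordForm extends UsernamePasswordForm {

    private static final Logger LOG = Logger.getLogger(MultiProviderPasswordForm.class);

    // The stock form only validates the password against the provider the user
    // is federated to. This override first walks all providers in priority order
    // and, if none accepts the password, falls back to the stock check so that
    // the error page, the LOGIN_ERROR event and brute-force counting still happen.
    @Override // assumed: 3.x signature (newer releases add a boolean clearUser argument)
    public boolean validatePassword(AuthenticationFlowContext context, UserModel user,
                                    MultivaluedMap<String, String> inputData) {
        String password = inputData.getFirst("password");
        if (password != null && !password.isEmpty()
                && anyProviderAccepts(context.getSession(), context.getRealm(),
                                      user.getUsername(), password)) {
            return true;
        }
        return super.validatePassword(context, user, inputData);
    }

    // Returns true as soon as one enabled provider (a) knows the username and
    // (b) accepts the password through its own CredentialInputValidator.
    static boolean anyProviderAccepts(KeycloakSession session, RealmModel realm,
                                      String username, String password) {
        // assumed: returns a List in 3.x/4.x (a Stream since Keycloak 13)
        List<UserStorageProviderModel> providers =
                new ArrayList<>(realm.getUserStorageProviders());
        providers.sort(Comparator.comparingInt(UserStorageProviderModel::getPriority));

        for (UserStorageProviderModel model : providers) {
            if (!model.isEnabled()) {
                continue;
            }
            // assumed: helper that instantiates the component-backed provider
            UserLookupProvider lookup = UserStorageManager.getStorageProviderInstance(
                    session, model, UserLookupProvider.class);
            if (!(lookup instanceof CredentialInputValidator)) {
                continue; // provider cannot check passwords at all
            }
            UserModel candidate = lookup.getUserByUsername(username, realm); // assumed: 3.x argument order
            if (candidate == null) {
                continue; // this provider does not know the username
            }
            CredentialInputValidator validator = (CredentialInputValidator) lookup;
            if (validator.isValid(realm, candidate, UserCredentialModel.password(password))) {
                LOG.debugf("password for '%s' accepted by provider '%s'", username, model.getName());
                return true;
            }
        }
        return false;
    }
}
```

To use it, the class still needs an `AuthenticatorFactory` registered through `META-INF/services/org.keycloak.authentication.AuthenticatorFactory` and must replace the stock "Username Password Form" execution in a copy of the browser flow. Two design points worth keeping in mind: the fallback is only safe under the one-to-one username match Ryan describes, since it accepts the login for the user the form looked up even though the password was checked against another provider's record of that username; and because every provider is consulted, one account now has as many valid passwords as providers that hold it, so password-policy and lockout settings should be reviewed on each backing store rather than only in Keycloak.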