Description
TL;DR: Support a configuration on the LDAP provider which would specify which Kerberos realm(s) are handled by a given LDAP provider.
Original description follows
Describe the bug
KEYCLOAK-7009
Keycloak has supported multiple Kerberos realms since [KEYCLOAK-3842](https://issues.redhat.com/browse/KEYCLOAK-3842), but it does not work in the following situations.
Closing reason
Closing as duplicate of [KEYCLOAK-6225](https://issues.redhat.com/browse/KEYCLOAK-6225). Although the "Steps to reproduce" are really nice and will help when we start work on [KEYCLOAK-6225](https://issues.redhat.com/browse/KEYCLOAK-6225) (which is not clear when it will be).
KEYCLOAK-6225
In a scenario where multiple User Storage providers are configured, and you have 2 LDAP providers configured against a Kerberos realm (assuming both use the same keytab file), Keycloak ideally should look up the user being authenticated in each one (following priority order) until it finds it.
For example, in a scenario where we have two providers, LDAP A and LDAP B, if the user couldn't be found in the first one, Keycloak would look it up in LDAP B.
Today, if the user couldn't be found in the first one, the authentication flow stops and returns an authentication error to the client.
Closing reason
Issue is being closed as out of date due to lack of work on this issue.
I made a PR a while ago after asking on the mailing list, I can update it if you want.
Version
15.1.1
Expected behavior
User should be logged in on the correct LDAP
Improvement plan:
I think Keycloak should search the LDAP which is extracted from the user principal.
(I think Active Directory has a lot of configuration such as the global catalog, so the improvement plan should be discussed in more depth here.)
Actual behavior
(1)
I found that user002 and user003 cannot do desktop single sign-on.
Keycloak treats it as an error when "Kerberos authentication succeeded" but "Keycloak cannot find the user information in the LDAP provider".
server.log:
```
2018-03-16 17:39:47,233 WARN [org.keycloak.storage.ldap.LDAPStorageProvider] (default task-13) Kerberos/SPNEGO authentication succeeded with username [user002], but couldn't find or create user with federation provider [aaa.com]
```
(2)
When ccc.com\user001 logged in to the Windows domain, desktop SSO succeeded but Keycloak got the wrong user information (aaa.com\user001).
Keycloak got the user principal ([email protected]) but Keycloak extracts just "user001" and searches for the user information without using "ccc.com".
How to Reproduce?
Situation:
- I have an Active Directory environment with multiple Kerberos realms attached.
- I want to implement desktop single sign-on using the "ldap provider".
Active Directory setting:
- Domain Controller: AAA.COM
  ```
  ktpass -out keycloak.HTTP.keytab.aaa -princ HTTP/[email protected] -ptype KRB5_NT_PRINCIPAL -mapuser keycloak -pass P@ssw0rd
  ```
- Domain Controller: CCC.COM
  ```
  ktpass -out keycloak.HTTP.keytab.ccc -princ HTTP/[email protected] -ptype KRB5_NT_PRINCIPAL -mapuser keycloak -pass P@ssw0rd
  ```
Keycloak setting:
Keycloak User Federation:
1. aaa.com (priority:0)
| key | value |
|---|---|
| Username LDAP attribute | sAMAccountName |
| Connection URL | ldap://aaa.com |
| Allow Kerberos authentication | ON |
| Kerberos Realm | AAA.COM |
| Server Principal | HTTP/[email protected] |
| KeyTab | /opt/keytab/keycloak.HTTP.keytab.aaa |
2. bbb.com (priority:10)
| key | value |
|---|---|
| Username LDAP attribute | sAMAccountName |
| Connection URL | ldap://bbb.com |
| Allow Kerberos authentication | ON |
| Kerberos Realm | BBB.COM |
| Server Principal | HTTP/[email protected] |
| KeyTab | /opt/keytab/keycloak.HTTP.keytab.aaa |
3. ccc.com (priority:20)
| key | value |
|---|---|
| Username LDAP attribute | sAMAccountName |
| Connection URL | ldap://ccc.com |
| Allow Kerberos authentication | ON |
| Kerberos Realm | CCC.COM |
| Server Principal | HTTP/[email protected] |
| KeyTab | /opt/keytab/keycloak.HTTP.keytab.ccc |
Anything else?
No response
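The lookup routing this report asks for, modelled as an added Python example over the three User Federation entries configured above (this is illustrative code, not Keycloak's own implementation; the function names, the `LdapProvider` record and the handling of the `DOMAIN\user` principal form are assumptions):

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class LdapProvider:
    """Hypothetical record holding the fields of one LDAP provider relevant here."""
    name: str
    priority: int
    kerberos_realm: str
    keytab: str


# Constructed from the three User Federation entries in the report.
PROVIDERS = [
    LdapProvider("aaa.com", 0, "AAA.COM", "/opt/keytab/keycloak.HTTP.keytab.aaa"),
    LdapProvider("bbb.com", 10, "BBB.COM", "/opt/keytab/keycloak.HTTP.keytab.aaa"),
    LdapProvider("ccc.com", 20, "CCC.COM", "/opt/keytab/keycloak.HTTP.keytab.ccc"),
]


def split_principal(principal: str) -> Tuple[str, Optional[str]]:
    """Return (username, REALM) from 'user@REALM' or 'DOMAIN\\user'; realm is None if absent."""
    if "@" in principal:
        user, _, realm = principal.rpartition("@")
        return user, realm.upper()
    if "\\" in principal:  # assumption: DOMAIN\user maps to the realm of that domain
        domain, _, user = principal.partition("\\")
        return user, domain.upper()
    return principal, None


def current_behaviour(principal: str, providers: List[LdapProvider]) -> Tuple[str, List[str]]:
    """Reported behaviour: the realm is dropped and the bare username is looked up
    only in the highest-priority provider, so ccc.com\\user001 resolves to aaa.com."""
    user, _ = split_principal(principal)
    first = min(providers, key=lambda p: p.priority)
    return user, [first.name]


def proposed_behaviour(principal: str, providers: List[LdapProvider]) -> Tuple[str, List[str]]:
    """Improvement plan: search only providers whose Kerberos Realm matches the realm taken
    from the principal, in priority order (the KEYCLOAK-6225 fall-through when several match).
    With no realm in the principal, fall back to every provider in priority order."""
    user, realm = split_principal(principal)
    ordered = sorted(providers, key=lambda p: p.priority)
    if realm is None:
        return user, [p.name for p in ordered]
    return user, [p.name for p in ordered if p.kerberos_realm.upper() == realm]
```

With the three providers above, `current_behaviour("user001@CCC.COM", ...)` returns only `aaa.com`, reproducing the wrong-user symptom, while `proposed_behaviour` returns only `ccc.com`.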