LDAP AD integration + kerberos

Hi to all, if I integrate an AD in Keycloak (like LDAP), I import the users into my Keycloak DB.

After integrating that user federation provider, if I enable the Kerberos integration in the AD user provider, are the users coming from Kerberos (related to that AD) merged with the users that are considered from the AD?

I have to understand this: if I create a user federation with an AD and enable the Kerberos integration inside the user federation, when a user logs in with Kerberos, does Keycloak consider that user a “user federation user” imported during the creation of the AD user federation, or does it create a new user related to the Kerberos principal?

thanks

My question is because in the Keycloak Kerberos documentation we have 2 ways to configure it: using a Kerberos provider and using Kerberos user storage federation providers.

The second one, “To authenticate with Kerberos backed by an LDAP server”, has this specification:

Allow Kerberos authentication makes Keycloak use the Kerberos principal access user information so information can import into the Keycloak environment.

I can’t understand if, in that way, the user that is authenticating will use the already present user imported from the LDAP configuration.

In the first method, the Kerberos User Storage Federation Provider, it is specified:
The Kerberos provider parses the Kerberos ticket for simple principal information and imports the information into the local Keycloak database.
So in that case I understand that the user is completely imported into the DB.

Any idea? For “To authenticate with Kerberos backed by an LDAP server”, is the user actually the one of the LDAP in which the Kerberos integration is made?

thanks!

Hi to all, in the end I’ve tested it in a lab and I can confirm that in the case of Kerberos inside an LDAP user storage provider, the user that authenticates with Kerberos is NOT created as new, but the session is bound to the user imported from AD/LDAP.
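As an added example (not from this thread, and not the Keycloak project's own sample), here is what the two setups discussed above look like as user storage components in a Keycloak realm-export JSON: an `ldap` provider for the AD with Kerberos enabled inside it (the "Kerberos backed by an LDAP server" case that the lab test above confirms binds the session to the imported LDAP user), next to a standalone `kerberos` provider (the case that imports only the principal into the local DB). The two components are listed side by side only to contrast them; in a real realm you would enable one of them. The realm name, component names, host names, DNs, bind credential and keytab path are constructed placeholders; the config keys are the ones used by Keycloak's `ldap` and `kerberos` user storage providers as I know them, so treat them as an assumption and compare against a realm export from your own Keycloak version.

```json
{
  "realm": "example",
  "components": {
    "org.keycloak.storage.UserStorageProvider": [
      {
        "name": "corp-ad",
        "providerId": "ldap",
        "subComponents": {},
        "config": {
          "enabled": ["true"],
          "vendor": ["ad"],
          "connectionUrl": ["ldaps://dc01.corp.example:636"],
          "usersDn": ["CN=Users,DC=corp,DC=example"],
          "bindDn": ["CN=keycloak-svc,CN=Users,DC=corp,DC=example"],
          "bindCredential": ["PLACEHOLDER_BIND_PASSWORD"],
          "usernameLDAPAttribute": ["sAMAccountName"],
          "editMode": ["READ_ONLY"],
          "importEnabled": ["true"],
          "allowKerberosAuthentication": ["true"],
          "useKerberosForPasswordAuthentication": ["false"],
          "kerberosRealm": ["CORP.EXAMPLE"],
          "serverPrincipal": ["HTTP/keycloak.corp.example@CORP.EXAMPLE"],
          "keyTab": ["/etc/keycloak/keycloak.keytab"]
        }
      },
      {
        "name": "corp-kerberos-only",
        "providerId": "kerberos",
        "subComponents": {},
        "config": {
          "enabled": ["true"],
          "kerberosRealm": ["CORP.EXAMPLE"],
          "serverPrincipal": ["HTTP/keycloak.corp.example@CORP.EXAMPLE"],
          "keyTab": ["/etc/keycloak/keycloak.keytab"],
          "allowPasswordAuthentication": ["false"],
          "editMode": ["READ_ONLY"],
          "updateProfileFirstLogin": ["false"]
        }
      }
    ]
  }
}
```

A quick way to check which behaviour you actually got: after a Kerberos login, open the user in the admin console (or fetch it through the admin REST API) and look at its federation link. With the `ldap` component the user's `federationLink` points at the LDAP provider and the user count in the realm does not grow; with the standalone `kerberos` component a user carrying just the principal information is created and linked to that provider instead. Keep the keytab readable only by the Keycloak service account, and prefer `ldaps://` for the connection so the bind credential and imported attributes are not sent in clear.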

Hello @nestle2377, I want to do the same as you did, where users are imported from an AD and then a Kerberos ticket is used to authenticate. Can you give me tips? I created this topic; if you can help I’ll be so glad:
(Kerberos + keycloak congratulation issue)