LDAP+Kerberos User Federation using GSSAPI/SASL for LDAP authentication

Apologies if this has been discussed before but I could not find a similar thread on this specific topic.
I am new to using Keycloak and hoping I don’t have to change my security model for this.

I have an authentication environment set up using (MIT) Kerberos for authentication and (Open)LDAP for user/directory data.
LDAP does not store any passwords or Kerberos data, and the LDAP server does not allow anonymous/unauthenticated bind. I use GSSAPI/SASL as the authentication mechanism to LDAP.
This security model works fine on my Linux and Windows (WSL… I guess also Linux!) machines. However, I am running into an issue using this configuration with Keycloak, which I am running as a container.

I have added a keytab (for the principal keycloak/host@REALM) to the container’s file system and an LDAP User Federation provider against my LDAP server. I have enabled the Kerberos authentication feature and provided the realm, principal, and path to the keytab with the principal in the provider configurations.

I have configured the LDAP “Bind type” to none, as simple bind is not correct, and was hoping that it may use the keytab file with GSSAPI/SASL to authenticate.
However, that doesn’t seem to be the case. I get the error:

2024-05-19 19:33:17.452255-04:002024-05-19 19:33:17,451 ERROR [org.keycloak.storage.managers.UserStorageSyncManager] (Timer-0) Error occurred during FULL users-sync in realm test: org.keycloak.models.ModelException: LDAP Query failed
[...]
2024-05-19 19:33:17.452549-04:00Caused by: javax.naming.OperationNotSupportedException: [LDAP: error code 53 - authentication required]; remaining name 'ou=redac,dc=ted'
[...]

Has anyone had success using Keycloak with GSSAPI/SASL authentication to an LDAP User Federation provider?

I’m hoping that this is not too far outside the realm of possibilities for Keycloak, as I would prefer not to create a bind credential just for Keycloak when my other services use the current security model just fine.
However, if the only acceptable bind types are none or simple, that may be what I need to do, at least until this feature is considered and implemented.

The “Allow Kerberos authentication” switch inside of the LDAP “User federation” is just for the user SSO. So the browser can use www-negotiate to authenticate the logged on user without typing any kind of password. I think the correct SPN would be HTTP/kc-hostname.domain.tld

You can add a Kerberos only “User federation” so you don’t have to import all users with LDAP to the local SQL database first. Maybe this is what you’re looking for.

I am aware of this feature; it is not what I am looking for. Actually I do already have that set up, as well.

I am asking specifically for GSSAPI/SASL method of authentication for a Keycloak server to authenticate to an LDAP server for querying user/directory data.
https://www.openldap.org/doc/admin24/sasl.html
In any case, I’ve already created a bind credential for Keycloak. However it’s 1 more password that I need to add somewhere, on top of the Kerberos keytab.
After trying a number of things with my Keycloak instance I think I’ve determined that what I want is not currently possible.

But yes, you are correct about the service principal needing the “HTTP/…” name as that is the name clients/browsers use to obtain a service token during SPNEGO authentication over HTTP/S.
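For reference, this is what the keytab-only GSSAPI/SASL bind described in the first post (and in the OpenLDAP SASL page linked above) looks like when done through JNDI, the LDAP API Keycloak’s provider is built on. It is an added illustration, not Keycloak’s or OpenLDAP’s code; the JAAS entry name, keytab path, LDAP URL and base DN are assumed placeholders.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;

/*
 * Keytab-only GSSAPI/SASL bind to LDAP via JNDI. Assumed JAAS file, passed
 * with -Djava.security.auth.login.config=jaas.conf (KDC comes from krb5.conf):
 *
 *   KeycloakLdap {
 *     com.sun.security.auth.module.Krb5LoginModule required
 *       useKeyTab=true keyTab="/etc/keycloak/keycloak.keytab"   # placeholder
 *       principal="keycloak/host@REALM" storeKey=true doNotPrompt=true;
 *   };
 */
public class GssapiLdapBind {
    public static void main(String[] args) throws Exception {
        String ldapUrl = args.length > 0 ? args[0] : "ldap://ldap.example.test";        // placeholder
        String baseDn  = args.length > 1 ? args[1] : "ou=people,dc=example,dc=test";   // placeholder

        // Obtain a TGT for the keytab principal; no bind password exists anywhere.
        LoginContext login = new LoginContext("KeycloakLdap");
        login.login();

        // JNDI's GSSAPI mechanism uses the Kerberos credentials of the Subject
        // that is current when the context is created.
        Subject.doAs(login.getSubject(), (PrivilegedExceptionAction<Void>) () -> {
            Hashtable<String, String> env = new Hashtable<>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, ldapUrl);
            env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");            // not "none" or "simple"
            env.put("javax.security.sasl.qop", "auth-conf");                // integrity + confidentiality
            env.put("javax.security.sasl.server.authentication", "true");   // require mutual authentication

            DirContext ctx = new InitialDirContext(env);   // would raise error 53 if the bind were anonymous
            try {
                SearchControls sc = new SearchControls();
                sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
                sc.setReturningAttributes(new String[] {"uid"});
                NamingEnumeration<SearchResult> hits = ctx.search(baseDn, "(objectClass=inetOrgPerson)", sc);
                while (hits.hasMore()) {
                    System.out.println(hits.next().getNameInNamespace());
                }
            } finally {
                ctx.close();
            }
            return null;
        });
        login.logout();
    }
}
```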


Same issue for me, I’m running a Synology NAS and would like to connect a Keycloak service to the Syno’s Active Directory which supports only SASL while KC supports only simple LDAP authentication.

Would be a really nice added feature 🙂