Apologies if this has been discussed before but I could not find a similar thread on this specific topic.
I am new to using Keycloak and hoping I don’t have to change my security model for this.
I have an authentication environment set up using (MIT) Kerberos for authentication and (Open)LDAP for user/directory data.
LDAP does not store any passwords or Kerberos data, and the LDAP server does not allow anonymous/unauthenticated bind. I use GSSAPI/SASL as the authentication mechanism to LDAP.
This security model works fine on my Linux and Windows (WSL… I guess also Linux!) machines. However, I am running into an issue using this configuration with Keycloak, which I am running as a container.
I have added a keytab (for the principal keycloak/host@REALM) to the container’s file system and an LDAP User Federation provider against my LDAP server. I have enabled the Kerberos authentication feature and provided the realm, principal, and path to the keytab with the principal in the provider configurations.
I have configured the LDAP “Bind type” to none, as simple bind is not correct, and was hoping that it may use the keytab file with GSSAPI/SASL to authenticate.
However, that doesn’t seem to be the case. I get the error:
2024-05-19 19:33:17.452255-04:002024-05-19 19:33:17,451 ERROR [org.keycloak.storage.managers.UserStorageSyncManager] (Timer-0) Error occurred during FULL users-sync in realm test: org.keycloak.models.ModelException: LDAP Query failed
[...]
2024-05-19 19:33:17.452549-04:00Caused by: javax.naming.OperationNotSupportedException: [LDAP: error code 53 - authentication required]; remaining name 'ou=redac,dc=ted'
[...]
Has anyone had success using Keycloak with GSSAPI/SASL authentication to an LDAP User Federation provider?
I’m hoping that this is not too far outside the realm of possibilities for Keycloak, as I would prefer not to create a bind credential just for Keycloak when my other services use the current security model just fine.
However, if the only acceptable bind types are none or simple, that may be what I need to do, at least until this feature is considered and implemented.
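An added diagnostic script (not part of the original post or of Keycloak) that separates the two questions above: whether the container's keytab and the LDAP server actually accept a SASL/GSSAPI bind, and what the "error code 53" in the Keycloak log means. The keytab path and LDAP URI are assumed placeholders; the principal is the one named in the post.

```shell
#!/bin/sh
# Constructed diagnostic: verify the keytab/GSSAPI path outside Keycloak and
# decode the LDAP result code from a Keycloak/JNDI error line.
KEYTAB="${KEYTAB:-/etc/keycloak/keycloak.keytab}"   # assumed path, adjust
PRINCIPAL="${PRINCIPAL:-keycloak/host@REALM}"       # principal from the post
LDAP_URI="${LDAP_URI:-ldap://ldap.example.test}"    # assumed, adjust

# Extract the numeric LDAP result code from a line such as
# "[LDAP: error code 53 - authentication required]". Prints the code or nothing.
ldap_result_code() {
    printf '%s\n' "$1" | sed -n 's/.*\[LDAP: error code \([0-9][0-9]*\).*/\1/p'
}

# Map the result codes relevant to bind problems (RFC 4511) to a short reading.
explain_ldap_code() {
    case "$1" in
        53) echo "unwillingToPerform: the server refused the operation; with 'authentication required' it rejected a request it saw as unauthenticated" ;;
        49) echo "invalidCredentials: a simple bind was attempted and rejected" ;;
        48) echo "inappropriateAuthentication: the bind type is not accepted for this DN" ;;
        *)  echo "LDAP result code $1" ;;
    esac
}

# Confirm the principal is in the keytab, obtain a TGT from it, then perform a
# SASL/GSSAPI bind with ldapwhoami. Returns 2 if the tools are missing, 1 on failure.
check_gssapi_bind() {
    for tool in klist kinit ldapwhoami; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing tool: $tool"; return 2; }
    done
    klist -kt "$KEYTAB" | grep -q "$PRINCIPAL" \
        || { echo "principal $PRINCIPAL not found in $KEYTAB"; return 1; }
    # Use a private credential cache so the check does not disturb other sessions.
    KRB5CCNAME="${KRB5CCNAME:-/tmp/krb5cc_keycloak_check}"; export KRB5CCNAME
    kinit -kt "$KEYTAB" "$PRINCIPAL" || { echo "kinit from keytab failed"; return 1; }
    # -Y GSSAPI forces the SASL/GSSAPI mechanism; -Q suppresses the SASL banner.
    ldapwhoami -Q -Y GSSAPI -H "$LDAP_URI" || { echo "GSSAPI bind failed"; return 1; }
    echo "GSSAPI bind to $LDAP_URI succeeded as $PRINCIPAL"
}
```

If check_gssapi_bind succeeds from inside the container, the keytab and LDAP side are fine and the remaining question is only whether Keycloak's LDAP provider will use GSSAPI for its bind.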