LDAP user can login and access other realms

We have a client who has run into a scenario that I need some help with. Client is using LDAP for its users and wants to ensure that certain users do not have admin permissions. They have configured a certain user (will refer to this user as worker1) to a group and that group is configured to be part of a custom realm and assigned a read-only role. They have configured their admin users to another group which is then configured to the “master” realm. When worker1 logs into Keycloak, they are able to access the “master” realm. They are not able to update anything so it seems like their read-only permissions are being adhered to, however, it seems strange that they would have any access to “master” realm at all. My understanding is that realms are completely independent of one another so worker1 should not be able to access any other realms. Does anyone have any idea what could be happening here? If it helps, I can provide additional information/configuration if needed. Please let me know. Thank you!

We figured out what we were doing wrong and wanted to post here in case anyone else stumbles upon this issue. We were using the exact same LDAP provider settings in each realm, so Keycloak was querying for the same users and importing them to both realms. Since the non-privileged user was being imported to the “master” realm, that user would be able to log into the admin console. In order to fix this, we utilized “organizational unit” (ou) in the user distinguished name. In our LDAP configuration, we set up an ou for admin users and other groups that had fewer privileges. We then defined the admin users to be a part of that ou in their distinguished name. Here is an example:

# Define an organizational unit for admin users
dn: ou=adminUsers,dc=example,dc=com
objectClass: organizationalUnit
ou: adminUsers

# Define a master realm user
dn: uid=adminuser,ou=adminUsers,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: Admin User
sn: Admin
uid: adminuser
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/adminuser
loginShell: /bin/bash
userPassword: {SSHA}aTbz/t+CCVWbIBLhOGxFnZtA09A00X84

We then updated our LDAP providers to define the ou in the search settings. This will only import users to that realm that contain the same ou in their distinguished name.

I'm sure there are other ways to configure this, but this was one way that worked for us.
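The scoping behaviour the post describes, modelled as an added example (this is not code from the original post or from Keycloak): it takes the post's adminuser entry plus a constructed worker1 entry under a constructed ou=workers, and shows that provider settings shared by both realms import worker1 into master, while a Users DN scoped to each realm's own ou does not. The numeric scope values and the simplified DN comparison (plain comma split, no escaped commas) are assumptions of this example.

```python
# Constructed LDIF: the post's adminuser entry plus an assumed worker1 entry
# under an assumed ou=workers (trimmed to the attributes the example needs).
LDIF = """
dn: uid=adminuser,ou=adminUsers,dc=example,dc=com
uid: adminuser

dn: uid=worker1,ou=workers,dc=example,dc=com
uid: worker1
"""

ONE_LEVEL, SUBTREE = 1, 2  # assumed encoding of the provider's "Search Scope" choices

def parse_ldif(text):
    """Minimal LDIF parser: one {attr: [values]} dict per blank-line-separated entry."""
    entries, entry = [], {}
    for line in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if entry:
                entries.append(entry)
            entry = {}
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entries

def dn_parts(dn):
    """Normalise a DN into lower-case RDN components, leaf first (no escaped commas)."""
    return [p.strip().lower() for p in dn.split(",")]

def imported_users(entries, users_dn, search_scope):
    """uids a provider with this Users DN and scope would import into its realm."""
    base = dn_parts(users_dn)
    selected = []
    for entry in entries:
        parts = dn_parts(entry["dn"][0])
        depth = len(parts) - len(base)
        if depth < 1 or parts[-len(base):] != base:
            continue  # entry is not below the Users DN at all
        if search_scope == ONE_LEVEL and depth != 1:
            continue  # one level imports only direct children of the Users DN
        selected.append(entry["uid"][0])
    return selected

# Misconfiguration from the post: both realms' providers share these settings,
# so worker1 is imported into master and can open the admin console.
SHARED = ("dc=example,dc=com", SUBTREE)
# Fix: each realm's provider is scoped to its own organizational unit.
MASTER_REALM = ("ou=adminUsers,dc=example,dc=com", ONE_LEVEL)
CUSTOM_REALM = ("ou=workers,dc=example,dc=com", ONE_LEVEL)
```

Running `imported_users(parse_ldif(LDIF), *SHARED)` returns both users, while the `MASTER_REALM` and `CUSTOM_REALM` settings each return only their own ou's user.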