Bug 55547 - Login to Keycloak master realm not possible with "Domänen-Admins"
Status: NEW
Product: UCS
Classification: Unclassified
Component: Keycloak
UCS 5.0
Other Linux
Importance: P5 normal
Assigned To: UCS maintainers
Reported: 2023-01-09 12:07 CET by Arvid Requate
Modified: 2023-01-10 09:36 CET (History)

What kind of report is it?: Development Internal
Description Arvid Requate univentionstaff 2023-01-09 12:07:23 CET
Login to Keycloak master realm is restricted to

(memberOf=cn=Domain Admins,cn=groups,dc=ucs50domain,dc=net)

This is too inflexible. The group name could be different, e.g. "Domänen-Admins" in UCS domains that used AD-Takeover from German-language MS AD domains.

1) At the very least, we should properly configure this at installation time with
======
from univention.lib.misc import custom_groupname
groups_default_domainadmins = custom_groupname('Domain Admins')
======

I don't immediately see an easy way to solve this such that it would react dynamically to DN changes for "Domain Admins".

But I can offer bad ideas:

2) Maybe a listener module like
 /usr/lib/univention-directory-listener/system/well-known-sid-name-mapping.py
could be implemented to then change the filter value in Keycloak in case the group gets renamed (or moved!). But Keycloak is a container app, and the listener would need to run on the host, i.e. this solution would not work for Kubernetes deployments, or at least we would need some container-based approach that would work in a sidecar container or rather one singleton "Keycloak-provisioning/-config" container.

3) If OpenLDAP supported https://ldapwiki.com/wiki/LDAP_MATCHING_RULE_IN_CHAIN , then UCS could simply make "Domänen-Admins" a member of "Domain Admins", but that would not solve the problem of moved groups.
Comment 1 Felix Botner univentionstaff 2023-01-10 09:36:59 CET
Could we check for SID=S-1-5-*/domain-512 (well-known SID)?
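As an added example (not code from the bug report, UCS or Keycloak), the following Python builds the Keycloak memberOf restriction from the well-known RID 512 suggested in Comment 1 instead of the hard-coded group name from the description. It assumes that group entries expose a sambaSID attribute of the form "<domain SID>-<RID>", and the directory entries it searches are constructed sample data standing in for the result of an LDAP search; in a real installation that list would come from the directory, and the install-time name lookup via custom_groupname from the description would cover the rename-at-install case that this example does not call into.

```python
# Added example (not UCS or Keycloak code): build the Keycloak "memberOf"
# login restriction from the well-known Domain Admins RID (512) instead of
# the hard-coded group name, so the filter still matches when the group is
# called "Domänen-Admins" or has been moved to another container.
#
# Assumptions (not taken from the bug report): group entries expose a
# sambaSID attribute of the form "<domain SID>-<RID>", and the entries
# below are constructed sample data standing in for an LDAP search result.

DOMAIN_ADMINS_RID = 512  # well-known RID of the Domain Admins group

# Constructed sample directory content (not a real domain).
SAMPLE_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_GROUPS = [
    {"dn": "cn=Domain Users,cn=groups,dc=ucs50domain,dc=net",
     "sambaSID": SAMPLE_DOMAIN_SID + "-513"},
    # Renamed and moved after an AD takeover; only the SID still says
    # "this is Domain Admins".
    {"dn": "cn=Domänen-Admins,cn=admins,cn=groups,dc=ucs50domain,dc=net",
     "sambaSID": SAMPLE_DOMAIN_SID + "-512"},
    # RID 512 as well, but under a foreign domain SID: must not match.
    {"dn": "cn=Foreign Admins (old),cn=groups,dc=ucs50domain,dc=net",
     "sambaSID": "S-1-5-21-9-9-9-512"},
]


def split_sid(sid):
    """Split "S-1-5-21-...-512" into ("S-1-5-21-...", 512)."""
    domain_sid, sep, rid = sid.rpartition("-")
    if not sep or not rid.isdigit():
        raise ValueError("malformed SID: %r" % sid)
    return domain_sid, int(rid)


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    specials = {"*": "\\2a", "(": "\\28", ")": "\\29",
                "\\": "\\5c", "\x00": "\\00"}
    return "".join(specials.get(ch, ch) for ch in value)


def find_group_dn_by_rid(groups, domain_sid, rid):
    """Return the DN of the group carrying <domain_sid>-<rid>.

    Exactly one group must match: zero means the well-known group is
    missing, more than one means the directory is inconsistent, and in
    both cases silently picking one would widen who counts as admin.
    """
    matches = []
    for group in groups:
        sid = group.get("sambaSID")
        if sid is None:
            continue
        group_domain, group_rid = split_sid(sid)
        if group_domain == domain_sid and group_rid == rid:
            matches.append(group["dn"])
    if len(matches) != 1:
        raise LookupError("expected exactly one group with RID %d in %s, found %d"
                          % (rid, domain_sid, len(matches)))
    return matches[0]


def domain_admins_memberof_filter(groups, domain_sid):
    """The filter value Keycloak would be configured with."""
    dn = find_group_dn_by_rid(groups, domain_sid, DOMAIN_ADMINS_RID)
    return "(memberOf=%s)" % escape_filter_value(dn)


if __name__ == "__main__":
    print(domain_admins_memberof_filter(SAMPLE_GROUPS, SAMPLE_DOMAIN_SID))
```

Because the lookup keys on the domain SID plus RID rather than on the name or the DN, the computed filter follows both a rename and a move of the group; the escaping step matters because a group name containing parentheses or an asterisk would otherwise change the meaning of the filter, and the "exactly one match" check refuses to emit a filter at all when the directory does not clearly identify the admin group.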