LDAP DN Fix & Keycloak PKI Compliance
This patch release fixes a critical LDAP group filtering bug reported in #188 and adds government/FedRAMP Keycloak-as-PKI-broker support.
What Was Broken
Active Directory Distinguished Names use commas as internal syntax (e.g. CN=Whisper_Users,CN=Users,DC=domain,DC=local). The previous code split group lists on commas, which shredded full DNs into fragments that could never match what AD returned. Group filtering was silently broken for any installation using full DNs.
Highlights
- LDAP group DN parsing fixed — group lists now use semicolons as the multi-group separator; full AD DNs work correctly
- PKI_ADMIN_DNS parsing fixed — same semicolon delimiter fix for certificate admin lists
- Keycloak X.509 PKI broker — cert claims injected by Keycloak (both `cert_*` and `x509_cert_*` forms) are extracted and stored on the user record
- PKI admin promotion via Keycloak — a cert DN listed in `PKI_ADMIN_DNS` grants admin access for Keycloak users, matching standalone PKI auth behaviour
- Government cert CN format — `CN=LastName FirstName emailusername` (three space-separated tokens) is parsed and displayed as `First Last`
- 116 new unit tests across the `ldap_auth` and `keycloak_auth` modules
Upgrade Notes
LDAP group list format change — update your LDAP_REQUIRED_USER_GROUPS and LDAP_ADMIN_GROUPS environment variables to use semicolons between groups. A single full DN needs no change; it is simply parsed correctly now:
# Before: this value was split on commas into four fragments that never matched what AD returned
LDAP_REQUIRED_USER_GROUPS=CN=Whisper_Users,CN=Users,DC=domain,DC=local
# After: the same value is read as one DN
LDAP_REQUIRED_USER_GROUPS=CN=Whisper_Users,CN=Users,DC=domain,DC=local
# Multiple groups — use semicolons
LDAP_REQUIRED_USER_GROUPS=CN=Group1,DC=domain,DC=local;CN=Group2,DC=domain,DC=local
PKI_ADMIN_DNS — if you have multiple admin DNs, use semicolons:
PKI_ADMIN_DNS=CN=Doe John jdoe,OU=Agency,O=U.S. Government,C=US;CN=Smith Jane jsmith,OU=Agency,O=U.S. Government,C=US
Because the group check now actually matches, verify after upgrading with one account inside a configured group and one outside it that access is granted and denied respectively.
No database migrations required.
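The following is an added example, not code from this project or its release: it reconstructs the comma-split behaviour described under What Was Broken next to a semicolon-delimited parser, normalises DNs before comparing them, and parses the government three-token CN format from the Highlights. All function names are hypothetical, the DN values are the ones from the Upgrade Notes above, and the memberOf and certificate subject inputs are constructed for the demo. Two assumptions are made and marked in comments: DNs are compared case-insensitively (as Active Directory does), and membership in any one listed group is sufficient.

```python
"""Added example, not code from the project: semicolon-delimited DN lists,
DN normalisation for matching, and the government CN format.
Function names are hypothetical; DN values are from the release notes."""
from typing import List, Optional


def _split_unescaped(value: str, delimiter: str) -> List[str]:
    """Split on `delimiter` unless it is escaped with a backslash (RFC 4514),
    dropping surrounding whitespace and empty entries."""
    parts, current, escaped = [], [], False
    for ch in value:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == delimiter:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return [p.strip() for p in parts if p.strip()]


def parse_dn_list_broken(value: str) -> List[str]:
    """Reconstruction of the pre-fix behaviour described above: a comma split
    turns one full DN into fragments that can never equal a DN from AD."""
    return [p.strip() for p in value.split(",") if p.strip()]


def parse_dn_list(value: str) -> List[str]:
    """Parse LDAP_REQUIRED_USER_GROUPS / LDAP_ADMIN_GROUPS / PKI_ADMIN_DNS:
    entries are separated by ';' so the ',' inside each DN survives."""
    return _split_unescaped(value, ";")


def normalize_dn(dn: str) -> str:
    """Canonical form for comparison: RDNs split on unescaped commas, whitespace
    around '=' and between RDNs removed, types and values lower-cased.
    Assumption: AD compares DNs case-insensitively, so this is safe for matching."""
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        attr, _, val = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}={val.strip().lower()}")
    return ",".join(rdns)


def in_group_list(user_dns: List[str], configured: List[str]) -> bool:
    """True when any DN in `user_dns` (memberOf values, or the single
    certificate subject DN) matches an entry in the configured list.
    Assumption: membership in any one listed group is sufficient."""
    have = {normalize_dn(d) for d in user_dns}
    return any(normalize_dn(d) in have for d in configured)


def subject_cn(dn: str) -> Optional[str]:
    """Value of the first CN RDN in a DN, or None if there is no CN."""
    for rdn in _split_unescaped(dn, ","):
        attr, _, val = rdn.partition("=")
        if attr.strip().lower() == "cn":
            return val.strip()
    return None


def display_name_from_cn(cn: str) -> str:
    """Government format 'LastName FirstName emailusername' -> 'FirstName LastName'.
    A CN that is not exactly three space-separated tokens is returned unchanged
    (assumption: the release does not say how other shapes are displayed)."""
    tokens = cn.split()
    if len(tokens) != 3:
        return cn.strip()
    last, first, _username = tokens
    return f"{first} {last}"


if __name__ == "__main__":
    # Values taken from the Upgrade Notes; memberOf and cert DN are constructed.
    groups = "CN=Group1,DC=domain,DC=local;CN=Group2,DC=domain,DC=local"
    admins = ("CN=Doe John jdoe,OU=Agency,O=U.S. Government,C=US;"
              "CN=Smith Jane jsmith,OU=Agency,O=U.S. Government,C=US")
    print(parse_dn_list_broken("CN=Whisper_Users,CN=Users,DC=domain,DC=local"))
    print(parse_dn_list(groups))
    member_of = ["CN=Group2,DC=domain,DC=local"]
    print(in_group_list(member_of, parse_dn_list(groups)))
    cert_dn = "CN=Doe John jdoe,OU=Agency,O=U.S. Government,C=US"
    print(in_group_list([cert_dn.lower()], parse_dn_list(admins)))
    print(display_name_from_cn(subject_cn(cert_dn)))
```

Normalising before comparison matters for the PKI admin check in particular: a subject DN rendered by one TLS stack may differ from the configured string only in case or in whitespace after commas, and a byte-for-byte compare would silently deny admin promotion in the same way the old comma split silently denied group membership.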
How to Update
Docker Compose:
docker compose pull
docker compose up -d
Full Changelog
See CHANGELOG.md