authentik/blueprints/system/sources-kerberos.yaml

version: 1
metadata:
  labels:
    blueprints.goauthentik.io/system: "true"
  name: System - Kerberos Source - Mappings
entries:
  - identifiers:
      managed: goauthentik.io/sources/kerberos/user/default/multipart-principals-as-service-accounts
    model: authentik_sources_kerberos.kerberossourcepropertymapping
    attrs:
      name: "authentik default Kerberos User Mapping: Multipart principals as service accounts"
      expression: |
        from authentik.core.models import USER_PATH_SERVICE_ACCOUNT, UserTypes

        localpart, _ = principal.rsplit("@", 1)
        is_service_account = "/" in localpart
        attrs = {}
        if is_service_account:
            attrs = {
                "type": UserTypes.SERVICE_ACCOUNT,
                "path": USER_PATH_SERVICE_ACCOUNT,
            }
        return attrs        
  - identifiers:
      managed: goauthentik.io/sources/kerberos/user/default/ignore-other-realms
    model: authentik_sources_kerberos.kerberossourcepropertymapping
    attrs:
      name: "authentik default Kerberos User Mapping: Ignore other realms"
      expression: |
        localpart, realm = principal.rsplit("@", 1)
        if realm.upper() != source.realm.upper():
            raise SkipObject
        return {}        
  - identifiers:
      managed: goauthentik.io/sources/kerberos/user/default/ignore-system-principals
    model: authentik_sources_kerberos.kerberossourcepropertymapping
    attrs:
      name: "authentik default Kerberos User Mapping: Ignore system principals"
      expression: |
        localpart, realm = principal.rsplit("@", 1)
        denied_prefixes = ["kadmin/", "krbtgt/", "K/M", "WELLKNOWN/", "kiprop/", "changepw/"]
        for prefix in denied_prefixes:
            if localpart.lower().startswith(prefix.lower()):
                raise SkipObject
        return {}        
  - identifiers:
      managed: goauthentik.io/sources/kerberos/user/realm-as-group
    model: authentik_sources_kerberos.kerberossourcepropertymapping
    attrs:
      name: "authentik default Kerberos User Mapping: Add realm as group"
      expression: |
        localpart, realm = principal.rsplit("@", 1)
        return {
            "groups": [realm.upper()]
        }