version: 1 metadata: labels: blueprints.goauthentik.io/system: "true" name: System - Kerberos Source - Mappings entries: - identifiers: managed: goauthentik.io/sources/kerberos/user/default/multipart-principals-as-service-accounts model: authentik_sources_kerberos.kerberossourcepropertymapping attrs: name: "authentik default Kerberos User Mapping: Multipart principals as service accounts" expression: | from authentik.core.models import USER_PATH_SERVICE_ACCOUNT, UserTypes localpart, _ = principal.rsplit("@", 1) is_service_account = "/" in localpart attrs = {} if is_service_account: attrs = { "type": UserTypes.SERVICE_ACCOUNT, "path": USER_PATH_SERVICE_ACCOUNT, } return attrs - identifiers: managed: goauthentik.io/sources/kerberos/user/default/ignore-other-realms model: authentik_sources_kerberos.kerberossourcepropertymapping attrs: name: "authentik default Kerberos User Mapping: Ignore other realms" expression: | localpart, realm = principal.rsplit("@", 1) if realm.upper() != source.realm.upper(): raise SkipObject return {} - identifiers: managed: goauthentik.io/sources/kerberos/user/default/ignore-system-principals model: authentik_sources_kerberos.kerberossourcepropertymapping attrs: name: "authentik default Kerberos User Mapping: Ignore system principals" expression: | localpart, realm = principal.rsplit("@", 1) denied_prefixes = ["kadmin/", "krbtgt/", "K/M", "WELLKNOWN/", "kiprop/", "changepw/"] for prefix in denied_prefixes: if localpart.lower().startswith(prefix.lower()): raise SkipObject return {} - identifiers: managed: goauthentik.io/sources/kerberos/user/realm-as-group model: authentik_sources_kerberos.kerberossourcepropertymapping attrs: name: "authentik default Kerberos User Mapping: Add realm as group" expression: | localpart, realm = principal.rsplit("@", 1) return { "groups": [realm.upper()] }