[keycloak-dev] User TLS client certificate authentication - inconsistent DN string representation with LDAP

Sebastian Laskawiec slaskawi at redhat.com
Mon Jan 7 07:36:00 EST 2019


Hey Michael,

Adding +Sebastien Blanc <sblanc at redhat.com> for visibility.

I believe that's a bug. The `X509ClientCertificateAuthenticator` should
ignore those extra spaces. May I kindly ask you to create a ticket for us
and assign it either to me or Sebastien?

Thanks,
Sebastian

On Sun, Dec 23, 2018 at 6:49 PM Peck, Michael A <mpeck at mitre.org> wrote:

> Hello,
>
> I’ve configured Keycloak to authenticate users using TLS client
> certificate authentication.
> I’ve also configured Keycloak to synchronize users with my LDAP server.
>
> I’d like to match the TLS client certificate’s Subject DN to the Subject
> DNs synchronized from my LDAP server (which are stored by Keycloak in each
> user’s LDAP_ENTRY_DN attribute).
>
> I’ve set that up, but am running into an issue that Keycloak appears to
> have inconsistent string representations of DNs between those two methods -
> so the Subject DNs from the TLS client certificate and the LDAP server
> aren’t matching as I was expecting.
>
> The TLS client certificate DNs look like this:
> CN=Peck Michael, OU=People, DC=test, DC=net
>
> While the LDAP_ENTRY_DN attribute is formatted like this:
> cn=Peck Michael,ou=People,dc=test,dc=net
>
> It looks to me that the TLS client certificate DN string representation is
> coming from the standard Java X500Principal class used by calls to
> X509Certificate.getSubjectDN().getName() in
> keycloak/services/src/main/java/org/keycloak/authentication/authenticators/x509/X509ClientCertificateAuthenticator.java
> and the LDAP_ENTRY_DN string representation is coming from the toString
> method in
> keycloak/federation/ldap/src/main/java/org/keycloak/storage/ldap/idm/model/LDAPDn.java.
>
> I modified the LDAPDn class’s toString method to follow the same format as
> used in the TLS client certificate DNs, and authentication works for me now.
> Would the Keycloak project consider accepting a pull request to change the
> way LDAPDn formats DNs as strings?
> (However I have not checked if this would impact other uses of the LDAPDn
> class within Keycloak or cause problems with upgrading existing
> deployments?)
>
> The suggested change follows:
> diff --git
> a/federation/ldap/src/main/java/org/keycloak/storage/ldap/idm/model/LDAPDn.java
> b/federation/ldap/src/main/
> index 39e7d97..2f8c805 100644
> ---
> a/federation/ldap/src/main/java/org/keycloak/storage/ldap/idm/model/LDAPDn.java
> +++
> b/federation/ldap/src/main/java/org/keycloak/storage/ldap/idm/model/LDAPDn.java
> @@ -87,9 +87,9 @@ public class LDAPDn {
>              if (first) {
>                  first = false;
>              } else {
> -                builder.append(",");
> +                builder.append(", ");
>              }
> -
> builder.append(rdn.attrName).append("=").append(rdn.attrValue);
> +
> builder.append(rdn.attrName.toUpperCase()).append("=").append(rdn.attrValue);
>          }
>
>          return builder.toString();
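Review bot: Changing LDAPDn.toString() to emit `, ` separators and upper-case attribute names (the `builder.append(", ");` and `rdn.attrName.toUpperCase()` lines) alters every place an LDAPDn is rendered, including the LDAP_ENTRY_DN values already stored for existing users, which would then no longer match until re-synchronized, and it only reproduces the formatting of one producer: `X509Certificate.getSubjectDN().getName()` can still differ in how it escapes special characters and renders multi-valued RDNs, so a plain string comparison stays brittle. Suggest leaving LDAPDn.toString() unchanged and normalizing both sides at the comparison point in X509ClientCertificateAuthenticator, for example by parsing both strings with `javax.naming.ldap.LdapName` (whose `equals` ignores attribute-type case and separator whitespace) or by comparing their `X500Principal.getName(X500Principal.CANONICAL)` forms.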
>
>
>
> Thank you,
> Michael Peck
> The MITRE Corporation
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
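Added example (not from the thread and not Keycloak code): a hypothetical DnMatcher helper that compares the certificate subject DN with the synchronized LDAP_ENTRY_DN by parsing both with javax.naming.ldap.LdapName instead of comparing strings, so the two representations quoted above compare equal without changing how LDAPDn renders DNs; a second helper shows X500Principal's canonical form of each string.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.security.auth.x500.X500Principal;

/**
 * Compares a TLS client certificate subject DN with a DN synchronized from
 * LDAP by parsing both, not by string equality. Hypothetical helper, not
 * part of Keycloak.
 */
public final class DnMatcher {

    /** True when both strings denote the same DN under RFC 2253 / RFC 4514 rules. */
    public static boolean sameDn(String certSubject, String ldapEntryDn) {
        try {
            // LdapName.equals() ignores the case of attribute types and values
            // and the whitespace around separators, so "CN=a, OU=b" equals
            // "cn=a,ou=b" while RDN order still matters.
            return new LdapName(certSubject).equals(new LdapName(ldapEntryDn));
        } catch (InvalidNameException e) {
            // An unparseable DN is treated as a mismatch, not as an error.
            return false;
        }
    }

    /** Canonical RFC 2253 form as produced by X500Principal (lower-case, no separator spaces). */
    public static String canonical(String dn) {
        return new X500Principal(dn).getName(X500Principal.CANONICAL);
    }

    public static void main(String[] args) {
        // Constructed sample values: the two representations from the thread.
        String fromCert = "CN=Peck Michael, OU=People, DC=test, DC=net";
        String fromLdap = "cn=Peck Michael,ou=People,dc=test,dc=net";

        System.out.println("String.equals : " + fromCert.equals(fromLdap));
        System.out.println("LdapName match: " + sameDn(fromCert, fromLdap));
        System.out.println("canonical cert: " + canonical(fromCert));
        System.out.println("canonical ldap: " + canonical(fromLdap));

        // A DN with the RDNs in a different order names a different entry.
        String reordered = "OU=People, CN=Peck Michael, DC=test, DC=net";
        System.out.println("reordered     : " + sameDn(fromCert, reordered));
    }
}
```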