[keycloak-dev] User TLS client certificate authentication - inconsistent DN string representation with LDAP

Nalyvayko, Peter pnalyvayko at agi.com
Tue Jan 8 17:02:17 EST 2019


Hi,

>> I believe that's a bug. The `X509ClientCertificateAuthenticator` should ignore those extra spaces. May I kindly ask you to create a ticket for us and assign it either to me or Sebastien?

Sebastian/Michael, 

According to https://tools.ietf.org/html/rfc1779, the BNF for distinguished names allows for optional space before and after the separator. Do you know of any reason why the DN returned by LDAP and the DN returned by calling X509Certificate.getSubjectDN().getName() should be, or are expected to be, identical? It seems to me the BNF allows for some discrepancies in representation, thus comparing two strings verbatim may not be a good idea, no?

Kindly,
Peter
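
The point raised above (RFC 1779 permits optional whitespace around the separator, and attribute types such as CN/cn are case-insensitive) is exactly why the two strings quoted in this thread fail a verbatim comparison. The following Java program is an added example, not code from Keycloak or from anyone on this thread: it takes the two DN spellings Michael quoted, shows that `String.equals` rejects them while a structural comparison via `javax.naming.ldap.LdapName` accepts them, and derives a normalized string key for situations where only a string lookup is possible. The class name, method names and the second sample pair (with an escaped comma) are hypothetical/constructed.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Locale;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/**
 * Added example (not Keycloak code): why DNs must be compared structurally rather
 * than as raw strings. Class and method names are hypothetical.
 */
public class DnMatchDemo {

    // Constructed samples: the first pair reproduces the two spellings quoted in the
    // thread; the second adds an escaped comma inside a value to show the parser copes.
    static final String[][] SAMPLES = {
        {"CN=Peck Michael, OU=People, DC=test, DC=net", "cn=Peck Michael,ou=People,dc=test,dc=net"},
        {"CN=Doe\\, John, OU=People, DC=test, DC=net", "cn=Doe\\, John,ou=People,dc=test,dc=net"},
    };

    /**
     * Structural comparison. LdapName.equals() requires the same number of RDNs in the
     * same order; attribute types are compared case-insensitively, and the RFC 2253
     * parser drops whitespace around ',' and '=', so the optional spaces never matter.
     */
    static boolean sameDn(String a, String b) {
        try {
            return new LdapName(a).equals(new LdapName(b));
        } catch (NamingException e) {
            // A malformed DN on either side is a mismatch, not an error for the caller.
            return false;
        }
    }

    /**
     * Deterministic string key for a DN: lower-case attribute types, no whitespace around
     * separators, values re-escaped per RFC 2253, members of a multi-valued RDN sorted.
     * Useful when the match has to be a string lookup (e.g. a database query) where
     * LdapName.equals() cannot be applied. Attribute values keep their case here,
     * whereas LdapName.equals() compares values case-insensitively.
     */
    static String canonical(String dn) throws NamingException {
        LdapName name = new LdapName(dn);
        List<String> rdns = new ArrayList<>();
        // LdapName indexes RDNs right to left (index 0 is the rightmost), so walk
        // downwards to keep the usual leftmost-first printed order.
        for (int i = name.size() - 1; i >= 0; i--) {
            List<String> pairs = new ArrayList<>();
            NamingEnumeration<? extends Attribute> attrs = name.getRdn(i).toAttributes().getAll();
            while (attrs.hasMore()) {
                Attribute attr = attrs.next();
                pairs.add(attr.getID().toLowerCase(Locale.ROOT) + "=" + Rdn.escapeValue(attr.get()));
            }
            Collections.sort(pairs); // member order inside a multi-valued RDN is not significant
            rdns.add(String.join("+", pairs));
        }
        return String.join(",", rdns);
    }

    public static void main(String[] args) throws NamingException {
        for (String[] pair : SAMPLES) {
            String cert = pair[0], ldap = pair[1];
            System.out.println("cert : " + cert);
            System.out.println("ldap : " + ldap);
            System.out.println("  String.equals   -> " + cert.equals(ldap));
            System.out.println("  sameDn          -> " + sameDn(cert, ldap));
            System.out.println("  canonical(cert) =  " + canonical(cert));
            System.out.println("  canonical(ldap) =  " + canonical(ldap));
            System.out.println("  canonical equal -> " + canonical(cert).equals(canonical(ldap)));
            System.out.println();
        }
    }
}
```

Compile with `javac DnMatchDemo.java` and run `java DnMatchDemo`; for both pairs `String.equals` is false while `sameDn` and the canonical-key comparison are true. Matching structurally in the authenticator leaves the persisted `LDAP_ENTRY_DN` format untouched, which is the safer direction for existing deployments.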


-----Original Message-----
From: keycloak-dev-bounces at lists.jboss.org <keycloak-dev-bounces at lists.jboss.org> On Behalf Of Sebastian Laskawiec
Sent: Monday, January 7, 2019 7:36 AM
To: Peck, Michael A <mpeck at mitre.org>; sblanc at redhat.com
Cc: keycloak-dev at lists.jboss.org
Subject: Re: [keycloak-dev] User TLS client certificate authentication - inconsistent DN string representation with LDAP

Hey Michael,

Adding +Sebastien Blanc <sblanc at redhat.com> for visibility.

I believe that's a bug. The `X509ClientCertificateAuthenticator` should ignore those extra spaces. May I kindly ask you to create a ticket for us and assign it either to me or Sebastien?

Thanks,
Sebastian

On Sun, Dec 23, 2018 at 6:49 PM Peck, Michael A <mpeck at mitre.org> wrote:

> Hello,
>
> I’ve configured Keycloak to authenticate users using TLS client 
> certificate authentication.
> I’ve also configured Keycloak to synchronize users with my LDAP server.
>
> I’d like to match the TLS client certificate’s Subject DN to the 
> Subject DNs synchronized from my LDAP server (which are stored by 
> Keycloak in each user’s LDAP_ENTRY_DN attribute).
>
> I’ve set that up, but am running into an issue that Keycloak appears 
> to have inconsistent string representations of DNs between those two 
> methods - so the Subject DNs from the TLS client certificate and the 
> LDAP server aren’t matching as I was expecting.
>
> The TLS client certificate DNs look like this:
> CN=Peck Michael, OU=People, DC=test, DC=net
>
> While the LDAP_ENTRY_DN attribute is formatted like this:
> cn=Peck Michael,ou=People,dc=test,dc=net
>
> It looks to me that the TLS client certificate DN string 
> representation is coming from the standard Java X500Principal class 
> used by calls to
> X509Certificate.getSubjectDN().getName() in
> keycloak/services/src/main/java/org/keycloak/authentication/authenticators/x509/X509ClientCertificateAuthenticator.java
> and the LDAP_ENTRY_DN string representation is coming from the 
> toString method in 
> keycloak/federation/ldap/src/main/java/org/keycloak/storage/ldap/idm/model/LDAPDn.java.
>
> I modified the LDAPDn class’s toString method to follow the same 
> format as used in the TLS client certificate DNs, and authentication works for me now.
> Would the Keycloak project consider accepting a pull request to change 
> the way LDAPDn formats DNs as strings?
> (However I have not checked if this would impact other uses of the 
> LDAPDn class within Keycloak or cause problems with upgrading existing
> deployments?)
>
> The suggested change follows:
> diff --git
> a/federation/ldap/src/main/java/org/keycloak/storage/ldap/idm/model/LD
> APDn.java
> b/federation/ldap/src/main/
> index 39e7d97..2f8c805 100644
> ---
> a/federation/ldap/src/main/java/org/keycloak/storage/ldap/idm/model/LD
> APDn.java
> +++
> b/federation/ldap/src/main/java/org/keycloak/storage/ldap/idm/model/LD
> APDn.java @@ -87,9 +87,9 @@ public class LDAPDn {
>              if (first) {
>                  first = false;
>              } else {
> -                builder.append(",");
> +                builder.append(", ");
>              }
> -
> builder.append(rdn.attrName).append("=").append(rdn.attrValue);
> +
> builder.append(rdn.attrName.toUpperCase()).append("=").append(rdn.attrValue);
>          }
>
>          return builder.toString();
>
>
>
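Review bot: the hunk changes a persisted serialization to imitate an unspecified one, and the two strings can still differ. Uppercasing `rdn.attrName` and switching the separator to `", "` reproduces what `X509Certificate.getSubjectDN().getName()` happened to print for this certificate, but that output format is not guaranteed (`getSubjectDN()` is marked denigrated in favour of `getSubjectX500Principal()`, whose `getName()` yields RFC 2253 without spaces), so values with escaped characters or attribute types without a well-known keyword will still mismatch. Because `LDAPDn.toString()` is also the value written into `LDAP_ENTRY_DN`, every existing deployment's stored DNs change shape after an upgrade, as the cover note already suspects. Suggest leaving `toString()` as it is and matching structurally in `X509ClientCertificateAuthenticator`, e.g. `new LdapName(certDn).equals(new LdapName(ldapEntryDn))`, which compares attribute types case-insensitively and ignores whitespace around separators.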
> Thank you,
> Michael Peck
> The MITRE Corporation
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev