[keycloak-user] ldaps configuration --> Bug or regression with ldap connection url

Meissa M'baye Sakho msakho at redhat.com
Thu Nov 15 05:16:00 EST 2018


Marek,
I'm using the same JRE.
It's not problematic at all using ldaps instead of LDAPS.
I've also been told (somewhere else) that protocols should be "lowercased".
So I will stick to ldaps.
Meissa


On Thu, 15 Nov 2018 at 11:05, Marek Posolda <mposolda at redhat.com> wrote:

> Hi Meissa,
>
> I don't think that we changed anything in this part related to ldaps,
> truststore SPI etc, but I could be wrong. We upgraded Wildfly, but this
> doesn't look that it is related to Wildfly upgrade (although again not
> 100% sure TBH).
>
> Also this could be a bug in Java. Are you using same Java version you
> used with Keycloak 3.4.3.Final?
>
> Another question is, how problematic it is to change "LDAPS://" to
> "ldap://" in the configuration? Any issues with changing that in your
> environment?
>
> Marek
>
> On 15/11/18 10:12, Meissa M'baye Sakho wrote:
> > Hello everyone,
> > I'm facing a very strange behaviour using keycloak 4.5 Final while
> > configuring my realm user federation with ldaps.
> > When I set the ldap connection URL to ldaps://myldaphost. It works fine.
> > When I change it to LDAPS://myldaphost, the test connection fails with the
> > exception below (extract):
> >
> > KC-SERVICES0055: Error when connecting to LDAP:
> > intra-dev01.bdf-dev01.local:636: javax.naming.CommunicationException:
> > intra-dev01.bdf-dev01.local:636 [Root exception is
> > javax.net.ssl.SSLHandshakeException:
> > sun.security.validator.ValidatorException: PKIX path building failed:
> > sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> > valid certification path to requested target]
> >         at com.sun.jndi.ldap.Connection.<init>(Connection.java:238)
> >         at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137)
> >         at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1615)
> >         at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2749)
> >         at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
> >         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
> >         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
> >
> > Caused by: javax.net.ssl.SSLHandshakeException:
> > sun.security.validator.ValidatorException: PKIX path building failed:
> > sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> > valid certification path to requested target
> >         at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
> >         at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1964)
> >
> > With Keycloak 3.4.3.Final, I used LDAPS without any problem.
> > Any advice?
> > Meissa
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>