[ https://issues.jboss.org/browse/ELY-1616?page=com.atlassian.jira.plugin.s... ]
Jiri Ondrusek edited comment on ELY-1616 at 7/26/18 12:16 PM:
--------------------------------------------------------------
The issue is caused by missing configuration. The problem is caused by some LDAP servers (OpenLDAP
in this case), which return "usercertificate;binary" as the result of a search for
"usercertificate".
If this happens, the LDAP entry is not recognized as a certificate without the
"userPKCS12" attribute.
Even if "userPKCS12" is defined, the certificate is loaded from the
"userSMIMECertificate" attribute instead of "userCertificate", so the
truststore works only if all 3 attributes are filled: "userCertificate",
"userSMIMECertificate" and "userPKCS12".
The solution is simple: use a mapping for this kind of LDAP server to search for
"usercertificate;binary" instead of "usercertificate".
{code}
/subsystem=elytron/ldap-key-store=qsTrustStore:add( \
    dir-context=exampleDC, \
    search-path="ou=trusstore,dc=example,dc=org", \
    certificate-attribute="userCertificate;binary" \
)
{code}
With this mapping the LDAP truststore will work without the "userPKCS12" attribute (and
also without "userSMIMECertificate").
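The lookup failure described in the comment above, as an added example that is not Elytron's code or part of the original issue: a constructed OpenLDAP-style search result in which the certificate comes back under "userCertificate;binary", an exact-name lookup that misses it (so the entry is never treated as a certificate entry), and a lookup that reads the attribute description the way RFC 4512 defines it (attribute type followed by ";"-separated options, all case-insensitive) so that either spelling finds the value. The entry, its DN and the short DER placeholder bytes are constructed for the example, not real directory data or a real certificate.

```python
"""Attribute-option handling for LDAP search results (added example, not
Elytron code). Shows why asking for "userCertificate" can miss an entry that
the server returns as "userCertificate;binary", and a lookup that tolerates
transfer options. All data below is constructed."""

# Constructed search result in the shape OpenLDAP returns when the client asked
# for "userCertificate": the key carries the ";binary" transfer option
# (RFC 4522), so it is not the name that was asked for.
OPENLDAP_ENTRY = {
    "dn": "cn=server1,ou=truststore,dc=example,dc=org",   # constructed DN
    "objectClass": [b"top", b"inetOrgPerson"],
    "cn": [b"server1"],
    # Placeholder DER: SEQUENCE of length 3 holding INTEGER 10. Not a real
    # certificate, only enough for the tag check below.
    "userCertificate;binary": [bytes.fromhex("300302010a")],
}


def split_attribute_description(desc: str) -> tuple[str, frozenset[str]]:
    """RFC 4512 attribute description: type[;option]*.
    Types and options are case-insensitive, so both are lowercased."""
    attr_type, *options = desc.split(";")
    return attr_type.lower(), frozenset(o.lower() for o in options)


def naive_lookup(entry: dict, name: str):
    """Exact-key lookup: this is what fails when the server adds ';binary'."""
    return entry.get(name)


def tolerant_lookup(entry: dict, name: str):
    """Find an attribute by type, ignoring case and ignoring transfer options
    such as ';binary'. If the caller asked for options (e.g. "x;binary"),
    the returned attribute must carry them. Returns the value list or None."""
    wanted_type, wanted_opts = split_attribute_description(name)
    for key, values in entry.items():
        if key == "dn":
            continue
        attr_type, opts = split_attribute_description(key)
        if attr_type == wanted_type and wanted_opts <= opts:
            return values
    return None


def looks_like_der_certificate(blob: bytes) -> bool:
    """Cheap sanity check before handing bytes to a certificate parser:
    a DER-encoded X.509 certificate starts with a constructed SEQUENCE (0x30)."""
    return len(blob) >= 2 and blob[0] == 0x30


def load_trust_anchor(entry: dict, attribute: str = "userCertificate"):
    """Mirror the truststore decision: the entry counts as a certificate entry
    only if the configured certificate attribute is present and its first
    value looks like DER. Returns the DER bytes or None."""
    values = tolerant_lookup(entry, attribute)
    if not values:
        return None
    blob = values[0]
    return blob if looks_like_der_certificate(blob) else None


if __name__ == "__main__":
    print("naive   :", naive_lookup(OPENLDAP_ENTRY, "userCertificate"))
    print("tolerant:", tolerant_lookup(OPENLDAP_ENTRY, "userCertificate"))
    print("anchor  :", load_trust_anchor(OPENLDAP_ENTRY))
```

The fix in the comment takes the other route: instead of making the client tolerant, it configures certificate-attribute to the exact name the server returns ("userCertificate;binary"), which is the right choice when the client's lookup is a plain key match. The tolerant lookup is the same idea in client code, and the DER tag check is the minimal guard against a PEM-encoded or empty value being treated as a certificate.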
ldap-key-store requires attribute userPKCS12 on ldap entry, even if it should be mandatory
------------------------------------------------------------------------------------------
Key: ELY-1616
URL: https://issues.jboss.org/browse/ELY-1616
Project: WildFly Elytron
Issue Type: Bug
Affects Versions: 1.1.11.CR1
Reporter: Jiri Ondrusek
Assignee: Jiri Ondrusek
The "key-attribute" ("userPKCS12") should not be necessary to use
LdapKeyStore as truststore.
See Steps to Reproduce for more information.
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)