Hi,
> I believe that's a bug. The `X509ClientCertificateAuthenticator` should ignore those
> extra spaces. May I kindly ask you to create a ticket for us and assign it either to me
> or Sebastien?
Sebastian/Michael,
According to https://tools.ietf.org/html/rfc1779, the BNF for a distinguished name allows an optional space before and after the separator. Do you know of any reason why the DN returned by LDAP and the DN returned by calling X509Certificate.getSubjectDN().getName() should be, or are expected to be, identical? It seems to me the BNF allows for some discrepancies in representation, thus comparing the two strings verbatim may not be a good idea, no?
Kindly,
Peter
-----Original Message-----
From: keycloak-dev-bounces(a)lists.jboss.org <keycloak-dev-bounces(a)lists.jboss.org> On
Behalf Of Sebastian Laskawiec
Sent: Monday, January 7, 2019 7:36 AM
To: Peck, Michael A <mpeck(a)mitre.org>; sblanc(a)redhat.com
Cc: keycloak-dev(a)lists.jboss.org
Subject: Re: [keycloak-dev] User TLS client certificate authentication - inconsistent DN string representation with LDAP
Hey Michael,
Adding +Sebastien Blanc <sblanc(a)redhat.com> for visibility.
I believe that's a bug. The `X509ClientCertificateAuthenticator` should ignore those
extra spaces. May I kindly ask you to create a ticket for us and assign it either to me or
Sebastien?
Thanks,
Sebastian
On Sun, Dec 23, 2018 at 6:49 PM Peck, Michael A <mpeck(a)mitre.org> wrote:
Hello,
I’ve configured Keycloak to authenticate users using TLS client certificate authentication.
I’ve also configured Keycloak to synchronize users with my LDAP server.
I’d like to match the TLS client certificate’s Subject DN to the Subject DNs synchronized from my LDAP server (which are stored by Keycloak in each user’s LDAP_ENTRY_DN attribute).
I’ve set that up, but am running into an issue that Keycloak appears to have inconsistent string representations of DNs between those two methods - so the Subject DNs from the TLS client certificate and the LDAP server aren’t matching as I was expecting.
The TLS client certificate DNs look like this:
CN=Peck Michael, OU=People, DC=test, DC=net
While the LDAP_ENTRY_DN attribute is formatted like this:
cn=Peck Michael,ou=People,dc=test,dc=net
It looks to me that the TLS client certificate DN string representation is coming from the standard Java X500Principal class used by calls to X509Certificate.getSubjectDN().getName() in keycloak/services/src/main/java/org/keycloak/authentication/authenticators/x509/X509ClientCertificateAuthenticator.java and the LDAP_ENTRY_DN string representation is coming from the toString method in keycloak/federation/ldap/src/main/java/org/keycloak/storage/ldap/idm/model/LDAPDn.java.
I modified the LDAPDn class’s toString method to follow the same format as used in the TLS client certificate DNs, and authentication works for me now.
Would the Keycloak project consider accepting a pull request to change the way LDAPDn formats DNs as strings?
(However, I have not checked if this would impact other uses of the LDAPDn class within Keycloak or cause problems with upgrading existing deployments.)
The suggested change follows:
diff --git
a/federation/ldap/src/main/java/org/keycloak/storage/ldap/idm/model/LD
APDn.java
b/federation/ldap/src/main/
index 39e7d97..2f8c805 100644
---
a/federation/ldap/src/main/java/org/keycloak/storage/ldap/idm/model/LD
APDn.java
+++
b/federation/ldap/src/main/java/org/keycloak/storage/ldap/idm/model/LD
APDn.java @@ -87,9 +87,9 @@ public class LDAPDn {
if (first) {
first = false;
} else {
- builder.append(",");
+ builder.append(", ");
}
-
builder.append(rdn.attrName).append("=").append(rdn.attrValue);
+
builder.append(rdn.attrName.toUpperCase()).append("=").append(rdn.attrValue);
}
return builder.toString();
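Review bot: The `toUpperCase()` on `rdn.attrName` and the `", "` separator change the string LDAPDn produces for every caller, not only for the certificate comparison, so the open question in the message ("I have not checked if this would impact other uses of the LDAPDn class ... or cause problems with upgrading existing deployments") is the real risk: LDAP_ENTRY_DN values already stored for existing users keep the old `cn=...,ou=...` form and would no longer match certificate DNs after the upgrade until they are regenerated. A comparison that accepts both forms belongs at the point of use instead; for example, in `X509ClientCertificateAuthenticator`, parse both strings with `javax.naming.ldap.LdapName` and compare the parsed names, which ignores attribute-type case and the optional whitespace around separators without changing the serialized format anything else depends on.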
Thank you,
Michael Peck
The MITRE Corporation
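A defensive comparison that sidesteps the format mismatch Michael describes and the representation point Peter raises from RFC 1779, as an added example that is not Keycloak's own code: it parses each string with `javax.naming.ldap.LdapName`, whose `equals()` compares the RDN sequences with attribute types matched case-insensitively and values matched ignoring case and unescaped surrounding whitespace, so the two sample DNs quoted in the mail compare equal while a DN for a different OU does not. The `DnMatch` class and `sameDn` method are names chosen for this example, and the sample DNs are constructed from the thread.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;

/** Structural DN comparison instead of verbatim string equality (added example). */
public final class DnMatch {

    /**
     * Returns true when both strings denote the same distinguished name.
     * LdapName parses each string as an RFC 2253 DN (escaped commas inside
     * values are handled by the parser), and its equals() compares the RDN
     * sequences with attribute types matched case-insensitively and values
     * matched ignoring case and surrounding whitespace, so "CN=a, OU=b" and
     * "cn=a,ou=b" are the same name. An unparseable DN is never a match.
     */
    public static boolean sameDn(String certificateDn, String ldapEntryDn) {
        try {
            return new LdapName(certificateDn).equals(new LdapName(ldapEntryDn));
        } catch (InvalidNameException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample values mirroring the two formats seen in the thread.
        String fromCertificate = "CN=Peck Michael, OU=People, DC=test, DC=net";
        String fromLdapEntryDn = "cn=Peck Michael,ou=People,dc=test,dc=net";
        String otherUser       = "cn=Peck Michael,ou=Service Accounts,dc=test,dc=net";

        if (fromCertificate.equals(fromLdapEntryDn)) {
            throw new AssertionError("verbatim comparison unexpectedly matched");
        }
        if (!sameDn(fromCertificate, fromLdapEntryDn)) {
            throw new AssertionError("structural comparison should match the same DN");
        }
        if (sameDn(fromCertificate, otherUser)) {
            throw new AssertionError("structural comparison must not match a different OU");
        }
        System.out.println("structural DN comparison behaves as described");
    }
}
```

Comparing parsed names this way is also safer than stripping spaces and lowercasing the raw strings, because a comma or space escaped inside an RDN value is interpreted by the parser rather than by ad hoc string surgery.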
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev