Hello,
I’ve configured Keycloak to authenticate users using TLS client certificate
authentication.
I’ve also configured Keycloak to synchronize users with my LDAP server.
I’d like to match the TLS client certificate’s Subject DN to the Subject DNs synchronized
from my LDAP server (which are stored by Keycloak in each user’s LDAP_ENTRY_DN
attribute).
I’ve set that up, but am running into an issue: Keycloak appears to have inconsistent
string representations of DNs between those two methods, so the Subject DNs from the TLS
client certificate and the LDAP server aren’t matching as I was expecting.
The TLS client certificate DNs look like this:
CN=Peck Michael, OU=People, DC=test, DC=net
While the LDAP_ENTRY_DN attribute is formatted like this:
cn=Peck Michael,ou=People,dc=test,dc=net
It looks to me that the TLS client certificate DN string representation is coming from the
standard Java X500Principal class used by calls to
X509Certificate.getSubjectDN().getName() in
keycloak/services/src/main/java/org/keycloak/authentication/authenticators/x509/X509ClientCertificateAuthenticator.java
and the LDAP_ENTRY_DN string representation is coming from the toString method in
keycloak/federation/ldap/src/main/java/org/keycloak/storage/ldap/idm/model/LDAPDn.java.
I modified the LDAPDn class’s toString method to follow the same format as used in the TLS
client certificate DNs, and authentication works for me now.
Would the Keycloak project consider accepting a pull request to change the way LDAPDn
formats DNs as strings?
(However, I have not checked whether this would impact other uses of the LDAPDn class within
Keycloak or cause problems with upgrading existing deployments.)
The suggested change follows:
diff --git a/federation/ldap/src/main/java/org/keycloak/storage/ldap/idm/model/LDAPDn.java
b/federation/ldap/src/main/
index 39e7d97..2f8c805 100644
--- a/federation/ldap/src/main/java/org/keycloak/storage/ldap/idm/model/LDAPDn.java
+++ b/federation/ldap/src/main/java/org/keycloak/storage/ldap/idm/model/LDAPDn.java
@@ -87,9 +87,9 @@ public class LDAPDn {
if (first) {
first = false;
} else {
- builder.append(",");
+ builder.append(", ");
}
- builder.append(rdn.attrName).append("=").append(rdn.attrValue);
+
builder.append(rdn.attrName.toUpperCase()).append("=").append(rdn.attrValue);
}
return builder.toString();
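Review bot: Changing LDAPDn.toString() to emit `rdn.attrName.toUpperCase()` with `", "` as the separator alters the DN string everywhere LDAPDn is rendered, not only in the X.509 comparison: LDAP_ENTRY_DN values already stored for existing users keep the old `cn=...,ou=...` spelling and would stop matching after an upgrade, and any place that uses toString() to build a DN for an LDAP operation now sends a differently spelled DN. The lower-risk fix is to leave toString() alone and normalize at the comparison point in X509ClientCertificateAuthenticator, for example by parsing both strings with javax.naming.ldap.LdapName and comparing with equals(), which already ignores attribute-type case and whitespace between RDNs. Separately, the second added line of the hunk is broken as pasted: the `+` sits alone on one line and `builder.append(rdn.attrName.toUpperCase()).append("=").append(rdn.attrValue);` follows without a `+` prefix (and the `b/` path in the `diff --git` header is cut off), so the patch will not apply from this mail; please resend it as a git format-patch attachment or open a pull request.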
Thank you,
Michael Peck
The MITRE Corporation
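As an added illustration (not part of the post, and not Keycloak code), the following helper shows how the two DN spellings in the mail can be matched without changing LDAPDn.toString(): both strings are parsed with javax.naming.ldap.LdapName, whose equals() ignores attribute-type case and whitespace between RDNs, and a canonical RFC 2253 rendering is produced for logging. The class name, method names and the comma-containing sample value are my own; the two DN strings are the ones quoted above.

```java
import java.util.Locale;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

/** Hypothetical helper (not Keycloak code) for matching a certificate subject DN to an LDAP entry DN. */
public class DnMatch {

    /**
     * Returns true when both strings name the same entry. LdapName.equals() compares RDN by RDN,
     * ignoring attribute-type case, whitespace between RDNs and leading/trailing whitespace in
     * values, so "CN=Peck Michael, OU=People" and "cn=Peck Michael,ou=People" are equal.
     * Malformed input is treated as a non-match rather than thrown to the caller.
     */
    public static boolean sameDn(String certSubjectDn, String ldapEntryDn) {
        try {
            return new LdapName(certSubjectDn).equals(new LdapName(ldapEntryDn));
        } catch (InvalidNameException e) {
            return false;
        }
    }

    /**
     * Canonical RFC 2253 rendering: lower-case types, no whitespace between RDNs, values escaped.
     * LdapName stores RDNs right-to-left (index 0 is the rightmost RDN), so iterate from the last
     * index to print the DN in the usual left-to-right order.
     */
    public static String canonical(String dn) throws InvalidNameException {
        LdapName name = new LdapName(dn);
        StringBuilder sb = new StringBuilder();
        for (int i = name.size() - 1; i >= 0; i--) {
            Rdn rdn = name.getRdn(i);
            if (sb.length() > 0) {
                sb.append(',');
            }
            sb.append(rdn.getType().toLowerCase(Locale.ROOT))
              .append('=')
              .append(Rdn.escapeValue(rdn.getValue()));
        }
        return sb.toString();
    }

    /** Certificate side: X500Principal.getName(RFC2253) gives a stable form, unlike the legacy getName(). */
    public static String certSubjectRfc2253(X500Principal subject) {
        return subject.getName(X500Principal.RFC2253);
    }

    public static void main(String[] args) throws InvalidNameException {
        // The two spellings quoted in the mail.
        String fromCert = "CN=Peck Michael, OU=People, DC=test, DC=net";
        String fromLdap = "cn=Peck Michael,ou=People,dc=test,dc=net";

        System.out.println("plain string equal: " + fromCert.equals(fromLdap));
        System.out.println("DN equal:           " + sameDn(fromCert, fromLdap));
        System.out.println("canonical (cert):   " + canonical(fromCert));
        System.out.println("canonical (ldap):   " + canonical(fromLdap));

        // Constructed sample: a value containing a comma stays escaped in the canonical form.
        String tricky = "CN=Peck\\, Michael, OU=People, DC=test, DC=net";
        System.out.println("escaped value:      " + canonical(tricky));

        // The same subject rendered through X500Principal in RFC 2253 form (no inter-RDN spaces).
        X500Principal subject = new X500Principal(fromCert);
        System.out.println("X500Principal:      " + certSubjectRfc2253(subject));
    }
}
```

Comparing parsed names rather than raw strings keeps the fix local to the authenticator's lookup, so the DN written to and stored from LDAP stays in whatever form LDAPDn already produces.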