[jboss-jira] [JBoss JIRA] (ELY-1616) ldap-key-store requires attribute userPKCS12 on ldap entry, even if it should be mandatory

Jiri Ondrusek (JIRA) issues at jboss.org
Thu Jul 26 12:14:00 EDT 2018


    [ https://issues.jboss.org/browse/ELY-1616?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13611232#comment-13611232 ] 

Jiri Ondrusek edited comment on ELY-1616 at 7/26/18 12:13 PM:
--------------------------------------------------------------

The issue is caused by missing configuration. The problem is caused by some LDAP servers (OpenLDAP in this case), which return "usercertificate;binary" as a result of a search for "usercertificate".
If this happens, then the LDAP entry is not recognized as a certificate without the "userPKCS12" attribute.
Even if "userPKCS12" is defined, the certificate is loaded from the "userSMIMECertificate" attribute instead of "userCertificate", so the truststore works only if all 3 attributes are filled: "userCertificate", "userSMIMECertificate" and "userPKCS12".

The solution is simple: use a mapping for this kind of LDAP server, to search for "usercertificate;binary" instead of "usercertificate".

{quote}/subsystem=elytron/ldap-key-store=qsTrustStore:add( \
  dir-context=exampleDC, \
  search-path="ou=trusstore,dc=example,dc=org", \
  certificate-chain-attribute="userCertificate;binary", \
){quote}

With this mapping the LDAP truststore will work without "userPKCS12" attributes (and also without "userSMIMECertificate").


was (Author: jondruse):
The issue is caused by missing configuration. The problem is caused by some LDAP servers (OpenLDAP in this case), which return "usercertificate;binary" as a result of a search for "usercertificate".
If this happens, then the LDAP entry is not recognized as a certificate without the "userPKCS12" attribute.

The solution is simple: use a mapping for this kind of LDAP server, to search for "usercertificate;binary" instead of "usercertificate".

{quote}/subsystem=elytron/ldap-key-store=qsTrustStore:add( \
  dir-context=exampleDC, \
  search-path="ou=trusstore,dc=example,dc=org", \
  certificate-chain-attribute="userCertificate;binary", \
){quote}

With this mapping the LDAP truststore will work without "userPKCS12" attributes.

> ldap-key-store requires attribute userPKCS12 on ldap entry, even if it should be mandatory
> ------------------------------------------------------------------------------------------
>
>                 Key: ELY-1616
>                 URL: https://issues.jboss.org/browse/ELY-1616
>             Project: WildFly Elytron
>          Issue Type: Bug
>    Affects Versions: 1.1.11.CR1
>            Reporter: Jiri Ondrusek
>            Assignee: Jiri Ondrusek
>
> The "key-attribute" ("userPKCS12") should not be necessary to use LdapKeyStore as truststore.
> See Steps to Reproduce for more information.
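The root cause described in the comment is that "userCertificate;binary" is an RFC 4512 attribute description: the attribute type "userCertificate" plus the transfer option ";binary", and a lookup that compares the returned description byte-for-byte against the configured name "userCertificate" sees no match. The added example below (written for this page, not Elytron's code) shows the difference between that strict comparison and an option-aware one that matches on the attribute type only, which is what makes a truststore work regardless of whether the server appends ";binary". The two LDAP entries are constructed samples, and the DER bytes in them are placeholders.

```python
"""Strict versus option-aware matching of LDAP attribute descriptions.

Added illustration for ELY-1616, not code from WildFly Elytron.
"""
from typing import Dict, FrozenSet, List, Optional, Tuple


def parse_attribute_description(desc: str) -> Tuple[str, FrozenSet[str]]:
    """Split 'userCertificate;binary' into ('usercertificate', {'binary'}).

    Per RFC 4512 an attribute description is an attribute type followed by
    zero or more ';option' suffixes; type and options are case-insensitive,
    so both are lower-cased here for comparison.
    """
    parts = desc.strip().split(";")
    attr_type = parts[0].strip().lower()
    options = frozenset(p.strip().lower() for p in parts[1:] if p.strip())
    return attr_type, options


def find_attribute(entry: Dict[str, List[bytes]], wanted: str,
                   ignore_options: bool = False) -> Optional[str]:
    """Return the key of `entry` that satisfies the configured name `wanted`.

    Strict mode (default): type and option set must both match, so a
    configured "userCertificate" does NOT find "userCertificate;binary".
    ignore_options=True: only the type must match, so either form is found.
    Returns None when nothing matches.
    """
    want_type, want_opts = parse_attribute_description(wanted)
    for key in entry:
        key_type, key_opts = parse_attribute_description(key)
        if key_type != want_type:
            continue
        if ignore_options or key_opts == want_opts:
            return key
    return None


# Constructed sample: the shape of an entry an OpenLDAP-style server returns,
# with the ";binary" option appended to the certificate attribute.
OPENLDAP_ENTRY: Dict[str, List[bytes]] = {
    "objectClass": [b"inetOrgPerson"],
    "cn": [b"qs-ca"],
    "userCertificate;binary": [b"\x30\x82PLACEHOLDER-DER"],  # placeholder bytes
}

# Constructed sample: a server that returns the attribute without an option.
PLAIN_ENTRY: Dict[str, List[bytes]] = {
    "cn": [b"qs-ca"],
    "userCertificate": [b"\x30\x82PLACEHOLDER-DER"],  # placeholder bytes
}


def certificate_lookup_report(entry: Dict[str, List[bytes]],
                              configured_attribute: str) -> Dict[str, Optional[str]]:
    """Show which key each matching strategy resolves for one configuration."""
    return {
        "strict": find_attribute(entry, configured_attribute),
        "option_aware": find_attribute(entry, configured_attribute, ignore_options=True),
    }


if __name__ == "__main__":
    # Default configuration against the OpenLDAP-style entry: strict lookup fails.
    print("userCertificate on OpenLDAP entry:",
          certificate_lookup_report(OPENLDAP_ENTRY, "userCertificate"))
    # The workaround from the comment: configure the exact returned description.
    print("userCertificate;binary on OpenLDAP entry:",
          certificate_lookup_report(OPENLDAP_ENTRY, "userCertificate;binary"))
    # The same workaround against a server that omits the option: strict fails again.
    print("userCertificate;binary on plain entry:",
          certificate_lookup_report(PLAIN_ENTRY, "userCertificate;binary"))
```

Running it shows why the mapping in the comment is server-specific: "userCertificate;binary" resolves strictly on the OpenLDAP-style entry but not on the plain one, while the option-aware lookup finds the certificate in both. When the configured name must be chosen per server, verifying the exact attribute description with an LDAP search before configuring the truststore avoids a silently empty trust set.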



--
This message was sent by Atlassian JIRA
(v7.5.0#75005)

