[keycloak-user] LDAPS configuration fails "Test authentication"

Jason Axley jaxley at expedia.com
Wed Feb 17 16:46:13 EST 2016


I followed some documentation like https://developer.jboss.org/wiki/LDAPSecurityRealmExamples for configuring JBoss to use LDAP over SSL to Active Directory but can’t seem to get Keycloak to honor the trust settings in the configured keystore.


2016-02-17 21:33:49,670 ERROR [org.keycloak.services.managers.LDAPConnectionTestManager] (default task-2) Error when authenticating to LDAP: simple bind failed: server.example.com:636: javax.naming.CommunicationException: simple bind failed: server.example.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
        at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219)

This is the configuration I’m using for the standalone server:


            <security-realm name="LdapSSLRealm">
                <authentication>
                    <truststore path="keycloak.jks" relative-to="jboss.server.config.dir" keystore-password="password" />
                </authentication>
            </security-realm>
        </security-realms>
        <outbound-connections>
            <ldap name="AD" url="ldaps://server.example.com:636" security-realm="LdapSSLRealm" />
        </outbound-connections>

I have all of the certs in the chain imported into the keystore:


keytool -list -keystore ../configuration/keycloak.jks
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 5 entries

cert1, Feb 17, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): D5:BA:F5:07:21:7D:71:AA:F6:9B:53:41:C1:05:0C:48:A9:3F:57:CE
rootcert2, Feb 17, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): 86:70:AB:0A:96:58:4D:73:C0:D5:13:A8:4D:B3:1D:EC:08:D7:7B:1A
mykey, Feb 12, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): 20:8C:D9:BD:B7:75:12:53:F8:68:04:82:48:5C:D7:70:F5:6C:28:15
rootcert, Feb 17, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): 36:28:1E:74:E0:A9:6E:0F:53:99:75:DA:62:20:24:D4:F6:34:CD:BD
intermediateu, Feb 17, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): E9:66:EE:CF:79:6A:C1:D0:13:18:59:9C:B4:29:08:54:DF:91:27:2D

Is there a way to find out if Keycloak/JBoss is picking up this truststore config? Seems that it’s not. Any other ideas?

-Jason
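The question the post ends on, whether the truststore contents are wrong or whether the server simply is not using that truststore for the LDAP connection, can be separated by reproducing the handshake outside Keycloak. The following is an added diagnostic, not code from the original post or from the Keycloak/JBoss projects. It loads the same JKS file, prints the trust anchors it contains, builds an SSLContext that trusts only that file (not the JVM's default cacerts), and performs a TLS handshake against the LDAPS port. The class name, the command-line arguments and a reachable LDAPS server are assumptions; the truststore path, password and `server.example.com:636` are taken from the post.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added diagnostic (hypothetical class, not Keycloak/JBoss code): reproduce the
 * LDAPS TLS handshake using only the given JKS truststore.
 *
 * Usage: java LdapsTrustCheck <truststore.jks> <password> <host> <port>
 * e.g.   java LdapsTrustCheck keycloak.jks password server.example.com 636
 */
public class LdapsTrustCheck {
    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: LdapsTrustCheck <truststore.jks> <password> <host> <port>");
            System.exit(2);
        }
        String tsPath = args[0];
        char[] tsPass = args[1].toCharArray();
        String host = args[2];
        int port = Integer.parseInt(args[3]);

        // 1. Load the truststore as the server would (type JKS, as keytool reported).
        KeyStore ts = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(tsPath)) {
            ts.load(in, tsPass);
        }

        // 2. List the trust anchors so their subjects can be compared with the
        //    issuers of the chain the server actually presents.
        System.out.println("Trust anchors in " + tsPath + ":");
        for (Enumeration<String> e = ts.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ts.isCertificateEntry(alias)) {
                X509Certificate c = (X509Certificate) ts.getCertificate(alias);
                System.out.println("  " + alias + ": " + c.getSubjectX500Principal());
            }
        }

        // 3. Build an SSLContext whose only trust anchors are this truststore, so a
        //    successful handshake proves the file itself is sufficient.
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);

        // 4. Handshake against the LDAPS port. A PKIX failure here means the chain in
        //    the truststore does not validate the server certificate; a success means
        //    the application server is not using this truststore for the LDAP connection.
        try (SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            sock.startHandshake();
            System.out.println("Handshake OK. Server chain as presented:");
            for (Certificate c : sock.getSession().getPeerCertificates()) {
                X509Certificate x = (X509Certificate) c;
                System.out.println("  subject=" + x.getSubjectX500Principal()
                    + " issuer=" + x.getIssuerX500Principal());
            }
        } catch (SSLHandshakeException ex) {
            System.out.println("Handshake FAILED: " + ex.getMessage());
            System.exit(1);
        }
    }
}
```

If the handshake fails with the same "PKIX path building failed" message, compare the printed issuer of the server's leaf certificate with the printed anchor subjects: the issuer that is missing from the list is the certificate still absent from the truststore. If the handshake succeeds, the truststore is fine and the remaining question is which truststore the LDAP code path in the server is actually consulting.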