[keycloak-user] LDAPS configuration fails "Test authentication"
Jason Axley
jaxley at expedia.com
Thu Feb 18 11:20:01 EST 2016
Will do.
This is Active Directory.
-Jason
From: Marek Posolda <mposolda at redhat.com>
Date: Thursday, February 18, 2016 at 8:15 AM
To: Jason Axley <jaxley at expedia.com>, "keycloak-user at lists.jboss.org" <keycloak-user at lists.jboss.org>
Subject: Re: [keycloak-user] LDAPS configuration fails "Test authentication"
That's possible. Could you please create JIRA for this?
Which LDAP server are you using btw? Not sure if it's related, but maybe yes...
Thanks,
Marek
On 18/02/16 17:04, Jason Axley wrote:
I got the keystore working in the keycloak-server.json config to enable SMTP TLS connections to Amazon SES so I know that is being picked up:
    "truststore": {
        "file": {
            "file": "${jboss.server.config.dir}/keycloak.jks",
            "password": "password",
            "hostname-verification-policy": "WILDCARD",
            "disabled": false
        }
    }
But, this same configuration is not applied to the LDAP connections. I finally got it to work by adding the Java keystore arguments to the startup:
    nohup ../bin/standalone.sh -Djavax.net.ssl.trustStore=/opt/keycloak/keycloak-1.8.1.Final/standalone/configuration/keycloak.jks -Djavax.net.ssl.trustStorePassword=password
Would seem to be a bug to not apply the same keystore configuration to the LDAP connections?
-Jason
From: Marek Posolda <mposolda at redhat.com>
Date: Wednesday, February 17, 2016 at 11:10 PM
To: Jason Axley <jaxley at expedia.com>, "keycloak-user at lists.jboss.org" <keycloak-user at lists.jboss.org>
Subject: Re: [keycloak-user] LDAPS configuration fails "Test authentication"
On 17/02/16 22:46, Jason Axley wrote:
I followed some documentation like https://developer.jboss.org/wiki/LDAPSecurityRealmExamples for configuring JBoss to use LDAP over SSL to Active Directory but can't seem to get Keycloak to honor the trust settings in the configured keystore.
    2016-02-17 21:33:49,670 ERROR [org.keycloak.services.managers.LDAPConnectionTestManager] (default task-2) Error when authenticating to LDAP: simple bind failed: server.example.com:636: javax.naming.CommunicationException: simple bind failed: server.example.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
        at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219)
This is the configuration I’m using for the standalone server:
        <security-realm name="LdapSSLRealm">
            <authentication>
                <truststore path="keycloak.jks" relative-to="jboss.server.config.dir" keystore-password="password" />
            </authentication>
        </security-realm>
    </security-realms>
    <outbound-connections>
        <ldap name="AD" url="ldaps://server.example.com:636" security-realm="LdapSSLRealm" />
    </outbound-connections>
I have all of the certs in the chain imported into the keystore:
    keytool -list -keystore ../configuration/keycloak.jks
    Enter keystore password:
    Keystore type: JKS
    Keystore provider: SUN
    Your keystore contains 5 entries
    cert1, Feb 17, 2016, trustedCertEntry,
    Certificate fingerprint (SHA1): D5:BA:F5:07:21:7D:71:AA:F6:9B:53:41:C1:05:0C:48:A9:3F:57:CE
    rootcert2, Feb 17, 2016, trustedCertEntry,
    Certificate fingerprint (SHA1): 86:70:AB:0A:96:58:4D:73:C0:D5:13:A8:4D:B3:1D:EC:08:D7:7B:1A
    mykey, Feb 12, 2016, trustedCertEntry,
    Certificate fingerprint (SHA1): 20:8C:D9:BD:B7:75:12:53:F8:68:04:82:48:5C:D7:70:F5:6C:28:15
    rootcert, Feb 17, 2016, trustedCertEntry,
    Certificate fingerprint (SHA1): 36:28:1E:74:E0:A9:6E:0F:53:99:75:DA:62:20:24:D4:F6:34:CD:BD
    intermediateu, Feb 17, 2016, trustedCertEntry,
    Certificate fingerprint (SHA1): E9:66:EE:CF:79:6A:C1:D0:13:18:59:9C:B4:29:08:54:DF:91:27:2D
Is there a way to find out if Keycloak/JBoss is picking up this truststore config? Seems that it's not. Any other ideas?
Yes, it seems that it's not picking it up. AFAIK we don't support retrieving the truststore from the WildFly security-realm configuration in standalone.xml. Maybe we should...
At this moment, what should work to configure truststore is either:
- Configure truststore SPI in keycloak-server.json. See http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e231
- add system properties javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword
Marek
-Jason
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
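The whole diagnosis in this thread hinges on reading the root exception inside the LDAPConnectionTestManager error: a PKIX path failure means the JVM performing the LDAP bind does not trust the server's chain (so the truststore is not reaching the LDAP connection), which is a different fix from a hostname mismatch or a plain bad-credential bind. As an added example, not code from the thread or from Keycloak, the Python script below triages constructed server.log lines into those categories and attaches the remediation each one points to. Only the first sample line mirrors the error quoted above; the other lines, the category names and the hint strings are my own constructions.

```python
import re
from collections import Counter

# Constructed sample log lines. The first mirrors the error quoted in the thread;
# the others are plausible neighbours (hostname mismatch, rejected bind, unrelated INFO).
SAMPLE_LOG = """\
2016-02-17 21:33:49,670 ERROR [org.keycloak.services.managers.LDAPConnectionTestManager] (default task-2) Error when authenticating to LDAP: simple bind failed: server.example.com:636: javax.naming.CommunicationException: simple bind failed: server.example.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
2016-02-17 21:35:02,101 ERROR [org.keycloak.services.managers.LDAPConnectionTestManager] (default task-3) Error when authenticating to LDAP: simple bind failed: server.example.com:636: javax.naming.CommunicationException: simple bind failed: server.example.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching server.example.com found.]
2016-02-17 21:36:11,412 ERROR [org.keycloak.services.managers.LDAPConnectionTestManager] (default task-4) Error when authenticating to LDAP: javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
2016-02-17 21:37:00,000 INFO  [org.keycloak.services] (ServerService Thread Pool -- 52) KC-SERVICES0001: Loading config from standalone.xml
"""

# WildFly/Keycloak console layout: "<date> <time> <LEVEL> [<logger>] (<thread>) <message>"
LOG_LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<level>\w+)\s+\[(?P<logger>[^\]]+)\] \((?P<thread>[^)]+)\) (?P<msg>.*)$"
)
# The host:port the bind was attempted against, when JNDI reports it.
HOST_RE = re.compile(r"simple bind failed: (?P<host>[\w.-]+:\d+)")

# Ordered signature table: first needle found in the message wins.
# Category names and hint texts are constructed for this example.
SIGNATURES = [
    ("truststore", "PKIX path building failed",
     "JVM doing the LDAP bind does not trust the server chain; confirm the truststore "
     "is applied to LDAP (keycloak-server.json truststore SPI or -Djavax.net.ssl.trustStore)"),
    ("truststore", "unable to find valid certification path",
     "same as above: chain not found in the truststore actually in use"),
    ("hostname", "No subject alternative DNS name",
     "chain is trusted but the certificate name does not match the host in the ldaps:// URL"),
    ("credentials", "error code 49",
     "TLS handshake succeeded; the bind DN or password was rejected by the directory"),
]


def classify(line):
    """Return a finding dict for an LDAPConnectionTestManager line, else None."""
    m = LOG_LINE_RE.match(line)
    if not m or "LDAPConnectionTestManager" not in m.group("logger"):
        return None
    msg = m.group("msg")
    category, hint = "other", "inspect the root exception manually"
    for cat, needle, remediation in SIGNATURES:
        if needle in msg:
            category, hint = cat, remediation
            break
    hm = HOST_RE.search(msg)
    return {
        "timestamp": m.group("ts"),
        "category": category,
        "host": hm.group("host") if hm else None,
        "hint": hint,
    }


def triage(log_text):
    """Classify every LDAP test-authentication error in a log excerpt, in order."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


def summarize(findings):
    """Count findings per category, e.g. {'truststore': 1, 'hostname': 1}."""
    return dict(Counter(f["category"] for f in findings))


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f['timestamp']} {f['category']:<11} host={f['host']}  {f['hint']}")
    print(summarize(found))
```

Run against a real server.log the script reads only ERROR lines from the LDAP test manager, so it is safe to point at a full log; the truststore category is the one that corresponds to the symptom in this thread and should disappear once the -Djavax.net.ssl.trustStore properties (or a truststore the LDAP code actually consults) are in place.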