[keycloak-user] ldaps from keycloak container

Joachim Lindenberg keycloak at lindenberg.one
Sat Oct 12 14:38:24 EDT 2019


Hello,

I am trying to set up Keycloak using a container and configure authentication against my LDAP (a Samba Active Directory). I configured ldaps://ldap.example.dom:636 in the user interface and "Test connection" succeeds. However, authentication of the bind user fails with the following exception:

Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
        at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:750)
        at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
        at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
        at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
        at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:443)
        at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:416)
        at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:359)
        at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)
        ... 88 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
        at sun.security.validator.Validator.validate(Validator.java:262)
        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:330)
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:237)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621)
        ... 101 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
        ... 107 more


I was expecting that I would have to import a CA, and therefore configured the environment variable X509_CA_BUNDLE to point to a cert as described in https://hub.docker.com/r/jboss/keycloak/ under "Setting up TLS(SSL)", but that section is not really clear on whether it also applies to trust for LDAPS.


Any suggestion?

Thanks, Joachim
