Connect keycloak to LDAP over SSL

Configuring the server
1

Hi,

We’re trying to connect keycloak to ldap over ssl. We followed keycloak documentation from this link and this link for adding the spi standalone.xml as can be seen below. There’s no problem on testing the connection url but it is failing on testing authentication. The seen error from the logs is as below. Is there a configuration that might be missed?

SunCertPathBuilderException: unable to find valid certification path to requested target

 <spi name="truststore">
         <provider name="file" enabled="true">
                 <properties>
                         <property name="file" value="${jboss.server.config.dir}/keystores/key.jks"/>
                         <property name="password" value="secret"/>
                         <property name="hostname-verification-policy" value="ANY"/>
                         <property name="disabled" value="false"/>
                 </properties>
         </provider>
 </spi>
2

@lazatin1323
Did you find a solution to this yet? I’m also have the same problem.

1 Like
3

Hi,

Generally, the error indicates that LDAP server certificate is not imported into truststore in Keycloak.

Best Regards,
Taro

4

You say that “There’s no problem on testing the connection url but it is failing on testing authentication”

Are you sure that connection url starts with “ldaps:”?

5

i have the same problem.
in my case, yes.
im using keycloak “jboss/keycloak” with docker compose.

when testing connection to ldaps://contoso.local:636 it connects OK,
but at “test authentication” using a domain-admin user, i got an error

Error! LDAP authentication failed. See server.log for details.

6

same question!
thanks.

7

@ema07cqc
what worked for me was, I copied my Certs from my CA (which was on my MSAD), then added them to my java keystore (cacerts) on my CentOS 7 machine. I did try creating my own keystore, but for some reason ansible failed to use it. It might have something to do with my Nginx reverse proxy.

8

Thanks, i will search for adding certs to java keystore (cacerts).
I have 3 Domain Controllers… i can use any CA from any of them?

thanks again and have a nice weekend!

9

@ema07cqc
I believe you can, which ever one you are using for authentication in the realm.

1 Like
10

An interesting point here.

Certificate validation is about validating that an server certificate is known. Certificate offered by server is known when it certificate chain can be checked till known trusted certificate. So, for this you have 2 options:

  • Add a common root certificate;
  • Add each ones final certificate (if you use all DCs).
1 Like
11

Thanks for your reply. Im still trying to figure out how to make this works.
:point_right: CONTOSO is my domain

Im trying to connect a Keycloak Realm to LDAPS.
LDAP works just fine, but LDAPS not.

  1. created a CA.crt and imported to all my DCs

  2. tested CA.crt the LDAPS connection with openssl and it connect OK to all DCs
    openssl s_client -connect DC1.contoso.local:636 -CAfile /mnt/ssl-ad-2020/LDAPS/ca.crt
    returns OK
    openssl s_client -connect DC2.contoso.local:636 -CAfile /mnt/ssl-ad-2020/LDAPS/ca.crt
    returns OK
    openssl s_client -connect DC3.contoso.local:636 -CAfile /mnt/ssl-ad-2020/LDAPS/ca.crt
    returns OK

  1. inside keycloak container, i generated a ¨custom¨ keystore with the command
    keytool -import -alias contoso.local -keystore /var/lib/keycloak/data/certs/ldaps/contoso-truststore.jks -file /var/lib/keycloak/data/certs/ldaps/contosoLDAPS.crt

  2. added this lines to keycloak/configuration/standalone.xml

    spi name=“truststore”>
    provider name=“file” enabled=“true”>
    properties>
    property name=“file” value=“keystores/contoso-truststore.jks”/>
    property name=“password” value=“my-password”/>
    property name=“hostname-verification-policy” value=“WILDCARD”/>
    property name=“disabled” value=“false”/>
    /properties>
    /provider>
    /spi>

  3. redeployed the container

  4. still getting this error on the log

16:30:51,778 ERROR [org.keycloak.services] (default task-5) KC-SERVICES0055: Error when authenticating to LDAP: contoso.local:636: javax.naming.CommunicationException: contoso.local:636 [Root exception is java.net.SocketException: Connection reset by peer (connect failed)]

and

16:30:53,963 ERROR [org.keycloak.services] (default task-5) KC-SERVICES0055: Error when authenticating to LDAP: Could not negotiate TLS: javax.naming.AuthenticationException: Could not negotiate TLS

and another 200 error lines

Thanks for your time.
Regards.

12

“Could not negotiate TLS” appears to be other problem…

There are any ‘PKIX’ messages on log?

It works if you add cert to java cacerts?

1 Like
13

Thanks for your answer!
Yes, ¨ERROR Could not negotiate TLS:PKIX path building failed¨

Tried to add cert to java cacerts but im still trying to find out how to do that.
Thanks again.

14

Comand to add certificate to cacerts:
${java_home}/bin/keytool -import -alias ${cert_alias} -file ${certificate} -keystore ${java_home}/lib/security/cacerts

Its important to use correct cacerts, double check what Java is your keycloak using.

Thats it. Your ssl connection can’t check certificate received from server.

15

Thank You.
I started from scratch and it worked.

#entered to keycloak docker as root
docker exec -u root -it here-your-docker-id bash

#assigned file permissions to
/lib/jvm/jre-11/lib/security/cacerts

#entered to keycloak docker as regular user
docker exec -it here-your-docker-id bash

#imported the CA.crt
keytool -import -alias contoso.local -file /var/lib/keycloak/data/ca.crt -keystore /lib/jvm/jre-11/lib/security/cacerts -storepass changeit

the default storepass for cacerts is “changeit”

Thank you very much.

16

Hi,
When I follow your annotations, I have the same error than you have before. Is needed some additional configuration??

Still getting this error in docker logs:

`PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target`

Thank you

17

Hi, I have the same issue with server version 12.0.4
Someone has a way to solve it?

18

I solved a same problem.
My solution via Dockerfile. Import crt direct to java trust store.

COPY ldap.crt /opt/jboss/keycloak/standalone/configuration/ldap.cer
USER root
RUN keytool -importcert -alias ldapcert -cacerts -storepass changeit -noprompt -trustcacerts -file /opt/jboss/keycloak/standalone/configuration/ldap.cer

19

Hello everyone

I´m working with keycloak 13.0.1 over ubuntu 18.04. It´s working fine but I want to secure the LDAP connection using LDAPS over StartTLS

The server give me the following message:

[ERROR [org.keycloak.services] (default task-15) KC-SERVICES0055: Error when authenticating to LDAP: Could not negotiate TLS: javax. naming.AuthenticationException: Could not negotiate TLS]

I think i’ve followed correctly the instructions describe in the next link Server Installation and Configuration Guide (keycloak.org)

I tried all of the solutions mentioned in this conversation. Could be a the problem with the certificate? but i have the https working, Is not the same certificate?

When hay try to check the LDAP certificate using

openssl s_client -connect [ipserver]:636

I recieve

Verify return code: 20 (unable to get local issuer certificate)
read:errno=104

how can i solve it?

20

Hi, did you remember what do you mean with #assigned file permissions to
/lib/jvm/jre-11/lib/security/cacerts ?