Connect keycloak to LDAP over SSL

Hi,

We’re trying to connect keycloak to ldap over ssl. We followed keycloak documentation from this link and this link for adding the spi standalone.xml as can be seen below. There’s no problem on testing the connection url but it is failing on testing authentication. The seen error from the logs is as below. Is there a configuration that might be missed?

SunCertPathBuilderException: unable to find valid certification path to requested target
 <spi name="truststore">
         <provider name="file" enabled="true">
                 <properties>
                         <property name="file" value="${jboss.server.config.dir}/keystores/key.jks"/>
                         <property name="password" value="secret"/>
                         <property name="hostname-verification-policy" value="ANY"/>
                         <property name="disabled" value="false"/>
                 </properties>
         </provider>
 </spi>

@lazatin1323
Did you find a solution to this yet? I’m also have the same problem.

1 Like

Hi,

Generally, the error indicates that LDAP server certificate is not imported into truststore in Keycloak.

Best Regards,
Taro

You say that “There’s no problem on testing the connection url but it is failing on testing authentication”

Are you sure that connection url starts with “ldaps:”?

i have the same problem.
in my case, yes.
im using keycloak “jboss/keycloak” with docker compose.

when testing connection to ldaps://contoso.local:636 it connects OK,
but at “test authentication” using a domain-admin user, i got an error

Error! LDAP authentication failed. See server.log for details.

same question!
thanks.

@ema07cqc
what worked for me was, I copied my Certs from my CA (which was on my MSAD), then added them to my java keystore (cacerts) on my CentOS 7 machine. I did try creating my own keystore, but for some reason ansible failed to use it. It might have something to do with my Nginx reverse proxy.

Thanks, i will search for adding certs to java keystore (cacerts).
I have 3 Domain Controllers… i can use any CA from any of them?

thanks again and have a nice weekend!

@ema07cqc
I believe you can, which ever one you are using for authentication in the realm.

1 Like

An interesting point here.

Certificate validation is about validating that an server certificate is known. Certificate offered by server is known when it certificate chain can be checked till known trusted certificate. So, for this you have 2 options:

  • Add a common root certificate;
  • Add each ones final certificate (if you use all DCs).
1 Like

Thanks for your reply. Im still trying to figure out how to make this works.
:point_right: CONTOSO is my domain

Im trying to connect a Keycloak Realm to LDAPS.
LDAP works just fine, but LDAPS not.

  1. created a CA.crt and imported to all my DCs

  2. tested CA.crt the LDAPS connection with openssl and it connect OK to all DCs
    openssl s_client -connect DC1.contoso.local:636 -CAfile /mnt/ssl-ad-2020/LDAPS/ca.crt
    returns OK
    openssl s_client -connect DC2.contoso.local:636 -CAfile /mnt/ssl-ad-2020/LDAPS/ca.crt
    returns OK
    openssl s_client -connect DC3.contoso.local:636 -CAfile /mnt/ssl-ad-2020/LDAPS/ca.crt
    returns OK

  1. inside keycloak container, i generated a ¨custom¨ keystore with the command
    keytool -import -alias contoso.local -keystore /var/lib/keycloak/data/certs/ldaps/contoso-truststore.jks -file /var/lib/keycloak/data/certs/ldaps/contosoLDAPS.crt

  2. added this lines to keycloak/configuration/standalone.xml

    spi name=“truststore”>
    provider name=“file” enabled=“true”>
    properties>
    property name=“file” value=“keystores/contoso-truststore.jks”/>
    property name=“password” value=“my-password”/>
    property name=“hostname-verification-policy” value=“WILDCARD”/>
    property name=“disabled” value=“false”/>
    /properties>
    /provider>
    /spi>

  3. redeployed the container

  4. still getting this error on the log

16:30:51,778 ERROR [org.keycloak.services] (default task-5) KC-SERVICES0055: Error when authenticating to LDAP: contoso.local:636: javax.naming.CommunicationException: contoso.local:636 [Root exception is java.net.SocketException: Connection reset by peer (connect failed)]

and

16:30:53,963 ERROR [org.keycloak.services] (default task-5) KC-SERVICES0055: Error when authenticating to LDAP: Could not negotiate TLS: javax.naming.AuthenticationException: Could not negotiate TLS

and another 200 error lines

Thanks for your time.
Regards.

“Could not negotiate TLS” appears to be other problem…

There are any ‘PKIX’ messages on log?

It works if you add cert to java cacerts?

1 Like

Thanks for your answer!
Yes, ¨ERROR Could not negotiate TLS:PKIX path building failed¨

Tried to add cert to java cacerts but im still trying to find out how to do that.
Thanks again.

Comand to add certificate to cacerts:
{java_home}/bin/keytool -import -alias {cert_alias} -file {certificate} -keystore {java_home}/lib/security/cacerts

Its important to use correct cacerts, double check what Java is your keycloak using.

Thats it. Your ssl connection can’t check certificate received from server.

Thank You.
I started from scratch and it worked.

#entered to keycloak docker as root
docker exec -u root -it here-your-docker-id bash

#assigned file permissions to
/lib/jvm/jre-11/lib/security/cacerts

#entered to keycloak docker as regular user
docker exec -it here-your-docker-id bash

#imported the CA.crt
keytool -import -alias contoso.local -file /var/lib/keycloak/data/ca.crt -keystore /lib/jvm/jre-11/lib/security/cacerts -storepass changeit

the default storepass for cacerts is “changeit”

Thank you very much.

Hi,
When I follow your annotations, I have the same error than you have before. Is needed some additional configuration??

Still getting this error in docker logs:

`PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target`

Thank you

Hi, I have the same issue with server version 12.0.4
Someone has a way to solve it?

I solved a same problem.
My solution via Dockerfile. Import crt direct to java trust store.

COPY ldap.crt /opt/jboss/keycloak/standalone/configuration/ldap.cer
USER root
RUN keytool -importcert -alias ldapcert -cacerts -storepass changeit -noprompt -trustcacerts -file /opt/jboss/keycloak/standalone/configuration/ldap.cer