Hi,
I have a problem authenticating to LDAP over SSL (ldaps://) from Keycloak.
I tested the .cert file inside the Docker container with an ldapsearch command, and that returns results correctly.
Keycloak version - 13.0.0
I tried the following methods, but none of them worked.
Created a .jks truststore from the .cert file:
# NOTE(review): keytool -import stores one certificate per alias; if ca-certificates.crt is a multi-certificate PEM bundle, only its first entry is likely to be imported. Import the LDAP server's issuing CA chain on its own (one alias per certificate) and confirm with `keytool -list -keystore truststore.jks` that the issuer is actually present.
keytool -import -alias ldapcert -keystore truststore.jks -file ca-certificates.crt -storepass changeit -noprompt
-
Set KEYCLOAK_EXTRA_ARGS
# NOTE(review): hostname-verification-policy=ANY turns off TLS hostname verification for the LDAP connection; keep it only while diagnosing and return to WILDCARD or STRICT once the trust problem is solved.
# The --spi-* form is the Quarkus-style option syntax; confirm that the WildFly-based 13.0.0 image actually applies these arguments, as the log line "No truststore provider found" indicates the file provider was never registered.
KEYCLOAK_EXTRA_ARGS="--spi-truststore-file-file=/opt/jboss/.cacerts/truststore.jks --spi-truststore-file-password=changeit --spi-truststore-file-hostname-verification-policy=ANY"
-
Set extra JVM options (JAVA_OPTS):
# NOTE(review): -Djavax.net.ssl.trustStore replaces the JVM default truststore rather than extending it, so every other TLS endpoint Keycloak contacts must also be trusted by truststore.jks. If the LDAP bind still fails with this set, the certificate in truststore.jks is not the one that issued the LDAP server certificate (see the PKIX error further down).
JAVA_OPTS="-Djavax.net.ssl.trustStore=/opt/jboss/.cacerts/truststore.jks -Djavax.net.ssl.trustStorePassword=changeit"
-
Updated standalone-ha.xml
<!-- NOTE(review): server-identities/ssl/keystore is the key material Keycloak presents to inbound HTTPS clients (this realm is referenced by an https-listener in the undertow subsystem); it is not a truststore for outbound LDAP. truststore.jks was built from CA certificates only and holds no private key, so a listener bound to this realm is unlikely to start. Trust for ldaps:// is configured through the Keycloak truststore SPI or javax.net.ssl.trustStore instead. -->
<security-realm name="UndertowRealm">
<server-identities>
<ssl>
<keystore path="truststore.jks" relative-to="jboss.server.config.dir" keystore-password="changeit" />
</ssl>
</server-identities>
</security-realm>
<!-- NOTE(review): this subsystem configures the inbound HTTP/HTTPS server; nothing in it affects how Keycloak validates the LDAP server certificate on outbound connections. -->
<subsystem xmlns="urn:jboss:domain:undertow:12.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
<buffer-cache name="default"/>
<server name="default-server">
<ajp-listener name="ajp" socket-binding="ajp"/>
<http-listener name="default" socket-binding="http" redirect-socket="https" proxy-address-forwarding="${env.PROXY_ADDRESS_FORWARDING:false}" enable-http2="true"/>
<https-listener name="https" socket-binding="https" proxy-address-forwarding="${env.PROXY_ADDRESS_FORWARDING:false}" security-realm="ApplicationRealm" enable-http2="true"/>
<!-- NOTE(review): duplicate listener: an https-listener named "https" on socket-binding "https" is already declared on the previous line. Listener names must be unique within a server, so this second declaration is expected to be rejected at boot; keep a single listener and point its security-realm at the realm holding the server key pair. -->
<https-listener name="https" socket-binding="https" security-realm="UndertowRealm"/>
<host name="default-host" alias="localhost">
<location name="/" handler="welcome-content"/>
<http-invoker security-realm="ApplicationRealm"/>
<!-- NOTE(review): second http-invoker in the same host; only one is expected per host. Keep one of the two rather than declaring both. -->
<http-invoker security-realm="UndertowRealm"/>
</host>
</server>
<servlet-container name="default">
<jsp-config/>
<websockets/>
</servlet-container>
<handlers>
<file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
</handlers>
</subsystem>
- Updated standalone.xml
<!-- NOTE(review): the outer <spi> element on the next line is never closed, so this fragment is not well-formed as pasted (presumably a copy/paste artifact). Confirm the <spi name="truststore"> element is nested inside the Keycloak server subsystem of the configuration file that is actually booted: the undertow changes were made to standalone-ha.xml while this block is in standalone.xml, and the log line "No truststore provider found" indicates this provider was never loaded. -->
<spi>
<spi name="truststore">
<provider name="file" enabled="true">
<properties>
<property name="file" value="/opt/jboss/.cacerts/truststore.jks" />
<property name="password" value="changeit" />
<!-- NOTE(review): ANY disables hostname verification of the LDAP server certificate; acceptable only while diagnosing, switch to WILDCARD or STRICT afterwards. -->
<property name="hostname-verification-policy" value="ANY"/>
<property name="disabled" value="false"/>
</properties>
</provider>
</spi>
With all of the above options I get the same error:
10:29:02,638 INFO [org.keycloak.truststore.SSLSocketFactory] (default task-3) No truststore provider found - using default SSLSocketFactory
10:29:05,618 ERROR [org.keycloak.services] (default task-3) KC-SERVICES0055: Error when authenticating to LDAP: simple bind failed: <FQDN>:636: javax.naming.CommunicationException: simple bind failed: <FQDN>:636 [Root exception is java.net.SocketException: Connection or outbound has closed]
After some time, running 'Test Authentication' produces a different error:
11:26:27,394 ERROR [org.keycloak.services] (default task-3) KC-SERVICES0055: Error when authenticating to LDAP: simple bind failed: <FQDN>:636: javax.naming.CommunicationException: simple bind failed: <FQDN>:636 [Root exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
Could someone please advise on how to solve this? It is very urgent.