LDAPS Docker Container

Hello,

I am trying to configure a User Federation using LDAPS with my Active Directory provider. I am using Keycloak in a Docker Container. When I try to authenticate I get the following error:

ERROR [org.keycloak.services] (default task-2) KC-SERVICES0055: Error when authenticating to LDAP: simple bind failed: MY_SERVER:636: javax.naming.CommunicationException: simple bind failed: MY_SERVER:636 [Root exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]

I spoke to my Active Directory Provider and got 3 .cer files as certificates. They told me all 3 are necessary. But now I am unsure on how I should use them.

In the Keycloak Forum (here) I found that I should configure the X509_CA_BUNDLE environment variable to be /var/run/secrets/kubernetes.io/serviceaccount/ca.crt . I could convert my .cer files to .crt files and copy them into that directory when creating the container, but this solution only works for one certificate if I am not mistaken.

How should I approach this?

Solved it by combining all the certificates into a .crt like shown here and then importing it like stated in the Keycloak Documentation.
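The "combine all the certificates into one .crt" step from the post above, written out as an added example for this thread (it is not code from the thread or from Keycloak). The catch it handles: a .cer file exported from Active Directory can be either PEM text or binary DER, and simply concatenating DER files gives a bundle no TLS library can read. The file names and certificate bytes below are constructed stand-ins, not real certificates.

```python
"""Merge several .cer files into one PEM bundle suitable for X509_CA_BUNDLE.
Added example for this thread; sample data is constructed, not real."""
from __future__ import annotations

import ssl
from pathlib import Path

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def pem_blocks(text: str) -> list[str]:
    """Return every CERTIFICATE block in PEM text with clean BEGIN/END framing."""
    blocks, body, inside = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == PEM_BEGIN:
            inside, body = True, []
        elif line == PEM_END and inside:
            inside = False
            blocks.append(PEM_BEGIN + "\n" + "\n".join(body) + "\n" + PEM_END + "\n")
        elif inside and line:
            body.append(line)
    return blocks


def to_pem(data: bytes) -> list[str]:
    """Normalise one .cer file's bytes to PEM blocks.

    ".cer" is only an extension: the file is either PEM text or DER binary.
    A DER-encoded certificate starts with the ASN.1 SEQUENCE tag 0x30
    (so does a PKCS#7 .p7b, which this simple check does not distinguish).
    """
    if PEM_BEGIN.encode() in data:
        blocks = pem_blocks(data.decode("ascii", errors="replace"))
        if not blocks:
            raise ValueError("PEM header present but no complete certificate block")
        return blocks
    if data[:1] == b"\x30":
        # ssl.DER_cert_to_PEM_cert base64-encodes and wraps at 64 columns.
        return [ssl.DER_cert_to_PEM_cert(data)]
    raise ValueError("neither PEM nor DER certificate data")


def build_bundle(cer_files: dict[str, bytes]) -> tuple[str, int]:
    """Concatenate all certificates into one PEM bundle, dropping exact
    duplicates. Returns the bundle text and the number of distinct certs."""
    seen: set[bytes] = set()
    parts: list[str] = []
    for _name, data in cer_files.items():
        for block in to_pem(data):
            der = ssl.PEM_cert_to_DER_cert(block)
            if der not in seen:
                seen.add(der)
                parts.append(block)
    if not parts:
        raise ValueError("no certificates found; the trust store would be empty")
    return "".join(parts), len(parts)


def bundle_from_paths(paths: list[str], out_path: str) -> int:
    """Read real .cer files from disk and write the bundle; returns cert count."""
    files = {p: Path(p).read_bytes() for p in paths}
    bundle, count = build_bundle(files)
    Path(out_path).write_text(bundle)
    return count


# Constructed sample input (NOT real certificates): one "DER" file, one PEM
# file, and the DER root exported a second time under another name.
ROOT_DER = b"\x30\x82\x01\x0a" + bytes(range(48))
INTERMEDIATE_PEM = ssl.DER_cert_to_PEM_cert(b"\x30\x82\x00\x20" + b"B" * 32).encode()
SAMPLE_FILES = {
    "root-ca.cer": ROOT_DER,
    "intermediate-ca.cer": INTERMEDIATE_PEM,
    "root-ca-again.cer": ROOT_DER,
}

if __name__ == "__main__":
    text, n = build_bundle(SAMPLE_FILES)
    print(f"{n} distinct certificate(s) in bundle")
    print(text, end="")
```

Point X509_CA_BUNDLE at the written file. To confirm every certificate in the bundle is readable before mounting it, list them with `openssl crl2pkcs7 -nocrl -certfile bundle.crt | openssl pkcs7 -print_certs -noout`; a bundle that lists only one subject when three were expected usually means the other files were DER and were concatenated raw.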

Hi @jominga

I’m facing the same problem right now and I can’t figure out what to do using the official Keycloak documentation.

Using Docker-Compose I assume I have to simply mount the new cert file into the container at the right place. The path you mentioned (/var/run/secrets/kubernetes.io/serviceaccount/ca.crt) doesn't exist in my running container!?

Do you have any hint?

Thx

Hello,

Even if the path does not exist you can create it when specifying your volume in the docker-compose file.

Example:

version: "2.4"
services:
  web:
    image: nginx:alpine
    ports:
      - "80:80"
    volumes:
      # Bind-mount the host directory holding the .crt file; Docker creates
      # the target path inside the container if it does not exist yet.
      - type: bind
        source: ./pathToCert
        target: /var/run/secrets/kubernetes.io/serviceaccount

networks:
  webnet:

volumes:
  mydata:

See Compose file version 2 reference | Docker Documentation

Thx.

Right now I just did:

keytool -import -trustcacerts -alias MYALAIS -file ./certs/myadcert.cer -keystore ./certs/cacerts

Then I mount the self-created Java cert store, containing our own Root CA cert from Active Directory:

volumes:
  - ./certs/cacerts:/etc/pki/java/cacerts

This works for me as I only need this single cert in the keystore.

I tried this approach, but I’m running into this error:

ERROR [org.keycloak.services] (default task-4) KC-SERVICES0055: 
Error when authenticating to LDAP: 
simple bind failed: <ldap-server-hostname>:636: 
javax.naming.CommunicationException: 
simple bind failed: <ldap-server-hostname>:636 [Root exception is 
javax.net.ssl.SSLException: Unexpected error: 
java.security.InvalidAlgorithmParameterException: 
the trustAnchors parameter must be non-empty]

Not sure how to troubleshoot this. Maybe it is due to an incorrect password for the keystore? What should the password be?