LDAPS Docker Container

Hello,

I am trying to configure a User Federation using LDAPS with my Active Directory provider. I am using Keycloak in a Docker Container. When I try to authenticate I get the following error:

ERROR [org.keycloak.services] (default task-2) KC-SERVICES0055: Error when authenticating to LDAP: simple bind failed: MY_SERVER:636: javax.naming.CommunicationException: simple bind failed: MY_SERVER:636 [Root exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]

I spoke to my Active Directory Provider and got 3 .cer files as certificates. They told me all 3 are necessary. But now I am unsure on how I should use them.

In the Keycloak Forum (here) I found that I should configure the X509_CA_BUNDLE enviroment variable to be /var/run/secrets/kubernetes.io/serviceaccount/ca.crt . I could convert my .cer files to .crt files and copy them in that directory when creating the container, but this solution only works for one certificate if I am not mistaken.

How should I approach this?

Solved it by combining all the certificates into a .crt like shown here and then importing it like stated in the Keycloak Documentation.

Hi @jominga

I’m facing the same problem right now and I can’t figure out what to do using the official Keycloak documentation.

Using Docker-Compose I assume I have to simple mount the new Cert file into the container at the right place. The path you mentioned (/var/run/secrets/kubernetes.io/serviceaccount/ca.crt) doesn’t exist in my running container!?!?

Do you have any hint?

Thx

Hello,

Even if the path does not exist you can create it when specifying your volume in the docker-compose file.

Example:

version: "2.4"
services:
  web:
    image: nginx:alpine
    ports:
      - "80:80"
    volumes:
      - type: bind
        source: ./pathToCert
        target: /var/run/secrets/kubernetes.io/serviceaccount

networks:
  webnet:

volumes:
  mydata:

See Compose file version 2 reference | Docker Documentation

Thx.

Right now I just did:

keytool -import -trustcacerts -alias MYALAIS -file ./certs/myadcert.cer -keystore ./certs/cacerts

mount self created Java Cert Store with own Root CA cert from Active Directory

volumes:
  - ./certs/cacerts:/etc/pki/java/cacerts

This works for me as I only need this single cert in the keystore.