Connect to LDAP with invalid certificate


Todor Petkov

Jan 11, 2022, 6:11:56 AM
to keyclo...@googlegroups.com
Hello,

I am running Keycloak 13 in Kubernetes and I need to add a connection to
an LDAP(S) server. The server in question has an invalid certificate and
Keycloak refuses to connect with message "ERROR [org.keycloak.services]
(default task-392) KC-SERVICES0055: Error when authenticating to LDAP:
simple bind failed: ldapserver.domain:636:
javax.naming.CommunicationException: simple bind failed:
ldapserver.domain:636 [Root exception is
javax.net.ssl.SSLHandshakeException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target]"

Is there a way to allow Keycloak to connect to the server without
checking the certificate by adding an environment variable? I don't want
to rebuild the image to add the server certificate in the store.

Regards

C R

Jan 11, 2022, 7:05:03 AM
to Todor Petkov, Keycloak User
I suspect adding the Java property
"-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true" may
work. Another option may be to add the CA at runtime by adapting the
entrypoint script.

C.

Todor Petkov

Jan 17, 2022, 12:22:37 PM
to C R, Keycloak User

Unfortunately, it still gives the error. I added the following properties:
-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
-Dmaven.wagon.http.ssl.insecure=true
-Dmaven.wagon.http.ssl.allowall=true
-Dcom.sun.security.enableAIAcaIssuers=true

What am I missing here?

Thanks
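
The property that was tried only switches off hostname verification (endpoint identification); the quoted error, "PKIX path building failed ... unable to find valid certification path to requested target", is the trust-chain check failing, which no JNDI property turns off. The maven.wagon.* properties belong to Maven's own HTTP client and are ignored by the application JVM, and enableAIAcaIssuers only lets the JVM fetch intermediate certificates via the AIA extension, which still has to chain to a trusted root. The script below is an added example, not code from the thread or from Keycloak, that sorts Keycloak LDAP bind errors into failure classes and states, for each, whether disabling endpoint identification could change anything. The sample log lines are constructed: the first reproduces the thread's error on a single line, the others use the wording of the corresponding JDK exceptions. The remedy texts are the editor's own.

```shell
#!/bin/sh
# Added example (not from the thread or from Keycloak): classify the TLS failure behind a
# Keycloak "KC-SERVICES0055: Error when authenticating to LDAP" line and say which
# client-side setting, if any, can change the outcome.
set -e

# classify LINE -> prints one of:
#   untrusted_chain | expired_certificate | hostname_mismatch | other_tls | not_tls | not_ldap_error
classify() {
  case "$1" in
    *KC-SERVICES0055*|*CommunicationException*) ;;
    *) echo not_ldap_error; return 0 ;;
  esac
  case "$1" in
    *"PKIX path building failed"*"unable to find valid certification path"*)
      echo untrusted_chain ;;
    *"PKIX path validation failed"*"validity check failed"*|*CertificateExpiredException*)
      echo expired_certificate ;;
    *"No subject alternative"*" matching "*" found"*|*"No name matching "*" found"*|*"No subject alternative names present"*)
      echo hostname_mismatch ;;
    *SSLHandshakeException*)
      echo other_tls ;;
    *)
      echo not_tls ;;
  esac
}

# endpoint_id_helps CLASS -> yes/no: does
# -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true affect this class?
# It only turns off hostname verification; it never makes an untrusted or expired chain valid.
endpoint_id_helps() {
  case "$1" in hostname_mismatch) echo yes ;; *) echo no ;; esac
}

# remedy CLASS -> what actually fixes it (editor's summary, not Keycloak documentation)
remedy() {
  case "$1" in
    untrusted_chain)     echo "import the LDAP server's issuing CA into the JVM truststore (javax.net.ssl.trustStore) or the Keycloak truststore SPI" ;;
    expired_certificate) echo "renew the server certificate; no client flag makes an expired chain valid" ;;
    hostname_mismatch)   echo "reissue the certificate with the host in SAN; disabling endpoint identification works but removes MITM protection" ;;
    other_tls)           echo "read the full stack trace: protocol/cipher mismatch or truncated chain" ;;
    not_tls)             echo "not a TLS problem: check reachability, port and bind DN/credentials" ;;
    *)                   echo "n/a" ;;
  esac
}

# endpoint LINE -> host:port following "simple bind failed:" (empty if absent)
endpoint() {
  printf '%s\n' "$1" | sed -n 's/.*simple bind failed: \([^ :]*:[0-9]*\).*/\1/p' | head -n 1
}

# report LINE... -> one row per line
report() {
  for line in "$@"; do
    c=$(classify "$line")
    ep=$(endpoint "$line")
    printf '%-22s %-20s endpointId=%-3s %s\n' "${ep:-?}" "$c" "$(endpoint_id_helps "$c")" "$(remedy "$c")"
  done
}

# Constructed sample lines (multi-line Java traces flattened to one line each).
LOG_CHAIN='ERROR [org.keycloak.services] (default task-392) KC-SERVICES0055: Error when authenticating to LDAP: simple bind failed: ldapserver.domain:636: javax.naming.CommunicationException: simple bind failed: ldapserver.domain:636 [Root exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]'
LOG_NAME='ERROR [org.keycloak.services] (default task-12) KC-SERVICES0055: Error when authenticating to LDAP: simple bind failed: ldap.corp.example:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching ldap.corp.example found.]'
LOG_EXPIRED='ERROR [org.keycloak.services] (default task-19) KC-SERVICES0055: Error when authenticating to LDAP: simple bind failed: ldap.corp.example:636 [Root exception is javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed]'
LOG_REFUSED='ERROR [org.keycloak.services] (default task-7) KC-SERVICES0055: Error when authenticating to LDAP: ldap.corp.example:636 [Root exception is java.net.ConnectException: Connection refused]'

# Run the demo only when invoked as the script itself, so the functions can be sourced.
if [ "${0##*/}" = "kc-ldap-triage.sh" ]; then
  report "$LOG_CHAIN" "$LOG_NAME" "$LOG_EXPIRED" "$LOG_REFUSED"
fi
```

Run over the thread's own error the first row comes out as untrusted_chain with endpointId=no, which is the practical answer to "what am I missing": the CA has to be trusted, and no property short of replacing the JVM's trust manager (which is not a configuration knob) skips that check.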

Sad Sad

Jan 17, 2022, 12:46:25 PM
to Todor Petkov, C R, Keycloak User