Wildfly 13 LDAPS authentication


Arthur Leclerc

Mar 31, 2020, 12:03:58 PM
to WildFly
Hello,

I use Wildfly 13 in standalone mode and have a single webapp deployed.
I already configured basic LDAP authentication (port 389) through Elytron subsystem (combined realm: LDAP for authentication and JDBC for authorization).
Now my organization wants to enforce SSL over all LDAP connections (port 636).

The problem is I can't configure Wildfly to connect to LDAP server via port 636.

I already have a Server SSL Context configured that is used for the HTTPS protocol.
So after changing the URL of the LDAP dir-context object (from ldap://myurl:389 to ldaps://myurl:636), I removed both the Principal and Credential Reference attributes from the dir-context object.

Then I tried to use the existing Server SSL Context for the LDAP dir-context, but it was not working (SSL Handshake Exception).

Then I tried to set up a Client SSL Context with the same Key Manager as the previous one, but I still had the same error.

Then I tried to export the Root certificate for my organization, and set up a new Key Manager that uses it, then set up a Client SSL Context that uses this Key Manager, and set this SSL Context as the dir-context SSL Context. But still the same error.

Here are screenshots of my configuration and the server logs generated when I try to authenticate:

[attached screenshots: log.PNG, keystore.PNG, keymanager.PNG, sslcontext.PNG, dircontext.PNG]
Am I missing anything to configure the LDAPS connection?

Thanks,
Arthur




valsaraj pv

Apr 1, 2020, 3:36:34 AM
to Arthur Leclerc, WildFly
Would you share the xml snippet for LDAP conf?

--
You received this message because you are subscribed to the Google Groups "WildFly" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wildfly+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wildfly/1a453b79-8205-457c-868a-0f95e2d3f899%40googlegroups.com.


--
Life is like this: "Just when we get all the answers of life.... God changes the question paper....

Valsaraj Viswanathan

Arthur Leclerc

Apr 2, 2020, 4:48:24 PM
to WildFly
Hello,

Here is the snippet for my whole security configuration.
For privacy reasons I edited the values of the following attributes:
- search-base-dn of the identity-mapping tag in the ldap-realm tag
- clear-text passwords
- hostname of the LDAP server

About the passwords: the key-manager has a credential-reference child tag. I left it here because according to the documentation it is mandatory, but the root certificate in the keystore doesn't require a password (I set it to the same value as the keystore password).


<subsystem xmlns="urn:wildfly:elytron:3.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
...
    <security-domains>
        ...
        <security-domain name="combined-sd" default-realm="combined-realm" permission-mapper="default-permission-mapper">
            <realm name="combined-realm"/>
        </security-domain>
    </security-domains>
    <security-realms>
        <aggregate-realm name="combined-realm" authentication-realm="ldap-realm" authorization-realm="jdbc-realm"/>
        <jdbc-realm name="jdbc-realm">
            <principal-query sql="SELECT role FROM users WHERE username=UPPER(?)" data-source="myDS">
                <attribute-mapping>
                    <attribute to="Roles" index="1"/>
                </attribute-mapping>
            </principal-query>
        </jdbc-realm>
        ...
        <ldap-realm name="ldap-realm" dir-context="ldap-dir" direct-verification="true">
            <identity-mapping rdn-identifier="sAMAccountName" use-recursive-search="true" search-base-dn="ou=myOrga,dc=myorga,dc=org">
                <user-password-mapper from="userPassword" verifiable="false"/>
            </identity-mapping>
        </ldap-realm>
    </security-realms>
    ...
    <http>
        ...
        <http-authentication-factory name="combined-http-auth" security-domain="combined-sd" http-server-mechanism-factory="global">
            <mechanism-configuration>
                <mechanism mechanism-name="BASIC">
                    <mechanism-realm realm-name="mySecurityDomain"/>
                </mechanism>
            </mechanism-configuration>
        </http-authentication-factory>
        <provider-http-server-mechanism-factory name="global"/>
    </http>
    ...
    <tls>
        <key-stores>
        ...
            <key-store name="ldapsKS">
                <credential-reference clear-text="keystorePassword"/>
                <implementation type="JKS"/>
                <file path="ldaps.keystore" relative-to="jboss.server.config.dir"/>
            </key-store>
        </key-stores>

        <key-managers>
            <key-manager name="ldapsKM" key-store="ldapsKS">
                <credential-reference clear-text="keystorePassword"/>
            </key-manager>
        </key-managers>
        <client-ssl-contexts>
            <client-ssl-context name="ldapsSSL" protocols="TLSv1 TLSv1.1 TLSv1.2 TLSv1.3" key-manager="ldapsKM"/>
        </client-ssl-contexts>
    </tls>

    <dir-contexts>
        <dir-context name="ldap-dir" url="ldaps://myUrl:636" ssl-context="ldapsSSL"/>
    </dir-contexts>
</subsystem>
...
<subsystem xmlns="urn:jboss:domain:undertow:6.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other">
    ...
    <application-security-domains>
        <application-security-domain name="mySecurityDomain" http-authentication-factory="combined-http-auth"/>
    </application-security-domains>
</subsystem>



Thank you,
Arthur





Philippe Marschall

Jun 9, 2020, 4:31:16 PM
to WildFly
Hello

You're experiencing an SSL error because the LDAPS client doesn't trust the server certificate, likely because the root certificate is not in the truststore. You need to set up a truststore for the LDAPS server.

Cheers
Philippe
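As an added illustration of Philippe's answer (example configuration written for this thread, not posted by any participant): the client-ssl-context needs a trust-manager backed by a keystore that holds the organization's root CA, not a key-manager. A key-manager only supplies the client's own certificate and private key (needed solely when the LDAP server demands client-certificate authentication), so pointing one at the root certificate, as in the posted config, cannot make the server's certificate trusted. Names (ldapsTS, ldapsTM), the truststore file and its password are assumptions.

```xml
<!-- Added example for the urn:wildfly:elytron:3.0 subsystem (WildFly 13).
     Assumes the file ldaps.truststore in jboss.server.config.dir was created with
     the organization's root CA only, e.g.:
       keytool -importcert -alias org-root-ca -file root-ca.pem \
               -keystore ldaps.truststore -storetype JKS
     Replaces the <tls> and <dir-contexts> sections of the posted configuration. -->
<tls>
    <key-stores>
        <!-- Truststore: contains only the trusted root CA certificate, no private key.
             The credential-reference is the (hypothetical) truststore password. -->
        <key-store name="ldapsTS">
            <credential-reference clear-text="truststorePassword"/>
            <implementation type="JKS"/>
            <file path="ldaps.truststore" relative-to="jboss.server.config.dir"/>
        </key-store>
    </key-stores>
    <trust-managers>
        <!-- The trust-manager validates the LDAP server's certificate chain against
             the CA certificates in ldapsTS. This is what was missing in the thread. -->
        <trust-manager name="ldapsTM" key-store="ldapsTS"/>
    </trust-managers>
    <client-ssl-contexts>
        <!-- No key-manager: it is only needed if the LDAP server requires a client
             certificate. Only TLS 1.2 and 1.3 are offered; TLSv1 and TLSv1.1 from the
             posted config are deprecated and should not be enabled. -->
        <client-ssl-context name="ldapsSSL" protocols="TLSv1.2 TLSv1.3" trust-manager="ldapsTM"/>
    </client-ssl-contexts>
</tls>
<dir-contexts>
    <!-- Same dir-context as in the thread; the ssl-context now carries trust
         information, so the LDAPS handshake can verify the server certificate. -->
    <dir-context name="ldap-dir" url="ldaps://myUrl:636" ssl-context="ldapsSSL"/>
</dir-contexts>
```

Before restarting WildFly, confirm that the exported root CA actually anchors the server's chain with `openssl s_client -connect myUrl:636 -CAfile root-ca.pem`; a "Verify return code: 0 (ok)" there means the remaining failure is in the Elytron wiring, while any other code means the wrong CA (for example an intermediate instead of the root) was exported.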