Hi, I'm using a custom server built on the ApacheDS API. I would like to use client certificate authentication by utilizing the SASL EXTERNAL method. I got it working for non-admin users, but I have problems with the admin: even after adding the "userCertificate" attribute for "uid=admin,ou=system", authentication still fails due to an unknown client certificate.
I suspect that the problem is as follows: when looking at the ApacheDS code, it seems userCertificates are only searched under searchBaseDn [1], which in my case is set to "dc=keycloak,dc=org". Therefore "uid=admin,ou=system" will never appear in the search results. What would be the best approach to fix this?

Best regards
Tero

[1] https://github.com/apache/directory-server/blob/11ec7f62cf552727098dd2739046b819e94d7307/protocol-ldap/src/main/java/org/apache/directory/server/ldap/handlers/sasl/external/certificate/ExternalSaslServer.java#L153
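One way to confirm the suspicion above before changing anything on the server: reproduce the lookup from the client side with the ApacheDS LDAP API, searching for the client certificate under the configured searchBaseDn and, separately, under "ou=system". This is an added diagnostic written for this page, not code from the post, from ApacheDS or from Keycloak. It assumes the server listens on localhost:10389, that "uid=admin,ou=system" can still do a simple password bind with the password "secret", that the certificate is available as a PEM or DER file, and that the ApacheDS schema evaluates an equality filter on userCertificate against the raw DER bytes (the filter below escapes them per RFC 4515).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

import org.apache.directory.api.ldap.model.cursor.EntryCursor;
import org.apache.directory.api.ldap.model.entry.Entry;
import org.apache.directory.api.ldap.model.message.SearchScope;
import org.apache.directory.ldap.client.api.LdapConnection;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;

/**
 * Diagnostic: look for entries whose userCertificate equals the client
 * certificate, once under the server's searchBaseDn and once under
 * "ou=system". If the admin entry only shows up under "ou=system", a
 * server-side lookup restricted to searchBaseDn cannot find it.
 */
public class CertSearchBaseCheck {

    // Assumed values for this example; adjust to the target server.
    private static final String HOST = "localhost";
    private static final int PORT = 10389;
    private static final String ADMIN_DN = "uid=admin,ou=system";
    private static final String ADMIN_PASSWORD = "secret";
    private static final String SEARCH_BASE_DN = "dc=keycloak,dc=org";

    /** Load the DER encoding of a certificate from a PEM or DER file. */
    static byte[] loadDer(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            X509Certificate cert = (X509Certificate) cf.generateCertificate(in);
            return cert.getEncoded();
        }
    }

    /** Build an RFC 4515 equality filter with every DER byte escaped as \xx. */
    static String certFilter(byte[] der) {
        StringBuilder sb = new StringBuilder("(userCertificate=");
        for (byte b : der) {
            sb.append(String.format("\\%02x", b & 0xff));
        }
        return sb.append(')').toString();
    }

    /** Subtree search under one base; prints each matching DN and returns the count. */
    static int countMatches(LdapConnection conn, String base, String filter) throws Exception {
        int hits = 0;
        // "1.1" asks for no attributes; we only care about which DNs match.
        try (EntryCursor cursor = conn.search(base, filter, SearchScope.SUBTREE, "1.1")) {
            while (cursor.next()) {
                Entry entry = cursor.get();
                System.out.println("  found " + entry.getDn() + " under " + base);
                hits++;
            }
        }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        String certPath = args.length > 0 ? args[0] : "admin-client.pem"; // assumed path
        String filter = certFilter(loadDer(certPath));

        try (LdapConnection conn = new LdapNetworkConnection(HOST, PORT)) {
            // Bind with a password so the search is allowed to read ou=system too.
            conn.bind(ADMIN_DN, ADMIN_PASSWORD);

            // Same scope the server is suspected to use: searchBaseDn only.
            int underSearchBase = countMatches(conn, SEARCH_BASE_DN, filter);
            // Where the admin entry actually lives.
            int underSystem = countMatches(conn, "ou=system", filter);

            System.out.println("matches under " + SEARCH_BASE_DN + ": " + underSearchBase);
            System.out.println("matches under ou=system: " + underSystem);
        }
    }
}
```

If the first count is 0 and the second is 1, the certificate is stored correctly and the failure is purely a matter of which base the server searches; if both are 0, the stored userCertificate value does not match the certificate the client presents, which is a different problem (wrong file, re-issued certificate, or a value stored in PEM rather than DER form).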
