Thanks Emmanuel,

As a workaround I created a local copy of CertificateMechanismHandler.java and ExternalSaslServer.java, modified the latter to also search for userCertificate under "uid=admin,ou=system" besides searchBaseDn. I then registered this modified copy with addSaslMechanismHandler() and it worked!
-- 
Tero

On Tue, Aug 11, 2020 at 8:36 AM Emmanuel Lécharny <[email protected]> wrote:
> Hi!
>
> On 10/08/2020 13:53, Tero Saarni wrote:
> > Hi,
> >
> > I'm using a custom server built on ApacheDS API. I would like to use
> > client certificate authentication by utilizing SASL EXTERNAL method.
> > I got it working for non-admin users but I have problems with the
> > admin: even after adding the "userCertificate" attribute for
> > "uid=admin,ou=system", authentication still fails due to an
> > unknown client certificate.
> >
> > I suspect that the problem is as follows:
> >
> > When looking at the ApacheDS code, it seems userCertificates are only
> > searched under searchBaseDn [1], which in my case is set to
> > "dc=keycloak,dc=org". Therefore "uid=admin,ou=system" will never
> > appear in the search results.
> >
> > What would be the best approach to fix this?
>
> Hmmm, not simple. admin is a kind of special user, which bypasses most of
> the controls.
>
> One solution would be to write a specific authenticator that deals with
> this special use case. The server allows you to add such an
> authenticator and configure it in the server config file. From the top
> of my head, this is what I see as a quick and dirty solution.
>
> > Best regards
> > Tero
> >
> > [1]
> > https://github.com/apache/directory-server/blob/11ec7f62cf552727098dd2739046b819e94d7307/protocol-ldap/src/main/java/org/apache/directory/server/ldap/handlers/sasl/external/certificate/ExternalSaslServer.java#L153
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
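The certificate-to-DN lookup the thread discusses, as an added example that is not code from the thread nor from ApacheDS itself. It does what Tero's modified ExternalSaslServer does (search searchBaseDn and additionally "uid=admin,ou=system"), with two checks a practitioner would want: the admin lookup uses OBJECT scope on the admin entry only, so widening the search does not expose the rest of ou=system, and the lookup refuses to authenticate unless exactly one entry carries the presented certificate. Assumptions: the package name and class are hypothetical; the `CoreSession.search(Dn, SearchScope, ExprNode, AliasDerefMode, String...)` and `EqualityNode(String, byte[])` signatures are those of the ApacheDS 2.0 / LDAP API 2.x line and may differ in other versions; the caller supplies the server's admin CoreSession, as ExternalSaslServer receives one.

```java
package example.sasl; // hypothetical package, not part of ApacheDS

import java.io.IOException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

import org.apache.directory.api.ldap.model.constants.SchemaConstants;
import org.apache.directory.api.ldap.model.cursor.Cursor;
import org.apache.directory.api.ldap.model.cursor.CursorException;
import org.apache.directory.api.ldap.model.entry.Entry;
import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.api.ldap.model.filter.EqualityNode;
import org.apache.directory.api.ldap.model.filter.ExprNode;
import org.apache.directory.api.ldap.model.message.AliasDerefMode;
import org.apache.directory.api.ldap.model.message.SearchScope;
import org.apache.directory.api.ldap.model.name.Dn;
import org.apache.directory.server.core.api.CoreSession;

/**
 * Resolves a client certificate presented via SASL EXTERNAL to the DN of the
 * entry that holds it. Example code: the helper name and package are assumed.
 */
public final class CertificateUserResolver
{
    /** The special admin entry that lives outside searchBaseDn. */
    private static final String ADMIN_DN = "uid=admin,ou=system";

    private CertificateUserResolver()
    {
    }

    /**
     * Returns the DN of the single entry whose userCertificate equals the
     * presented certificate (DER bytes), or null when there is no such entry
     * or when more than one entry matches (ambiguity is a failure, not a guess).
     */
    public static Dn resolve( CoreSession adminSession, String searchBaseDn, X509Certificate clientCert )
        throws LdapException, CertificateEncodingException
    {
        byte[] der = clientCert.getEncoded();

        // Match on the full DER encoding, never on a subject name or serial
        // number that a second certificate could share.
        ExprNode filter = new EqualityNode<byte[]>( SchemaConstants.USER_CERTIFICATE_AT, der );

        List<Dn> matches = new ArrayList<>();

        // 1) the regular user tree, as ExternalSaslServer already does
        collect( adminSession, new Dn( searchBaseDn ), SearchScope.SUBTREE, filter, matches );

        // 2) the admin entry only (OBJECT scope), not the whole ou=system subtree
        collect( adminSession, new Dn( ADMIN_DN ), SearchScope.OBJECT, filter, matches );

        if ( matches.size() != 1 )
        {
            return null; // unknown certificate, or one certificate mapped to two identities
        }

        return matches.get( 0 );
    }

    /** Appends the DN of every entry under base (within scope) that satisfies filter. */
    private static void collect( CoreSession session, Dn base, SearchScope scope, ExprNode filter, List<Dn> out )
        throws LdapException
    {
        // Assumed signature: CoreSession.search(Dn, SearchScope, ExprNode, AliasDerefMode, String...)
        try ( Cursor<Entry> cursor = session.search( base, scope, filter, AliasDerefMode.NEVER_DEREF_ALIASES,
            SchemaConstants.NO_ATTRIBUTE_ARRAY ) )
        {
            while ( cursor.next() )
            {
                out.add( cursor.get().getDn() );
            }
        }
        catch ( IOException | CursorException e )
        {
            throw new LdapException( e.getMessage(), e );
        }
    }
}
```

To use it the way Tero did, call `resolve(...)` from a local copy of ExternalSaslServer in place of its single-base search, and register the copied handler for the EXTERNAL mechanism with `LdapServer.addSaslMechanismHandler(...)`. Requiring exactly one match matters for the admin case in particular: if the same certificate were also stored on an ordinary user, a lookup that took the first hit could bind the client as whichever entry the search happened to return first.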
