Quick question still regarding admin authentication with client certificate.
Would a change like this be something that the upstream is interested in? It is a small change and obviously something with a rather limited potential user base. Draft version here https://github.com/tsaarni/directory-server/commit/2abccdb7abbf1d766f18872753236c74b84712fa

-- Tero

On Tue, Aug 11, 2020 at 4:43 PM Tero Saarni <[email protected]> wrote:
> Thanks Emmanuel,
>
> As a workaround I created a local copy of CertificateMechanismHandler.java
> and ExternalSaslServer.java, modified the latter to also search for
> userCertificate under "uid=admin,ou=system" besides searchBaseDn. I
> then registered this modified copy with addSaslMechanismHandler() and it
> worked!
>
> --
> Tero
>
>
> On Tue, Aug 11, 2020 at 8:36 AM Emmanuel Lécharny <[email protected]> wrote:
>> Hi!
>>
>> On 10/08/2020 13:53, Tero Saarni wrote:
>> > Hi,
>> >
>> > I'm using a custom server built on the ApacheDS API. I would like to use
>> > client certificate authentication by utilizing the SASL EXTERNAL method.
>> > I got it working for non-admin users but I have problems with the
>> > admin: even after adding the "userCertificate" attribute for
>> > "uid=admin,ou=system", authentication still fails due to an
>> > unknown client certificate.
>> >
>> > I suspect that the problem is as follows:
>> >
>> > When looking at the ApacheDS code, it seems userCertificates are only
>> > searched under searchBaseDn [1], which in my case is set to
>> > "dc=keycloak,dc=org". Therefore "uid=admin,ou=system" will never
>> > appear in the search results.
>> >
>> > What would be the best approach to fix this?
>>
>>
>> Hmmm, not simple. admin is a kind of special user, which bypasses most of
>> the controls.
>>
>>
>> One solution would be to write a specific authenticator that deals with
>> this special use case. The server allows you to add such an
>> authenticator and configure it in the server config file. Off the top
>> of my head, this is what I see as a quick and dirty solution.
>>
>> > Best regards
>> > Tero
>> >
>> > [1]
>> > https://github.com/apache/directory-server/blob/11ec7f62cf552727098dd2739046b819e94d7307/protocol-ldap/src/main/java/org/apache/directory/server/ldap/handlers/sasl/external/certificate/ExternalSaslServer.java#L153
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [email protected]
>> For additional commands, e-mail: [email protected]
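For readers following the thread, here is a worked example of the lookup the workaround describes: search for the presented client certificate under searchBaseDn first, then check uid=admin,ou=system by exact DN. This is example code written for this thread; it is neither ApacheDS's ExternalSaslServer nor Tero's draft commit. It assumes ApacheDS 2.0 with the api 2.x model classes (CoreSession.search(Dn, SearchScope, ExprNode, AliasDerefMode, String...), Value(AttributeType, byte[]), EqualityNode(AttributeType, Value), CoreSession.lookup(Dn, String...), ServerDNConstants.ADMIN_SYSTEM_DN), that the schema allows an equality filter on userCertificate as the existing handler relies on, and that the caller (a modified ExternalSaslServer copy) has already pulled the X509Certificate out of the TLS session. The class name ClientCertificateEntryResolver is made up for the example.

```java
import java.security.cert.X509Certificate;

import org.apache.directory.api.ldap.model.cursor.Cursor;
import org.apache.directory.api.ldap.model.entry.Attribute;
import org.apache.directory.api.ldap.model.entry.Entry;
import org.apache.directory.api.ldap.model.entry.Value;
import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.api.ldap.model.filter.EqualityNode;
import org.apache.directory.api.ldap.model.message.AliasDerefMode;
import org.apache.directory.api.ldap.model.message.SearchScope;
import org.apache.directory.api.ldap.model.name.Dn;
import org.apache.directory.api.ldap.model.schema.AttributeType;
import org.apache.directory.api.ldap.model.schema.SchemaManager;
import org.apache.directory.server.constants.ServerDNConstants;
import org.apache.directory.server.core.api.CoreSession;

/**
 * Resolves the directory entry that owns a presented TLS client certificate.
 * Example code for the mailing-list thread, not part of ApacheDS: it mirrors
 * the userCertificate search under searchBaseDn that ExternalSaslServer does
 * and adds the explicit uid=admin,ou=system fallback discussed above.
 */
public final class ClientCertificateEntryResolver
{
    private static final String USER_CERTIFICATE = "userCertificate";

    private final CoreSession adminSession; // privileged session used for the lookups
    private final Dn searchBaseDn;          // the server's configured searchBaseDn
    private final Dn adminDn;               // uid=admin,ou=system

    public ClientCertificateEntryResolver( CoreSession adminSession, String searchBaseDn ) throws LdapException
    {
        this.adminSession = adminSession;
        SchemaManager schemaManager = adminSession.getDirectoryService().getSchemaManager();
        this.searchBaseDn = new Dn( schemaManager, searchBaseDn );
        this.adminDn = new Dn( schemaManager, ServerDNConstants.ADMIN_SYSTEM_DN );
    }

    /** Returns the entry to bind as, or null if the certificate is unknown (the bind must fail). */
    public Entry resolve( X509Certificate clientCertificate ) throws Exception
    {
        // Match on the full DER encoding, never on the subject DN alone: a subject name
        // is not a secret and can be issued by any CA the trust store happens to accept.
        byte[] der = clientCertificate.getEncoded();

        Entry entry = searchUnderBase( der );
        if ( entry != null )
        {
            return entry;
        }

        // admin lives outside searchBaseDn, so it is checked by exact DN instead of
        // widening the search base; nothing else under ou=system becomes bindable.
        return matchesAdmin( der ) ? adminSession.lookup( adminDn ) : null;
    }

    private Entry searchUnderBase( byte[] der ) throws Exception
    {
        SchemaManager schemaManager = adminSession.getDirectoryService().getSchemaManager();
        AttributeType certType = schemaManager.lookupAttributeTypeRegistry( USER_CERTIFICATE );
        // Assumption: equality filter on the binary userCertificate value, as the
        // existing handler's search relies on.
        EqualityNode<byte[]> filter = new EqualityNode<>( certType, new Value( certType, der ) );

        try ( Cursor<Entry> cursor = adminSession.search( searchBaseDn, SearchScope.SUBTREE, filter,
            AliasDerefMode.NEVER_DEREF_ALIASES, USER_CERTIFICATE ) )
        {
            Entry found = null;
            while ( cursor.next() )
            {
                if ( found != null )
                {
                    // Two entries carrying the same certificate is a configuration error;
                    // refusing is safer than binding as whichever entry came back first.
                    return null;
                }
                found = cursor.get();
            }
            return found;
        }
    }

    private boolean matchesAdmin( byte[] der ) throws LdapException
    {
        Entry admin = adminSession.lookup( adminDn, USER_CERTIFICATE );
        Attribute certs = admin.get( USER_CERTIFICATE );
        // Attribute.contains compares the stored binary values bytewise with the DER bytes.
        return certs != null && certs.contains( der );
    }
}
```

The caller does what the existing handler does after its own search: build the LdapPrincipal for the returned entry's DN and set the user session on the LdapSession; that part is unchanged and not repeated here. The point of the explicit lookup rather than a search rooted at "" is that only the one admin entry gains certificate authentication, and the admin's userCertificate value must be the complete DER certificate (loaded with userCertificate;binary), since anything else will never compare equal.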
