Hi!
On 10/08/2020 13:53, Tero Saarni wrote:
Hi,
I'm using a custom server built on ApacheDS API. I would like to use
client certificate authentication by utilizing SASL EXTERNAL method.
I got it working for non-admin users but I have problems with the
admin: even after adding the "userCertificate" attribute for
"uid=admin,ou=system", authentication still fails due to an
unknown client certificate.
I suspect that the problem is as follows:
When looking at the ApacheDS code, it seems userCertificates are only
searched under searchBaseDn [1], which in my case is set to
"dc=keycloak,dc=org". Therefore "uid=admin,ou=system" will never
appear in the search results.
What would be the best approach to fix this?
Hmmm, not simple. admin is a kind of special user, which bypasses most of
the controls.
One solution would be to write a specific authenticator that deals with
this special use case. The server allows you to add such an
authenticator and configure it in the server config file. From the top
of my head, this is what I see as a quick and dirty solution.
Best regards
Tero
[1]
https://github.com/apache/directory-server/blob/11ec7f62cf552727098dd2739046b819e94d7307/protocol-ldap/src/main/java/org/apache/directory/server/ldap/handlers/sasl/external/certificate/ExternalSaslServer.java#L153
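To make the "specific authenticator" suggestion concrete, here is an added example (not code from the thread or from the ApacheDS project) of a custom authenticator that handles the SASL (STRONG) bind level for a DN outside searchBaseDn, such as uid=admin,ou=system, by comparing the TLS peer certificate with the entry's own userCertificate attribute, plus a helper that registers it programmatically on a server built on the ApacheDS API. The authenticator SPI used here (AbstractAuthenticator, BindOperationContext, LdapPrincipal, AuthenticationInterceptor) is ApacheDS's own; the assumptions are that the LDAP protocol handler attaches the MINA IoSession to the bind context, that the MINA SslFilter stores the SSLSession under SslFilter.SSL_SESSION (MINA 2.0.x naming), and that the class name AdminCertificateAuthenticator and the DN passed as baseDn are the reader's choice.

```java
// Added example, not part of the thread or of ApacheDS itself.
// Assumptions (see lead-in): bindContext.getIoSession() is populated by the
// LDAP handler, and the SSLSession sits under SslFilter.SSL_SESSION (MINA 2.0.x).
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

import org.apache.directory.api.ldap.model.constants.AuthenticationLevel;
import org.apache.directory.api.ldap.model.entry.Attribute;
import org.apache.directory.api.ldap.model.entry.Entry;
import org.apache.directory.api.ldap.model.entry.Value;
import org.apache.directory.api.ldap.model.exception.LdapAuthenticationException;
import org.apache.directory.api.ldap.model.name.Dn;
import org.apache.directory.server.core.api.DirectoryService;
import org.apache.directory.server.core.api.InterceptorEnum;
import org.apache.directory.server.core.api.LdapPrincipal;
import org.apache.directory.server.core.api.interceptor.context.BindOperationContext;
import org.apache.directory.server.core.authn.AbstractAuthenticator;
import org.apache.directory.server.core.authn.AuthenticationInterceptor;
import org.apache.directory.server.core.authn.Authenticator;
import org.apache.mina.filter.ssl.SslFilter;

/** Hypothetical name: authenticates a bind DN by its own userCertificate, not by a search under searchBaseDn. */
public class AdminCertificateAuthenticator extends AbstractAuthenticator {

    public AdminCertificateAuthenticator(Dn baseDn) {
        // STRONG is the level used for SASL binds. baseDn restricts the bind DNs this
        // authenticator is consulted for (e.g. ou=system), via isValid() in the base class.
        super(AuthenticationLevel.STRONG, baseDn);
    }

    @Override
    public LdapPrincipal authenticate(BindOperationContext bindContext) throws Exception {
        Dn bindDn = bindContext.getDn();

        X509Certificate presented = peerCertificate(bindContext);
        if (presented == null) {
            throw new LdapAuthenticationException("No client certificate on the TLS session for " + bindDn);
        }

        // Read the entry through the admin session: the binding user is not yet
        // authenticated, so its own access rights must not govern this lookup.
        Entry entry = getDirectoryService().getAdminSession().lookup(bindDn, "userCertificate");
        if (entry == null || !entry.containsAttribute("userCertificate")) {
            throw new LdapAuthenticationException("No userCertificate stored on " + bindDn);
        }

        // Exact DER match against every stored value; constant-time compare avoids
        // leaking how far a wrong certificate matched.
        byte[] presentedDer = presented.getEncoded();
        Attribute stored = entry.get("userCertificate");
        for (Value value : stored) {
            if (MessageDigest.isEqual(presentedDer, value.getBytes())) {
                return new LdapPrincipal(getDirectoryService().getSchemaManager(), bindDn, AuthenticationLevel.STRONG);
            }
        }
        throw new LdapAuthenticationException("Client certificate does not match userCertificate of " + bindDn);
    }

    /** Leaf certificate the peer proved possession of during the TLS handshake, or null if there is none. */
    private static X509Certificate peerCertificate(BindOperationContext bindContext) {
        if (bindContext.getIoSession() == null) {
            return null;
        }
        // Assumption: SslFilter stored the SSLSession under this attribute key.
        SSLSession ssl = (SSLSession) bindContext.getIoSession().getAttribute(SslFilter.SSL_SESSION);
        if (ssl == null) {
            return null;
        }
        try {
            Certificate[] chain = ssl.getPeerCertificates();
            return chain.length > 0 && chain[0] instanceof X509Certificate ? (X509Certificate) chain[0] : null;
        } catch (SSLPeerUnverifiedException noClientAuth) {
            return null; // the server never requested, or the client never sent, a certificate
        }
    }

    /** Adds this authenticator to the running AuthenticationInterceptor of an embedded DirectoryService. */
    public static void register(DirectoryService directoryService, Dn baseDn) throws Exception {
        AuthenticationInterceptor authn = (AuthenticationInterceptor)
            directoryService.getInterceptor(InterceptorEnum.AUTHENTICATION_INTERCEPTOR.getName());
        Authenticator extra = new AdminCertificateAuthenticator(baseDn);
        extra.init(directoryService); // the interceptor only inits authenticators present at its own init()
        Set<Authenticator> authenticators = new HashSet<>(authn.getAuthenticators());
        authenticators.add(extra);
        authn.setAuthenticators(authenticators);
    }
}
```

Two caveats for anyone taking this "quick and dirty" route. First, the DER comparison only proves that the client holds the private key of the stored certificate because the TLS layer already ran the handshake; the listener must therefore request client certificates (wantClientAuth or needClientAuth), otherwise getPeerCertificates() throws and the bind is refused, which is the safe failure. Second, this authenticator is only consulted once the SASL EXTERNAL exchange has produced a bind for that DN; if the ExternalSaslServer lookup under searchBaseDn still rejects the admin certificate before that point, the custom server also has to route the EXTERNAL mechanism through its own resolution of certificate to DN, which this example does not cover.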