Posted to dev@directory.apache.org by Tero Saarni <te...@gmail.com> on 2020/08/10 11:53:14 UTC

Using client certificate authentication for LDAP admin

Hi,

I'm using a custom server built on ApacheDS API.  I would like to use
client certificate authentication by utilizing SASL EXTERNAL method.  I got
it working for non-admin users but I have problems with the admin:  even
after adding the "userCertificate" attribute for "uid=admin,ou=system",
authentication still fails due to an unknown client certificate.

I suspect that the problem is as follows:

When looking at the ApacheDS code, it seems userCertificates are only
searched under searchBaseDn [1], which in my case is set to
"dc=keycloak,dc=org".  Therefore "uid=admin,ou=system" will never appear in
the search results.

What would be the best approach to fix this?

Best regards
Tero

[1]
https://github.com/apache/directory-server/blob/11ec7f62cf552727098dd2739046b819e94d7307/protocol-ldap/src/main/java/org/apache/directory/server/ldap/handlers/sasl/external/certificate/ExternalSaslServer.java#L153

Re: Using client certificate authentication for LDAP admin

Posted by Tero Saarni <te...@gmail.com>.
Quick question still regarding admin authentication with client
certificate.

Would a change like this be something that the upstream is interested in?
It is a small change and obviously something with a rather limited
potential user base.
Draft version here
https://github.com/tsaarni/directory-server/commit/2abccdb7abbf1d766f18872753236c74b84712fa

-- 
Tero



Re: Using client certificate authentication for LDAP admin

Posted by Tero Saarni <te...@gmail.com>.
Thanks Emmanuel,

As a workaround I created a local copy of CertificateMechanismHandler.java
and ExternalSaslServer.java, modified the latter to also search for
userCertificate under "uid=admin,ou=system" besides searchBaseDn.  I
then registered this modified copy with addSaslMechanismHandler() and it
worked!

-- 
Tero


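As an added illustration (not ApacheDS code and not the patch linked in this thread), the following Python model shows why the lookup scope matters: a certificate-to-entry search restricted to searchBaseDn can never return "uid=admin,ou=system", while adding that DN as a second search base, as the workaround above does, makes the admin entry resolvable. The entry DNs, certificate bytes and function names are constructed for the example.

```python
# Model of how a SASL EXTERNAL handler maps a presented client certificate
# to a directory entry. Constructed example; not ApacheDS code.

def normalize_dn(dn):
    """Split a DN into lowercase, whitespace-trimmed RDNs (model only)."""
    return tuple(rdn.strip().lower() for rdn in dn.split(","))

def is_within_base(entry_dn, base_dn):
    """True if entry_dn equals base_dn or lies in its subtree (subtree scope)."""
    entry, base = normalize_dn(entry_dn), normalize_dn(base_dn)
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base

def find_entry_for_certificate(entries, cert_der, search_bases):
    """Return the DN whose userCertificate value equals the presented DER
    bytes, looking only under the given base DNs. Matching is on the whole
    certificate value, so a different certificate with the same subject
    does not match."""
    for dn, attrs in entries.items():
        if not any(is_within_base(dn, base) for base in search_bases):
            continue  # entry is outside every search base: never considered
        if any(stored == cert_der for stored in attrs.get("userCertificate", [])):
            return dn
    return None

# Constructed directory content; the byte strings stand in for DER certificates.
ADMIN_CERT = b"\x30\x82constructed-admin-cert"
USER_CERT = b"\x30\x82constructed-user-cert"
DIRECTORY = {
    "uid=admin,ou=system": {"userCertificate": [ADMIN_CERT]},
    "uid=alice,ou=people,dc=keycloak,dc=org": {"userCertificate": [USER_CERT]},
}
SEARCH_BASE_DN = "dc=keycloak,dc=org"   # the configured searchBaseDn

def authenticate(cert_der, extra_bases=()):
    """Resolve a presented certificate. With no extra bases this mirrors the
    searchBaseDn-only lookup; extra_bases models the widened workaround."""
    bases = [SEARCH_BASE_DN, *extra_bases]
    return find_entry_for_certificate(DIRECTORY, cert_der, bases)

if __name__ == "__main__":
    print(authenticate(USER_CERT))                            # alice resolves
    print(authenticate(ADMIN_CERT))                           # None: admin outside searchBaseDn
    print(authenticate(ADMIN_CERT, ["uid=admin,ou=system"]))  # admin resolves
```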

Re: Using client certificate authentication for LDAP admin

Posted by Emmanuel Lécharny <el...@gmail.com>.
Hi!

On 10/08/2020 13:53, Tero Saarni wrote:
> Hi,
>
> I'm using a custom server built on ApacheDS API.  I would like to use 
> client certificate authentication by utilizing SASL EXTERNAL method.  
> I got it working for non-admin users but I have problems with the 
> admin:  even after adding the "userCertificate" attribute for 
> "uid=admin,ou=system", authentication still fails due to an 
> unknown client certificate.
>
> I suspect that the problem is as follows:
>
> When looking at the ApacheDS code, it seems userCertificates are only
> searched under searchBaseDn [1], which in my case is set to 
> "dc=keycloak,dc=org". Therefore "uid=admin,ou=system" will never 
> appear in the search results.
>
> What would be the best approach to fix this?


Hmmm, not simple. admin is a kind of special user, which bypasses most of
the controls.


One solution would be to write a specific authenticator that deals with
this special use case. The server allows you to add such an
authenticator and configure it in the server config file. From the top
of my head, this is what I see as a quick and dirty solution.

>
> Best regards
> Tero
>
> [1] 
> https://github.com/apache/directory-server/blob/11ec7f62cf552727098dd2739046b819e94d7307/protocol-ldap/src/main/java/org/apache/directory/server/ldap/handlers/sasl/external/certificate/ExternalSaslServer.java#L153
>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@directory.apache.org
For additional commands, e-mail: dev-help@directory.apache.org