User federation with starttls not working #13347
Comments
I am also trying to configure this flag with an LDAP server that is not enabled with SSL. My understanding is that when we enable this startTLS flag on Keycloak, it will enforce LDAP to establish a secure communication. But, at the same time, I think LDAP has to have some capability to support this. Is there any guide (or prerequisites) to properly use the startTLS flag with an insecure LDAP server?

Have you configured trusted CA certificates that can be used to verify the LDAP server certificate? That can be done either via default Java property

Hi @tsaarni,

Hello, thank you for the report. The stack trace implies that there is some misconfiguration in TLS or in LDAP itself. Could you check logs in LDAP? AFAIK configuration on both ends has to match.

Hi @vramik,

Thank you for responding on the issue. Can you help us in understanding the functionality of the startTLS option in Keycloak?

I am closing the issue for now as it seems it's not actually a bug. Feel free to reopen it and provide steps to reproduce it if you think otherwise.

After adding a new LDAP provider with the connection URL ldap://:port and providing the UserDN, bind DN and credentials, and setting Enable StartTLS to On, the connection test works but authentication fails with the error below. Without StartTLS On it works without any issues. Observed this issue when StartTLS is enabled on both plain LDAP and LDAP with TLS.
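The question above asks for prerequisites, and the reply points at the Java truststore. The following is an added example (not code from this issue or from the Keycloak project) showing the defender-side setup that makes a StartTLS-upgraded ldap:// connection verifiable: fetch the certificate the directory presents after the StartTLS upgrade, import it into a PKCS12 truststore, and produce the JVM properties that point Java's default truststore at it. Host, port, store path and password are placeholders; it assumes OpenSSL 1.1.1 or later (for `-starttls ldap`) and a JDK `keytool` on the PATH.

```shell
#!/bin/sh
# Added example; not part of the Keycloak issue or project. Placeholders:
# LDAP host/port, truststore path and password are assumptions.

# StartTLS upgrades a plain ldap:// session; an ldaps:// URL is TLS from the
# first byte and must not have StartTLS enabled on top of it.
starttls_applies() {
  case "$1" in
    ldap://*) return 0 ;;
    *)        return 1 ;;
  esac
}

# JVM properties that point the default JSSE truststore at our PKCS12 file.
# On WildFly these are typically appended to JAVA_OPTS (e.g. in standalone.conf).
jvm_truststore_opts() {
  printf -- '-Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStoreType=PKCS12 -Djavax.net.ssl.trustStorePassword=%s\n' "$1" "$2"
}

# Fetch the certificate presented after the StartTLS upgrade and import it.
# `openssl x509` keeps only the first (leaf) certificate from -showcerts;
# importing the issuing CA instead is preferable when you have it out of band.
build_truststore() {
  host=$1; port=$2; store=$3; pass=$4
  openssl s_client -connect "$host:$port" -starttls ldap -showcerts </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > ldap-server.pem
  keytool -importcert -noprompt -alias ldap-server -file ldap-server.pem \
    -keystore "$store" -storetype PKCS12 -storepass "$pass"
}

# Independent check that the StartTLS handshake verifies against the saved cert;
# a non-zero "Verify return code" here means Keycloak will fail the same way.
verify_starttls() {
  host=$1; port=$2
  openssl s_client -connect "$host:$port" -starttls ldap -CAfile ldap-server.pem </dev/null 2>/dev/null \
    | grep -q 'Verify return code: 0'
}

# Usage (placeholders; run only where openssl and keytool are available):
#   build_truststore ldap.example.test 389 /etc/keycloak/ldap-truststore.p12 changeit
#   verify_starttls ldap.example.test 389 && echo "StartTLS chain verifies"
#   jvm_truststore_opts /etc/keycloak/ldap-truststore.p12 changeit
```

The connection test in the admin console can pass while bind fails because the test only opens the socket; the certificate check happens when the session is upgraded with StartTLS, so `verify_starttls` exercises the step that actually failed.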
Version
17.0.0 -- wildfly
Expected behavior
No response
Actual behavior
Without TLS for LDAP we hope that by enabling StartTLS Keycloak would maintain a secure connection. Please let us know if this is not the functionality. Also, can you update any prerequisites that need to be configured to make this work?
How to Reproduce?
No response
Anything else?
Documentation and functionality of the StartTLS option are not clear.