IAM ldap authentication

Document ID : KB000077121
Last Modified Date : 11/04/2018
Show Technical Document Details
Introduction:
How to  make  successful LDAPS  connection from Identity Access Manager? 

This is error I get when I verify the connection: 

8-04-11 09:14:18,597 ERROR [org.keycloak.services] (default task-31) KC-SERVICES0055: Error when authenticating to LDAP: simple bind failed: NSROOT.NET:3269: javax.naming.CommunicationException: simple bind failed: NSROOT.NET:3269 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
    at com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source)
    at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
    at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
Background:
Connecting LDAP over SSL in IAM
Environment:
DEVTEST 10.3
Instructions:
When connecting to LDAP over SSL, the SSL certificates should be imported to the  trust store used by IAM. 

Here are the steps to add the certificates to the trust store and make it available to IAM. 

1. Use keytool to create a new truststore file or add trusted host certificates to an existing one: 

$ keytool -import -alias HOSTDOMAIN -keystore truststore.jks -file host-certificate.cer 

2. In the standalone.xml located in <INSTALL_DIR>/vscatalog/IdentityAccessManager/standalone/configuration/standalone.xml, search for <subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">. Couple of lines down you will find multiple spi tags, add the below xml before <spi name="eventsStore">. 

<spi name="truststore"> 
<provider name="file" enabled="true"> 
<properties> 
<property name="file" value="path to your .jks file containing public certificates, that was created in before using the keytool"/> 
<property name="password" value="password for the truststore"/> 
<property name="hostname-verification-policy" value="WILDCARD"/> 
<property name="disabled" value="false"/> 
</properties> 
</provider> 
</spi> 

3. Restart IAM. 

After the above steps are complete , you would also have to configure the mapper 

To create a mapper to assign a default role to a user or set of users: 

By default, read only access is granted to a valid LDAP user.

  1. Click Create in the Mappers tab.
  2. Enter default_role_mapper as the mapper name.
  3. Choose hardcoded-ldap-role-mapper as the mapper type.
  4. Enter virtual-service-catalog.service_catalog_user as the role.




 
Additional Information:
https://docops.ca.com/devtest-solutions/10-3/en/using/using-virtual-service-catalog/configure-identity-and-access-manager