
I would like to perform certificate-based authentication with my OpenLDAP server.

I created a PKI, set up my client and server with the right keystores, truststores / certificates and keys. I also configured the LDAP server to demand a certificate during the SSL handshake.

I then tried to authenticate with the UnboundID LDAP SDK as follows:

    import javax.net.ssl.SSLContext;

    import com.unboundid.ldap.sdk.BindRequest;
    import com.unboundid.ldap.sdk.BindResult;
    import com.unboundid.ldap.sdk.EXTERNALBindRequest;
    import com.unboundid.ldap.sdk.ExtendedResult;
    import com.unboundid.ldap.sdk.LDAPConnection;
    import com.unboundid.ldap.sdk.ResultCode;
    import com.unboundid.ldap.sdk.extensions.StartTLSExtendedRequest;
    import com.unboundid.util.ssl.KeyStoreKeyManager;
    import com.unboundid.util.ssl.SSLUtil;
    import com.unboundid.util.ssl.TrustStoreTrustManager;

    // Create an unsecured connection (plain LDAP port; TLS is negotiated below)
    LDAPConnection connection = new LDAPConnection(hostname, port);

    // Secure the connection by the use of SSL (StartTLS operation): the key manager
    // presents the client certificate, the trust manager validates the server's
    SSLUtil ssl = new SSLUtil(new KeyStoreKeyManager(keyStore, "somePassword".toCharArray()),
            new TrustStoreTrustManager(trustStore));
    SSLContext sslContext = ssl.createSSLContext();
    StartTLSExtendedRequest startTLSRequest = new StartTLSExtendedRequest(sslContext);
    ExtendedResult startTLSResult = connection.processExtendedOperation(startTLSRequest);

    // SASL EXTERNAL bind that should retrieve information from the client certificate
    // and authenticate the client
    BindRequest bindRequest = new EXTERNALBindRequest("");
    BindResult bindResult = connection.bind(bindRequest);

    // The result is always SUCCESS...
    if (bindResult.getResultCode() != ResultCode.SUCCESS) {
        ...
    }

The DN of the user I want to bind the connection to corresponds to: cn=12345,ou=anOrganizationUnit,o=anOrganization,dc=com,dc=example. Since the DN coming from the certificate looks more like: cn=12345,ou=...,o=...,l=Berlin,st=some-state,c=de, I also created a matching rule in the LDAP server.

The bind request always succeeds as soon as I have a certificate that has been signed by the CA. If the DN coming from the LDAP corresponds to nothing in the LDAP, it doesn't matter. I guess it is converted to an anonymous connection. But when it corresponds to an existing user, it also doesn't matter. The user is not authenticated and I don't have access to the user's rights. I tried to perform a WhoAmI request, and it returned: authzId = dn:cn=12345,ou=anorganizationunit,o=anorganization,dc=com,dc=example, which seems to be good (well, with the capital letters transformed to lower case).

Is there something I missed in the LDAP configuration, or could it be my certificates?

I would be really thankful for any help :)

EDIT: I don't know if that helps, but before adding the matching rule, I performed a WhoAmI request and the result was something like: dn:cn\3D12345\2C...,o=organization,dc=com,dc=example. The common name I entered during the certificate creation seems to have been escaped (\3D is "=", \2C is ",").
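The procedure from the question (StartTLS, then SASL EXTERNAL bind, then WhoAmI), written as an added example that is not the original poster's code, with the checks the snippet above lacks: the StartTLS result is verified before binding, a SUCCESS bind result is not trusted by itself, and the authorization identity returned by WhoAmI is compared against the expected entry DN using the SDK's normalized DN comparison, so that the lower-casing and the backslash-hex escaping seen in the question do not cause false mismatches. The UnboundID LDAP SDK classes are real; the class name `ExternalBindCheck`, the host name, port, key store paths, PIN and DNs are assumed example values.

```java
import javax.net.ssl.SSLContext;

import com.unboundid.ldap.sdk.BindResult;
import com.unboundid.ldap.sdk.DN;
import com.unboundid.ldap.sdk.EXTERNALBindRequest;
import com.unboundid.ldap.sdk.ExtendedResult;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.ldap.sdk.extensions.StartTLSExtendedRequest;
import com.unboundid.ldap.sdk.extensions.WhoAmIExtendedRequest;
import com.unboundid.ldap.sdk.extensions.WhoAmIExtendedResult;
import com.unboundid.util.ssl.KeyStoreKeyManager;
import com.unboundid.util.ssl.SSLUtil;
import com.unboundid.util.ssl.TrustStoreTrustManager;

/**
 * StartTLS + SASL EXTERNAL bind that refuses to proceed unless the server
 * actually mapped the client certificate to the directory entry we expect.
 * Example code; host, port, key store paths and DNs are assumed values.
 */
public final class ExternalBindCheck {

    /**
     * True when two DN strings denote the same DN after normalization:
     * attribute-name case, value case and escape forms such as "\2C" versus "\,"
     * are normalized away, so "cn=12345,ou=anOrganizationUnit,..." and the
     * lower-cased authzId the server returns compare equal.
     */
    public static boolean sameDn(String a, String b) throws LDAPException {
        return new DN(a).equals(new DN(b));
    }

    /**
     * Performs StartTLS and an EXTERNAL bind, then asks the server who we are.
     * Returns the authorization DN, or throws if the session is anonymous or
     * was mapped to a DN other than expectedDn.
     */
    public static DN bindWithClientCert(String host, int port,
                                        String keyStorePath, char[] keyStorePin,
                                        String trustStorePath, String expectedDn)
            throws Exception {
        // Key manager presents the client certificate; trust manager checks the server's.
        SSLUtil sslUtil = new SSLUtil(new KeyStoreKeyManager(keyStorePath, keyStorePin),
                                      new TrustStoreTrustManager(trustStorePath));
        SSLContext sslContext = sslUtil.createSSLContext();

        LDAPConnection conn = new LDAPConnection(host, port);
        try {
            // 1. Upgrade the cleartext connection. Without TLS there is no client
            //    certificate, and an EXTERNAL bind can only end up anonymous.
            ExtendedResult tls =
                conn.processExtendedOperation(new StartTLSExtendedRequest(sslContext));
            if (tls.getResultCode() != ResultCode.SUCCESS) {
                throw new LDAPException(tls);
            }

            // 2. SASL EXTERNAL: the server derives the identity from the TLS client certificate.
            BindResult bind = conn.bind(new EXTERNALBindRequest());
            if (bind.getResultCode() != ResultCode.SUCCESS) {
                throw new LDAPException(bind);
            }

            // 3. SUCCESS only says the SASL exchange completed. Ask the server which
            //    identity it actually associated with the connection.
            WhoAmIExtendedResult who =
                (WhoAmIExtendedResult) conn.processExtendedOperation(new WhoAmIExtendedRequest());
            String authzId = who.getAuthorizationID();
            if (authzId == null || authzId.isEmpty() || authzId.equals("dn:")) {
                throw new IllegalStateException("EXTERNAL bind resulted in an anonymous session");
            }
            if (!authzId.startsWith("dn:")) {
                throw new IllegalStateException("Unexpected authorization identity: " + authzId);
            }
            DN actual = new DN(authzId.substring("dn:".length()));
            if (!actual.equals(new DN(expectedDn))) {
                throw new IllegalStateException("Certificate was mapped to " + actual
                    + " but expected " + expectedDn + "; check the server's DN mapping rule");
            }
            return actual;
        } finally {
            conn.close();
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed example values, not taken from the original post.
        DN dn = bindWithClientCert("ldap.example.com", 389,
                                   "/etc/pki/client.jks", "changeit".toCharArray(),
                                   "/etc/pki/truststore.jks",
                                   "cn=12345,ou=anOrganizationUnit,o=anOrganization,dc=com,dc=example");
        System.out.println("Bound as " + dn);
    }
}
```

The important design point is step 3: a SUCCESS result code from an EXTERNAL bind only means the SASL exchange completed, not that the server mapped the certificate onto the entry you intended. Comparing `DN` objects rather than raw strings is what makes the check robust against the lower-cased and hex-escaped forms reported in the question; when the comparison fails, the message points at the server-side mapping rule rather than at the certificate, since the certificate was already accepted during the TLS handshake.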

1 Answer

I'll answer my own question, although it's been a really long time and I've lost access to the code.

I'm pretty sure the problem corresponded to the escaping of the CN part. I do remember that my matching rule was not correct, and I think that was the root cause. But to be honest there might have been other mistakes I don't remember.