Keycloak: setting up self-signed certificate for ldaps in docker

I am running keycloak using docker-compose as described here: official docker compose example

The instance runs behind apache2 acting as a reverse proxy that does the SSL termination, and that works fine.

I want to add ldap as a user storage provider. The ldap server is reachable ("Test Connection" reports success), but I cannot connect because keycloak needs to trust my self-signed certificate, which is required for the ldaps connection. The error is:

Error when authenticating to LDAP: Could not negotiate TLS

How do I make keycloak trust the CA certificate of my Active Directory (ldap) server in the context of docker-compose?

It all boils down to getting the CA certificate into the Docker build and then importing it into the java keystore:

# JDK8 installation just for reference. You might want to update soon, since it is EOL soon
RUN apt update && apt install -y openjdk-8-jdk

# COPY your root CA cert from the docker build directory to the container
# (the destination file name must match the -file path given to keytool below)
COPY ca.mydomain.com.crt /usr/local/share/ca-certificates/mydomain.com/ca.mydomain.com.crt

# import the root CA cert from the file location within your container to the java cacerts
# ("changeit" is the default password of the JDK truststore)
RUN keytool -storepass changeit -noprompt -trustcacerts -import -alias mydomain.com -keystore /etc/ssl/certs/java/cacerts -file /usr/local/share/ca-certificates/mydomain.com/ca.mydomain.com.crt

From now on, keycloak (which uses the java cacerts truststore) will recognize your root CA as a valid authority.
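To confirm the import actually landed in the truststore before pointing the user federation at ldaps, here is an added shell example (not part of the answer above) that imports a CA file with keytool and then checks that the SHA-256 fingerprint of the keystore entry matches the PEM file on disk; the keystore path, alias and the throwaway CA are assumptions for the self-check.

```shell
#!/bin/sh
# Added example: import a CA certificate into a JVM truststore and verify the
# entry by fingerprint. Paths and alias are assumptions; "changeit" is the
# JDK's default truststore password.
set -eu

# SHA-256 fingerprint of a PEM certificate, lowercase hex without colons.
pem_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 \
    | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

# SHA-256 fingerprint of the entry stored under ALIAS in KEYSTORE, same format.
# Usage: keystore_fingerprint KEYSTORE ALIAS STOREPASS
keystore_fingerprint() {
  keytool -list -v -keystore "$1" -storepass "$3" -alias "$2" 2>/dev/null \
    | awk '/SHA256:/ { print $2; exit }' | sed 's/://g' | tr 'A-F' 'a-f'
}

# import_ca CERT KEYSTORE ALIAS [STOREPASS]
# Imports CERT as a trusted CA (creating KEYSTORE if needed), then returns 0
# only if the stored entry has the same fingerprint as the file.
import_ca() {
  cert=$1; keystore=$2; alias=$3; storepass=${4:-changeit}
  keytool -importcert -noprompt -trustcacerts \
    -keystore "$keystore" -storepass "$storepass" \
    -alias "$alias" -file "$cert" >/dev/null
  [ "$(pem_fingerprint "$cert")" = "$(keystore_fingerprint "$keystore" "$alias" "$storepass")" ]
}

# Self-check against a constructed throwaway CA in a temp dir (test data only).
self_check() {
  tmp=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=ca.example.test' \
    -keyout "$tmp/ca.key" -out "$tmp/ca.crt" >/dev/null 2>&1
  if import_ca "$tmp/ca.crt" "$tmp/cacerts" example-ca changeit; then rc=0; else rc=1; fi
  rm -rf "$tmp"
  return $rc
}
```

Against the real image, run `import_ca` with `/etc/ssl/certs/java/cacerts` and your alias inside the container; a mismatch means keytool silently imported a different file than the one you expected.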