LDAPS not working with truststore SPI and connection timeout
Issue
- When configuring the LDAP user federation provider with the ldaps protocol and Use Truststore SPI set to Always or Only for ldaps, the following exception is thrown:

  ERROR [org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager] (default task-5) Could not query server using DN [CN=Users,DC=redhat,DC=com] and filter [(&(sAMAccountName=XXXX)(objectclass=person)(objectclass=organizationalPerson)(objectclass=user))]: javax.naming.CommunicationException: ldap.redhat.com:636 [Root exception is java.net.SocketException: Unconnected sockets not implemented]
      at com.sun.jndi.ldap.Connection.<init>(Connection.java:216)
      at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137)
      at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1614)
      at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2746)
      at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
      at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
      at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
      at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
      at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
      at org.jboss.as.naming.InitialContext.getDefaultInitCtx(InitialContext.java:116)
      at org.jboss.as.naming.InitialContext.init(InitialContext.java:101)
      at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
      at org.jboss.as.naming.InitialContext.<init>(InitialContext.java:91)
      at org.jboss.as.naming.InitialContextFactory.getInitialContext(InitialContextFactory.java:43)
      at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
      at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
      at javax.naming.InitialContext.init(InitialContext.java:244)
      at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
      at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.createLdapContext(LDAPOperationManager.java:646)
      at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:740)
      at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:728)
      at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.search(LDAPOperationManager.java:250)
      ...
  Caused by: java.net.SocketException: Unconnected sockets not implemented
      at javax.net.SocketFactory.createSocket(SocketFactory.java:125)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      at java.lang.reflect.Method.invoke(Method.java:498)
      at com.sun.jndi.ldap.Connection.createSocket(Connection.java:303)
      at com.sun.jndi.ldap.Connection.<init>(Connection.java:203)
      ... 94 more
  Caused by: java.lang.UnsupportedOperationException
      at javax.net.SocketFactory.createSocket(SocketFactory.java:123)
      ... 100 more

- If a truststore SPI is defined in the Keycloak standalone/domain configuration, LDAP user providers do not work when ldaps and a connection timeout are used at the same time.
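The stack trace shows the mechanism: once a connection timeout is configured, JNDI's com.sun.jndi.ldap.Connection obtains the socket factory through its static getDefault() and then calls the no-arg createSocket() by reflection, so it can connect the socket itself with the timeout; the base javax.net.SocketFactory implementation of that overload throws "Unconnected sockets not implemented". The class below is an added illustration, not code from this page or from Keycloak, of a truststore-backed SSLSocketFactory that implements that overload; the class name, truststore path and password are assumed placeholders.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.InetAddress;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.SocketFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical truststore-backed factory, referenced via JNDI's java.naming.ldap.factory.socket property.
// When com.sun.jndi.ldap.connect.timeout is set, JNDI calls the static getDefault(), then the
// no-arg createSocket(), and connects the returned socket itself with the timeout. SocketFactory's
// default no-arg createSocket() throws "Unconnected sockets not implemented", so it is overridden here.
public class TruststoreSslSocketFactory extends SSLSocketFactory {
    // Assumed values for the example; point these at the server's real truststore.
    private static final String TRUSTSTORE_PATH = "/path/to/truststore.jks";
    private static final char[] TRUSTSTORE_PASSWORD = "changeit".toCharArray();
    private final SSLSocketFactory delegate;

    public TruststoreSslSocketFactory() throws IOException, GeneralSecurityException {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(TRUSTSTORE_PATH)) {
            ts.load(in, TRUSTSTORE_PASSWORD);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts); // trust only the CAs in this truststore, not the JVM default cacerts
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        delegate = ctx.getSocketFactory();
    }

    // JNDI looks this method up by reflection; it must be public static.
    public static SocketFactory getDefault() {
        try { return new TruststoreSslSocketFactory(); }
        catch (IOException | GeneralSecurityException e) { throw new IllegalStateException("LDAPS socket factory init failed", e); }
    }

    // The overload behind the stack trace above: hand JNDI an unconnected SSL socket to connect with its timeout.
    @Override public Socket createSocket() throws IOException { return delegate.createSocket(); }
    @Override public Socket createSocket(String h, int p) throws IOException { return delegate.createSocket(h, p); }
    @Override public Socket createSocket(InetAddress a, int p) throws IOException { return delegate.createSocket(a, p); }
    @Override public Socket createSocket(String h, int p, InetAddress la, int lp) throws IOException { return delegate.createSocket(h, p, la, lp); }
    @Override public Socket createSocket(InetAddress a, int p, InetAddress la, int lp) throws IOException { return delegate.createSocket(a, p, la, lp); }
    @Override public Socket createSocket(Socket s, String h, int p, boolean autoClose) throws IOException { return delegate.createSocket(s, h, p, autoClose); }
    @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
}
```

A quick check for the failure mode without a directory server is to set com.sun.jndi.ldap.connect.timeout in the JNDI environment and verify that the factory's no-arg createSocket() returns a socket rather than throwing.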
Environment
- Red Hat Single Sign-On (RH-SSO) 7
- LDAP user provider configured with the ldaps protocol.