When connecting to LDAP over SSL, the SSL certificates should be imported to the trust store used by IAM.
The steps below add the certificates to the trust store and make it available to IAM.

1. Use keytool to create a new truststore file, or to add trusted host certificates to an existing one:
$ keytool -import -alias HOSTDOMAIN -keystore truststore.jks -file host-certificate.cer
2. In <INSTALL_DIR>/vscatalog/IdentityAccessManager/standalone/configuration/standalone.xml, search for <subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">. A couple of lines below it you will find several spi tags; add the following XML before <spi name="eventsStore">.
<spi name="truststore">
    <provider name="file" enabled="true">
        <properties>
            <property name="file" value="path to the .jks file containing the public certificates that was created with keytool in step 1"/>
            <property name="password" value="password for the truststore"/>
            <property name="hostname-verification-policy" value="WILDCARD"/>
            <property name="disabled" value="false"/>
        </properties>
    </provider>
</spi>
3. Restart IAM.
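The truststore SPI above only protects the LDAPS connection if it is present, enabled, points at an existing .jks file and does not switch hostname verification off. The following Python check is an added example and is not part of this documentation or of the IAM product: it parses a standalone.xml, locates the truststore SPI inside the keycloak-server subsystem, and reports settings that weaken the configuration described above. The embedded standalone.xml fragment and the path /opt/iam/truststore.jks are constructed sample data; the policy values ANY and STRICT are the other values Keycloak's truststore SPI accepts besides the WILDCARD used on this page. The `truststore_exists` parameter is an assumption so the check can run without a real file system.

```python
import xml.etree.ElementTree as ET

KC_NS = "urn:jboss:domain:keycloak-server:1.1"

# Constructed sample: a fragment of standalone.xml with a truststore SPI
# deliberately set to hostname-verification-policy=ANY so the audit flags it.
SAMPLE_STANDALONE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<server xmlns="urn:jboss:domain:4.0">
  <profile>
    <subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
      <web-context>auth</web-context>
      <spi name="truststore">
        <provider name="file" enabled="true">
          <properties>
            <property name="file" value="/opt/iam/truststore.jks"/>
            <property name="password" value="changeit"/>
            <property name="hostname-verification-policy" value="ANY"/>
            <property name="disabled" value="false"/>
          </properties>
        </provider>
      </spi>
      <spi name="eventsStore">
        <provider name="jpa" enabled="true"/>
      </spi>
    </subsystem>
  </profile>
</server>
"""


def load_truststore_properties(xml_text):
    """Return the truststore SPI's file-provider properties as a dict,
    or None if the SPI or its file provider is absent.
    Elements are namespace-qualified, so lookups use the kc: prefix."""
    root = ET.fromstring(xml_text)
    ns = {"kc": KC_NS}
    spi = root.find(".//kc:subsystem/kc:spi[@name='truststore']", ns)
    if spi is None:
        return None
    provider = spi.find("kc:provider[@name='file']", ns)
    if provider is None:
        return None
    props = {p.get("name"): p.get("value")
             for p in provider.findall("kc:properties/kc:property", ns)}
    # The provider's own enabled attribute matters as much as the properties.
    props["_enabled"] = provider.get("enabled", "true")
    return props


def audit_truststore(xml_text, truststore_exists=lambda path: True):
    """Return a list of findings; an empty list means the SPI is present and
    configured the way the steps above describe. truststore_exists is an
    injected existence check (hypothetical) so the audit runs offline."""
    props = load_truststore_properties(xml_text)
    if props is None:
        return ["truststore SPI missing: LDAPS server certificates "
                "cannot be trusted from this store"]
    findings = []
    if props.get("_enabled") != "true":
        findings.append("truststore file provider is not enabled")
    if props.get("disabled", "false") != "false":
        findings.append("truststore provider has disabled=true")
    path = props.get("file")
    if not path:
        findings.append("no truststore file configured")
    elif not truststore_exists(path):
        findings.append(f"truststore file not found: {path}")
    if not props.get("password"):
        findings.append("truststore password is empty")
    if props.get("hostname-verification-policy") == "ANY":
        findings.append("hostname-verification-policy=ANY disables hostname "
                        "checks; use WILDCARD or STRICT")
    return findings


if __name__ == "__main__":
    for finding in audit_truststore(SAMPLE_STANDALONE_XML):
        print("FINDING:", finding)
```

Run it against the real file by replacing SAMPLE_STANDALONE_XML with the contents of standalone.xml and passing `os.path.isfile` as `truststore_exists`; a clean run prints nothing.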
After the above steps are complete, you also have to configure a mapper. By default, a valid LDAP user is granted read-only access. To create a mapper that assigns a default role to a user or set of users:
- Click Create in the Mappers tab.
- Enter default_role_mapper as the mapper name.
- Choose hardcoded-ldap-role-mapper as the mapper type.
- Enter virtual-service-catalog.service_catalog_user as the role.