3 Replies Latest reply on Apr 17, 2014 5:35 AM by dlofthouse

    Wildfly : "JBAS014676: Failed to parse configuration" when configuring LDAP authorization

    johanvankampen

      Based on the article LDAP Security Realm Examples I am trying to do this on WildFly, especially to get it working to allow only users in a specific group to be able to log in to the management console.

       

      When I try this, I run into the following error (when starting WildFly):

      10:28:29,674 ERROR [org.jboss.as.server] (Controller Boot Thread) JBAS015956: Caught exception during boot: org.jboss.as.controller.persistence.ConfigurationPersistenceException: JBAS014676: Failed to parse configuration
        at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:112) [wildfly-controller-8.0.0.Final.jar:8.0.0.Final]
        at org.jboss.as.server.ServerService.boot(ServerService.java:331) [wildfly-server-8.0.0.Final.jar:8.0.0.Final]
        at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:256) [wildfly-controller-8.0.0.Final.jar:8.0.0.Final]
        at java.lang.Thread.run(Thread.java:724) [rt.jar:1.7.0_40]
      Caused by: javax.xml.stream.XMLStreamException: ParseError at [row,col]:[76,25]
      Message: JBAS014724: Missing required attribute(s): FORCE
        at org.jboss.as.controller.parsing.ParseUtils.missingRequired(ParseUtils.java:134) [wildfly-controller-8.0.0.Final.jar:8.0.0.Final]
        at org.jboss.as.domain.management.parsing.ManagementXml.parseUsernameToDn_2_0(ManagementXml.java:2118) [wildfly-domain-management-8.0.0.Final.jar:8.0.0.Final]

       

      My config looks like this:

      <security-realm name="MgtRealm">
          <authentication>
              <ldap connection="ovodavLDAP" base-dn="ou=People,dc=hydrogenic,dc=local">
                  <!-- <advanced-filter filter="(&amp;(cn=jboss-admin)(member=uid={0},ou=People,dc=hydrogenic,dc=local))" recursive="true"/> -->
                  <username-filter attribute="uid"/>
              </ldap>
          </authentication>
          <authorization>
              <ldap connection="ovodavLDAP">
                  <username-to-dn>
                      <username-filter base-dn="ou=People,dc=hydrogenic,dc=local" recursive="false" attribute="uid" user-dn-attribute="dn" />
                  </username-to-dn>
                  <group-search group-name="SIMPLE" iterative="true" group-dn-attribute="dn" group-name-attribute="uid">
                      <group-to-principal base-dn="ou=Groups,dc=hydrogenic,dc=local" recursive="true" search-by="DISTINGUISHED_NAME">
                          <membership-filter principal-attribute="uniqueMember" />
                      </group-to-principal>
                  </group-search>
              </ldap>
          </authorization>
      </security-realm>

       

      When removing the 'authorization' part the authentication works against the LDAP.

       

      Any ideas?
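
A pre-boot check for the failure reported above, as an added example that is not part of the original post or of WildFly: it scans a realm definition for `username-to-dn` elements that lack the `force` attribute named in JBAS014724 and reports where they are. The function name, the `REQUIRED` table and the trimmed sample are assumptions made for illustration; the table encodes only the one requirement visible in the error message.

```python
import xml.parsers.expat

# Constructed sample: the <authorization> block from the post, trimmed to the
# element the parser rejected.
SAMPLE_REALM = """<security-realm name="MgtRealm">
  <authorization>
    <ldap connection="ovodavLDAP">
      <username-to-dn>
        <username-filter base-dn="ou=People,dc=hydrogenic,dc=local" recursive="false" attribute="uid" user-dn-attribute="dn" />
      </username-to-dn>
    </ldap>
  </authorization>
</security-realm>
"""

# Assumption: only the requirement shown in the error message is listed here
# ("Missing required attribute(s): FORCE" raised from parseUsernameToDn_2_0).
REQUIRED = {"username-to-dn": ("force",)}


def find_missing_required(xml_text, required=REQUIRED):
    """Return [(element, missing_attrs, row, col)] for every element that
    lacks one of its required attributes. row and col are 1-based and point
    at the '<' of the start tag."""
    findings = []
    # A namespace separator makes expat report "uri local" for namespaced
    # elements, so the check also works inside a full standalone.xml.
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")

    def on_start(name, attrs):
        local = name.rsplit(" ", 1)[-1]  # strip the namespace URI, if any
        missing = [a for a in required.get(local, ()) if a not in attrs]
        if missing:
            findings.append((local, missing,
                             parser.CurrentLineNumber,
                             parser.CurrentColumnNumber + 1))

    parser.StartElementHandler = on_start
    parser.Parse(xml_text, True)  # raises ExpatError if the XML is malformed
    return findings


if __name__ == "__main__":
    for element, missing, row, col in find_missing_required(SAMPLE_REALM):
        print(f"{element} at [{row},{col}]: missing {', '.join(missing)}")
```

Running it against the configuration file before restarting the server surfaces the problem without taking the management interface down.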