0 Replies Latest reply on Jan 21, 2015 2:36 PM by psesi

    Is it possible to load roles for ManagementRealm from an LDAP security domain?

    psesi

      Hello,


      I am trying to set up WildFly 8.2 to use LDAP for authentication and authorization for the management console. I am able to get authorization working using an LDAP security domain (see below). However, I can’t quite figure out how to set up the associated authorization to allow the user roles read by that security domain to be “realized” by the authorization portion of the ManagementRealm. I can get things partially working by using a combination of LDAP for authentication and the “<properties>” setup for authorization, where I have to add an entry for the user(s) and explicitly define the group (role) that I want to map to the Management Application roles. This is a workaround, but ideally I want to use the roles as defined in our LDAP domain (e.g., "Web Admin" in the example below) and directly map them in the "<access-control>" section of the config.


      Note that I use the “<jaas>” option in <authentication> to reference the security domain I have defined. One advantage of this (over setting it up as “<ldap>”) is that the user-provided credentials will be used to bind to LDAP; I don’t have to set up a separate “user” and expose those credentials in standalone.xml (<connection>). Unfortunately, <jaas> is not allowed under the <authorization> element as far as I can tell.


      So, ideally, I’d like to have the users' groups (roles) read/mapped by the security domain on authentication, and not have to set up a separate “ldap/connection” (which is what I've seen in other discussions, etc.) or use a "hard-coded" properties file for that. Is there any way to do that for the ManagementRealm?


      Here are the relevant parts of my standalone.xml showing my current “workaround” setup:


      ….
      <management>
        <security-realms>
          <security-realm name="ManagementRealm">
            <authentication>
              <local default-user="$local" skip-group-loading="true"/>
              <jaas name="ldap-authn"/>
            </authentication>
            <authorization map-groups-to-roles="false">
              <properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
            </authorization>
          </security-realm>
          ….
        </security-realms>
        ….
        <access-control provider="rbac">
          <role-mapping>
            <role name="SuperUser">
              <include>
                <user name="$local"/>
                <group name="Web Admin" realm="ManagementRealm"/>
              </include>
            </role>
          </role-mapping>
        </access-control>
      </management>
      ….
      <subsystem xmlns="urn:jboss:domain:security:1.2">
        <security-domains>
          ….
          <security-domain cache-type="default" name="ldap-authn">
            <authentication>
              <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
                <module-option name="password-stacking" value="useFirstPass"/>
                <module-option name="java.naming.provider.url" value="ldaps://ldapsrvr.mydom.com:636"/>
                <module-option name="java.naming.security.protocol" value="ssl"/>
                <module-option name="matchOnUserDN" value="false"/>
                <module-option name="principalDNPrefix" value=""/>
                <module-option name="principalDNSuffix" value="@mydom.com"/>
                <module-option name="uidAttributeID" value="sAMAccountName"/>
                <module-option name="rolesCtxDN" value="OU=USERS,DC=mydom,DC=com"/>
                <module-option name="roleAttributeIsDN" value="true"/>
                <module-option name="roleAttributeID" value="memberOf"/>
                <module-option name="roleNameAttributeID" value="name"/>
                <module-option name="java.naming.security.authentication" value="simple"/>
                <module-option name="allowEmptyPasswords" value="false"/>
              </login-module>
            </authentication>
          </security-domain>
        </security-domains>
      </subsystem>
      …

      Thanks in advance -

      Paul
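An added example, not part of the post or of WildFly: a small audit script that reads a standalone.xml, reports where the ManagementRealm gets its users and groups from, and checks the LDAP security domain the realm delegates to for an ldaps:// URL and a disabled allowEmptyPasswords. The sample document is constructed from the fragment in the post (wrapped in a hypothetical <server> root); the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the post's realm and security-domain fragments, reduced to the
# elements the audit looks at and wrapped in a hypothetical <server> root.
SAMPLE_STANDALONE_XML = """<server>
<management><security-realms>
<security-realm name="ManagementRealm">
<authentication><local default-user="$local" skip-group-loading="true"/><jaas name="ldap-authn"/></authentication>
<authorization map-groups-to-roles="false">
<properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
</authorization></security-realm>
</security-realms></management>
<subsystem xmlns="urn:jboss:domain:security:1.2"><security-domains>
<security-domain cache-type="default" name="ldap-authn"><authentication>
<login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
<module-option name="java.naming.provider.url" value="ldaps://ldapsrvr.mydom.com:636"/>
<module-option name="allowEmptyPasswords" value="false"/>
</login-module></authentication></security-domain>
</security-domains></subsystem></server>"""


def _local(tag):
    """Drop the {namespace} prefix ElementTree puts on tags under the security subsystem."""
    return tag.rsplit("}", 1)[-1]


def _find(el, name):
    """All descendants (including el itself) whose local tag name is `name`."""
    return [e for e in el.iter() if _local(e.tag) == name]


def audit_management_realm(xml_text, realm="ManagementRealm"):
    """Return the realm's authn/authz sources and a list of findings (hypothetical helper)."""
    root = ET.fromstring(xml_text)
    realm_el = next(r for r in _find(root, "security-realm") if r.get("name") == realm)
    authn = [_local(c.tag) for c in _find(realm_el, "authentication")[0]]
    authz_els = _find(realm_el, "authorization")
    authz = [_local(c.tag) for c in authz_els[0]] if authz_els else []
    findings = []
    if "properties" in authz:  # the workaround from the post: groups kept in a static file
        findings.append("groups come from a static properties file, not from LDAP")
    for jaas in _find(realm_el, "jaas"):  # follow <jaas name=...> to its security domain
        dom = next((d for d in _find(root, "security-domain") if d.get("name") == jaas.get("name")), None)
        if dom is None:
            findings.append(f"jaas references unknown security domain {jaas.get('name')!r}")
            continue
        opts = {o.get("name"): o.get("value") for o in _find(dom, "module-option")}
        if not opts.get("java.naming.provider.url", "").startswith("ldaps://"):
            findings.append("LDAP bind is not over ldaps://")
        if opts.get("allowEmptyPasswords", "false").lower() != "false":
            findings.append("allowEmptyPasswords is enabled")
    return {"authn": authn, "authz": authz, "findings": findings}
```

Running it on a real standalone.xml just means passing the file contents to audit_management_realm.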