1 Reply Latest reply on Oct 8, 2015 12:56 PM by suman143

    LDAP authentication using multiple groups

    lucasvvloten

      Hello,

       

      I am running JBoss EAP 6.0.1.GA (AS 7.1.3.Final-redhat-4)

       

      Within my SecurityRealm I perform LDAP authentication against a Microsoft AD server to allow access to the JBoss Admin interface.

       

      My question is: is it possible to use more than one LDAP group for authentication, and how can it be configured?

       

      Further explanation:

      Using the configuration below I can authorize users to log in to the JBoss Admin interface in the Active Directory, by making them a member of the "jbossadmins" group.

       

      However, I would like to use more than one group to authenticate users; for example, group 'linuxadmins' in addition to 'jbossadmins'.

      So that users will be allowed to log in if they are a member of group "linuxadmins" OR a member of group "jbossadmins".

       

      I can think of the following approaches:

      - make group "linuxadmins" a member (nested group) of "jbossadmins"; however, this does not work: members of "linuxadmins" cannot log in to the Admin interface.

      The attribute "recursive=true" does not make a difference.

      - Add a second element "advanced-filter", but this is not allowed;

      - Use a different method to authenticate against LDAP, for example PAM and/or SSSD (don't know if possible / how)

       

      Any ideas would be appreciated!

       

      My current configuration works perfectly, but I can only use group "jbossadmins" and no nested groups:

       

      <management>
        <security-realms>
          <security-realm name="ManagementRealm">
            <authentication>
              <ldap connection="ldap_connection" base-dn="CN=Users,DC=ACME,DC=COM" recursive="true">
                <advanced-filter filter="(&amp;(sAMAccountName={0})(memberOf=CN=jbossadmins,CN=Users,DC=acme,DC=com))"/>
              </ldap>
            </authentication>
          </security-realm>
        </security-realms>
      (...)
        <outbound-connections>
          <ldap name="ldap_connection" url="ldaps://ldapserver1.acme.com:636 ldaps://ldapserver2.acme.com:636" search-dn="cn=adreader,cn=users,dc=acme,dc=com" search-credential="SecretPassword"/>
        </outbound-connections>
      (...)
      </management>

       

      Kind regards,

      Lucas

        • 1. Re: LDAP authentication using multiple groups
          suman143

          Hi Lucas,


          You just need to add an "OR", which is the "|" operator, so that you can authenticate with either one of the two groups.


          <advanced-filter filter="(&amp;(sAMAccountName={0})(|(memberOf=CN=jbossadmins,CN=Users,DC=acme,DC=com)(memberOf=CN=linuxadmins,CN=Users,DC=acme,DC=com)))"/>
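The placement of the `(|...)` in that filter decides who gets in, and it is easy to get wrong: if the OR encloses only one `memberOf` assertion, the surrounding `(&...)` still requires the other group, so the filter silently demands membership in both. The following is an added example (not code from the thread or from JBoss) that evaluates RFC 4515-style filters against a constructed in-memory directory, so the two filter shapes can be compared before touching the real realm. It also shows the escaping any `{0}` substitution must apply to the submitted user name; the entries, group DNs and the `search`/`admitted_users` helpers are all assumptions made for the demonstration.

```python
"""Evaluate LDAP search filters (RFC 4515 subset) against in-memory entries.

Added example, not from the forum thread or from JBoss: it shows why the
placement of (|...) matters when a filter must admit members of EITHER group,
and how a {0} substitution must escape the submitted user name.
"""
import re

# RFC 4515 escaping for values embedded in a filter (what any {0} substitution must do).
_SPECIAL = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_SPECIAL.get(ch, ch) for ch in value)


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text: str):
    """Parse a filter into a tree: ('&', [..]), ('|', [..]), ('!', node) or ('=', attr, value)."""
    node, rest = _parse(text.strip())
    if rest:
        raise ValueError(f"trailing data after filter: {rest!r}")
    return node


def _parse(s: str):
    if not s.startswith("("):
        raise ValueError(f"expected '(' at: {s!r}")
    s = s[1:]
    if s[:1] in ("&", "|"):               # n-ary AND / OR
        op, s, children = s[0], s[1:], []
        while s.startswith("("):
            child, s = _parse(s)
            children.append(child)
        if not s.startswith(")"):
            raise ValueError("unterminated AND/OR")
        return (op, children), s[1:]
    if s[:1] == "!":                      # unary NOT
        child, s = _parse(s[1:])
        if not s.startswith(")"):
            raise ValueError("unterminated NOT")
        return ("!", child), s[1:]
    end = s.index(")")                    # simple equality: attr=value
    attr, _, value = s[:end].partition("=")
    return ("=", attr, _unescape(value)), s[end + 1:]


def matches(node, entry: dict) -> bool:
    """Evaluate a parsed filter against one entry (attribute names keyed lowercase).

    Equality is case-insensitive, as AD treats sAMAccountName and DN-valued attributes.
    """
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, value = node
    return any(v.lower() == value.lower() for v in entry.get(attr.lower(), []))


def search(template: str, username: str, directory) -> list:
    """Substitute {0} with the escaped user name and return the DNs of matching entries."""
    tree = parse_filter(template.replace("{0}", escape_filter_value(username)))
    return [e["dn"] for e in directory if matches(tree, e)]


JBOSS = "CN=jbossadmins,CN=Users,DC=acme,DC=com"
LINUX = "CN=linuxadmins,CN=Users,DC=acme,DC=com"

# OR wraps both memberOf assertions: a user in either group is admitted.
EITHER_GROUP = f"(&(sAMAccountName={{0}})(|(memberOf={JBOSS})(memberOf={LINUX})))"
# OR wraps only the second assertion: it reduces to AND, so BOTH groups are required.
MISPLACED_OR = f"(&(sAMAccountName={{0}})(memberOf={JBOSS})(|(memberOf={LINUX})))"

# Constructed sample directory (hypothetical accounts, not real data).
DIRECTORY = [
    {"dn": "CN=alice,CN=Users,DC=ACME,DC=COM", "samaccountname": ["alice"], "memberof": [JBOSS]},
    {"dn": "CN=bob,CN=Users,DC=ACME,DC=COM", "samaccountname": ["bob"], "memberof": [LINUX]},
    {"dn": "CN=carol,CN=Users,DC=ACME,DC=COM", "samaccountname": ["carol"], "memberof": [JBOSS, LINUX]},
    {"dn": "CN=dave,CN=Users,DC=ACME,DC=COM", "samaccountname": ["dave"], "memberof": []},
]


def admitted_users(template: str) -> list:
    """Names for which the login search returns exactly one entry (how the realm authenticates)."""
    return sorted(
        e["samaccountname"][0]
        for e in DIRECTORY
        if len(search(template, e["samaccountname"][0], DIRECTORY)) == 1
    )


if __name__ == "__main__":
    print("either group :", admitted_users(EITHER_GROUP))   # ['alice', 'bob', 'carol']
    print("misplaced OR :", admitted_users(MISPLACED_OR))   # ['carol']
```

Run it and the first line lists the members of either group, while the misplaced-OR shape admits only the user who is in both. A submitted name containing `)` or `(` is escaped before substitution, so it becomes a literal value that matches nothing instead of changing the filter's structure; JBoss performs the `{0}` substitution itself, so the escape function here only illustrates the property to expect from it.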