0 Replies Latest reply on Nov 2, 2017 11:05 AM by hoyenko

    AdvancedLdapLoginModule not getting all the roles

    hoyenko

      I have Kerberos set up with WildFly, plus I get groups from LDAP, and I have a problem with it not getting all the roles.

      Kerberos works as expected and here is the config I have for LDAP:

          <login-module code="org.jboss.security.negotiation.AdvancedLdapLoginModule" flag="requisite">
              <module-option name="java.naming.provider.url" value="ldap://myhost.com:3268/"/>
              <module-option name="bindDN" value="login"/>
              <module-option name="bindCredential" value="pwd"/>
              <module-option name="baseCtxDN" value="DC=AD,DC=TTT,DC=com"/>
              <module-option name="baseFilter" value="(userPrincipalName={0})"/>
              <module-option name="rolesCtxDN" value="DC=AD,DC=TTT,DC=com"/>
              <module-option name="roleFilter" value="(member={1})"/>
              <module-option name="roleAttributeID" value="memberOf"/>
              <module-option name="roleAttributeIsDN" value="true"/>
              <module-option name="roleNameAttributeID" value="cn"/>
              <module-option name="recurseRoles" value="true"/>
              <module-option name="password-stacking" value="useFirstPass"/>
              <module-option name="allowEmptyPassword" value="false"/>
              <module-option name="searchScope" value="SUBTREE_SCOPE"/>
          </login-module>

      I have set up a group called app_ttt_api and added some members to this group.

      My setup works when the member I added is a group itself and you are a member of that group. If you add a user directly, it doesn't work. Also, if you add a group that contains a group that contains a user, it doesn't work either.

      So, group->group->user works, but

      group->user

      and

      group->group->group->user

      don't, and it goes on like that, so

      group->group->group->group->user will work too.

       

      I looked at the source code of AdvancedLdapLoginModule

       

      here: GC: AdvancedLdapLoginModule - org.jboss.security.negotiation.AdvancedLdapLoginModule (.java) - GrepCode Class Source

       

      From the code it looks like the following:

      1. Get all the roles from the initial role context, filtering by user:

          526            results = searchContext.search(rolesCtxDN, roleFilter, filterArgs, roleSearchControls);

          rolesCtxDN=DC=AD,DC=TTT,DC=com roleFilter=(member={1}) filterArgs[0]=myuser@AD.TTT.COM filterArgs[1]=CN=myuser,CN=Managed Service Accounts,DC=AD,DC=MLP,DC=com

      2. Iterate through the roles, calling

          532               obtainRole(searchContext, resultDN);

      3. In obtainRole it calls

          572      Attributes result = searchContext.getAttributes(dn, attrNames);

          575         Attribute roles = result.get(roleAttributeID);

          where attrNames is roleAttributeID, "memberOf" in my case.

      4. Go through all the roles obtained from line 575 and call

          585               loadRoleByRoleNameAttributeID(searchContext, roleDN);

          586               recurseRolesSearch(searchContext, baseRoleDN);

      where line 585 adds a role and line 586 recursively searches for underlying roles.

       

      The problem in my case is in step 3: why would we try to get the roles our initial role is memberOf and not add it right away? We already know that the user is a member of this role. I think that's the reason why I only get authorized when I have group->group->user and not in the other cases.

      Am I understanding what's going on right? Should I pass something else in the config? I tried different variations of the config; when I do

          <module-option name="roleAttributeID" value="cn"/>
          <module-option name="roleAttributeIsDN" value="false"/>

      it will load all first-level roles but won't recurse into lower-level groups.

       

      In other configurations I tried there were no roles loaded.
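The role-resolution steps 1 to 4 above, together with the cn variant of the config, can be modelled over a small in-memory directory to see which group the module actually ends up adding for each nesting depth. The following is an added example written for this thread; it is not code from the post or from the JBoss Negotiation project. It assumes (a) a constructed directory of groups that carry both `member` and `memberOf`, as Active Directory does, named app_ttt_api, g2, g3, ... with made-up DNs, and (b) that `recurseRolesSearch` re-runs the `(member={1})` search with the group DN rather than reading that group's `memberOf` directly, which is the reading of "recursively searches" that reproduces the alternating works / doesn't-work pattern described in the post. Running it shows, per depth, whether app_ttt_api lands in the role set at all, which is the check an admin wants before relying on this mapping for authorization.

```python
"""Model of the AdvancedLdapLoginModule role-resolution steps described in the post.

Constructed in-memory directory: DN -> {attribute: [values]}.  This is an
illustration of the algorithm as the post walks through it, not the module's code.
"""

# Constructed user DN (only the shape matters for the model).
USER_DN = "CN=myuser,CN=Managed Service Accounts,DC=AD,DC=TTT,DC=com"


def build_directory(chain_depth):
    """Build app_ttt_api -> g2 -> ... -> user with `chain_depth` groups in the chain.

    chain_depth=1: app_ttt_api -> user
    chain_depth=2: app_ttt_api -> g2 -> user, and so on.
    """
    names = ["app_ttt_api"] + [f"g{i}" for i in range(2, chain_depth + 1)]
    dns = [f"CN={n},OU=Groups,DC=AD,DC=TTT,DC=com" for n in names]  # constructed DNs
    directory = {}
    for i, dn in enumerate(dns):
        child = dns[i + 1] if i + 1 < len(dns) else USER_DN
        parents = [dns[i - 1]] if i > 0 else []
        directory[dn] = {"cn": [names[i]], "member": [child], "memberOf": parents}
    directory[USER_DN] = {"cn": ["myuser"], "memberOf": [dns[-1]]}
    return directory


def search_member(directory, member_dn):
    """The (member={1}) search over rolesCtxDN: entries whose 'member' holds member_dn."""
    return [dn for dn, attrs in directory.items() if member_dn in attrs.get("member", [])]


def resolve_roles(directory, user_dn, role_attribute_id, role_attribute_is_dn, recurse_roles):
    """Return the set of role names the modelled module would add for user_dn."""
    roles = set()
    processed = set()

    def obtain_role(dn):
        # Step 3: read roleAttributeID from the entry the search returned.
        for value in directory.get(dn, {}).get(role_attribute_id, []):
            if role_attribute_is_dn:
                # Step 4, line 585: load roleNameAttributeID (cn) of that DN as the role name.
                roles.update(directory[value]["cn"])
                # Step 4, line 586: recurse into that DN.
                recurse(value)
            else:
                # Non-DN value (e.g. cn): add it as-is, no recursion.
                roles.add(value)

    def recurse(role_dn):
        # Assumption: recursion re-runs the member search with the group DN as {1}.
        if recurse_roles and role_dn not in processed:
            processed.add(role_dn)
            roles_search(role_dn)

    def roles_search(member_dn):
        # Steps 1 and 2: search, then obtainRole on each result DN.
        for result_dn in search_member(directory, member_dn):
            obtain_role(result_dn)

    roles_search(user_dn)
    return roles


def memberof_config(directory):
    """The post's main config: roleAttributeID=memberOf, roleAttributeIsDN=true."""
    return resolve_roles(directory, USER_DN, "memberOf", True, True)


def cn_config(directory):
    """The post's alternative: roleAttributeID=cn, roleAttributeIsDN=false."""
    return resolve_roles(directory, USER_DN, "cn", False, True)


if __name__ == "__main__":
    for depth in range(1, 6):
        d = build_directory(depth)
        print(f"depth {depth}: memberOf config -> {sorted(memberof_config(d))}, "
              f"cn config -> {sorted(cn_config(d))}")
```

With the memberOf config the model adds the parent of whatever group the first search returns and then alternates up the chain, so app_ttt_api is present only for even depths (group->group->user, group->group->group->group->user); with the cn config it adds exactly the first-level group and stops, matching both observations in the post.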