LDAP user READ permission error
knm875 Sep 26, 2018 5:17 PM
Hi,
We are using clustered mode for Infinispan (version 9.1.3). Using the following LDAP settings, the bind account (svcInfAuthLDAP) is correct and can authenticate. We are having an error when the user tries to access Infinispan (e.g. svcOCPtoISPN). We are using OpenShift pods to access it. We validated LDAP searches successfully and I think it's down to a permission mapper error now. Any help would be appreciated! See domain and host-master files below:
domain.xml:
<security>
    <authorization>
        <!-- identity-role-mapper: the authenticated principal's name (here the LDAP group cn from the group search) is used directly as the role name -->
        <identity-role-mapper/>
        <role name="sgISPNAppAccess" permissions="ALL EXEC"/>
        <!-- <role name="Developers" permissions="ALL EXEC"/>
        <role name="Business" permissions="ALL EXEC"/>
        <role name="Managers" permissions="ALL EXEC"/>
        <role name="clustered" permissions="ALL EXEC"/> -->
    </authorization>
</security>
sample cache (in domain.xml):
<distributed-cache name="surrogate" mode="ASYNC" segments="20" owners="3" remote-timeout="30000" start="EAGER">
    <locking acquire-timeout="30000" concurrency-level="1000" striping="false"/>
    <transaction mode="NONE"/>
    <security>
        <!-- only principals holding a role listed here may access this cache; the role must be defined in the cache-container authorization above -->
        <authorization roles="sgISPNAppAccess"/>
    </security>
    <expiration lifespan="7200000"/>
</distributed-cache>
host-master.xml:
<security-realm name="LDAPSManagementRealm">
    <authentication>
        <ldap connection="ldap_connection" recursive="true" base-dn="DC=digital,DC=com">
            <username-filter attribute="sAMAccountName" />
        </ldap>
        <truststore path="***" relative-to="jboss.domain.config.dir" keystore-password='******' />
    </authentication>
    <authorization>
        <ldap connection="ldap_connection">
            <!-- group-name="SIMPLE": each matched group's cn becomes a principal name -->
            <group-search group-name="SIMPLE" iterative="true" group-dn-attribute="dn" group-name-attribute="cn">
                <group-to-principal search-by="DISTINGUISHED_NAME" base-dn="OU=pcfSecurityGroups,DC=digital,DC=com">
                    <membership-filter principal-attribute="member"/>
                </group-to-principal>
            </group-search>
        </ldap>
...
<outbound-connections>
    <ldap name="ldap_connection" url="ldaps://p2ldap1.digi.pcf:636" search-dn="CN=svcInfAuthLDAP,OU=ServiceAccounts,DC=digital,DC=com" search-credential='${VAULT::ISPN::LDAP_CRED::1}' security-realm="LDAPSManagementRealm" />
</outbound-connections>
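The post's setup hinges on three things lining up: the cache's `authorization roles` must name roles that are actually defined in the cache-container `<authorization>`, and with `<identity-role-mapper/>` each role name must exactly equal the principal name the realm produces, which for `group-name="SIMPLE"` is the group's cn. The script below is an added example (not the poster's files and not Infinispan's own tooling) that parses a domain.xml fragment and, given the group cn values a group search returned for a user, reports which caches that user would be allowed into and lints the common mismatches. The XML and the group list are constructed samples modelled on the post; the treatment of a missing `roles` attribute as "inherit all container roles" and the exact (case-sensitive) match between group cn and role name are assumptions stated in the comments.

```python
"""Added example: sanity-check Infinispan server role mapping against LDAP group names."""
import xml.etree.ElementTree as ET

# Constructed domain.xml fragment modelled on the post (not the poster's real file).
# The second cache deliberately references a role that is only present in the commented-out block.
DOMAIN_XML = """<cache-container name="clustered" default-cache="default">
  <security>
    <authorization>
      <identity-role-mapper/>
      <role name="sgISPNAppAccess" permissions="ALL EXEC"/>
      <!-- <role name="Developers" permissions="ALL EXEC"/> -->
    </authorization>
  </security>
  <distributed-cache name="surrogate" mode="ASYNC" owners="3">
    <security><authorization roles="sgISPNAppAccess"/></security>
  </distributed-cache>
  <distributed-cache name="other" mode="ASYNC" owners="3">
    <security><authorization roles="sgISPNAppAccess Developers"/></security>
  </distributed-cache>
</cache-container>"""

# Constructed result of the realm's group search for one user: the cn of every group
# under the group base-dn whose 'member' attribute contains the user's DN.
USER_GROUP_CNS = ["sgISPNAppAccess", "Domain Users"]

CACHE_TAGS = {"local-cache", "replicated-cache", "distributed-cache", "invalidation-cache"}


def local(tag):
    """Strip a namespace prefix ({urn:infinispan:...}role -> role) so real files parse too."""
    return tag.rsplit("}", 1)[-1]


def find_all(node, name):
    """Namespace-agnostic descendant search."""
    return [e for e in node.iter() if local(e.tag) == name]


def defined_roles(root):
    """Roles declared at cache-container level: name -> set of permission names."""
    return {r.get("name"): set(r.get("permissions", "").split()) for r in find_all(root, "role")}


def cache_roles(root):
    """Cache name -> set of roles its <authorization roles="..."> requires (empty = attribute absent)."""
    out = {}
    for cache in root.iter():
        if local(cache.tag) in CACHE_TAGS:
            required = set()
            for auth in find_all(cache, "authorization"):
                required |= set(auth.get("roles", "").split())
            out[cache.get("name")] = required
    return out


def effective_roles(root, group_names):
    """identity-role-mapper uses the principal name as the role name, so the user's roles are
    exactly the defined roles whose name equals one of the group cn values (assumed exact match)."""
    return {g for g in group_names if g in defined_roles(root)}


def access_check(domain_xml, group_names):
    """Which caches a user holding these group cn values may access."""
    root = ET.fromstring(domain_xml)
    roles = effective_roles(root, group_names)
    all_defined = set(defined_roles(root))
    result = {}
    for cache, required in cache_roles(root).items():
        # Assumption: a cache without a roles attribute inherits every container-level role.
        result[cache] = bool((required or all_defined) & roles)
    return result


def lint(domain_xml, group_names):
    """Findings a practitioner would want before blaming the permission mapper."""
    root = ET.fromstring(domain_xml)
    defined = defined_roles(root)
    findings = []
    for cache, required in cache_roles(root).items():
        for role in sorted(required - set(defined)):
            findings.append(f"cache '{cache}' references undefined role '{role}'")
    for name, perms in defined.items():
        # ALL is the aggregate permission; anything listed next to it adds nothing.
        if "ALL" in perms and len(perms) > 1:
            findings.append(f"role '{name}': ALL already implies {sorted(perms - {'ALL'})}, which are redundant")
    if find_all(root, "identity-role-mapper"):
        by_lower = {g.lower(): g for g in group_names}
        for name in defined:
            if name not in group_names and name.lower() in by_lower:
                findings.append(f"role '{name}' differs only in case from group '{by_lower[name.lower()]}': "
                                "identity-role-mapper needs an exact match")
    return findings


if __name__ == "__main__":
    print(access_check(DOMAIN_XML, USER_GROUP_CNS))
    for finding in lint(DOMAIN_XML, USER_GROUP_CNS):
        print("-", finding)
```

Run it against the real domain.xml and the cn values a manual `ldapsearch` returns for the failing user; a user whose groups yield no defined role name gets an empty role set and is denied on every cache regardless of the permissions granted to the role.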