3 Replies Latest reply on Dec 6, 2018 2:50 PM by mchoma

    Wildfly 11 - Configure Management to use Active Directory

    jayboyle_5446

      Hi, I am struggling to get the Management Console configured to use Active Directory for authentication in Wildfly 11.

       

      I am using the new Elytron security model, and have an LDAP Realm configured, and users are able to authenticate and log into the deployed applications.  Instead of using the default properties file I would like to use this same LDAP Realm to allow users to authenticate through the Management Console.  I've tried several combinations of things based on (dated) articles I could find on Google.  It would be much appreciated if someone can point me in the right direction.

       

      This is the security configuration of the LDAP Realm that allows AD users to authenticate against applications deployed on this server.

      <elytron>
      ...
          <security-domains>
          ...
              <security-domain name="AllUsersLDAPSecurityDomain" default-realm="CachedAllUsersLDAPSecurityRealm" permission-mapper="default-permission-mapper">
                  <realm name="CachedAllUsersLDAPSecurityRealm"/>
              </security-domain>
          </security-domains>
          <security-realms>
              <!-- The realm name must match the realm attribute of the caching-realm below -->
              <ldap-realm name="AllUsersLDAPSecurityRealm" dir-context="ldap-connection" direct-verification="true">
                  <identity-mapping rdn-identifier="CN" use-recursive-search="true" search-base-dn="ou=root,dc=Alpha,dc=ABC-DEF,dc=NET" iterator-filter="(uid=*)">
                      <attribute-mapping>
                          <attribute from="CN" to="Roles" filter="(&amp;(objectClass=groupOfNames)(member={0}))" filter-base-dn="ou=root,dc=Alpha,dc=ABC-DEF,dc=NET"/>
                      </attribute-mapping>
                  </identity-mapping>
              </ldap-realm>
              <caching-realm name="CachedAllUsersLDAPSecurityRealm" realm="AllUsersLDAPSecurityRealm"/>
          </security-realms>
          <http>
              <http-authentication-factory name="ldap-all-users-http-authentication" http-server-mechanism-factory="global" security-domain="AllUsersLDAPSecurityDomain">
                  <mechanism-configuration>
                      <mechanism mechanism-name="FORM">
                          <mechanism-realm realm-name="CachedAllUsersLDAPSecurityRealm"/>
                      </mechanism>
                  </mechanism-configuration>
              </http-authentication-factory>
          </http>
          <dir-contexts>
              <!-- Plain ldap:// on 389 sends the bind and user passwords in clear text;
                   prefer ldaps:// (with an ssl-context) and a credential-store instead of clear-text -->
              <dir-context name="ldap-connection" url="ldap://ldap1.ABC-DEF.NET:389" principal="cn=Userg,ou=Service_Accounts,dc=ALPHA,DC=ABC-DEF,DC=NET">
                  <credential-reference clear-text="secret"/>
              </dir-context>
          </dir-contexts>
      </elytron>

        • 1. Re: Wildfly 11 - Configure Management to use Active Directory
          mchoma

          Use the http-authentication-factory [1] attribute to reference an HTTP authentication factory (similar to ldap-all-users-http-authentication). However, I think with the Management Console you can't use the FORM mechanism (you can't specify login.jsp / error.jsp there). So try the BASIC or DIGEST mechanism in this case.

           

          [1] WildFly 14.0 Model Reference

          • 2. Re: Wildfly 11 - Configure Management to use Active Directory
            jayboyle_5446

            Thanks Martin, I was able to get it working with a different filter than what is being used in the LDAP Realm.  But when I try to use the same filter (&amp;(objectClass=groupOfNames)(member={0})) defined in the LDAP Realm it doesn't work.

             

            <management>
                <security-realms>
                    <security-realm name="ManagementRealm">
                        <authentication>
                            <!-- {0} is the login name typed by the user; the filter must return that user's entry -->
                            <ldap connection="ldap-management" base-dn="ou=CBSA-ASFC,dc=OMEGA,dc=DCE-EIR,dc=NET" recursive="true" user-dn="dn">
                                <advanced-filter filter="(&amp;(sAMAccountName={0})(memberOf=CN=GroupName,OU=Access_Control_Groups,DC=ALPHA,DC=ABC-DEF,DC=NET))"/>
                            </ldap>
                        </authentication>
                        <authorization map-groups-to-roles="false">
                            <properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
                        </authorization>
                    </security-realm>
                    ....
                </security-realms>
                <outbound-connections>
                    <ldap name="ldap-management" url="ldap://ALPHA.ABC-DEF.NET:389" search-dn="cn=binduserName,ou=Service_Accounts,dc=ALPHA,DC=ABC-DEF,DC=NET" search-credential="secret"/>
                </outbound-connections>
                ...
            </management>

            • 3. Re: Wildfly 11 - Configure Management to use Active Directory
              mchoma

              The snippet you posted is legacy security, not Elytron. Be aware that legacy security will be removed in the future, so it is better to use Elytron right away.
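The following is an added example and is not configuration from any post in this thread. It puts together what reply 1 describes (pointing the management interfaces at an Elytron http-authentication-factory with a non-FORM mechanism) and the group restriction that reply 2 achieved with a legacy advanced-filter, done the Elytron way. The key difference between the two filters in reply 2: the filter inside an ldap-realm attribute-mapping selects group entries to turn into roles, whereas the legacy advanced-filter must return the user's own entry for the typed login name; the Elytron counterpart of that second job is the filter-name attribute of identity-mapping. The dir-context "ldap-connection" is the one from the original post; every name beginning with mgmt-, the admin group DN, and the choice of sAMAccountName as the login attribute are assumptions for the example.

```xml
<!-- Added example, not from the thread. mgmt-* names, the group DN and
     sAMAccountName as login attribute are assumptions; "ldap-connection"
     is the dir-context from the original post. -->
<elytron>
    <security-domains>
        <!-- A separate domain for management, so that every application user
             does not automatically become an administrator. -->
        <security-domain name="mgmt-ldap-domain" default-realm="mgmt-ldap-realm"
                         permission-mapper="default-permission-mapper">
            <realm name="mgmt-ldap-realm" role-decoder="groups-to-roles"/>
        </security-domain>
    </security-domains>

    <security-realms>
        <!-- filter-name plays the role of the legacy advanced-filter: {0} is the
             typed login name and the whole filter must match the user's entry.
             A user outside the group is simply not found, so the login fails
             before any bind with their password is attempted. -->
        <ldap-realm name="mgmt-ldap-realm" dir-context="ldap-connection" direct-verification="true">
            <identity-mapping rdn-identifier="sAMAccountName" use-recursive-search="true"
                              search-base-dn="ou=root,dc=Alpha,dc=ABC-DEF,dc=NET"
                              filter-name="(&amp;(sAMAccountName={0})(memberOf=CN=GroupName,OU=Access_Control_Groups,DC=ALPHA,DC=ABC-DEF,DC=NET))">
                <attribute-mapping>
                    <!-- AD keeps group DNs on the user in memberOf; dereference each
                         DN and take its cn as a role name (decoded by groups-to-roles). -->
                    <attribute from="cn" to="Roles" reference="memberOf"/>
                </attribute-mapping>
            </identity-mapping>
        </ldap-realm>
    </security-realms>

    <http>
        <!-- BASIC rather than FORM (the console has no login page to point FORM at)
             and rather than DIGEST: DIGEST needs the realm to hand back the stored
             password, which a direct-verification (bind) realm cannot do.
             BASIC carries the password in each request, so serve the management
             interface over HTTPS only. -->
        <http-authentication-factory name="mgmt-http-auth" http-server-mechanism-factory="global"
                                     security-domain="mgmt-ldap-domain">
            <mechanism-configuration>
                <mechanism mechanism-name="BASIC">
                    <mechanism-realm realm-name="ManagementRealm"/>
                </mechanism>
            </mechanism-configuration>
        </http-authentication-factory>
    </http>

    <sasl>
        <!-- The CLI connects through HTTP upgrade and authenticates with SASL;
             PLAIN is the SASL analogue of BASIC and works with direct-verification. -->
        <sasl-authentication-factory name="mgmt-sasl-auth" sasl-server-factory="configured"
                                     security-domain="mgmt-ldap-domain">
            <mechanism-configuration>
                <mechanism mechanism-name="PLAIN"/>
            </mechanism-configuration>
        </sasl-authentication-factory>
    </sasl>
</elytron>

<management>
    <management-interfaces>
        <!-- The legacy security-realm="ManagementRealm" attribute is replaced by
             the two Elytron factories above. -->
        <http-interface http-authentication-factory="mgmt-http-auth">
            <http-upgrade enabled="true" sasl-authentication-factory="mgmt-sasl-auth"/>
            <socket-binding http="management-http"/>
        </http-interface>
    </management-interfaces>
</management>
```

With the default access-control provider ("simple") every user who gets past authentication is an administrator, so the group filter above is the only thing standing between an ordinary AD account and the console; if some admins should get read-only access, switch the provider to rbac and map the decoded group roles to the standard management roles instead of widening the filter.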