7 Replies Latest reply on Nov 30, 2019 10:39 AM by mewkiba

    [Active Directory authentication][Database authorisation]

    mewkiba
    mewkiba Nov 20, 2019 3:38 PM

      Hi All,

       

      I am new to wildfly and want to activate Active Directory authentication from wildfly 18.

       

      The roles are store in a database, so authorisation is handled in Database.

       

      With previous releases, this was possible with two modules in the security-domain (one LdapExtended and one Database)

       

      Can someone point me to a good documentation to configure the same with wildfly 18?

       

      Thanks in advance & Best regards.

      • 359 Views
      • Tags:
        • 1. Re: [Active Directory authentication][Database authorisation]
          mayerw01
          mayerw01 Nov 21, 2019 4:36 AM (in response to mewkiba)

          As well LDAP as Database authorization is possible in Wildfly. Please see WildFly Elytron Security for more information

            • Actions
          • 2. Re: [Active Directory authentication][Database authorisation]
            mewkiba
            mewkiba Nov 21, 2019 4:53 AM (in response to mayerw01)

            Thank you for your answer.

             

            I started reading the documentation. I will test after and feedback.

             

            Best regards.

              • Actions
            • 3. Re: [Active Directory authentication][Database authorisation]
              mewkiba
              mewkiba Nov 21, 2019 5:54 AM (in response to mayerw01)

              Hi Wolfgang,

               

              I just read the documentation. I saw we can do database authentication and authaurization with Elytron on wildfly.

               

              But, what i want is to do authentication with active directory and authorization with database. In the documentation there is way to create additional principal-query with attribute-mapping to obtain additional authaurization informations, but i don't see if it is possible to point it to another realm (surely i missed something, because with wildfly 10, i was able to do it using to different login-module in the same security domain).

               

              Best regards

                • Actions
              • 4. Re: [Active Directory authentication][Database authorisation]
                mayerw01
                mayerw01 Nov 21, 2019 6:54 AM (in response to mewkiba)

                Did you also go thru chapter "11. Migrate Legacy Security to Elytron Security"
                It is possible to take a previously defined PicketBox security domain and expose it as an Elytron security realm

                1 of 1 people found this helpful
                  • Actions
                • 5. Re: [Active Directory authentication][Database authorisation]
                  mewkiba
                  mewkiba Nov 22, 2019 5:21 AM (in response to mayerw01)

                  Ok. I will review this part.

                   

                  Thank you.

                    • Actions
                  • 6. Re: [Active Directory authentication][Database authorisation]
                    pmm
                    pmm Nov 29, 2019 9:37 AM (in response to mewkiba)

                    We use something like the following

                     

                    <subsystem xmlns="urn:wildfly:elytron:8.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto">

  <security-domains>
  <security-domain name="ApplicationDomain" default-realm="acme-realm" permission-mapper="default-permission-mapper" security-event-listener="local-audit">
  <realm name="acme-realm"/>
  </security-domain>
  <security-domain name="ManagementDomain" default-realm="acme-realm" permission-mapper="default-permission-mapper">
  <realm name="acme-realm"/>
  </security-domain>
  </security-domains>
  <security-realms>
  <identity-realm name="local" identity="$local"/>
  <ldap-realm name="ldap-authentication-realm" dir-context="acme-com" direct-verification="true">
  <identity-mapping rdn-identifier="samAccountName" search-base-dn="DC=acme,DC=com" use-recursive-search="true">
  </identity-mapping>
  </ldap-realm>
  <jdbc-realm name="jdbc-authorization-realm">
  <principal-query data-source="AcmeDS" sql="SELECT securityrole FROM users WHERE userid = ?">
  <attribute-mapping>
  <attribute to="Roles" index="1" />
  </attribute-mapping>
  </principal-query>
  </jdbc-realm>
  <aggregate-realm name="acme-realm" authentication-realm="ldap-authentication-realm" authorization-realm="jdbc-authorization-realm"/>
  </security-realms>
  <dir-contexts>
  <dir-context name="acme-com" url="ldaps://acme.com:636" principal="ACME\techuser" ssl-context="..." referral-mode="follow" enable-connection-pooling="true">
  <credential-reference .../>
  </dir-context>
  </dir-contexts>
                    1 of 1 people found this helpful
                      • Actions
                    • 7. Re: [Active Directory authentication][Database authorisation]
                      mewkiba
                      mewkiba Nov 30, 2019 10:39 AM (in response to pmm)

                      Thank you all for the support.

                       

                      Very nice.

                        • Actions