3 Replies Latest reply on Jan 20, 2020 6:06 AM by dnovo

Elytron ldap-realm - dir-context
I'm trying to migrate PicketLink LdapLoginModule to Elytron (WildFly 18.0.1).

My previous configuration using legacy security:

<security-domain name="MySecurityDomain" cache-type="default">
  <authentication>
    <login-module code="Ldap" flag="sufficient">
      <module-option name="java.naming.provider.url" value="ldap://myactivedirectory:389/"/>
      <module-option name="principalDNSuffix" value="@mydomain.local"/>
      <module-option name="rolesCtxDN" value="DC=mydomain,DC=local"/>
      <module-option name="uidAttributeID" value="sAMAccountName"/>
      <module-option name="roleAttributeID" value="memberOf"/>
      <module-option name="roleAttributeIsDN" value="true"/>
    </login-module>
  </authentication>
</security-domain>

With this configuration, I was able to establish a connection with myactivedirectory using the user credentials (the user trying to log in).

Using Elytron with the following configuration, everything works fine.

However, I would like to remove the principal and credential from the dir-context and establish the connection using the user credentials (the user trying to log in), as I did using legacy security.

Is this possible with Elytron?

<security-domain name="MySecurityDomain" default-realm="MySecurityRealm" permission-mapper="default-permission-mapper">
  <realm name="MySecurityRealm"/>
</security-domain>

<ldap-realm name="MySecurityRealm" dir-context="myDirContext" direct-verification="true">
  <identity-mapping rdn-identifier="sAMAccountName" search-base-dn="OU=users,DC=mydomain,DC=local">
    <attribute-mapping>
      <attribute from="name" to="Roles" filter="(member={1})" filter-base-dn="OU=groups,DC=mydomain,DC=local" role-recursion="1"/>
    </attribute-mapping>
  </identity-mapping>
</ldap-realm>

<http-authentication-factory name="mysecurity-http-authentication" security-domain="MySecurityDomain" http-server-mechanism-factory="global">
  <mechanism-configuration>
    <mechanism mechanism-name="FORM">
      <mechanism-realm realm-name="MySecurityRealm"/>
    </mechanism>
  </mechanism-configuration>
</http-authentication-factory>

<dir-context name="myDirContext" url="ldap://myactivedirectory:389" principal="CN=AD Connector,OU=users,DC=mydomain,DC=local">
  <credential-reference clear-text="mypassword"/>
</dir-context>

Thanks in advance.

• 1. Re: Elytron ldap-realm - dir-context

  "To connect to the LDAP server from WildFly, you need to configure a dir-context that provides the URL as well as the principal used to connect to the server." (WildFly Elytron Security)
  But this points to the LDAP admin user. The link to the users and roles is configured in the <ldap-realm> element.

  • 2. Re: Elytron ldap-realm - dir-context

    I understand what you are saying. My example is working perfectly. I just want to be sure there's no other way to connect to the LDAP server with an account different from the user login.

    In other words, something like:

    <dir-context name="myDirContext" url="ldap://myactivedirectory:389" principal="CN=AD Connector,OU=users,DC=mydomain,DC=local">
      <credential-reference clear-text="mypassword"/>
    </dir-context>

    and using the user credentials (the user who is trying to authenticate) to make the connection, just like the legacy Ldap login module.

    • 3. Re: Elytron ldap-realm - dir-context

      In ldap-realm, I have set the property direct-verification to true. According to the admin console, this is supposed to do what I want, or have I misunderstood?

      "Does this realm support verification of credentials by directly connecting to LDAP as the account being authenticated?

      Supports expressions. A modification to the attribute can only be applied to the runtime via a restart of all services, but does not require a full jvm restart."

      I cannot find any information regarding this property in the Elytron documentation.
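To make the two binds discussed in this thread concrete, the following is an added model (not WildFly or Elytron code, and not posted by anyone in the thread) of the login flow an ldap-realm performs with the original poster's configuration. It assumes what the admin-console text quoted above describes: the dir-context principal (the "AD Connector" service account) is used to open the connection and search for the identity and its roles, and with direct-verification="true" a second bind is made as the account being authenticated, using the password the user typed. The directory, the function names (ldap_bind, ldap_search, authenticate) and the dataclasses are all constructed for the illustration; the filter parser only understands the "(attr={0})" / "(attr={1})" form, with {1} standing for the identity DN as in the thread's "(member={1})" and {0} for the user name.

```python
"""Model of the login flow an Elytron ldap-realm performs (illustration only,
not WildFly/Elytron code).  Two binds are involved: the dir-context bind with
the service principal, used for searching, and, when direct_verification is
set, a bind as the user being authenticated to verify the password."""
import re
from dataclasses import dataclass

# Constructed stand-in for the Active Directory tree in the thread.
# DN -> attributes; every attribute is multi-valued.  A real AD never returns
# the password attribute to a search, which is why verifying by binding as the
# user (direct verification) is the mode that works against it.
DIRECTORY = {
    "CN=AD Connector,OU=users,DC=mydomain,DC=local":
        {"sAMAccountName": ["adconnector"], "userPassword": ["mypassword"]},
    "CN=Alice,OU=users,DC=mydomain,DC=local":
        {"sAMAccountName": ["alice"], "userPassword": ["alice-pw"]},
    "CN=devs,OU=groups,DC=mydomain,DC=local":
        {"name": ["devs"], "member": ["CN=Alice,OU=users,DC=mydomain,DC=local"]},
    "CN=staff,OU=groups,DC=mydomain,DC=local":
        {"name": ["staff"], "member": ["CN=devs,OU=groups,DC=mydomain,DC=local"]},
}


def ldap_bind(dn, password):
    """LDAP simple bind: succeeds only for an existing entry whose password matches."""
    entry = DIRECTORY.get(dn)
    return entry is not None and password in entry.get("userPassword", [])


def ldap_search(base_dn, attr, value):
    """Equality search '(attr=value)' over the subtree below base_dn; returns DNs."""
    suffix = "," + base_dn.lower()
    return [dn for dn, entry in DIRECTORY.items()
            if dn.lower().endswith(suffix) and value in entry.get(attr, [])]


@dataclass
class DirContext:            # mirrors <dir-context url= principal=> + <credential-reference>
    url: str
    principal: str
    credential: str


@dataclass
class LdapRealm:             # mirrors <ldap-realm> + <identity-mapping> + <attribute>
    dir_context: DirContext
    rdn_identifier: str      # e.g. sAMAccountName
    search_base_dn: str
    role_from: str           # attribute copied into the Roles attribute
    role_filter: str         # e.g. "(member={1})"; {0} = user name, {1} = identity DN
    role_filter_base_dn: str
    role_recursion: int      # extra levels of nested groups to expand
    direct_verification: bool


def authenticate(realm, username, password):
    """Return (verified, roles).  Raises PermissionError if the service bind fails."""
    ctx = realm.dir_context
    # 1. Open the dir-context with the *service* principal.  This is the bind the
    #    thread's <dir-context principal=...> and <credential-reference> configure.
    if not ldap_bind(ctx.principal, ctx.credential):
        raise PermissionError("dir-context bind failed for " + ctx.principal)
    # 2. Locate the identity under search-base-dn by its rdn-identifier.
    matches = ldap_search(realm.search_base_dn, realm.rdn_identifier, username)
    if len(matches) != 1:
        return False, []
    user_dn = matches[0]
    # 3. Verify the credential.
    if realm.direct_verification:
        # direct-verification="true": bind to LDAP as the account being
        # authenticated, with the password the user supplied.
        verified = ldap_bind(user_dn, password)
    else:
        # direct-verification="false": read the stored password through the
        # service context and compare locally (needs a readable password attribute).
        verified = password in DIRECTORY[user_dn].get("userPassword", [])
    if not verified:
        return False, []
    # 4. Resolve roles via the attribute filter, expanding nested groups for
    #    role-recursion additional levels.
    m = re.fullmatch(r"\((\w+)=\{([01])\}\)", realm.role_filter)
    if not m:
        raise ValueError("unsupported filter: " + realm.role_filter)
    filter_attr, placeholder = m.group(1), m.group(2)
    frontier = [username if placeholder == "0" else user_dn]
    roles, seen = [], set()
    for _ in range(realm.role_recursion + 1):
        next_frontier = []
        for value in frontier:
            for group_dn in ldap_search(realm.role_filter_base_dn, filter_attr, value):
                if group_dn not in seen:
                    seen.add(group_dn)
                    roles.extend(DIRECTORY[group_dn].get(realm.role_from, []))
                    next_frontier.append(group_dn)
        frontier = next_frontier
    return True, roles


# The thread's configuration, expressed against the model above.
REALM = LdapRealm(
    dir_context=DirContext("ldap://myactivedirectory:389",
                           "CN=AD Connector,OU=users,DC=mydomain,DC=local", "mypassword"),
    rdn_identifier="sAMAccountName",
    search_base_dn="OU=users,DC=mydomain,DC=local",
    role_from="name", role_filter="(member={1})",
    role_filter_base_dn="OU=groups,DC=mydomain,DC=local",
    role_recursion=1, direct_verification=True)

if __name__ == "__main__":
    print(authenticate(REALM, "alice", "alice-pw"))   # (True, ['devs', 'staff'])
    print(authenticate(REALM, "alice", "wrong"))      # (False, [])
```

Run as a script it prints the two results shown in the comments. The point the model makes visible is that removing the principal from the dir-context would break step 2 (the identity search) even though step 3 already binds as the user; the service account and the user bind serve different purposes. Lowering role_recursion to 0 drops the nested "staff" role, which is what the thread's role-recursion="1" buys.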