3 Replies Latest reply on Jan 20, 2020 6:06 AM by dnovo

    Elytron ldap-realm  - dir-context

    dnovo

      Hi,

      I'm trying to migrate the PicketLink LdapLoginModule to Elytron (WildFly 18.0.1).

      My previous configuration using legacy security:

      <security-domain name="MySecurityDomain" cache-type="default">
          <authentication>
              <login-module code="Ldap" flag="sufficient">
                  <module-option name="java.naming.provider.url" value="ldap://myactivedirectory:389/"/>
                  <module-option name="principalDNSuffix" value="@mydomain.local"/>
                  <module-option name="rolesCtxDN" value="DC=mydomain,DC=local"/>
                  <module-option name="uidAttributeID" value="sAMAccountName"/>
                  <module-option name="roleAttributeID" value="memberOf"/>
                  <module-option name="roleAttributeIsDN" value="true"/>
              </login-module>
          </authentication>
      </security-domain>

      With this configuration, I was able to establish a connection with myactivedirectory using the user credentials (the user trying to log in).

      Using Elytron with the following configuration, everything works fine.
      However, I would like to remove the principal and credential from dir-context and establish the connection using the user credentials (the user trying to log in), as I did with legacy security.
      Is this possible with Elytron?

      <security-domains>
      ...
          <security-domain name="MySecurityDomain" default-realm="MySecurityRealm" permission-mapper="default-permission-mapper">
              <realm name="MySecurityRealm"/>
          </security-domain>
      ...
      </security-domains>

      <security-realms>
      ...
          <ldap-realm name="MySecurityRealm" dir-context="myDirContext" direct-verification="true">
              <identity-mapping rdn-identifier="sAMAccountName" search-base-dn="OU=users,DC=mydomain,DC=local">
                  <attribute-mapping>
                      <attribute from="name" to="Roles" filter="(member={1})" filter-base-dn="OU=groups,DC=mydomain,DC=local" role-recursion="1"/>
                  </attribute-mapping>
              </identity-mapping>
          </ldap-realm>
      </security-realms>

      <http>
          <http-authentication-factory name="mysecurity-http-authentication" security-domain="MySecurityDomain" http-server-mechanism-factory="global">
              <mechanism-configuration>
                  <mechanism mechanism-name="FORM">
                      <mechanism-realm realm-name="MySecurityRealm"/>
                  </mechanism>
              </mechanism-configuration>
          </http-authentication-factory>
      </http>

      <dir-contexts>
          <dir-context name="myDirContext" url="ldap://myactivedirectory:389" principal="CN=AD Connector,OU=users,DC=mydomain,DC=local">
              <credential-reference clear-text="mypassword"/>
          </dir-context>
      </dir-contexts>


      Thanks in advance.

        • 1. Re: Elytron ldap-realm  - dir-context
          mayerw01

          "To connect to the LDAP server from WildFly, you need to configure a dir-context that provides the URL as well as the principal used to connect to the server." (WildFly Elytron Security)
          But this points to the LDAP admin user. The link to the users and roles is configured in the <ldap-realm> element.

          • 2. Re: Elytron ldap-realm  - dir-context
            dnovo

            Hi,

            I understand what you are saying. My example is working perfectly. I just want to be sure there's no other way to connect to the LDAP server with an account different from the user login.

            In other words, something like:

            <dir-contexts>
                <dir-context name="myDirContext" url="ldap://myactivedirectory:389" principal="CN=AD Connector,OU=users,DC=mydomain,DC=local">
                    <credential-reference clear-text="mypassword"/>
                </dir-context>
            </dir-contexts>


            And using the user credentials (of the user trying to authenticate) to make the connection, just like the legacy Ldap login module.

            • 3. Re: Elytron ldap-realm  - dir-context
              dnovo

              Hi,


              In ldap-realm, I have set the property direct-verification to true. According to the admin console, this is supposed to do what I want, or have I misunderstood?

              "Does this realm support verification of credentials by directly connecting to LDAP as the account being authenticated?
              Supports expressions. A modification to the attribute can only be applied to the runtime via a restart of all services, but does not require a full jvm restart."

              I cannot find any information regarding this property in the Elytron documentation.
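The two bind patterns discussed in this thread, written out as a standalone JNDI program. This is an added illustration, not code from WildFly, Elytron or PicketLink: verifyLegacyStyle binds straight away as user@mydomain.local, the way the legacy module's principalDNSuffix option did, and verifyDirectly does what the admin console text quoted above describes for direct-verification: a service-account search that resolves sAMAccountName to a DN, followed by a second bind as that DN with the password the user typed. The host, the DNs, the class name and the AD_CONNECTOR_PASSWORD environment variable are assumptions modelled on the configuration in this thread; there is no real directory behind them.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class LdapBindDemo {
    // Constructed values modelled on the thread's configuration (assumptions, not a real directory).
    static final String URL = "ldap://myactivedirectory:389";
    static final String UPN_SUFFIX = "@mydomain.local";                                // legacy principalDNSuffix
    static final String SERVICE_DN = "CN=AD Connector,OU=users,DC=mydomain,DC=local"; // dir-context principal
    static final String SEARCH_BASE = "OU=users,DC=mydomain,DC=local";                 // identity-mapping search-base-dn
    // The service-account secret is read from the environment instead of being written in clear text.
    static final String SERVICE_PASSWORD = System.getenv("AD_CONNECTOR_PASSWORD");

    /** Opens a simple-bind connection; a wrong password surfaces as a NamingException. */
    static DirContext bind(String principal, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);
    }

    /** Legacy-module style: no service account, the user's own UPN is the bind principal. */
    static boolean verifyLegacyStyle(String username, String password) {
        if (password == null || password.isEmpty()) {
            return false; // an empty password is an unauthenticated (anonymous) bind, which would "succeed"
        }
        try {
            bind(username + UPN_SUFFIX, password).close();
            return true;
        } catch (NamingException e) {
            return false;
        }
    }

    /** Step 1 of direct verification: resolve the login name to a DN using the service account. */
    static String findUserDn(String username) throws NamingException {
        DirContext ctx = bind(SERVICE_DN, SERVICE_PASSWORD);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[0]); // only the DN is needed
            // {0} is substituted and RFC 2254-escaped by JNDI, so the username cannot alter the filter.
            NamingEnumeration<SearchResult> results =
                ctx.search(SEARCH_BASE, "(sAMAccountName={0})", new Object[] { username }, sc);
            if (!results.hasMore()) {
                return null;
            }
            String dn = results.next().getNameInNamespace();
            if (results.hasMore()) {
                throw new NamingException("more than one entry matches " + username);
            }
            return dn;
        } finally {
            ctx.close();
        }
    }

    /** Step 2 of direct verification: bind as the resolved DN with the password supplied at login. */
    static boolean verifyDirectly(String username, String password) {
        if (password == null || password.isEmpty()) {
            return false; // same anonymous-bind pitfall as above
        }
        try {
            String dn = findUserDn(username);
            if (dn == null) {
                return false;
            }
            bind(dn, password).close();
            return true;
        } catch (NamingException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        String user = args.length > 0 ? args[0] : "jdoe";
        String pass = args.length > 1 ? args[1] : "";
        System.out.println("legacy-style bind:   " + verifyLegacyStyle(user, pass));
        System.out.println("direct verification: " + verifyDirectly(user, pass));
    }
}
```

In the second flow the service account is only used for the search in step 1; the credential check itself is the user's own bind in step 2, so the user's password is never compared or stored by the application. That is why the dir-context in the Elytron configuration still needs a principal even though the user is the one being authenticated: Active Directory does not, by default, let an anonymous connection search for entries, so something has to be able to look up the DN first. The empty-password guard in both methods matters in practice, because most directories treat a simple bind with an empty password as an anonymous bind that does not fail.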