Hi,

I'm trying to migrate legacy security to Elytron:

In Wildfly 16 i have this security-domain:

<security-domain name="MyDomain" cache-type="default">

<authentication>

<login-module code="Database" flag="sufficient">

<module-option name="dsJndiName" value="java:/MyUsersDS"/>

<module-option name="principalsQuery" value="SELECT password FROM USER WHERE username = ?"/>

<module-option name="rolesQuery" value="SELECT groupname, 'Roles' FROM USERGROUP  WHERE username = ?"/>

<module-option name="hashAlgorithm" value="SHA-256"/>

<module-option name="hashEncoding" value="base64"/>

</login-module>

<login-module code="Ldap" flag="sufficient">

<module-option name="java.naming.provider.url" value="ldap://xxx.xxx.xxx.xxx:389/"/>

<module-option name="principalDNSuffix" value="@mydomain.com"/>

<module-option name="rolesCtxDN" value="DC=MYDOMAIN,DC=COM"/>

<module-option name="uidAttributeID" value="sAMAccountName"/>

<module-option name="roleAttributeID" value="memberOf"/>

<module-option name="roleAttributeIsDN" value="true"/>

</login-module>

</authentication>

</security-domain>

With this configuration, user credentials are validated against login-module that succeeds the first(flag=sufficient).

I'm trying to replicate this config with Elytron using Wildfly 18.0.1.

I already succeed using only ldap-realm or Database. However i need to authenticate in Ldap if Database fails.

How can i do this?

Thanks