0 Replies Latest reply on Jan 21, 2015 2:36 PM by psesi

    Is it possible to load roles for ManagementRealm from an LDAP security domain?

    psesi Newbie



      I am trying to set up WildFly 8.2 to use LDAP for authentication and authorization for the management console. I am able to get authorization working using an LDAP security domain (see below). However, I can't quite figure out how to set up the associated authorization so that the user roles read by that security domain are "realized" by the authorization portion of the ManagementRealm. I can get things partially working by using a combination of LDAP for authentication and the "<properties>" setup for authorization, where I have to add an entry for the user(s) and explicitly define the group (role) that I want to map to the management application roles. This is a workaround, but ideally I want to use the roles as defined in our LDAP domain (e.g., "Web Admin" in the example below) and directly map them in the "<access-control>" section of the config.


      Note that I use the "<jaas>" option in <authentication> to reference the security domain I have defined. One advantage of this (over setting it up as "<ldap>") is that the user-provided credentials are used to bind to LDAP, so I don't have to set up a separate "user" and expose those credentials in standalone.xml (<connection>). Unfortunately, <jaas> is not allowed under the <authorization> element as far as I can tell.


      So, ideally, I'd like to have the users' groups (roles) read/mapped by the security domain on authentication, and not have to set up a separate "ldap/connection" (which is what I've seen in other discussions, etc.) or use a "hard-coded" properties file for that. Is there any way to do that for the ManagementRealm?


      Here are the relevant parts of my standalone.xml showing my current "workaround" setup:

       <!-- Excerpt from the <management> section of standalone.xml -->
       <security-realm name="ManagementRealm">
         <authentication>
           <!-- silent local auth for the CLI; <jaas> delegates to the security domain below -->
           <local default-user="$local" skip-group-loading="true"/>
           <jaas name="ldap-authn"/>
         </authentication>
         <authorization map-groups-to-roles="false">
           <!-- workaround: groups come from a hand-maintained properties file, not from LDAP -->
           <properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
         </authorization>
       </security-realm>
       <!-- ... -->
       <access-control provider="rbac">
         <role-mapping>
           <role name="SuperUser">
             <include>
               <user name="$local"/>
               <group name="Web Admin" realm="ManagementRealm"/>
             </include>
           </role>
         </role-mapping>
       </access-control>

       <!-- Excerpt from the security subsystem -->
       <subsystem xmlns="urn:jboss:domain:security:1.2">
         <security-domains>
           <security-domain name="ldap-authn" cache-type="default">
             <authentication>
               <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
                 <module-option name="password-stacking" value="useFirstPass"/>
                 <module-option name="java.naming.provider.url" value="ldaps://ldapsrvr.mydom.com:636"/>
                 <module-option name="java.naming.security.protocol" value="ssl"/>
                 <module-option name="matchOnUserDN" value="false"/>
                 <module-option name="principalDNPrefix" value=""/>
                 <module-option name="principalDNSuffix" value="@mydom.com"/>
                 <module-option name="uidAttributeID" value="sAMAccountName"/>
                 <module-option name="rolesCtxDN" value="OU=USERS,DC=mydom,DC=com"/>
                 <module-option name="roleAttributeIsDN" value="true"/>
                 <module-option name="roleAttributeID" value="memberOf"/>
                 <module-option name="roleNameAttributeID" value="name"/>
                 <module-option name="java.naming.security.authentication" value="simple"/>
                 <module-option name="allowEmptyPasswords" value="false"/>
               </login-module>
             </authentication>
           </security-domain>
         </security-domains>
       </subsystem>


      Thanks in advance -
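For comparison, here is the "separate ldap/connection" setup the post mentions as the alternative, written out as an added example (editor's illustration, not the poster's configuration or anything from the thread). It lets the ManagementRealm's <authorization> element read group membership straight from AD, so the properties file and the `map-groups-to-roles="false"` workaround go away and `<group name="Web Admin" realm="ManagementRealm"/>` resolves against the user's real `memberOf` groups. The connection name `ad-mgmt`, the service account DN, the vault block name and the OU layout are assumptions; the host, base DN and `sAMAccountName` attribute are taken from the post.

```xml
<!-- Added example: standalone.xml excerpt for WildFly 8.x (assumed names marked in comments) -->
<management>
  <security-realms>
    <security-realm name="ManagementRealm">
      <authentication>
        <local default-user="$local" skip-group-loading="true"/>
        <!-- the user's own credentials are used for the bind that verifies the password;
             the outbound connection is only used to search for the user's DN -->
        <ldap connection="ad-mgmt" base-dn="OU=USERS,DC=mydom,DC=com" recursive="true"
              allow-empty-passwords="false">
          <username-filter attribute="sAMAccountName"/>
        </ldap>
      </authentication>
      <authorization>
        <ldap connection="ad-mgmt">
          <username-to-dn>
            <username-filter base-dn="OU=USERS,DC=mydom,DC=com" recursive="true"
                             attribute="sAMAccountName"/>
          </username-to-dn>
          <group-search>
            <!-- read the user's memberOf values; each group's cn becomes the group name,
                 so "Web Admin" matches the role-mapping entry below -->
            <principal-to-group group-attribute="memberOf" group-dn-attribute="dn"
                                group-name-attribute="cn" iterative="false"/>
          </group-search>
        </ldap>
      </authorization>
    </security-realm>
  </security-realms>
  <outbound-connections>
    <!-- assumed service account ("ad-mgmt", CN=wildfly-svc) with read-only access to the user OU;
         the password is referenced from the WildFly vault instead of sitting in clear text -->
    <ldap name="ad-mgmt" url="ldaps://ldapsrvr.mydom.com:636"
          search-dn="CN=wildfly-svc,OU=SERVICE,DC=mydom,DC=com"
          search-credential="${VAULT::mgmt-ldap::password::1}"/>
  </outbound-connections>
  <!-- ... -->
  <access-control provider="rbac">
    <role-mapping>
      <role name="SuperUser">
        <include>
          <user name="$local"/>
          <group name="Web Admin" realm="ManagementRealm"/>
        </include>
      </role>
    </role-mapping>
  </access-control>
</management>
```

Two things to check before relying on this: AD's `memberOf` lists direct memberships only, so a user who inherits "Web Admin" through a nested group will not be mapped unless `iterative="true"` is set, and the CA that issued the directory's certificate must be trusted by the JVM for the `ldaps://` URL to connect at all. The search account should be a dedicated, least-privilege principal, since anyone who can read standalone.xml (or the vault keystore password) can reuse it.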