2 Replies Latest reply on Jan 22, 2016 8:21 AM by Lars Ohlén

    WildFly - LDAP Security Realm

    Lars Ohlén Newbie

      Hi Forum,


      I need to authenticate users against a corporate central LDAP server. It used to be a trivial thing in the past, but the LDAP server connection will be additionally secured.

      So basically I need to:

      - Use SSL

      - Login / Authenticate our system (e.g. with a system account user/pw)

      - Then authenticate the actual credentials of the user that wants to access our web portal


      I have tried the following principles (using combined example fromLDAP Security Realm Examples)

      1. <security-realms> 
      2.             <security-realm name="LdapSSLRealm"> 
      3.                 <server-identities> 
      4.                     <ssl> 
      5.                         <keystore path="ldap.keystore" relative-to="jboss.server.config.dir" keystore-password="keystore_password" /> 
      6.                     </ssl> 
      7.                 </server-identities> 
      8.                 <authentication> 
      9.                     <truststore  path="ldap.truststore" relative-to="jboss.server.config.dir" keystore-password="truststore_password" /> 
      10.                 </authentication> 
      11.             </security-realm> 
      12.         </security-realms> 
      13.         <outbound-connections> 
      14.             <ldap name="LocalLdap" url="ldaps://localhost:10389" search-dn="uid=wildfly,dc=simple,dc=wildfly,dc=org" search-credential="secret"  security-realm="LdapSSLRealm" /> 
      15.         </outbound-connections> 


      The trace output that I get in logs do not really hint me if I have done something wrong in the actual realm set-up or if I have done something wrong in the actual query..

      A couple of questions:

      - is my approach the correct for what I need to achieve (e.g. first authenticate our system, then authenticate the actual user)

      - any way of increasing logging for ldap ?


      Any guide / advice appreciated


      Using WildFly 8.2





        • 1. Re: WildFly - LDAP Security Realm
          Martin Choma Master



          If you want to authenticate to LDAP with system user/password then you dont need server identities element. Just follow section "SSL" from referenced article. (Not section SSL with Client Certificate).


          Is your LDAP server configured to TLS/SSL on secured port. Btw. port 10389 you are connecting use to be unsecured port. Secured port use to be something like 636. Try to test SSL connection with openssl s_client.

          What error do you see in log?



          • 2. Re: WildFly - LDAP Security Realm
            Lars Ohlén Newbie


            Thanks for fast response and proposal.

            I found this setting and it increased the logging in a good way

            <logger category="org.jboss.security">
                  <level name="TRACE"/>


            Actually I think that our current problems are related to access problems (Firewall, account set-up or similar). So until I have sorted the out this will be pending.

            Will be back.