7 Replies Latest reply on Nov 30, 2019 10:39 AM by mewkiba

    [Active Directory authentication][Database authorisation]

    mewkiba

      Hi All,


      I am new to WildFly and want to activate Active Directory authentication on WildFly 18.


      The roles are stored in a database, so authorisation is handled in the database.


      With previous releases, this was possible with two modules in the security-domain (one LdapExtended and one Database).


      Can someone point me to good documentation to configure the same with WildFly 18?


      Thanks in advance & Best regards.

        • 1. Re: [Active Directory authentication][Database authorisation]
          mayerw01

          Both LDAP and database authorization are possible in WildFly. Please see WildFly Elytron Security for more information.

          • 2. Re: [Active Directory authentication][Database authorisation]
            mewkiba

            Thank you for your answer.


            I started reading the documentation. I will test afterwards and give feedback.


            Best regards.

            • 3. Re: [Active Directory authentication][Database authorisation]
              mewkiba

              Hi Wolfgang,


              I just read the documentation. I saw that we can do database authentication and authorization with Elytron on WildFly.


              But what I want is to do authentication with Active Directory and authorization with the database. In the documentation there is a way to create an additional principal-query with an attribute-mapping to obtain additional authorization information, but I don't see if it is possible to point it to another realm (surely I missed something, because with WildFly 10 I was able to do it using two different login modules in the same security domain).


              Best regards

              • 4. Re: [Active Directory authentication][Database authorisation]
                mayerw01

                Did you also go through chapter "11. Migrate Legacy Security to Elytron Security"?
                It is possible to take a previously defined PicketBox security domain and expose it as an Elytron security realm.

                • 5. Re: [Active Directory authentication][Database authorisation]
                  mewkiba

                  Ok. I will review this part.


                  Thank you.

                  • 6. Re: [Active Directory authentication][Database authorisation]
                    pmm

                    We use something like the following:


                    <subsystem xmlns="urn:wildfly:elytron:8.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
                      <security-domains>
                        <security-domain name="ApplicationDomain" default-realm="acme-realm" permission-mapper="default-permission-mapper" security-event-listener="local-audit">
                          <realm name="acme-realm"/>
                        </security-domain>
                        <security-domain name="ManagementDomain" default-realm="acme-realm" permission-mapper="default-permission-mapper">
                          <realm name="acme-realm"/>
                        </security-domain>
                      </security-domains>
                      <security-realms>
                        <identity-realm name="local" identity="$local"/>
                        <!-- authentication only: the user's password is verified by an LDAP bind (direct-verification) -->
                        <ldap-realm name="ldap-authentication-realm" dir-context="acme-com" direct-verification="true">
                          <identity-mapping rdn-identifier="samAccountName" search-base-dn="DC=acme,DC=com" use-recursive-search="true">
                          </identity-mapping>
                        </ldap-realm>
                        <!-- authorization only: each row's first column becomes a value of the "Roles" attribute -->
                        <jdbc-realm name="jdbc-authorization-realm">
                          <principal-query data-source="AcmeDS" sql="SELECT securityrole FROM users WHERE userid = ?">
                            <attribute-mapping>
                              <attribute to="Roles" index="1" />
                            </attribute-mapping>
                          </principal-query>
                        </jdbc-realm>
                        <!-- the aggregate realm is what the security domains reference -->
                        <aggregate-realm name="acme-realm" authentication-realm="ldap-authentication-realm" authorization-realm="jdbc-authorization-realm"/>
                      </security-realms>
                      <dir-contexts>
                        <dir-context name="acme-com" url="ldaps://acme.com:636" principal="ACME\techuser" ssl-context="..." referral-mode="follow" enable-connection-pooling="true">
                          <credential-reference .../>
                        </dir-context>
                      </dir-contexts>
                    </subsystem>
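The same aggregate-realm setup expressed as a jboss-cli script, added here as an example and not taken from pmm's post or the WildFly documentation. The credential store `acme-cs` with alias `ldap-techuser` and the ssl-context `acme-ldaps` are assumed names standing in for the values the post elides; the realm, domain, data-source and query names come from the post.

```jboss-cli
# Added example (not from the post above): build the LDAP-authentication /
# JDBC-authorization aggregate with jboss-cli, e.g.
#   jboss-cli.sh --connect --file=ad-db-realm.cli
# Assumed names: credential store "acme-cs" / alias "ldap-techuser" and
# ssl-context "acme-ldaps" (both elided in the post as "...").
batch

# Service account used only to search AD; with direct-verification=true the
# user's own password is checked by an LDAP bind over the ldaps connection.
/subsystem=elytron/dir-context=acme-com:add( \
    url="ldaps://acme.com:636", \
    principal="ACME\\techuser", \
    credential-reference={store=acme-cs, alias=ldap-techuser}, \
    ssl-context=acme-ldaps, \
    referral-mode=follow, \
    enable-connection-pooling=true)

# Authentication realm: map the login name to samAccountName under the base DN.
/subsystem=elytron/ldap-realm=ldap-authentication-realm:add( \
    dir-context=acme-com, \
    direct-verification=true, \
    identity-mapping={rdn-identifier=samAccountName, \
                      search-base-dn="DC=acme,DC=com", \
                      use-recursive-search=true})

# Authorization realm: one row per role; column 1 becomes the "Roles"
# attribute, which Elytron's default role decoder turns into roles.
/subsystem=elytron/jdbc-realm=jdbc-authorization-realm:add( \
    principal-query=[{data-source=AcmeDS, \
                      sql="SELECT securityrole FROM users WHERE userid = ?", \
                      attribute-mapping=[{to=Roles, index=1}]}])

# Aggregate: authenticate against AD, load roles from the database.
/subsystem=elytron/aggregate-realm=acme-realm:add( \
    authentication-realm=ldap-authentication-realm, \
    authorization-realm=jdbc-authorization-realm)

# Security domain referencing the aggregate realm (default-permission-mapper
# and local-audit already exist in the shipped Elytron configuration).
/subsystem=elytron/security-domain=ApplicationDomain:add( \
    default-realm=acme-realm, \
    permission-mapper=default-permission-mapper, \
    security-event-listener=local-audit, \
    realms=[{realm=acme-realm}])

run-batch
```

The shipped standalone.xml already defines an ApplicationDomain, so on a stock server the last `:add` becomes `:write-attribute` calls on the existing domain (or remove it first). The techuser account only needs read access under the search base, so keep it unprivileged and store its password in a credential store rather than as clear-text in the configuration.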
                    • 7. Re: [Active Directory authentication][Database authorisation]
                      mewkiba

                      Thank you all for the support.


                      Very nice.