1 Reply Latest reply on Jan 10, 2020 3:48 PM by walkerca

Anything Like LDAP defaultRole in Elytron?

walkerca Jan 10, 2020 1:56 PM

Hi,

I have a working legacy LDAP configuration that is running in WF 17. I'm trying to migrate it to Elytron, but I'm getting an error that I think is role related. My legacy config is using defaultRole to set up the role referenced in the web.xml. I tried a constant role mapper, but this doesn't seem to be taking effect (placed it at both the security domain and realm levels).

These are some messages from server.log that seem relevant.

13:49:22,099 DEBUG [org.wildfly.security] (default task-1) Identity [myuser] attributes are:

13:49:22,102 DEBUG [org.wildfly.security] (default task-1) Attribute [Roles] value [CN=myteam,OU=MYTeam,DC=company,DC=fullcompany].

And this is the config

<ldap-realm name="my-ldap-realm" dir-context="my-ldap-connection" direct-verification="true">

<identity-mapping rdn-identifier="memberOf" search-base-dn="CN=Users,DC=company,DC=fullcompany" filter-name="(sAMAccountName={0})">

<attribute-mapping>

</attribute-mapping>

</identity-mapping>

</ldap-realm>

The binding and principal look up appear to be functioning. I'd like to either return a static "appuser" as a default role or to translate the LDAP return value into "appuser".

Thanks,

Carl

1. Re: Anything Like LDAP defaultRole in Elytron?

walkerca Jan 10, 2020 3:48 PM (in response to walkerca)

After turning on TRACE for org.wildfly.security, I saw that my Constant Role Mapper was being picked up.

I was missing a default-permission-mapper. Setting this on the domain cleared everything up.
Actions