4 Replies Latest reply on Jan 24, 2020 11:21 AM by walkerca

    Legacy security to Elytron Migration




      I'm trying to migrate legacy security to Elytron:


      In Wildfly 16 i have this security-domain:


      <security-domain name="MyDomain" cache-type="default">



      <login-module code="Database" flag="sufficient">

      <module-option name="dsJndiName" value="java:/MyUsersDS"/>

      <module-option name="principalsQuery" value="SELECT password FROM USER WHERE username = ?"/>

      <module-option name="rolesQuery" value="SELECT groupname, 'Roles' FROM USERGROUP  WHERE username = ?"/>

      <module-option name="hashAlgorithm" value="SHA-256"/>

      <module-option name="hashEncoding" value="base64"/>


      <login-module code="Ldap" flag="sufficient">

      <module-option name="java.naming.provider.url" value="ldap://xxx.xxx.xxx.xxx:389/"/>

      <module-option name="principalDNSuffix" value="@mydomain.com"/>

      <module-option name="rolesCtxDN" value="DC=MYDOMAIN,DC=COM"/>

      <module-option name="uidAttributeID" value="sAMAccountName"/>

      <module-option name="roleAttributeID" value="memberOf"/>

      <module-option name="roleAttributeIsDN" value="true"/>






      With this configuration, user credentials are validated against login-module that succeeds the first(flag=sufficient).

      I'm trying to replicate this config with Elytron using Wildfly 18.0.1.

      I already succeed using only ldap-realm or Database. However i need to authenticate in Ldap if Database fails.

      How can i do this?