Darran Lofthouse commented on WFLY-3048:
----------------------------------------
Unfortunately the LDAP authorization configuration is omitted, so it is difficult to see
how exactly that was defined. When testing was performed to define a different username
for the local mechanism that should match in LDAP group loading, one thing that could have
been missing is the <username-to-dn /> definition in the <ldap /> section of
<authorization />. The purpose of that section is to define how to take the
username from a non-LDAP based authentication and convert it into a distinguished name.
Unless force is specified, typically we would skip the second search and use a cached
result from the LDAP based authentication, but of course that is not possible if the
mechanism used was <local />.

Regarding the general problem, I am going to add a new attribute
skip-group-loading="..." with a default of 'false' to the <local />
element within <authentication />. If this attribute is set to true, then
provided the local mechanism was used for authentication, the group loading step will
be skipped.

Note: A default of true may make more sense for this attribute; unfortunately we have
already shipped where that is not the default setting, and users could be relying on us
performing group loading, so we will need the default value to be 'false'. In the
config we ship, however, we can set this to true.
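Added here as an illustration (not configuration taken from the issue or from the WildFly project): the reporter's realm with the two remedies described in the comment above applied, a <username-to-dn /> block under <authorization />/<ldap /> and the proposed skip-group-loading attribute on <local />. The connection name, base DNs and directory attribute names are placeholders, and the group-search element names are assumed from the WildFly 8 security-realm schema.

```xml
<security-realm name="ManagementRealm">
  <authentication>
    <!-- Proposed attribute: skip the group-loading step entirely when the
         local mechanism (the tmp/auth token exchange) authenticated the caller.
         Only the local CLI path is affected; LDAP users still get groups loaded. -->
    <local default-user="$local" skip-group-loading="true" />
    <!-- Placeholder connection name and base DN (constructed for this example). -->
    <ldap connection="ldap-connection" base-dn="ou=accounts,dc=example,dc=com"
          recursive="false">
      <username-filter attribute="uid" />
    </ldap>
  </authentication>
  <authorization map-groups-to-roles="false">
    <ldap connection="ldap-connection">
      <!-- Required whenever the user name did NOT come from the LDAP
           authentication step (local, properties, client-cert...): it maps
           the name to a DN so that group loading can search the directory.
           force="false" reuses the DN cached by an LDAP authentication when
           one exists. A default-user such as "$local" has no directory entry,
           which is why skip-group-loading="true" above is still needed. -->
      <username-to-dn force="false">
        <username-filter base-dn="ou=accounts,dc=example,dc=com"
                         recursive="false" attribute="uid"
                         user-dn-attribute="dn" />
        <!-- If default-user were set to a full DN instead of a simple name,
             <username-is-dn /> would replace the <username-filter /> above. -->
      </username-to-dn>
      <group-search>
        <group-to-principal base-dn="ou=groups,dc=example,dc=com"
                            search-by="DISTINGUISHED_NAME">
          <membership-filter principal-attribute="uniqueMember" />
        </group-to-principal>
      </group-search>
    </ldap>
  </authorization>
</security-realm>
```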
"Local" authentication fails when LDAP is used for ManagementRealm
------------------------------------------------------------------

Key: WFLY-3048
URL: https://issues.jboss.org/browse/WFLY-3048
Project: WildFly
Issue Type: Bug
Security Level: Public (Everyone can see)
Components: Security
Affects Versions: 8.0.0.Final
Environment: Ubuntu 13.04, Xeon-based VPS
Reporter: Matt Jensen
Assignee: Darran Lofthouse
Fix For: 8.0.1.Final
When LDAP is used for authentication in ManagementRealm, "local"
authentication, which is enabled in configuration for the realm, appears to stop working.
I have configured my ManagementRealm to use LDAP for authentication of remote clients.
However, I also need to allow local authentication without a username and password, for
when jboss-cli is invoked from the command line on the server. This is needed in order
for the wildfly-init-debian.sh script to shut down the server. I have configured the
ManagementRealm as follows:
<security-realm name="ManagementRealm">
    <authentication>
        <local default-user="$local" />
        <ldap connection="..." base-dn="ou=accounts,dc=..." recursive="false">
            ...
        </ldap>
    </authentication>
    <authorization map-groups-to-roles="false">
        <ldap connection="...">
            ...
        </ldap>
    </authorization>
</security-realm>
I left out most of the LDAP configuration because I don't think it is important for
this issue. LDAP authentication works fine for remote clients. In fact, it works fine
for local clients as well--when I invoke jboss-cli with LDAP authentication enabled, it
prompts for a username and password; if I enter a valid combination from the LDAP
directory, jboss-cli connects successfully and executes its command.
The problem is that I need it to NOT prompt for a username and password when jboss-cli is
invoked locally. Which, I believe, is how things are supposed to work when
"local" authentication is also enabled; it just doesn't work that way when
LDAP is enabled for the same realm.
If I comment out the <ldap .../> element in <authentication> for the realm,
local authentication starts working again. I can invoke jboss-cli locally and the command
is carried out without a username and password prompt. Re-enable LDAP, with no other
configuration changes, and again it flips back to requiring a username and password.
I have tried replacing "$local" in the @default-user element of the
<local> element with a valid name from the LDAP directory, both as a simple username
and as a full DN, and jboss-cli still prompts for a username and password.
The modification date on the [tmp/auth] directory changes when I run jboss-cli with LDAP
in place and get the username/password prompt, so it appears that the client is putting a
token in there to try to use local authentication. The server just never picks it up.
The documentation specifically mentions that <local/> should work along with
<ldap/> here:
https://docs.jboss.org/author/display/WFLY8/Security+Realms