LdapRealm - referral mode: direct verification + THROW mode ------------------------------------------------------------ Key: WFLY-7705 URL: https://issues.jboss.org/browse/WFLY-7705 Project: WildFly Issue Type: Feature Request Components: Security Reporter: Jan Kalina Assignee: Jan Kalina Fix For: 11.0.0.Alpha1 *1) Log in as referral user is still not possible.* Currently referral user can be found by ldap realm, but his password cannot be verified => log in is still not possible. There are two possible ways how to authenticate user in ldap realm: using direct verification - in this case after obtaining referral user, this referral user is used in LDAP bindRequest against original LDAP server (not referenced LDAP server) which results to invalid credentials bindResponse not using direct verification - in this case after obtaining referral user, this user is used as part of baseObject scope LDAP searchRequest for password attribute against original LDAP server (not referenced LDAP server) which results to noSuchObject searchResDone. Comment [1] says that you are able to log in as user of referred server. Can you please share your configuration? Since there is no related documentation, maybe I do something wrong in using/not using of direct verification. *2) Elytron does not handle THROW referral mode* In case when dir-context uses THROW referral-mode then com.sun.jndi.ldap.LdapReferralException is not caught in Elytron (which is LDAP client) and is thrown to integration tier which also does not handle it, e.g. in case when ldap-realm is used for authentication to application, then it results to status code 500 returned to the application. [1] https://issues.jboss.org/browse/WFLY-7322?focusedCommentId=13307815&p... ( Requested in https://issues.jboss.org/browse/JBEAP-6450?focusedCommentId=13323387#comm... )