"Local" authentication fails when LDAP is used for ManagementRealm ------------------------------------------------------------------ Key: WFLY-3048 URL: https://issues.jboss.org/browse/WFLY-3048 Project: WildFly Issue Type: Bug Security Level: Public(Everyone can see) Components: Security Affects Versions: 8.0.0.Final Environment: Ubuntu 13.04, Xeon-based VPS Reporter: Matt Jensen Assignee: Darran Lofthouse Fix For: 8.1.0.CR1 When LDAP is used for authentication in ManagementRealm, "local" authentication, which is enabled in configuration for the realm, appears to stop working. I have configured my ManagementRealm to use LDAP for authentication of remote clients. However, I also need to allow local authentication without a username and password, for when jboss-cli is invoked from the command line on the server. This is needed in order for the wildfly-init-debian.sh script to shut down the server. I have configured the ManagementRealm as follows: <security-realm name="ManagementRealm"> <authentication> <local default-user="$local" /> <ldap connection="..." base-dn="ou=accounts,dc=..." recursive="false"> ... </ldap> </authentication> <authorization map-groups-to-roles="false"> <ldap connection="..."> ... </ldap> </authorization> </security-realm> I left out most of the LDAP configuration because I don't think it is important for this issue. LDAP authentication works fine for remote clients. In fact, it works fine for local clients as well--when I invoke jboss-cli with LDAP authentication enabled, it prompts for a username and password; if I enter a valid combination from the LDAP directory, jboss-cli connects successfully and executes its command. The problem is that I need it to NOT prompt for a username and password when jboss-cli is invoked locally. Which, I believe, is how things are supposed to work when "local" authentication is also enabled; it just doesn't work that way when LDAP is enabled for the same realm. If I comment out the <ldap .../> element in <authentication> for the realm, local authentication starts working again. I can invoke jboss-cli locally and the command is carried out without a username and password prompt. Re-enable LDAP, with no other configuration changes, and again it flips back to requiring a username and password. I have tried replacing "$local" in the @default-user element of the <local> element with a valid name from the LDAP directory, both as a simple username and as a full DN, and jboss-cli still prompts for a username and password. The modification date on the [tmp/auth] directory changes when I run jboss-cli with LDAP in place and get the username/password prompt, so it appears that the client is putting a token in there to try to use local authentication. The server just never picks it up. The documentation specifically mentions that <local/> should work along with <ldap/> here: https://docs.jboss.org/author/display/WFLY8/Security+Realms