Elytron ldap-realm does not support principal to group mapping (memberOf) ------------------------------------------------------------------------- Key: WFLY-7848 URL: https://issues.jboss.org/browse/WFLY-7848 Project: WildFly Issue Type: Bug Components: Security Reporter: Jan Kalina Assignee: Jan Kalina Priority: Blocker Elytron ldap-realm is not able to work with LDAP which uses principal to group mapping. It seems that there is currently no way how to configure principal to group mapping in application server. Simplified example: {code} dn: uid=TestUserOne,ou=users,dc=principal-to-group,dc=example,dc=org objectClass: groupMember memberOf: uid=GroupOne,ou=groups,dc=principal-to-group,dc=example,dc=org memberOf: uid=Slashy/Group,ou=groups,dc=principal-to-group,dc=example,dc=org dn: uid=GroupOne,ou=groups,dc=principal-to-group,dc=example,dc=org objectClass: groupMember objectClass: group memberOf: uid=GroupFive,ou=subgroups,ou=groups,dc=principal-to-group,dc=example,dc=org {code} Example for reproducing: (by olukas) Role {{SomeRole}} is currently not able to be assigned to user {{someUser}} when following ldif is used. In this case principal to group mapping is provided by attribute {{description}}, but in can be provided by any attribute (e.g. memberOf). User {{thisUserIsNotUsed}} is used only for simpler reproduction of issue. {code} dn: ou=People,dc=jboss,dc=org objectclass: top objectclass: organizationalUnit ou: People dn: uid=someUser,ou=People,dc=jboss,dc=org objectclass: top objectclass: person objectclass: inetOrgPerson uid: someUser cn: some User sn: User userPassword: Password description: cn=SomeRole,ou=Roles,dc=jboss,dc=org dn: uid=thisUserIsNotUsed,ou=People,dc=jboss,dc=org objectclass: top objectclass: person objectclass: inetOrgPerson uid: thisUserIsNotUsed cn: this User Is Not Used sn: this User Is Not Used userPassword: Password dn: ou=Roles,dc=jboss,dc=org objectclass: top objectclass: organizationalUnit ou: Roles dn: cn=SomeRole,ou=Roles,dc=jboss,dc=org objectclass: top objectclass: groupOfNames cn: SomeRole member: uid=thisUserIsNotUsed,ou=People,dc=jboss,dc=org {code} Mentioned ldif works with legacy security solution. This missing feature can cause that migration from legacy security solution will not be possible -> we request blocker.