David Lloyd commented on ELY-857:
---------------------------------
Note that the principal derived from the realm is not used in the final SecurityIdentity
at all today. It is only used to be able to locate the identity within the realm itself,
which may have a later function relating to self-service.
Elytron ldap-realm is not able to use LDAP attribute as principal
-----------------------------------------------------------------
Key: ELY-857
URL: https://issues.jboss.org/browse/ELY-857
Project: WildFly Elytron
Issue Type: Bug
Components: Realms
Affects Versions: 1.1.0.Beta16
Reporter: Ondrej Lukas
Assignee: Jan Kalina
Priority: Blocker
In Elytron ldap-realm it is currently not possible to obtain the username from an LDAP
attribute which is different from rdn-identifier. It means that the username of the
identity is always the same as the value of the rdn-identifier attribute.
It can cause issues when ldap-realm is used for authentication and another realm is used
for authorization, since data for realm authorization can depend on the name assigned
during authentication.
Example:
It seems that ldap-realm cannot be configured for the following scenario: A user with
credentials {{someUser}}/{{Password}} is authenticated and the name {{AuthenticatedUser}} is
assigned to them (e.g. when calling {{./jboss-cli.sh -c -u=someUser -p=Password
':whoami'}}, then {{AuthenticatedUser}} should be printed). The following ldif is
used:
{code}
dn: ou=People,dc=jboss,dc=org
objectclass: top
objectclass: organizationalUnit
ou: People

dn: uid=someUser,ou=People,dc=jboss,dc=org
objectclass: top
objectclass: person
objectclass: inetOrgPerson
uid: someUser
cn: some User
sn: AuthenticatedUser
userPassword: Password
{code}
The mentioned ldif works correctly with the legacy security solution.
This missing feature can mean that migration from the legacy security solution will not be
possible -> we request blocker.
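The scenario above, as an added model that is not part of the issue or of Elytron's own code: a minimal LDIF reader locates the identity by its rdn-identifier attribute, checks the credential, and then derives the principal name either from that same attribute (the current behaviour the reporter describes) or from a separately configured attribute such as {{sn}} (the requested behaviour). The {{principal_attribute}} parameter and the function names are assumptions made for illustration.

```python
# Added model of the ELY-857 scenario, not Elytron's code: locate the identity by
# its rdn-identifier attribute, check the credential, then derive the principal.
import hmac

# Constructed sample copied from the issue's ldif (cleartext password as given there).
LDIF = """\
dn: ou=People,dc=jboss,dc=org
objectclass: top
objectclass: organizationalUnit
ou: People

dn: uid=someUser,ou=People,dc=jboss,dc=org
objectclass: top
objectclass: person
objectclass: inetOrgPerson
uid: someUser
cn: some User
sn: AuthenticatedUser
userPassword: Password
"""

def parse_ldif(text):
    """Minimal LDIF reader (no base64 '::' values, no continuation lines)."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():          # blank line ends the current entry
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def authenticate(login, password, rdn_identifier="uid", principal_attribute=None):
    """Principal name to assign, or None on failure. principal_attribute=None models
    today's ldap-realm (principal == RDN value); the parameter is an assumption."""
    # Locate the identity by the rdn-identifier attribute, as ldap-realm does.
    entry = next((e for e in parse_ldif(LDIF)
                  if login in e.get(rdn_identifier.lower(), [])), None)
    if entry is None:
        return None
    stored = entry.get("userpassword", [""])[0]
    if not hmac.compare_digest(stored.encode(), password.encode()):
        return None
    values = entry.get((principal_attribute or rdn_identifier).lower())
    return values[0] if values else None
```

With {{principal_attribute="sn"}} the same login yields {{AuthenticatedUser}}, which is the name an authorization realm would then receive; with the default it yields {{someUser}}.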