Ondrej Lukas updated WFLY-7437:
-------------------------------
Labels: user_experience (was: )
Inconsistencies in otp-credential-mapper attribute of Elytron
ldap-realm
------------------------------------------------------------------------
Key: WFLY-7437
URL: https://issues.jboss.org/browse/WFLY-7437
Project: WildFly
Issue Type: Bug
Components: Security
Affects Versions: 11.0.0.Alpha1
Reporter: Ondrej Lukas
Assignee: Darran Lofthouse
Priority: Minor
Labels: user_experience
The {{identity-mapping.otp-credential-mapper}} attribute of the Elytron ldap-realm is an
object with four required attributes: algorithm-from, hash-from, seed-from and
sequence-from. All four are defined with nillable=false.
However, the CLI accepts a command that adds otp-credential-mapper without any of these
attributes, which is inconsistent with nillable=false. See the following command:
{code}
/subsystem=elytron/ldap-realm=ldap-realm:add(dir-context=ldap,identity-mapping={rdn-identifier=uid,otp-credential-mapper={}})
{code}
Moreover, this command results in a configuration XML without any otp-credential-mapper element:
{code}
<ldap-realm name="ldap-realm" dir-context="ldap">
    <identity-mapping rdn-identifier="uid"/>
</ldap-realm>
{code}
When at least one of the required otp-credential-mapper attributes is given, the CLI
command correctly fails:
{code}
/subsystem=elytron/ldap-realm=ldap-realm:add(dir-context=ldap,identity-mapping={rdn-identifier=uid,otp-credential-mapper={algorithm-from=atr}})
{
    "outcome" => "failed",
    "failure-description" => "WFLYCTL0155: hash-from may not be null",
    "rolled-back" => true
}
{code}
Suggestion:
Do not allow {{identity-mapping.otp-credential-mapper}} to be added without its required
attributes.
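As an added illustration (not WildFly or Elytron code), the following Python model shows the check the suggestion asks for: a nested object attribute that is present but empty must still have its nillable=false attributes validated. The schema, payloads and outcome dicts are constructed from the attribute names and CLI output quoted above; the `validate_empty_objects=False` switch is a hypothetical knob used only to reproduce the reported behaviour next to the corrected one.

```python
# Constructed model of the required-attribute check a management resource should
# apply to a nested object attribute; not WildFly or Elytron code. The schema only
# mirrors the attribute names in the report: entry = (nillable, nested schema or None).
LDAP_REALM_SCHEMA = {
    "dir-context": (False, None),
    "identity-mapping": (False, {
        "rdn-identifier": (False, None),
        "otp-credential-mapper": (True, {
            "algorithm-from": (False, None),
            "hash-from": (False, None),
            "seed-from": (False, None),
            "sequence-from": (False, None),
        }),
    }),
}

def validate(value, schema, validate_empty_objects=True):
    """Raise ValueError if a nillable=false attribute is missing from `value`.
    validate_empty_objects=False reproduces the lenient behaviour in the report:
    a nested object that is present but empty skips the checks on its own attributes."""
    for name, (nillable, nested) in schema.items():
        child = value.get(name)
        if child is None:
            if not nillable:  # message shape follows the CLI output quoted in the report
                raise ValueError(f"WFLYCTL0155: {name} may not be null")
        elif nested is not None:
            if child == {} and not validate_empty_objects:
                continue  # the inconsistency: {} bypasses the nested nillable checks
            validate(child, nested, validate_empty_objects)

def check(op, validate_empty_objects=True):
    """Validate an :add operation payload and return a CLI-style outcome dict."""
    try:
        validate(op, LDAP_REALM_SCHEMA, validate_empty_objects)
        return {"outcome": "success"}
    except ValueError as e:
        return {"outcome": "failed", "failure-description": str(e), "rolled-back": True}

# The two commands quoted in the report, as operation payloads (constructed).
EMPTY_MAPPER = {"dir-context": "ldap", "identity-mapping": {
    "rdn-identifier": "uid", "otp-credential-mapper": {}}}
PARTIAL_MAPPER = {"dir-context": "ldap", "identity-mapping": {
    "rdn-identifier": "uid", "otp-credential-mapper": {"algorithm-from": "atr"}}}

if __name__ == "__main__":
    print(check(EMPTY_MAPPER, validate_empty_objects=False))  # what the report observed
    print(check(EMPTY_MAPPER))    # with the check applied: algorithm-from may not be null
    print(check(PARTIAL_MAPPER))  # hash-from may not be null, as in the report
```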