[jboss-jira] [JBoss JIRA] (WFLY-3048) "Local" authentication fails when LDAP is used for ManagementRealm

Matt Jensen (JIRA) issues at jboss.org
Fri Feb 28 14:03:47 EST 2014 

Matt Jensen created WFLY-3048:
---------------------------------

             Summary: "Local" authentication fails when LDAP is used for ManagementRealm
                 Key: WFLY-3048
                 URL: https://issues.jboss.org/browse/WFLY-3048
             Project: WildFly
          Issue Type: Bug
      Security Level: Public (Everyone can see)
          Components: Security
    Affects Versions: 8.0.0.Final
         Environment: Ubuntu 13.04, Xeon-based VPS
            Reporter: Matt Jensen
            Assignee: Darran Lofthouse


When LDAP is used for authentication in ManagementRealm, "local" authentication, which is enabled in configuration for the realm, appears to stop working.

I have configured my ManagementRealm to use LDAP for authentication of remote clients.  However, I also need to allow local authentication without a username and password, for when jboss-cli is invoked from the command line on the server.  This is needed in order for the wildfly-init-debian.sh script to shut down the server.  I have configured the ManagementRealm as follows:

<security-realm name="ManagementRealm">
        <authentication>
            <local default-user="$local" />
            <ldap connection="..." base-dn="ou=accounts,dc=..." recursive="false">
                ...
            </ldap>
        </authentication>
        <authorization map-groups-to-roles="false">
            <ldap connection="...">
                ...
            </ldap>
        </authorization>
    </security-realm>

I left out most of the LDAP configuration because I don't think it is important for this issue.  LDAP authentication works fine for remote clients.  In fact, it works fine for local clients as well--when I invoke jboss-cli with LDAP authentication enabled, it prompts for a username and password; if I enter a valid combination from the LDAP directory, jboss-cli connects successfully and executes its command.

The problem is that I need it to NOT prompt for a username and password when jboss-cli is invoked locally.  Which, I believe, is how things are supposed to work when "local" authentication is also enabled; it just doesn't work that way when LDAP is enabled for the same realm.

If I comment out the <ldap .../> element in <authentication> for the realm, local authentication starts working again.  I can invoke jboss-cli locally and the command is carried out without a username and password prompt.  Re-enable LDAP, with no other configuration changes, and again it flips back to requiring a username and password.

I have tried replacing "$local" in the @default-user element of the <local> element with a valid name from the LDAP directory, both as a simple username and as a full DN, and jboss-cli still prompts for a username and password.

The modification date on the [tmp/auth] directory changes when I run jboss-cli with LDAP in place and get the username/password prompt, so it appears that the client is putting a token in there to try to use local authentication.  The server just never picks it up.

The documentation specifically mentions that <local/> should work along with <ldap/> here:
https://docs.jboss.org/author/display/WFLY8/Security+Realms

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the jboss-jira mailing list