Problem with authentication in Elytron (WildFly)

My LEGACY LDAP authentication configuration worked well with the old versions of WildFly and authenticated only a superuser that is part of a specific group.

After switching to WildFly 26, which supports Elytron, I am facing authentication problems: I need to authenticate only a SUPERUSER belonging to a group, not all users, but the configuration I made accepts and grants access to all users, which I don't want. Below I'll show you the two configurations.

LEGACY CONFIG
<security-realm name="realmx">
    <authentication>
        <ldap connection="ldap-connection" base-dn="CN=Users,dc=com,dc=global" recursive="true">
            <advanced-filter filter="(&amp;(sAMAccountName={0})(memberOf=CN=tfff wildfly Admins,CN=Users,dc=com,dc=global))"/>
        </ldap>
    </authentication>
</security-realm>
</security-realms>
<outbound-connections>
    <ldap name="ldap-connection" url="ldap://xxxxxxx" search-dn="CN=WEBAPP,CN=Users,dc=com,dc=global" search-credential="pass"/>
</outbound-connections>
ELYTRON CONFIG
<ldap-realm name="LdapRealm" dir-context="exampleDC" direct-verification="true">
    <identity-mapping rdn-identifier="sAMAccountName" use-recursive-search="false" search-base-dn="cn=Users,dc=com,dc=global">
        <attribute-mapping>
            <attribute from="cn" to="Roles" filter="(member={1})" filter-base-dn="cn=Users,dc=com,dc=global"/>
        </attribute-mapping>
        <user-password-mapper from="userPassword"/>
    </identity-mapping>
....
<dir-context name="exampleDC" url="ldap://xxxx" principal="CN=WEBAPP,cn=Users,dc=com,dc=global">
    <credential-reference clear-text="pass"/>
</dir-context>
CodePudding user response:
In the identity-mapping configuration, I think you'll want to add the filter-name attribute and set it to "(&(sAMAccountName={0})(memberOf=CN=tfff wildfly Admins,CN=Users,dc=com,dc=global))".

Then, in the attribute-mapping configuration, the filter can be set to "(&(objectClass=group)(member={1}))".
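The answer's two changes applied to the Elytron realm from the question, as an added example that is not part of the original post or of the WildFly project; the LDAP host, bind DN and password are placeholders, and the group DN is the one from the legacy advanced-filter:

```xml
<!-- Added example: Elytron ldap-realm that only knows members of one AD group.
     Placeholders: ldap://LDAP_HOST, the bind principal and its password. -->
<ldap-realm name="LdapRealm" dir-context="exampleDC" direct-verification="true">
    <!-- {0} is the login name the user typed. The entry must match BOTH the
         sAMAccountName and the memberOf clause, so an account outside the
         group is simply not found by the realm and cannot authenticate,
         even with a correct password. In XML the "&" of the LDAP AND
         operator must be written "&amp;". -->
    <identity-mapping rdn-identifier="sAMAccountName"
                      use-recursive-search="false"
                      search-base-dn="cn=Users,dc=com,dc=global"
                      filter-name="(&amp;(sAMAccountName={0})(memberOf=CN=tfff wildfly Admins,CN=Users,dc=com,dc=global))">
        <attribute-mapping>
            <!-- {1} is the DN of the identity found above. Only group
                 objects that list that DN as a member are mapped to Roles. -->
            <attribute from="cn" to="Roles"
                       filter="(&amp;(objectClass=group)(member={1}))"
                       filter-base-dn="cn=Users,dc=com,dc=global"/>
        </attribute-mapping>
        <user-password-mapper from="userPassword"/>
    </identity-mapping>
</ldap-realm>

<dir-context name="exampleDC"
             url="ldap://LDAP_HOST"
             principal="CN=WEBAPP,cn=Users,dc=com,dc=global">
    <!-- Placeholder secret; a credential store is preferable to clear-text. -->
    <credential-reference clear-text="PLACEHOLDER_PASSWORD"/>
</dir-context>
```

A quick check after applying this: log in once with a group member and once with a valid account that is not in the group; the second attempt should fail at the realm, not merely lack the Roles attribute.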