Description of problem: Where a security realm is configured to load groups from LDAP it should not cause an authentication failure if the user is not found in LDAP. One example is local authentication where the user may not exist. Another is domain mode servers where the servers have a custom name and generated password that they use to connect back to the local host controller.
6.x PR: https://github.com/jbossas/jboss-eap/pull/780
QA is OK with forced qa_ack.
Verification on EAP 6.3.0.DR1 failed. It seems it still fails. I've added authorization through LDAP (to load groups from LDAP, see below). When I define the $local user in the ldif for LDAP, I can connect to jboss-cli, but when I comment out the $local user from the ldif it fails, although according to the correct behavior it should still allow me access to jboss-cli. I used the following authorization for ManagementRealm:

    <authorization map-groups-to-roles="false">
        <ldap connection="ldapConnection">
            <username-to-dn force="false">
                <username-filter base-dn="ou=People,dc=jboss,dc=org" user-dn-attribute="dn" attribute="uid" />
            </username-to-dn>
            <group-search group-name="SIMPLE" group-dn-attribute="dn" group-name-attribute="cn">
                <group-to-principal base-dn="ou=Groups,dc=jboss,dc=org" search-by="DISTINGUISHED_NAME">
                    <membership-filter principal-attribute="member"/>
                </group-to-principal>
            </group-search>
        </ldap>
    </authorization>
Verified on EAP 6.3.0.ER2. Using parameter skip-group-loading resolved this issue.
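An added example (not part of the bug report or the EAP code base): a small audit over a standalone.xml/host.xml-style document that lists security realms combining `<local>` authentication with LDAP group loading but without `skip-group-loading="true"`. It assumes the attribute is set on the realm's `<local>` element; the sample XML, its namespace version and the realm name `FixedRealm` are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: two realms that load groups from LDAP, one without and
# one with skip-group-loading on <local>. Namespace version is illustrative.
SAMPLE = """<management xmlns="urn:jboss:domain:1.6">
  <security-realms>
    <security-realm name="ManagementRealm">
      <authentication>
        <local default-user="$local"/>
      </authentication>
      <authorization map-groups-to-roles="false">
        <ldap connection="ldapConnection"/>
      </authorization>
    </security-realm>
    <security-realm name="FixedRealm">
      <authentication>
        <local default-user="$local" skip-group-loading="true"/>
      </authentication>
      <authorization>
        <ldap connection="ldapConnection"/>
      </authorization>
    </security-realm>
  </security-realms>
</management>"""

def local_name(elem):
    # Strip the "{namespace}" prefix so the check works across schema versions.
    return elem.tag.rsplit("}", 1)[-1]

def child(elem, name):
    return next((c for c in elem if local_name(c) == name), None)

def realms_needing_skip(xml_text):
    """Names of realms where local auth would still trigger an LDAP group lookup."""
    flagged = []
    for realm in ET.fromstring(xml_text).iter():
        if local_name(realm) != "security-realm":
            continue
        authn, authz = child(realm, "authentication"), child(realm, "authorization")
        if authn is None or authz is None:
            continue
        local, ldap_groups = child(authn, "local"), child(authz, "ldap")
        if local is None or ldap_groups is None:
            continue  # no local mechanism, or groups are not loaded from LDAP
        if local.get("skip-group-loading", "false").lower() != "true":
            flagged.append(realm.get("name"))
    return flagged

if __name__ == "__main__":
    print(realms_needing_skip(SAMPLE))
```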
Is this issue the same as the one Tom raised in bug 1069127? If so, which should carry the release notes text into the final document?
Yes, that is correct, both are the same issue - the initial description was just described differently.
Thanks Darran. Marking for exclusion from 6.3.0 Release Notes as the issue is already noted in 1069127.