Description of problem:

Where a security realm is configured to load groups from LDAP it should not cause an authentication failure if the user is not found in LDAP.

One example is local authentication where the user may not exist. Another is domain mode servers where the servers have a custom name and generated password that they use to connect back to the local host controller.

Steps to Reproduce:

Configure domain mode to use LDAP / RBAC for the management realm:

    <security-realm name="ManagementRealm">
        <authentication>
            <ldap connection="ldap_connection" base-dn="ou=Users,dc=my-domain,dc=com">
                <username-filter attribute="uid"/>
            </ldap>
        </authentication>
        <authorization map-groups-to-roles="true">
            <ldap connection="ldap_connection">
                <username-to-dn force="true">
                    <username-filter base-dn="ou=Users,dc=my-domain,dc=com" recursive="true" attribute="uid" user-dn-attribute="dn" />
                </username-to-dn>
                <group-search group-name="SIMPLE" iterative="true" group-dn-attribute="dn" group-name-attribute="cn">
                    <group-to-principal base-dn="ou=Groups,dc=my-domain,dc=com" recursive="true" search-by="DISTINGUISHED_NAME">
                        <membership-filter principal-attribute="member" />
                    </group-to-principal>
                </group-search>
            </ldap>
        </authorization>
    </security-realm>

Actual results:

Server instances fail to start:

    [Server:server-one] 15:33:51,172 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) JBAS014613: Operation ("validate-authorization") failed - address: ([
    [Server:server-one]     ("core-service" => "management"),
    [Server:server-one]     ("security-realm" => "ManagementRealmLDAP"),
    [Server:server-one]     ("authorization" => "ldap")
    [Server:server-one] ]) - failure description: "JBAS015290: Configuration for security realm 'ManagementRealmLDAP' does not contain any group-search resource within the authorization=ldap resource."
    [Server:server-one] 15:33:51,178 FATAL [org.jboss.as.server] (Controller Boot Thread) JBAS015957: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details.

Expected results:

Additional info:
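The behaviour the report asks for, modelled in Python as an added example (not JBoss code and not part of the original report): the group search from the realm above runs against an in-memory directory, and a user with no LDAP entry gets an empty group set instead of a failure. The directory entries, the function names and the `DirectoryUnavailable` error are assumptions made for illustration; keeping a connection failure distinct from "user not found" is likewise an assumption, not something the report states.

```python
# Constructed in-memory stand-in for the directory; every entry is sample data.
USERS = {  # entries under ou=Users, keyed by DN
    "uid=alice,ou=Users,dc=my-domain,dc=com": {"uid": "alice"},
}
GROUPS = {  # entries under ou=Groups; "member" holds user or group DNs
    "cn=Ops,ou=Groups,dc=my-domain,dc=com":
        {"cn": "Ops", "member": ["uid=alice,ou=Users,dc=my-domain,dc=com"]},
    "cn=Admins,ou=Groups,dc=my-domain,dc=com":
        {"cn": "Admins", "member": ["cn=Ops,ou=Groups,dc=my-domain,dc=com"]},
}


class DirectoryUnavailable(Exception):
    """Hypothetical error for a failed LDAP connection (not a missing user)."""


def username_to_dn(username, users=USERS):
    """Model of username-filter attribute="uid": the user's DN, or None."""
    if users is None:  # stands in for a connection that could not be opened
        raise DirectoryUnavailable("no connection to the directory")
    for dn, attrs in users.items():
        if attrs["uid"] == username:
            return dn
    return None


def load_groups(username, users=USERS, groups=GROUPS):
    """Model of group-to-principal, search-by DISTINGUISHED_NAME, iterative."""
    dn = username_to_dn(username, users)
    if dn is None:
        # The user authenticated elsewhere (local auth, a domain server's
        # generated account): no LDAP entry means no groups, not a failure.
        return set()
    found, pending, seen = set(), [dn], {dn}
    while pending:  # iterative="true": also resolve groups of groups
        principal = pending.pop()
        for group_dn, attrs in groups.items():
            if principal in attrs["member"] and group_dn not in seen:
                seen.add(group_dn)
                found.add(attrs["cn"])  # group-name="SIMPLE": the cn value
                pending.append(group_dn)
    return found
```

With `map-groups-to-roles="true"`, an empty set means the principal receives no roles from LDAP groups, so any access it has must come from another role mapping.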
6.2.x PR: https://github.com/jbossas/jboss-eap/pull/781 6.x PR: https://github.com/jbossas/jboss-eap/pull/780
Marking for inclusion in 6.2.1 release notes documentation.
Hi Derek, I'm hoping you could assist the documentation effort and fill in the blanks in the Doc Text field above for the release notes.
Verified with 6.2.1.CP.CR1-patch.
Thanks for the help Derek. Marking final note for inclusion in the Release Notes document.
Fixed a typo in Doc Text
Minor amendments to release notes text.