+++ This bug was initially created as a clone of Bug #961656 +++

The authentication in the REST api currently only supports local users, but no LDAP users. We need to fix that.

--- Additional comment from Heiko W. Rupp on 2013-05-13 05:37:30 EDT ---

The simplest way to support LDAP would be to switch to the "RHQUserSecurityDomain", which fails as RHQ is removing / re-adding the domain on each start. EAP sees this and complains that the removal would leave the rhq-rest.war in an illegal state (with a referenced but not provided security-domain) -- see below.

I currently see three possible options:

1) Add the logic to add/remove LDAP support to the RHQRESTSecurityDomain.
2) Fix the RHQUserSecurityDomain setup in the CustomJaasDeploymentService to not touch the security-domain on each restart and to only add/remove the LDAP module when requested (and perhaps change flags on the other modules).
3) Check if the remove/re-add can be done in a transaction (an EAP composite operation), so that other services only see the end result.

11:26:28,758 INFO [org.rhq.enterprise.server.core.CustomJaasDeploymentService] (EJB default - 1) Security domain [RHQUserSecurityDomain] already exists, it will be replaced.
11:26:28,804 INFO [org.jboss.web] (ServerService Thread Pool -- 82) JBAS018224: Unregister web context: /rest
11:26:28,806 INFO [org.rhq.helpers.rtfilter.filter.RtFilter] (ServerService Thread Pool -- 82) -- Filter destroy: 0 requests processed (hashCode=226618607).
11:26:28,813 INFO [org.jboss.web] (ServerService Thread Pool -- 82) JBAS018210: Register web context: /rest
11:26:28,820 INFO [org.rhq.helpers.rtfilter.filter.RtFilter] (ServerService Thread Pool -- 82) Initialized response-time filter for webapp with context root 'rest'.
11:26:28,823 ERROR [org.rhq.enterprise.server.core.CustomJaasDeploymentService] (EJB default - 1) Error deploying JAAS login modules: java.lang.Exception: Error registering RHQ JAAS modules
    at org.rhq.enterprise.server.core.CustomJaasDeploymentService.registerJaasModules(CustomJaasDeploymentService.java:176) [rhq-enterprise-server-ejb3.jar:4.8.0-SNAPSHOT]
    at org.rhq.enterprise.server.core.CustomJaasDeploymentService.installJaasModules(CustomJaasDeploymentService.java:76) [rhq-enterprise-server-ejb3.jar:4.8.0-SNAPSHOT]
Caused by: org.rhq.common.jbossas.client.controller.FailureException: Failed to remove security domain [RHQUserSecurityDomain]: JBAS014762: Removing services has lead to unsatisfied dependencies: Service jboss.security.security-domain.RHQUserSecurityDomain was depended upon by service jboss.web.deployment.default-host./rest.realm
    at org.rhq.common.jbossas.client.controller.SecurityDomainJBossASClient.removeSecurityDomain(SecurityDomainJBossASClient.java:256)

--- Additional comment from Heiko W. Rupp on 2013-05-13 07:07:57 EDT ---

I think doing option 2) just got easier with the use of EAP 6.1, as this now allows login modules to be addressed individually:

[standalone@localhost:6999 authentication=classic] ./login-module=org.rhq.enterprise.server.core.jaas.
org.rhq.enterprise.server.core.jaas.JDBCLoginModule org.rhq.enterprise.server.core.jaas.JDBCPrincipalCheckLoginModule org.rhq.enterprise.server.core.jaas.LdapLoginModule
[standalone@localhost:6999 authentication=classic] ./login-module=org.rhq.enterprise.server.core.jaas.LdapLoginModule:
add read-attribute read-children-names read-children-resources read-children-types read-operation-description read-operation-names read-resource read-resource-description remove undefine-attribute whoami write-attribute
[standalone@localhost:6999 authentication=classic] ./login-module=org.rhq.enterprise.server.core.jaas.LdapLoginModule:
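
Added example, not part of the original comments and not RHQ code: a Python sketch of options 2 and 3 above that plans management operations touching only the LDAP login-module resource, wrapped in one composite operation, so the security domain that /rest depends on is never removed. The flag value, the module option and the function names are assumptions; the module class names and authentication=classic come from the CLI listing above.

```python
import json

# Names below come from the CLI listing on this page.
DOMAIN = "RHQUserSecurityDomain"
LDAP_MODULE = "org.rhq.enterprise.server.core.jaas.LdapLoginModule"


def module_address(module):
    """Management address of a single login-module resource (EAP 6.1 style)."""
    return [{"subsystem": "security"}, {"security-domain": DOMAIN},
            {"authentication": "classic"}, {"login-module": module}]


def plan_ldap_change(existing_modules, ldap_enabled, ldap_options=None, flag="sufficient"):
    """Plan the minimal change; returns a composite operation or None.

    existing_modules: names from read-children-names on authentication=classic.
    flag and ldap_options are assumptions of this example, not RHQ's values.
    """
    present = LDAP_MODULE in existing_modules
    if ldap_enabled and not present:
        step = {"operation": "add", "address": module_address(LDAP_MODULE),
                "code": LDAP_MODULE, "flag": flag,
                "module-options": dict(ldap_options or {})}
    elif present and not ldap_enabled:
        step = {"operation": "remove", "address": module_address(LDAP_MODULE)}
    else:
        return None  # already in the requested state: leave the domain untouched
    # One composite operation, so other services only see the end result.
    return {"operation": "composite", "address": [], "steps": [step]}


def touches_domain_itself(op):
    """True if a step addresses the security-domain resource, not a login module."""
    return any(next(iter(s["address"][-1])) == "security-domain" for s in op["steps"])


if __name__ == "__main__":
    # Constructed sample state: LDAP module not yet configured.
    existing = ["org.rhq.enterprise.server.core.jaas.JDBCLoginModule",
                "org.rhq.enterprise.server.core.jaas.JDBCPrincipalCheckLoginModule"]
    op = plan_ldap_change(existing, True, {"java.naming.provider.url": "ldap://ldap.example.test:389"})
    print(json.dumps(op, indent=2))
```

Because the plan is empty when the module is already in the requested state, a server restart issues no management operation at all and the /rest web context is not unregistered.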
The REST api needs to authenticate users in exactly the same manner as CLI/UI
(as written in the linked BZ: master ba97ade9666a)
QE has automation running nightly with LDAP authentication and REST API. This is working.