Elytron - LDAP Realm not honoring direct-verification

eng.dan...@gmail.com

May 16, 2023, 6:55:58 AM
to WildFly
Hi,

According to documentation:


"direct-verification  - Does this realm support verification of credentials by directly connecting to LDAP as the account being authenticated"

We should be able to authenticate with a valid LDAP account without having to specify the principal and credential on the LDAP dir-context authentication. However, this is not the case.

After checking the source code, this happens because getIdentity doesn't honor the direct-verification flag and always uses the principal of the dir context. With direct verification enabled, all connections to LDAP should use the account that is being authenticated (in my opinion). This would benefit security, because there is one less user/password in the configuration file (standalone.xml).

Is this a bug or the expected setup/behaviour of the ldap realm?

Thanks

Israel Diéguez

May 16, 2023, 10:07:51 AM
to WildFly
Hi Daniel,

I have been working in the last few days on removing my personal credentials from the dir-context, exactly what you are trying. Unsuccessfully. In fact, I read some messages from you on the Internet asking the same. I wrote a message in this forum 2 hours ago asking exactly the same, but it is in moderation before being published. I will follow your conversation and try to help.

Thanks Daniel.

Israel Diéguez

May 18, 2023, 8:09:53 AM
to WildFly
Hi Daniel,

Recently I asked about this in Zulip, the WildFly chatroom, and Darran Lofthouse replied to me that it is not possible to remove the principal credentials from the configuration. We can move them to another file, encrypt the credentials, etc., but a user is necessary to make the first connection to LDAP. Another option is to create an implementation that does this, but I do not have enough knowledge to do it.


Regards.
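As an added illustration (not from this thread, and not WildFly's own documentation or code), the following Elytron subsystem fragments for standalone.xml show the setup the two posts above describe: direct-verification="true" on the ldap-realm so the user's own password is checked by binding as that user, while the dir-context keeps the principal that, according to the replies, is still required for the initial search connection, with its bind password moved out of clear text into a credential store. The host, DNs, store name, alias and passwords are placeholders; merge each section into the matching section of your existing configuration.

```xml
<!-- Added example: Elytron fragments for standalone.xml.
     Host, DNs, store name, alias and passwords are placeholder assumptions. -->

<!-- 1. The realm. direct-verification="true" verifies the supplied password by
        binding to LDAP as the user being authenticated; the identity lookup
        (the search under search-base-dn) still uses the dir-context in step 3. -->
<security-realms>
    <ldap-realm name="ldap-realm" dir-context="ldap-ctx" direct-verification="true">
        <identity-mapping rdn-identifier="uid" search-base-dn="ou=users,dc=example,dc=com"/>
    </ldap-realm>
</security-realms>

<!-- 2. A credential store that holds the service account's bind password, so the
        password itself no longer appears on the dir-context element. -->
<credential-stores>
    <credential-store name="ldap-cs" relative-to="jboss.server.config.dir"
                      location="ldap-cs.jceks" create="true">
        <credential-reference clear-text="store-password"/>
    </credential-store>
</credential-stores>

<!-- 3. The dir-context still needs a principal for the first connection;
        its credential is now a reference to a store alias instead of clear text. -->
<dir-contexts>
    <dir-context name="ldap-ctx" url="ldap://ldap.example.com:389"
                 principal="cn=wildfly-bind,ou=services,dc=example,dc=com">
        <credential-reference store="ldap-cs" alias="ldap-bind"/>
    </dir-context>
</dir-contexts>
```

The alias is populated once with the CLI, for example `/subsystem=elytron/credential-store=ldap-cs:add-alias(alias=ldap-bind, secret-value="...")`, after which the bind password lives only in ldap-cs.jceks. Two caveats: the store's own password is still written in clear text here (it can be masked with elytron-tool instead), and because the search connection binds as the service account, that account only needs read and search rights on the user subtree; the user's own bind covers the password check. This does not remove the principal from the configuration, which matches what the replies above report.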
