Cached LDAP Auth from two directories


Tom

Mar 12, 2026, 7:09:11 PM
to WildFly
I have two different LDAP directories for authorization/authentication, one for users from group A and one from group B. I don't make the LDAP structure but I gotta live with it.
I've found that "distributed-realm" works fine, it checks A then B.

I'd like it better as a cached realm that wraps the distributed realm, but cached-realm cannot cache a distributed-realm. I'm not sure why.

I tried caching A and caching B, then wrapping both in a distributed-realm, but when searching for a member of B the initial check on cached-A misses, does a full query on A, then goes to B. And I used a cache in part to avoid full queries for known users.

Any hints to help me out?

Diana Krepinska

Mar 18, 2026, 6:30:39 AM
to WildFly
I don't think you can achieve this right now without implementing something custom. You can open a feature request for project ELY at https://redhat.atlassian.net/issues?filter=105408 to be able to cache a distributed realm or solve this problem some other way.

Laura Schanno

Mar 19, 2026, 3:52:11 PM
to WildFly

Note that if you want to try to implement your own custom cacheable realm, it must implement the interface org.wildfly.security.auth.realm.CacheableSecurityRealm in order to support being wrapped by a caching-realm. The implementing class for distributed realms, org.wildfly.security.auth.realm.DistributedSecurityRealm, does not, which is why it cannot be wrapped by a caching-realm instance.
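As an added illustration of the interface requirement described in this reply (example code, not from the thread and not part of WildFly Elytron itself): a delegating realm that implements CacheableSecurityRealm and forwards every lookup to a DistributedSecurityRealm built over the two LDAP realms, so a single caching-realm can sit in front of both directories. The class name, the package, and the varargs DistributedSecurityRealm(SecurityRealm...) constructor are assumptions; the SecurityRealm and CacheableSecurityRealm method signatures are the Elytron ones named above.

```java
package example.realm; // hypothetical package

import java.security.Principal;
import java.security.spec.AlgorithmParameterSpec;
import java.util.Arrays;
import java.util.List;
import java.util.function.Consumer;

import org.wildfly.security.auth.SupportLevel;
import org.wildfly.security.auth.realm.CacheableSecurityRealm;
import org.wildfly.security.auth.realm.DistributedSecurityRealm;
import org.wildfly.security.auth.server.RealmIdentity;
import org.wildfly.security.auth.server.RealmUnavailableException;
import org.wildfly.security.auth.server.SecurityRealm;
import org.wildfly.security.credential.Credential;
import org.wildfly.security.evidence.Evidence;

/**
 * Hypothetical wrapper: a CacheableSecurityRealm that answers every query from a
 * DistributedSecurityRealm over the given realms (for example the LDAP realms for
 * group A and group B). Because it implements CacheableSecurityRealm, a single
 * caching-realm can wrap it, so a hit for a group-B user is served from the cache
 * instead of first running a full miss against directory A.
 */
public final class CacheableDistributedRealm implements CacheableSecurityRealm {

    private final List<SecurityRealm> realms;
    private final SecurityRealm delegate;

    public CacheableDistributedRealm(SecurityRealm... realms) {
        this.realms = Arrays.asList(realms);
        // Assumed constructor: consults each realm in order until one reports
        // that the identity exists, exactly like the distributed-realm resource.
        this.delegate = new DistributedSecurityRealm(realms);
    }

    @Override
    public RealmIdentity getRealmIdentity(Principal principal) throws RealmUnavailableException {
        return delegate.getRealmIdentity(principal);
    }

    @Override
    public SupportLevel getCredentialAcquireSupport(Class<? extends Credential> credentialType,
            String algorithmName, AlgorithmParameterSpec parameterSpec) throws RealmUnavailableException {
        return delegate.getCredentialAcquireSupport(credentialType, algorithmName, parameterSpec);
    }

    @Override
    public SupportLevel getEvidenceVerifySupport(Class<? extends Evidence> evidenceType,
            String algorithmName) throws RealmUnavailableException {
        return delegate.getEvidenceVerifySupport(evidenceType, algorithmName);
    }

    /**
     * The caching realm registers its eviction callback here and removes the cached
     * entry for any principal the callback is invoked with. Forwarding the
     * registration to each wrapped realm that can report changes means a password
     * change or disabled account in directory A or B evicts the shared cache entry
     * instead of remaining valid until the entry ages out.
     */
    @Override
    public void registerIdentityChangeListener(Consumer<Principal> listener) {
        for (SecurityRealm realm : realms) {
            if (realm instanceof CacheableSecurityRealm) {
                ((CacheableSecurityRealm) realm).registerIdentityChangeListener(listener);
            }
        }
    }
}
```

The listener forwarding is the part that matters for security rather than performance: a cache that is never told about identity changes keeps serving stale entries for the full maximum-age, so any wrapper of this kind should propagate change notifications from every backing realm that can emit them. Wiring such a class into the subsystem as a custom-realm, with a no-argument constructor and the LDAP realms constructed inside it, is left as an exercise and is outside what this thread covers.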