[LDAP on Elytron] How to use the login user credentials to connect to LDAP instead of my personal credentials

Israel Diéguez

May 16, 2023, 10:07:51 AM5/16/23
to WildFly
Hi everybody.

I am new to the community. I am trying to configure an LDAP connection from WildFly. With the legacy security module, I used the LdapLoginModule.

<security-domain name="LDAPAuth" cache-type="default">
    <authentication>
        <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
            <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
            <module-option name="java.naming.provider.url" value="ldaps://example.com:636"/>
            <module-option name="java.naming.security.protocol" value="ssl"/>
            <module-option name="java.naming.security.authentication" value="simple"/>
            <module-option name="principalDNPrefix" value="prefix\"/>
            <module-option name="allowEmptyPasswords" value="false"/>
            <module-option name="uidAttributeID" value="sAMAccountName"/>
            <module-option name="matchOnUserDN" value="true"/>
        </login-module>
    </authentication>
</security-domain>

Now, in Elytron, I could configure it using this configuration, and it works. I am using WildFly 26.0.1.

<server xmlns="urn:jboss:domain:19.0">
    <extensions>
        ...
    </extensions>
    <system-properties>
        <property name="javax.net.ssl.trustStore" value="D:\wildfly-26.0.1\standalone\configuration\truststore.jks"/>
        <property name="javax.net.ssl.trustStorePassword" value="**********"/>
    </system-properties>
    <management>
        ...
    </management>
    <profile>
        <subsystem xmlns="urn:wildfly:elytron:15.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
            <security-domains>
                <security-domain name="LdapSD" default-realm="LdapSR" permission-mapper="default-permission-mapper">
                    <realm name="LdapSR"/>
                </security-domain>
                ...
            </security-domains>
            <security-realms>
                <ldap-realm name="LdapSR" dir-context="LdapDC" direct-verification="true">
                    <identity-mapping rdn-identifier="sAMAccountName" use-recursive-search="true" search-base-dn="DC=example,DC=com"/>
                </ldap-realm>
                ...
            </security-realms>
            ...
            <http>
                ...
                <http-authentication-factory name="ldap-http-authentication" security-domain="LdapSD" http-server-mechanism-factory="global">
                    <mechanism-configuration>
                        <mechanism mechanism-name="BASIC">
                            <mechanism-realm realm-name="LdapASD"/>
                        </mechanism>
                    </mechanism-configuration>
                </http-authentication-factory>
                ...
            </http>
            ...
            <tls>
                <key-stores>
                    <key-store name="applicationKS">
                        <credential-reference clear-text="**********"/>
                        <implementation type="JKS"/>
                        <file path="keystore.jks" relative-to="jboss.server.config.dir"/>
                    </key-store>
                </key-stores>
                <key-managers>
                    <key-manager name="applicationKM" key-store="applicationKS" generate-self-signed-certificate-host="localhost">
                        <credential-reference clear-text="**********"/>
                    </key-manager>
                </key-managers>
                <server-ssl-contexts>
                    <server-ssl-context name="applicationSSC" key-manager="applicationKM"/>
                </server-ssl-contexts>
            </tls>
            ...
            <dir-contexts>
                <dir-context name="LdapDC" url="ldaps://ldap.example.com:636" principal="CN=myUserId,OU=Users,OU=company,DC=example,DC=com">
                    <credential-reference clear-text="**********"/>
                </dir-context>
            </dir-contexts>
        </subsystem>
        ...
        <subsystem xmlns="urn:jboss:domain:undertow:12.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
            ...
            <application-security-domains>
                ...
                <application-security-domain name="LdapASD" http-authentication-factory="ldap-http-authentication"/>
            </application-security-domains>
        </subsystem>
        ...
    </profile>
    ...
</server>

I want to remove my user id from the <dir-context> tag and replace it with the following.

<dir-contexts>
    <dir-context name="LdapDC" url="ldaps://ldap.example.com:636"/>
</dir-contexts>


If I do this, WildFly starts fine but I get an error after the user tries to log in.

11:34:34,807 DEBUG [io.undertow.request] (default I/O-6) Matched prefix path /ldap-tester for path /ldap-tester/
11:34:34,813 DEBUG [io.undertow.request.security] (default task-1) Security constraints for request /ldap-tester/ are [SingleConstraintMatch{emptyRoleSemantic=AUTHENTICATE, requiredRoles=[]}]
11:34:34,813 DEBUG [io.undertow.request.security] (default task-1) Authenticating required for request HttpServerExchange{ GET /ldap-tester/}
11:34:34,813 DEBUG [io.undertow.request.security] (default task-1) Setting authentication required for exchange HttpServerExchange{ GET /ldap-tester/}
11:34:34,816 DEBUG [org.wildfly.security.http.password] (default task-1) Username authentication. Realm: [LdapASD], Username: [loginUserId].
11:34:34,819 DEBUG [org.wildfly.security] (default task-1) Obtaining lock for identity [loginUserId]...
11:34:34,821 DEBUG [org.wildfly.security] (default task-1) Obtained lock for identity [loginUserId].
11:34:34,825 DEBUG [org.wildfly.security] (default task-1) Creating [class javax.naming.directory.InitialDirContext] with environment:
11:34:34,826 DEBUG [org.wildfly.security] (default task-1)     Property [com.sun.jndi.ldap.read.timeout] with value [60000]
11:34:34,826 DEBUG [org.wildfly.security] (default task-1)     Property [java.naming.referral] with value [ignore]
11:34:34,826 DEBUG [org.wildfly.security] (default task-1)     Property [com.sun.jndi.ldap.connect.pool] with value [false]
11:34:34,826 DEBUG [org.wildfly.security] (default task-1)     Property [java.naming.security.authentication] with value [simple]
11:34:34,826 DEBUG [org.wildfly.security] (default task-1)     Property [com.sun.jndi.ldap.connect.timeout] with value [5000]
11:34:34,826 DEBUG [org.wildfly.security] (default task-1)     Property [java.naming.provider.url] with value [ldaps://ldap.example.com:636]
11:34:34,826 DEBUG [org.wildfly.security] (default task-1)     Property [java.naming.factory.initial] with value [com.sun.jndi.ldap.LdapCtxFactory]
11:34:35,119 DEBUG [org.wildfly.security] (default task-1) [javax.naming.ldap.InitialLdapContext@71f36682] successfully created. Connection established to LDAP server.
11:34:35,121 DEBUG [org.wildfly.security] (default task-1) Trying to create identity for principal [loginUserId].
11:34:35,123 DEBUG [org.wildfly.security] (default task-1) Executing search [(sAMAccountName={0})] in context [DC=example,DC=com] with arguments [loginUserId]. Returning attributes are []. Binary attributes are [].
11:34:35,140 DEBUG [org.wildfly.security] (default task-1) Context [javax.naming.ldap.InitialLdapContext@71f36682] was closed. Connection closed or just returned to the pool.
11:34:35,140 DEBUG [io.undertow.request.error-response] (default task-1) Setting error code 500 for exchange HttpServerExchange{ GET /ldap-tester/}: java.lang.RuntimeException
11:34:35,141 DEBUG [io.undertow.request.error-response] (default task-1) Setting error code 500 for exchange HttpServerExchange{ GET /ldap-tester/}: java.lang.RuntimeException
11:34:35,200 DEBUG [io.undertow.request] (default I/O-6) Matched default handler path /favicon.ico

And the web browser shows an "Internal Server Error" message.

How can I use the login user credentials to connect to LDAP instead of my personal credentials? Could someone help me, please? I can't find documentation on this.

Thank you very much. Regards.
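An added example, not from the original post and not WildFly's own documentation, of how this case is normally configured. With direct-verification="true" Elytron already checks the user's password by binding to LDAP as the user's own DN, but it has to find that DN first, and the identity-mapping search runs under the dir-context's bind, not the user's. The debug log above shows the context created without any java.naming.security.principal property, so once the principal is removed the search is an anonymous bind, and Active Directory does not allow anonymous searches by default. The usual pattern is therefore to keep a dedicated, read-only service account for the lookup (instead of a personal account), take its password from an Elytron credential store rather than clear-text in standalone.xml, and scope trust for the ldaps:// endpoint to the dir-context through a client-ssl-context instead of the global javax.net.ssl system properties. The names ldapCS, ldapBind, ldapTrustKS, ldapTM, ldapCSC, the service-account DN, and the truststore file name are assumptions; the element order follows the urn:wildfly:elytron:15.0 schema used in the post.

```xml
<!-- Added example for WildFly 26 / urn:wildfly:elytron:15.0; assumed names: ldapCS, ldapBind,
     ldapTrustKS, ldapTM, ldapCSC and the service-account DN. Only the relevant elements are shown. -->
<subsystem xmlns="urn:wildfly:elytron:15.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
    <security-realms>
        <!-- direct-verification="true": the login password is verified by binding to LDAP as the user's own DN,
             so the user's credentials are what gets checked; no password hash is read from the directory -->
        <ldap-realm name="LdapSR" dir-context="LdapDC" direct-verification="true">
            <!-- this search resolves sAMAccountName -> DN and runs under the dir-context's bind, not the user's -->
            <identity-mapping rdn-identifier="sAMAccountName" use-recursive-search="true" search-base-dn="DC=example,DC=com"/>
        </ldap-realm>
    </security-realms>
    <tls>
        <key-stores>
            <!-- truststore holding the LDAP server's CA; replaces the javax.net.ssl.trustStore* system properties,
                 which would otherwise apply to every outbound TLS connection the JVM makes -->
            <key-store name="ldapTrustKS">
                <credential-reference clear-text="**********"/>
                <implementation type="JKS"/>
                <file path="truststore.jks" relative-to="jboss.server.config.dir"/>
            </key-store>
        </key-stores>
        <trust-managers>
            <trust-manager name="ldapTM" key-store="ldapTrustKS"/>
        </trust-managers>
        <client-ssl-contexts>
            <!-- client-side context used only by the dir-context below -->
            <client-ssl-context name="ldapCSC" trust-manager="ldapTM"/>
        </client-ssl-contexts>
    </tls>
    <credential-stores>
        <!-- JCEKS store for the service account's password (assumed name ldapCS); populated with jboss-cli,
             so the bind password never appears in standalone.xml -->
        <credential-store name="ldapCS" relative-to="jboss.server.config.dir" path="ldapCS.jceks" create="true">
            <credential-reference clear-text="**********"/>
        </credential-store>
    </credential-stores>
    <dir-contexts>
        <!-- least-privilege, read-only service account (assumed DN) used only for the DN lookup;
             authentication-level SIMPLE is the default and is shown for clarity -->
        <dir-context name="LdapDC" url="ldaps://ldap.example.com:636" authentication-level="SIMPLE"
                     principal="CN=svc-wildfly-ldap,OU=ServiceAccounts,DC=example,DC=com" ssl-context="ldapCSC">
            <!-- password is read from the credential store by alias instead of clear-text -->
            <credential-reference store="ldapCS" alias="ldapBind"/>
        </dir-context>
    </dir-contexts>
</subsystem>
```

The store and alias are created from jboss-cli with the credential-store resource's add operation (path, relative-to, credential-reference, create=true) followed by add-alias with the alias name and secret-value; after that, a login attempt should show a java.naming.security.principal property in the same "Creating [class javax.naming.directory.InitialDirContext]" debug block above, confirming that the lookup is no longer anonymous, followed by a second bind as the user's DN for the password check. The service account needs nothing beyond read access to the search base, and removing the system-properties block keeps its truststore password out of the JVM-wide property space.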