How to map LDAP user groups to WildFly roles

We have a Java EE application running on WildFly 18. Authentication is done by a Kerberos security domain (com.sun.security.auth.module.Krb5LoginModule). This works just fine.

Now we need to know whether the authenticated user belongs to a certain user group in LDAP. Any idea how to do that? I assume we need to configure an LDAP connection and then somehow map LDAP user groups to WildFly roles, but I have no clue where to start.

Thank you very much for any help or direction.



Solution 1:[1]

I had a similar problem to yours.

In my case I first needed to migrate from legacy security to Elytron. In Elytron, loading users and groups is the first step, and then you have the opportunity to map roles to whatever you want using role mappers.

    <!-- security domain: the realm's role decoder turns loaded attributes into roles,
         and the realm's role mapper renames them -->
    <security-domain name="ApplicationDomain" default-realm="ApplicationRealm" permission-mapper="default-permission-mapper">
        <realm name="ApplicationRealm" role-decoder="groups-to-roles" role-mapper="KeepMappedRoleMapper"/>
        <realm name="local"/>
    </security-domain>
    ...
    <!-- role mapper: only roles listed in a role-mapping survive -->
    <mapped-role-mapper name="KeepMappedRoleMapper" keep-mapped="false" keep-non-mapped="false">
        <role-mapping from="SOURCE_GROUP" to="TARGET_GROUP"/>
    </mapped-role-mapper>
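The answer shows the mapper but not where the groups come from. The fragment below is a fuller Elytron configuration along the same lines, added here as an illustration; it is not charlie_pl's configuration. It fills in the LDAP side: a dir-context for the directory connection, an ldap-realm whose attribute-mapping copies the cn of every groupOfNames entry listing the user as a member into an identity attribute, the stock simple-role-decoder that turns that attribute into roles, and a mapped-role-mapper that renames the LDAP group names to the role names the application checks. The host name, DNs, bind account, group names (wildfly-admins, wildfly-users) and role names (admin, user) are assumed for the example. Wiring the Kerberos/SPNEGO authentication factory to this security domain is not shown; with Kerberos the realm is only asked to load the identity, not to verify a password, so direct-verification is left at its default of false.

```xml
<!-- Elytron subsystem fragment for standalone.xml. Every element below belongs
     inside <subsystem xmlns="urn:wildfly:elytron:..."> under the section named.
     Host, DNs, bind account, group and role names are assumed for illustration. -->

<!-- 1. Connection to the directory. Use a read-only bind account; in production
        reference a credential store (store=/alias=) instead of clear-text. -->
<dir-contexts>
    <dir-context name="ldapConnection"
                 url="ldap://ldap.example.com:389"
                 principal="cn=wildfly-bind,ou=Service,dc=example,dc=com">
        <credential-reference clear-text="bind-password"/>
    </dir-context>
</dir-contexts>

<!-- 2. Realm that loads the identity from LDAP. For each groupOfNames entry under
        ou=Groups whose member attribute contains the user's DN ({1} is replaced by
        that DN at query time), the group's cn is added to the identity attribute
        "groups". No password is checked here (direct-verification defaults to false). -->
<security-realms>
    <ldap-realm name="LdapRealm" dir-context="ldapConnection">
        <identity-mapping rdn-identifier="uid"
                          search-base-dn="ou=Users,dc=example,dc=com"
                          use-recursive-search="false">
            <attribute-mapping>
                <attribute from="cn" to="groups"
                           filter="(&amp;(objectClass=groupOfNames)(member={1}))"
                           filter-base-dn="ou=Groups,dc=example,dc=com"/>
            </attribute-mapping>
        </identity-mapping>
    </ldap-realm>
</security-realms>

<!-- 3. Decode the "groups" attribute into roles (groups-to-roles already exists in
        the default configuration), then rename LDAP group names to application roles.
        keep-non-mapped="false" discards every LDAP group without an explicit mapping,
        so an unrelated directory group can never leak in as a role;
        keep-mapped="false" discards the raw group names once they are mapped. -->
<mappers>
    <simple-role-decoder name="groups-to-roles" attribute="groups"/>
    <mapped-role-mapper name="ldapGroupsToRoles" keep-mapped="false" keep-non-mapped="false">
        <role-mapping from="wildfly-admins" to="admin"/>
        <role-mapping from="wildfly-users" to="user"/>
    </mapped-role-mapper>
</mappers>

<!-- 4. Security domain that ties realm, decoder and mapper together. -->
<security-domains>
    <security-domain name="LdapDomain" default-realm="LdapRealm"
                     permission-mapper="default-permission-mapper">
        <realm name="LdapRealm" role-decoder="groups-to-roles" role-mapper="ldapGroupsToRoles"/>
    </security-domain>
</security-domains>
```

With this in place, a user in the wildfly-admins group satisfies @RolesAllowed("admin") and request.isUserInRole("admin") in the application. To check what roles a given directory user actually ends up with before wiring up the application, run /subsystem=elytron/security-domain=LdapDomain:read-identity(name=alice) in jboss-cli; it prints the identity's attributes and decoded, mapped roles, which is the quickest way to catch a wrong filter-base-dn or a group name that does not match a role-mapping.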

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 charlie_pl