EAP, how to management-interfaces with multiple or fail-over security-realm(s)

Latest response

I have a working configuration for the native-interface and http-interface, with ldap login.

But I want a second or even more security-realm as fail-over, with user/password.

How do I configure that?

Responses

I'm not sure I understand what you mean. Can you give us a use case that might help me understand this a little better?

I'm sorry, english is not me native language.

I want a combined system for management security with ldap login and user/password login.

Hi Peter

I think it might be better if you raise a case with our support team for this. I've asked our security guys to take a look at this but I think we may need more information which is better handled over a case.

Regards
Mustafa

He meant what if ldap is not available, how do we access JBOSS console/jboss-cli.sh.
For example, if ldap fails, we could use an user that is created in this realm:

security-realm name="ManagementRealm"
properties path="mgmt-users.properties" relative-to="jboss.domain.config.dir"
properties path="mgmt-groups.properties" relative-to="jboss.domain.config.dir"

But its not possible to configure more than one type in security-realm:

management-interfaces
native-interface security-realm="OpenLDAPRealm"
socket interface="management" port="${jboss.management.native.port:9999}"
native-interface
http-interface security-realm="OpenLDAPRealm"
socket interface="management" port="${jboss.management.http.port:9990}"
http-interface
management-interfaces
management

Daniela

Is this Issue Resolved ?

I want to integrated multiple security Realm to Management-Interface ? Please let me know how can we do it.

Hi - similar issue here - using LDAP auth on the http management interface endpoint, and using local OS account auth by-pass for 127.0.0.1 access (by the account that runs the jboss processes) on the native management interface endpoint.

I would like to have the native management interface ALSO available for remote access from other hosts in the local management network (not only 127.0.0.1 but 10.x.x.x) and authenticate access to that endpoint via LDAP login unless the user is accessing the native management interface from localhost/127.0.0.1.

So, is there any way to combine the LDAP and local by-pass on the native management interface? Or is it possible to setup a second native management interface on a different port that listens on 10.x.x.x IP and port for remote access on the management/local network?

Thank you, Scott Stirling