jboss-cli failed when trying to create ldap security-domain on EAP 6.4.0

On EAP 6.3.x, I use the following CLI commands for configuring my LDAP security domain.

....
/subsystem=security/security-domain=my-security-domain:add(cache-type=default)
/subsystem=security/security-domain=my-security-domain/authentication=classic:add
/subsystem=security/security-domain=my-security-domain/authentication=classic:write-attribute(name=login-modules,value=[{code=>LdapExtended,flag=>required,module-options=>[java.naming.factory.initial=>com.sun.jndi.ldpa.LdapCtxFactory,java.naming.provider.url=>ldap://localhost:389,java.naming.security.authentication=>simple,bindDN=>"CN=root,dc=me,dc=lab",bindCredential=>me,baseCtxDN=>"ou=Users,DC=my-ap,DC=me,DC=lab",baseFilter=>(cn={0}),rolesCtxDN=>"ou=Groups,DC=my-app,DC=me,DC=lab",roleFilter=>(uniquemember={1}),searchScope=>ONELEVEL_SCOPE,allowEmptyPasswords=>false,defaultRole=>MyWebUser,roleAttributeID=>cn ]}])
...

On EAP 6.4.0, the last command raises the following error message:
{
"outcome" => "failed",
"failure-description" => "JBAS014749: Operation handler failed: java.lang.IllegalArgumentException",
"rolled-back" => true,
"response-headers" => {"process-state" => "reload-required"}
}

If I manually edit the standalone-full.xml file, the security-domain is working correctly.

Does the CLI syntax change between 6.3.x and 6.4.0?

Responses

Can you try the steps here and let us know if there are any issues - https://access.redhat.com/solutions/366553

I just tried your procedure and it works as expected on both 6.3.x and 6.4.
It seems to me that creating the login-module using the "write-attribute()" operation was allowed on 6.3.x, but is raising an exception on 6.4 (java.lang.IllegalArgumentException).

I'm not sure it worked in 6.3.x either. I just tried and I get a failure. Did you already have a login-module and were just overriding the values?

If you open a case we can look into it further.

Hi Vincent, thanks for getting back to me. We see the same error on 6.3 when using the write-attribute so perhaps it's something else that you were doing wrong. If you want us to investigate this some more then please go ahead and raise a support case with us and we can dig in to this some more if you so wish.

Hi Mustafa, if you copy-paste my initial example above, it works on 6.3 and fails on 6.4. This is why I was thinking of a change between 6.3 and 6.4.
Anyway, the procedure you have proposed is working properly on both versions and fixes my problem. Thank you
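
For reference, a login module can also be defined as its own child resource of authentication=classic with an add operation, rather than by writing the login-modules attribute. This is an added example, not taken from the thread or from the linked solution; it reuses the domain name and option values from the original post, writes the JNDI factory as the JDK class com.sun.jndi.ldap.LdapCtxFactory, and uses a placeholder for bindCredential.

```jboss-cli
# Added example (not from the thread): run in jboss-cli against a standalone server.
# Names and option values follow the original post; bindCredential is a placeholder.
batch

# Security domain and its classic authentication stack
/subsystem=security/security-domain=my-security-domain:add(cache-type=default)
/subsystem=security/security-domain=my-security-domain/authentication=classic:add

# Login module as a child resource, with module-options as a list of key/value pairs
/subsystem=security/security-domain=my-security-domain/authentication=classic/login-module=LdapExtended:add(code=LdapExtended, flag=required, module-options=[("java.naming.factory.initial"=>"com.sun.jndi.ldap.LdapCtxFactory"), ("java.naming.provider.url"=>"ldap://localhost:389"), ("java.naming.security.authentication"=>"simple"), ("bindDN"=>"CN=root,dc=me,dc=lab"), ("bindCredential"=>"<BIND_PASSWORD_PLACEHOLDER>"), ("baseCtxDN"=>"ou=Users,DC=my-ap,DC=me,DC=lab"), ("baseFilter"=>"(cn={0})"), ("rolesCtxDN"=>"ou=Groups,DC=my-app,DC=me,DC=lab"), ("roleFilter"=>"(uniquemember={1})"), ("searchScope"=>"ONELEVEL_SCOPE"), ("allowEmptyPasswords"=>"false"), ("defaultRole"=>"MyWebUser"), ("roleAttributeID"=>"cn")])

run-batch

# The security subsystem reports reload-required after the change
reload

# Confirm what was stored
/subsystem=security/security-domain=my-security-domain/authentication=classic/login-module=LdapExtended:read-resource
```

Because the operations run inside a batch, a failure in any one of them rolls back the whole set, so a rejected option does not leave a half-configured security domain behind.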