jboss-cli failed when trying to create ldap security-domain on EAP 6.4.0

On EAP 6.3.x, I use the following CLI commands for configuring my LDAP security domain.

....
/subsystem=security/security-domain=my-security-domain:add(cache-type=default)
/subsystem=security/security-domain=my-security-domain/authentication=classic:add
/subsystem=security/security-domain=my-security-domain/authentication=classic:write-attribute(name=login-modules,value=[{code=>LdapExtended,flag=>required,module-options=>[java.naming.factory.initial=>com.sun.jndi.ldpa.LdapCtxFactory,java.naming.provider.url=>ldap://localhost:389,java.naming.security.authentication=>simple,bindDN=>"CN=root,dc=me,dc=lab",bindCredential=>me,baseCtxDN=>"ou=Users,DC=my-ap,DC=me,DC=lab",baseFilter=>(cn={0}),rolesCtxDN=>"ou=Groups,DC=my-app,DC=me,DC=lab",roleFilter=>(uniquemember={1}),searchScope=>ONELEVEL_SCOPE,allowEmptyPasswords=>false,defaultRole=>MyWebUser,roleAttributeID=>cn ]}])
...

On EAP 6.4.0, the last command raises the following error message:
{
"outcome" => "failed",
"failure-description" => "JBAS014749: Operation handler failed: java.lang.IllegalArgumentException",
"rolled-back" => true,
"response-headers" => {"process-state" => "reload-required"}
}

If I manually edit the standalone-full.xml file, the security-domain is working correctly.

Did the CLI syntax change between 6.3.x and 6.4.0?

Responses

Can you try the steps here and let us know if there are any issues - https://access.redhat.com/solutions/366553

I just tried your procedure and it works as expected on both 6.3.x and 6.4.
It seems to me that creating the login-module using the "write-attribute()" operation was allowed on 6.3.x, but is raising an exception on 6.4 (java.lang.IllegalArgumentException).

I'm not sure it worked in 6.3.x either. I just tried and I get a failure. Did you already have a login-module and were just overriding the values?

If you open a case we can look into it further.

Hi Vincent, thanks for getting back to me. We see the same error on 6.3 when using the write-attribute, so perhaps it's something else that you were doing wrong. If you want us to investigate this some more, then please go ahead and raise a support case with us and we can dig into this some more if you so wish.

Hi Mustafa, if you copy-paste my initial example above, it works on 6.3 and fails on 6.4. This is why I was thinking of a change between 6.3 and 6.4.
Anyway, the procedure you have proposed is working properly on both versions and fixes my problem. Thank you.