jboss-cli failed when trying to create ldap security-domain on EAP 6.4.0

Latest response

On EAP 6.3.x, I use the following CLI commands for configuring my LDAP security domain.

....
/subsystem=security/security-domain=my-security-domain:add(cache-type=default)
/subsystem=security/security-domain=my-security-domain/authentication=classic:add
/subsystem=security/security-domain=my-security-domain/authentication=classic:write-attribute(name=login-modules,value=[{code=>LdapExtended,flag=>required,module-options=>[java.naming.factory.initial=>com.sun.jndi.ldpa.LdapCtxFactory,java.naming.provider.url=>ldap://localhost:389,java.naming.security.authentication=>simple,bindDN=>"CN=root,dc=me,dc=lab",bindCredential=>me,baseCtxDN=>"ou=Users,DC=my-ap,DC=me,DC=lab",baseFilter=>(cn={0}),rolesCtxDN=>"ou=Groups,DC=my-app,DC=me,DC=lab",roleFilter=>(uniquemember={1}),searchScope=>ONELEVEL_SCOPE,allowEmptyPasswords=>false,defaultRole=>MyWebUser,roleAttributeID=>cn ]}])
...

On EAP 6.4.0, the last command raises the following error message:
{
"outcome" => "failed",
"failure-description" => "JBAS014749: Operation handler failed: java.lang.IllegalArgumentException",
"rolled-back" => true,
"response-headers" => {"process-state" => "reload-required"}
}

If I manually edit the standalone-full.xml file, the security-domain is working correctly.

Does the CLI syntax changes between 6.3.x and 6.4.0 ?

IM
Log in to join the conversation

Responses

Mustafa Musaji's picture Red Hat Guru 1798 points
28 May 2015 9:35 AM

Can you try the steps here and let us know if this is there are any issues - https://access.redhat.com/solutions/366553

IM Community Member 22 points
28 May 2015 2:36 PM

I just tried your procedure and it works as expected on both 6.3.x and 6.4.
It seems to me that creating the login-module using the "write-attribute()" operation was allowed on 6.3.x, but is raising an exception on 6.4 (java.lang.IllegalArgumentException).

CD Red Hat Active Contributor 202 points
28 May 2015 2:55 PM

I'm not sure it worked in 6.3.x either. I just tried and I get a failure. Did you already have a login-module and were just overriding the values?

If you open a case we can look into it further.

Mustafa Musaji's picture Red Hat Guru 1798 points
28 May 2015 2:57 PM

Hi Vincent, thanks for getting back to me. We see the same error on 6.3 when using the write-attribute so perhaps it's something else that you were doing wrong. If you want us to investigate this some more then please go ahead and raise a support case with us and we can dig in to this some more if you so wish.

IM Community Member 22 points
2 June 2015 7:17 AM

Hi Mustafa, if you copy-paste my initial example above, it works on 6.3 and fails on 6.4. This is why I was thinking of a change between 6.3 and 6.4.
Anyway, the procedure you have proposed is working properly on both versions and fixes my problem. Thank you

Close

Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.