Configuring LDAP based authentication with Elytron on WildFly

In this tutorial we will learn how to configure Authentication with an Elytron LDAP-Based Identity Store.


  • WildFly 11 or newer
  • A LDAP Server or a Docker deamon to start an LDAP Server in a Container

For the sake of simplicity, we will start a Containerised version of OpenLdap, which is available in the DockerHub, using as BASE DN

$ docker run --env LDAP_ORGANISATION="wildfly" --env LDAP_DOMAIN="" --env LDAP_ADMIN_PASSWORD="admin" --detach osixia/openldap

As an alternative, you can set the BASE DN in your slapf.conf and set the default admin password.

Check your IP Address from your container:

$ docker inspect --format '{{ .NetworkSettings.IPAddress }}' $(docker ps -q)

Now verify the connection with any LDAP Browser:

Authentication with an Elytron LDAP-Based Identity Store.

Ok, the connection worked so now upload a sample ldif file which will contain one user named "frank" which is granted the Role "Admin":

dn: ou=Users,dc=wildfly,dc=org
objectClass: organizationalUnit
objectClass: top
ou: Users

dn: uid=frank,ou=Users,dc=wildfly,dc=org
objectClass: top
objectClass: person
objectClass: inetOrgPerson
cn: Franky
sn: frank
uid: frank
userPassword: secret123

dn: ou=Roles,dc=wildfly,dc=org
objectclass: top
objectclass: organizationalUnit
ou: Roles

dn: cn=Admin,ou=Roles,dc=wildfly,dc=org
objectClass: top
objectClass: groupOfNames
cn: Admin
member: uid=frank,ou=Users,dc=wildfly,dc=org

You should be able to see the updated Directory from your LDAP Browser:

Authentication with an Elytron LDAP-Based Identity Store.

Now Start WildFly 11 and connect to the Command Line Interface.

The first thing we will need to do is configuring a Directory Context with the URL of the LDAP Server and the information related to the Principal:


Next, it's time to create an LDAP Realm which references the Directory Context, specifying the Search Base DN, how and Users are mapped:


Next, you will need creating a Role Decoder which, in its simplest form, takes a single attribute and maps it directly to roles.


Ok, we have the LDAP Realm, the Role Decoder so we will create a Security Domain which uses this information:


As the Security Domain will be used to authenticate users through HTTP, we will need to add an Http Authentication Factory which is configured to use the above defined Security Domain and LDAP Realm:


We are finished with Elytron. The last piece of the puzzle will be the Http Authentication Factory into Undertow, so that incoming request will be handled by the Security Domain:


We are done! The above CLI command should reflect in the following server configuration:

<?xml version="1.0" encoding="UTF-8"?>
<subsystem xmlns="urn:wildfly:elytron:1.2" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
      . . .
      <security-domain name="exampleLdapSD" default-realm="exampleLR" permission-mapper="default-permission-mapper">
         <realm name="exampleLR" role-decoder="from-roles-attribute" />
       . . . . .
      <ldap-realm name="exampleLR" dir-context="exampleDC">
         <identity-mapping rdn-identifier="uid" search-base-dn="ou=Users,dc=wildfly,dc=org">
               <attribute from="cn" to="Roles" filter="(&(objectClass=groupOfNames)(member={1}))" filter-base-dn="ou=Roles,dc=wildfly,dc=org" />
            <user-password-mapper from="userPassword" />
        . . . .
      <simple-role-decoder name="from-roles-attribute" attribute="Roles" />
      <http-authentication-factory name="management-http-authentication" http-server-mechanism-factory="global" security-domain="ManagementDomain">
       . . . .
      <http-authentication-factory name="example-ldap-http-auth" http-server-mechanism-factory="global" security-domain="exampleLdapSD">
            <mechanism mechanism-name="BASIC">
               <mechanism-realm realm-name="exampleApplicationDomain" />
      <provider-http-server-mechanism-factory name="global" />
      . . . .
      <dir-context name="exampleDC" url="ldap://" principal="cn=admin,dc=wildfly,dc=org">
         <credential-reference clear-text="admin" />

In order to test your application, include the Security bindings in your jboss-web.xml and web.xml.

Here is the jboss-web.xml bit:


And this is a sample web.xml:

    <description>Ldap Secured</description>

Related articles available on

JBoss security framework

Security is a fundamental part of any enterprise application .The

Configure JBoss with LDAP

In this tutorial we will show how to connect JBoss AS 7 (and earl

Configuring Single Signon on JBoss AS 7

This tutorial describes how to configure Single Signon for a JBos

Securing AS 7 applications using the ApplicationRealm

JBoss AS 7 and the EAP 6 provide out of the box a Security Domain

Securing access to JBoss-WildFly Management console

In this tutorial we will demonstrate how to secure access to the

Configuring a MongoDB Login Module

Creating a Login Module with JBoss AS 7 or WildFly can be done by

Follow us on Twitter