
How to configure multiple Login modules in one security domain in JBOSS EAP 6.3?

I have two groups of users - employees and members; employees are in an LDAP server and members are in a properties file. I need to configure both of them in a single security domain, which means I need to get authentication from different login modules - employees from LdapExtLoginModule, and members from the UsersRoles login module. Something like this:

<security-domain name="EmpMem" cache-type="default">
    <authentication>
        <login-module code="UsersRoles" flag="required">
            <module-option name="password-stacking" value="useFirstPass"/>
            <module-option name="usersProperties" value="app-users.properties"/>
            <module-option name="rolesProperties" value="app-roles.properties"/>
        </login-module>
        <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
            <module-option name="password-stacking" value="useFirstPass"/>
            <module-option name="java.naming.provider.url" value="ldap://ha-adds-global.xxx.com:3268"/>
            <module-option name="bindDN" value="CN=prodjbsvc,OU=ServiceAccounts,OU=NOPOL,dc=eagle,dc=xxx,dc=com"/>
            <module-option name="bindCredential" value="XQtU@1lc"/>
            <module-option name="baseCtxDN" value="dc=eagle,dc=xxx,dc=com"/>
            <module-option name="baseFilter" value="(sAMAccountName={0})"/>
            <module-option name="rolesCtxDN" value="ou=COSAs,dc=eagle,dc=xxx,dc=com"/>
            <module-option name="roleFilter" value="(sAMAccountName={0})"/>
            <module-option name="roleAttributeID" value="memberOf"/>
            <module-option name="roleAttributeIsDN" value="true"/>
            <module-option name="roleNameAttributeID" value="cn"/>
            <module-option name="roleRecursion" value="-1"/>
            <module-option name="searchScope" value="SUBTREE_SCOPE"/>
            <module-option name="allowEmptyPasswords" value="false"/>
            <module-option name="java.naming.referral" value="follow"/>
        </login-module>
    </authentication>
</security-domain>

I know that there is a login module called Password Stacking which can chain multiple login modules together, but it looks like LdapExtLoginModule doesn't support that? Please suggest a way to accomplish this.

My requirement: When the user is an employee, he gets authenticated from the LDAP server and should be able to access employee resources (Java packages/classes) only, and when the user is a member, he gets authenticated from the properties file and should be able to access member resources (Java packages/classes) only.

If it is sufficient for your needs, use LdapLoginModule instead of LdapExtLoginModule. Password Stacking is supported by that LoginModule.

However, judging by your requirement, I don't think Password Stacking is what you're looking for ...

If a previous module configured for password stacking has authenticated the user, all the other stacking modules will consider the user authenticated and only attempt to provide a set of roles for the authorization step.

It seems like a user will either be an employee or a member? If so, use "sufficient" as the login module "flag" attribute:

sufficient: The login module is not required to succeed. If it does succeed, control immediately returns to the application. If it fails, authentication continues down the login stack.
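The security domain from the question rewritten with the flag the answer recommends, as an added example that is not part of the question or the answer. Host names, DNs, file names and role names are placeholders I made up; the password-stacking options are dropped because with "sufficient" the first module that succeeds ends the login and the second one is never consulted for that user.

```xml
<!-- Added example (not the asker's or answerer's config): both modules are
     "sufficient", so a login is tried against the properties file first and
     falls through to LDAP only if that fails. All values are placeholders. -->
<security-domain name="EmpMem" cache-type="default">
    <authentication>
        <!-- Members: tried first. A hit here returns immediately with the
             roles from app-roles.properties (e.g. a constructed line
             "member1=member"); LDAP is never contacted for that request. -->
        <login-module code="UsersRoles" flag="sufficient">
            <module-option name="usersProperties" value="app-users.properties"/>
            <module-option name="rolesProperties" value="app-roles.properties"/>
        </login-module>

        <!-- Employees: reached only when UsersRoles did not authenticate the
             user. Roles come from the user's memberOf group DNs, reduced to
             each group's cn (e.g. a group named "employee"). -->
        <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="sufficient">
            <module-option name="java.naming.provider.url" value="ldap://ldap.example.com:3268"/>
            <module-option name="bindDN" value="CN=svc-jboss,OU=ServiceAccounts,DC=example,DC=com"/>
            <!-- Placeholder: keep the real bind password out of standalone.xml,
                 for instance in the EAP password vault, rather than in clear text. -->
            <module-option name="bindCredential" value="CHANGE_ME"/>
            <module-option name="baseCtxDN" value="DC=example,DC=com"/>
            <module-option name="baseFilter" value="(sAMAccountName={0})"/>
            <module-option name="rolesCtxDN" value="DC=example,DC=com"/>
            <module-option name="roleFilter" value="(sAMAccountName={0})"/>
            <module-option name="roleAttributeID" value="memberOf"/>
            <module-option name="roleAttributeIsDN" value="true"/>
            <module-option name="roleNameAttributeID" value="cn"/>
            <module-option name="roleRecursion" value="-1"/>
            <module-option name="searchScope" value="SUBTREE_SCOPE"/>
            <module-option name="allowEmptyPasswords" value="false"/>
        </login-module>
    </authentication>
</security-domain>
```

The access split in the requirement is then an authorization question, not an authentication one: give the two populations different role names (here the constructed "member" from app-roles.properties and "employee" from the LDAP group cn) and reference those names in the application's ordinary security-constraint or @RolesAllowed declarations, so a user authenticated by one store never carries the other store's roles. Two things to check when using this order: a user name that exists in both stores is always answered by UsersRoles, since it runs first and "sufficient" stops there, so keep the two name spaces disjoint; and if neither module succeeds the login fails as a whole, which is the intended outcome.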
