- Type: Bug
- Resolution: Won't Do
- Priority: Blocker
- 1.1.0.Beta16
In the Elytron ldap-realm it is currently not possible to obtain the username from an LDAP attribute other than the rdn-identifier. This means the username of an identity is always the value of the rdn-identifier attribute.
This can cause problems when ldap-realm is used for authentication and a different realm is used for authorization, since the authorization realm's data may depend on the name assigned during authentication.
Example:
It seems that ldap-realm cannot be configured for the following scenario: a user with credentials someUser/Password is authenticated and the name AuthenticatedUser is assigned to them (e.g. when calling ./jboss-cli.sh -c -u=someUser -p=Password ':whoami', AuthenticatedUser should be printed). The following LDIF is used:
dn: ou=People,dc=jboss,dc=org
objectclass: top
objectclass: organizationalUnit
ou: People

dn: uid=someUser,ou=People,dc=jboss,dc=org
objectclass: top
objectclass: person
objectclass: inetOrgPerson
uid: someUser
cn: some User
sn: AuthenticatedUser
userPassword: Password
The LDIF above works correctly with the legacy security solution.
This missing feature may make migration from the legacy security solution impossible, so we request blocker priority.
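The mapping the report asks for, as an added illustration that is not Elytron's code: a minimal LDIF parser, a lookup of the entry whose rdn-identifier attribute matches the login name, a password check, and then the principal name taken from a configurable attribute (sn in the report's scenario) rather than from the rdn-identifier. The function and parameter names (parse_ldif, resolve_principal, principal_attribute) are this example's own; the case-insensitive match on the rdn attribute and the rule that the principal is always read back from the directory entry, never from the typed login string, are assumptions chosen to reflect the related ELY-865 point.

```python
"""Added example: principal name derived from an LDAP attribute.

Not code from WildFly Elytron; it models the behaviour the report requests.
Only the LDIF subset used below is parsed (no folded lines, no base64 values).
"""
import hmac

# Constructed sample: same content as the LDIF in the report.
SAMPLE_LDIF = """\
dn: ou=People,dc=jboss,dc=org
objectclass: top
objectclass: organizationalUnit
ou: People

dn: uid=someUser,ou=People,dc=jboss,dc=org
objectclass: top
objectclass: person
objectclass: inetOrgPerson
uid: someUser
cn: some User
sn: AuthenticatedUser
userPassword: Password
"""


class RealmError(Exception):
    """Raised when lookup, authentication or principal mapping fails."""


def parse_ldif(text):
    """Parse LDIF into a list of {"dn": str, "attrs": {name: [values]}}.

    Attribute names are lower-cased so lookups are case-insensitive,
    as LDAP attribute type names are.
    """
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:              # blank line ends the current entry
            current = None
            continue
        if line.startswith("#"):  # LDIF comment
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            current = {"dn": value, "attrs": {}}
            entries.append(current)
        elif current is not None:
            current["attrs"].setdefault(name, []).append(value)
    return entries


def resolve_principal(entries, login_name, password,
                      rdn_identifier="uid", principal_attribute=None):
    """Authenticate and return the principal name.

    rdn_identifier: attribute the login name is matched against (the
    report's rdn-identifier). principal_attribute: attribute whose single
    value becomes the principal; None reproduces the behaviour the report
    describes, where the principal is the rdn_identifier value.
    """
    wanted = login_name.lower()
    matches = [e for e in entries
               if wanted in (v.lower() for v in e["attrs"].get(rdn_identifier, []))]
    if len(matches) != 1:
        raise RealmError("expected exactly one entry for %r, found %d"
                         % (login_name, len(matches)))
    entry = matches[0]

    # Constant-time comparison against the stored clear-text userPassword.
    stored = entry["attrs"].get("userpassword", [])
    if not any(hmac.compare_digest(password.encode(), s.encode()) for s in stored):
        raise RealmError("invalid credentials for %r" % login_name)

    # The principal always comes from the directory entry, not from user input.
    attr = (principal_attribute or rdn_identifier).lower()
    values = entry["attrs"].get(attr, [])
    if len(values) != 1:
        raise RealmError("attribute %r must have exactly one value on %s (has %d)"
                         % (attr, entry["dn"], len(values)))
    return values[0]


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    print(resolve_principal(directory, "someUser", "Password"))                           # someUser
    print(resolve_principal(directory, "someUser", "Password", principal_attribute="sn"))  # AuthenticatedUser
```

With principal_attribute unset the result is the rdn-identifier value, which is what the report says ldap-realm does today; with principal_attribute="sn" the same login yields AuthenticatedUser, which is the scenario the reporter could not configure. Reading the name back from the entry also means that a login typed as SOMEUSER still maps to the canonical someUser stored in the directory.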
- clones: JBEAP-8030 Elytron ldap-realm is not able to use LDAP attribute as principal (Resolved)
- is related to: ELY-865 Principal name from realms should not be pure user input (Closed)