WildFly WFLY-7437

Inconsistencies in otp-credential-mapper attribute of Elytron ldap-realm


      The identity-mapping.otp-credential-mapper attribute of the Elytron ldap-realm is an OBJECT that should contain four required attributes: algorithm-from, hash-from, seed-from and sequence-from. All four are defined with nillable=false.

      However, the CLI accepts a command that adds otp-credential-mapper without any of those attributes, which is inconsistent with their nillable=false definition. See the following command:

      /subsystem=elytron/ldap-realm=ldap-realm:add(dir-context=ldap,identity-mapping={rdn-identifier=uid,otp-credential-mapper={}})
      

      Moreover, this command results in configuration XML without any otp-credential-mapper element at all:

      <ldap-realm name="ldap-realm" dir-context="ldap">
          <identity-mapping rdn-identifier="uid"/>
      </ldap-realm>
      

      When at least one of the required otp-credential-mapper attributes is supplied, the CLI command correctly fails:

      /subsystem=elytron/ldap-realm=ldap-realm:add(dir-context=ldap,identity-mapping={rdn-identifier=uid,otp-credential-mapper={algorithm-from=atr}})
      {
          "outcome" => "failed",
          "failure-description" => "WFLYCTL0155: hash-from may not be null",
          "rolled-back" => true
      }
      

      Suggestion:
      Do not allow identity-mapping.otp-credential-mapper to be added without its required attributes.
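Because the accepted command leaves no trace in the persisted XML, the practical check is an audit of the configuration itself. The script below is an added example, not code from this report or from WildFly: it reads an Elytron XML fragment and flags every ldap-realm whose otp-credential-mapper is absent or lacks one of the four required attributes. The sample XML is constructed from the report's output plus a complete realm with placeholder LDAP attribute names.

```python
# Added audit (not from the WFLY-7437 report or WildFly): find ldap-realms whose
# otp-credential-mapper is absent or lacks a required (nillable=false) attribute.
import xml.etree.ElementTree as ET

REQUIRED = ("algorithm-from", "hash-from", "seed-from", "sequence-from")


def local_name(tag):
    """Strip a namespace prefix such as '{urn:wildfly:elytron:1.2}' from a tag."""
    return tag.rsplit("}", 1)[-1]


def children_named(element, name):
    return [c for c in element if local_name(c.tag) == name]


def audit_ldap_realms(xml_text):
    """Return {realm-name: [findings]}; an empty list means the mapper is complete."""
    root = ET.fromstring(xml_text)
    findings = {}
    for realm in root.iter():
        if local_name(realm.tag) != "ldap-realm":
            continue
        problems = []
        mappings = children_named(realm, "identity-mapping")
        mappers = [m for im in mappings for m in children_named(im, "otp-credential-mapper")]
        if not mappings:
            problems.append("no identity-mapping")
        elif not mappers:
            # The outcome the report describes: the CLI accepted otp-credential-mapper={}
            # but persisted no element, so OTP credentials are silently not mapped.
            problems.append("otp-credential-mapper absent")
        for mapper in mappers:
            missing = [a for a in REQUIRED if not mapper.get(a)]
            if missing:
                problems.append("otp-credential-mapper missing: " + ", ".join(missing))
        findings[realm.get("name", "<unnamed>")] = problems
    return findings


# Constructed sample: the realm from the report (mapper dropped) and a complete one (placeholder names).
SAMPLE_XML = """<security-realms>
  <ldap-realm name="ldap-realm" dir-context="ldap">
      <identity-mapping rdn-identifier="uid"/>
  </ldap-realm>
  <ldap-realm name="otp-realm" dir-context="ldap">
      <identity-mapping rdn-identifier="uid">
          <otp-credential-mapper algorithm-from="otpAlgorithm" hash-from="otpHash"
                                 seed-from="otpSeed" sequence-from="otpSequence"/>
      </identity-mapping>
  </ldap-realm>
</security-realms>"""
```

Run it against the `<subsystem xmlns="urn:wildfly:elytron:...">` section of standalone.xml; namespaced tags are handled, and any realm reported as "absent" is one where the add command succeeded but the mapper was never written.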

              jkalina@redhat.com Jan Kalina (Inactive)
              olukas Ondrej Lukas (Inactive)