The WSO2 User Manager authenticates users from different types of user stores and currently has the capability to easily plug-in to LDAP, Active Directory and JDBC to perform authentication.
How to Configure an External LDAP User Store / Active Directory User Store Anchor LDABActive LDABActive
| LDABActive | |
| LDABActive |
All WSO2 Carbon based products can read and write users and roles from external LDAP user stores. You can configure Carbon products to access LDAP in one of the following modes.
Read-Only Mode Anchor Read-Only Mode Read-Only Mode
| Read-Only Mode | |
| Read-Only Mode |
All WSO2 Carbon based products can read users and roles from external LDAP/Active Directory user stores. You can configure Carbon products to read users/roles from your organization's Active Directory. Carbon company LDAP. The "Read Only" mode does not write any data into the Active DirectoryLDAP.
Following are the steps that differ from the steps described in section 6.1 above.
1. A sample user-mgt.xml configuration file for Active Directory is available here.
2. Note that LDAP is used going forward to refer to both LDAP and ActiveDirectory servers.
Step 1 : Backup <carbon-home>/repository/conf/user-mgt.xml.
- A sample file for LDAP user store is given below:
| Code Block | ||||
|---|---|---|---|---|
| ||||
<UserManager>
<Realm>
<Configuration>
<AdminRole>admin</AdminRole>
<AdminUser>
<UserName>admin</UserName>
<Password>XXXXXX</Password>
</AdminUser>
<EveryOneRoleName>everyone</EveryOneRoleName>
<!-- By default users in thsi role sees the registry root -->
<Property name="dataSource">jdbc/WSO2CarbonDB</Property>
<Property name="MultiTenantRealmConfigBuilder">org.wso2.carbon.user.core.config.multitenancy.SimpleRealmConfigBuilder</Property>
</Configuration>
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager">
<Property name="ConnectionURL">ldap://localhost:10389</Property>
<Property name="ConnectionName">uid=admin,ou=system</Property>
<Property name="ConnectionPassword">admin123</Property>
<Property name="UserSearchBase">ou=system</Property>
<Property name="UserNameListFilter">(objectClass=person)</Property>
<Property name="UserNameAttribute">uid</Property>
<Property name="ReadLDAPGroups">false</Property>
<Property name="GroupSearchBase">ou=system</Property>
<Property name="GroupNameSearchFilter">(objectClass=groupOfNames)</Property>
<Property name="GroupNameAttribute">cn</Property>
<Property name="MembershipAttribute">member</Property>
</UserStoreManager>
</Realm>
</UserManager> |
- A sample file for Active Directory is given below:
| Code Block | ||||
|---|---|---|---|---|
| ||||
<UserManager>
<Realm>
<Configuration>
<AdminRole>admin</AdminRole>
<AdminUser>
<UserName>admin</UserName>
<Password>XXXXXX</Password>
</AdminUser>
<EveryOneRoleName>everyone</EveryOneRoleName>
<!-- By default users in thsi role sees the registry root -->
<Property name="dataSource">jdbc/WSO2CarbonDB</Property>
<Property name="MultiTenantRealmConfigBuilder">org.wso2.carbon.user.core.config.multitenancy.SimpleRealmConfigBuilder</Property>
</Configuration>
<!-- Active directory configuration follows -->
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager">>
<Property name="ConnectionURL">ldap://10.100.1.211:389</Property>
<Property name="ConnectionName">cn=Administrator,cn=users,dc=wso2,dc=lk</Property>
<Property name="ConnectionPassword">admin123</Property>
<Property name="UserSearchBase">cn=users,dc=wso2,dc=lk</Property>
<Property name="UserNameListFilter">(objectClass=person)</Property>
<Property name="UserNameAttribute">sAMAccountName</Property>
<Property name="ReadLDAPGroups">true</Property>
<Property name="GroupSearchBase">cn=users,dc=wso2,dc=lk</Property>
<Property name="GroupNameSearchFilter">(objectcategory=group)</Property>
<Property name="GroupNameAttribute">cn</Property>
<Property name="MembershipAttribute">member</Property>
</UserStoreManager>
</Realm>
</UserManager> |
Copy the user-mgt-ldap.xml file and save it as <carbon-home>/repository/conf/user-mgt.xml. When you are configuring for ActiveDirectory, do the same to user-mgt-actdir.xml.
Note the following in your file.
| Code Block |
|---|
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager"> |
Step 2 : Find a valid user that resides in the Directory Server. For example, let's say a valid user name is "AdminSOA". " Update the Admin user section of your LDAP ldap configuration as follows.
...
| title | Note |
|---|
You don't have to update the password element
...
; leave it as it is.
| Code Block |
|---|
<AdminUser> <UserName>AdminSOA</UserName> <Password>XXXXXX</Password> </AdminUser> |
3. If you wish to connect to the user store in read-only mode, make sure the value of the <ReadOnly> element is set to true as follows:
| Code Block |
|---|
<ReadOnly>true</ReadOnly>
|
4. Step 3 : Update the connection details to suit your Directory Server.
| Code Block |
|---|
<Property name="ConnectionURL">ldap://localhost:10389</Property> |
5. Step 4: Obtain a user who has permission to read all users/attributes and to perform searches on the Directory Server from your LDAP administrator. For example, let's say your the privileged user is "AdminLDAP" and the password is "2010#Avrudu". " Update Now update the following sections of the realm configuration.
| Code Block |
|---|
<Property name="ConnectionName">uid=AdminLDAP,ou=system,dc=ABCompany,dc=lk<system</Property> <Property name="ConnectionPassword">2010#Avrudu <>2010#Avrudu</Property> |
6. Update the <Property name="UserNameAttributeUserSearchBase"> by giving the directory where the users are stored. LDAP searches for users will start from this location.
| Code Block |
|---|
<PropertyProperty name="UserNameAttributeUserSearchBase">sAMAccountName<>ou=system</Property> |
7. Step 5: Set the attribute that you wish to use be used as the username. The most common case is to use either "cn" or "uid" as the username. If you are not sure which what attribute is available in your LDAP, please ask check with your LDAP administrator.
| Code Block |
|---|
<Property name="UserNameAttribute">uid</Property> |
...
For Active Directory this is different.
| Code Block |
|---|
<Property name="UserNameAttribute">sAMAccountName</Property>
|
Step 6 : This is the most basic configuration. For more advanced options like "external roles", jump to step 7. Otherwise you are done! Now start your server and try to login as "AdminSOA". The password is the AdminSOA's password in the LDAP server.
If you are unable to login, contact the WSO2 carbon user group according to the contact details given under "community and support" section on the welcome page.
Step 7 : The realm can read roles from the Active Directory Server. It can read user/role mapping based on a backlink attribute or membership (user list) attribute.Following are the properties related to reading
- Step 7.1 : Reading roles based on a membership attribute. This is used by the ApacheDirectory server and OpenLDAP.
| Code Block |
|---|
<Property name="ReadLDAPGroups">false</Property>
<Property name="GroupSearchBase">ou=system</Property>
<Property name="GroupSearchFilter">(objectClass=groupOfNames)</Property>
<Property name="GroupNameAttribute">cn</Property>
<Property name="MembershipAttribute">member</Property>
|
- Step 7.2 : Reading roles based on a backlink attribute. This is used by the Active Directory.
| Code Block |
|---|
<Property name="ReadLDAPGroups">true</Property> <Property name="GroupSearchBase">cn=users,dc=wso2,dc=lk</Property> <Property name="GroupSearchFilter">(objectcategory=group)</Property> <Property name="GroupNameAttribute">cn</Property> <Property name="MemberOfAttribute">memberOf</Property> |
See detailed descriptions of each of the above-mentioned properties hereThe following table contains detail descriptions of each property.
Property Name | Description |
|---|---|
| MaxUserNameListLength | |
ConnectionURL | The connection URL to the database. |
ConnectionName | The user name used to connect to the database. |
ConnectionPassword | Password of the connection username. |
UserSearchBase | Search base of users. |
UserNameListFilter | The LDAP query that should be used to search users. |
UserNameAttribute | Users can be authenticated using their email address, uid and etc. |
ReadLDAPGroups | Indicates whether to read groups from the LDAP. |
GroupSearchBase | Search base for groups. |
| GroupNameListFilter | |
GroupSearchFilter | The LDAP query used to search for groups. |
GroupNameAttribute | The attribute to be treated as the group name. |
MembershipAttribute | Attribute that contains users. |
| UserRolesCacheEnabled | |
| ReplaceEscapeCharactersAtUserLogin |
Read/Write Mode Anchor Read/Write Users and Read-Only Groups Read/Write Users and Read-Only Groups
| Read/Write Users and Read-Only Groups | |
| Read/Write Users and Read-Only Groups |
If you wish to connect to external LDAP user store such that only the user entries are written to external LDAP and roles are not written to external LDAP, the only difference from the steps in section "Read-Only Mode" is in following:
| Code Block |
|---|
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager"> |
How to Configure an External JDBC User Store Anchor JDBC JDBC
| JDBC | |
| JDBC |
All Carbon based products can work with external RDBMSs. You can configure Carbon to read users/roles from your company RDBMS and even write to it. Therefore, the user core connected to two databases.
- Carbon database where authorization information is stored in the internal Carbon database.
- Your company database where users/roles resides.
So the user-mgt.xml file must contain details for two database connections. The connection details mentioned earlier is used by the Authorization manager. If we specify another set of database connection details inside UserStoreManager, it will read/write users to that database. Step by step guidelines for connecting to an external JDBC user store in read-only mode is given below.
Step 1 : Backup the <carbon-home>/repository/conf/user-mgt.xml file. A sample file for JDBC user store (user-mgt-jdbc.xml) is available in <carbon-home>/repository/conf directory . Download the relevant file and save it as <carbon-home>/repository/conf/user-mgt.xml. Note the following in your file.
| Code Block |
|---|
<UserStoreManager class="org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager">
|
Step 2 : Find a valid user that resides in the RDBMS. For example, say a valid username is "AdminSOA". Update the Admin user section of your ldap configuration as follows. You don't have to update the password element; leave it as it is.
| Code Block |
|---|
<AdminUser>
<UserName>AdminSOA</UserName>
<Password>XXXXXX</Password>
</AdminUser>
|
Step 3 : Add the JDBC driver to the classpath by dropping the jar to <carbon-home>/repository/components/lib.
Step 4 : Update the connection details inside the <UserStoreManager> class.
Step 5 : Edit the SQLs as you desire and start the server.
| Excerpt | ||
|---|---|---|
| ||
Instructions on how to configure an external Active Directory User StoreInformation on managing external user stores in WSO2 Carbon. |