Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

When you configure a product to read users/roles from your company LDAP in read-only mode, it does not write any data into the LDAP.

Info
titleBefore you begin
  • If you create the user-mgt.xml file yourself, be sure to save it in the <PRODUCT_HOME>/repository/conf directory.
  • The class attribute for a read-only LDAP is <UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager"> 

...

User management functionality is provided by default in all WSO2 Carbon-based products and is configured in the <PRODUCT_HOME>/repository/conf/user-mgt.xml file.

...

Given below is a sample for the LDAP user store. This configuration is found in the <PRODUCT_HOME>/repository/conf/user-mgt.xml file, however, you need to uncomment them and make the appropriate adjustments. Also ensure that you comment out the configurations for other user stores which you are not using. 

Code Block
languagehtml/xml
<UserManager>
 <Realm>
  ...
   <UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager"> 
            <Property name="TenantManager">org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager</Property> 
            <Property name="ReadOnly">true</Property> 
            <Property name="Disabled">false</Property> 
            <Property name="MaxUserNameListLength">100</Property> 
            <Property name="ConnectionURL">ldap://localhost:10389&lt;/Property> 
            <Property name="ConnectionName">uid=admin,ou=system</Property> 
            <Property name="ConnectionPassword">admin</Property> 
            <Property name="PasswordHashMethod">PLAIN_TEXT</Property> 
            <Property name="UserSearchBase">ou=system</Property> 
            <Property name="UserNameListFilter">(objectClass=person)</Property> 
            <Property name="UserNameSearchFilter">(&amp;(objectClass=person)(uid=?))</Property> 
            <Property name="UserNameAttribute">uid</Property> 
            <Property name="ReadGroups">true</Property> 
            <Property name="GroupSearchBase">ou=system</Property> 
            <Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property> 
            <Property name="GroupNameSearchFilter">(&amp;(objectClass=groupOfNames)(cn=?))</Property> 
            <Property name="GroupNameAttribute">cn</Property> 
            <Property name="SharedGroupNameAttribute">cn</Property> 
            <Property name="SharedGroupSearchBase">ou=SharedGroups,dc=wso2,dc=org</Property> 
            <Property name="SharedGroupNameListFilter">(objectClass=groupOfNames)</Property> 
            <Property name="SharedTenantNameListFilter">(objectClass=organizationalUnit)</Property> 
            <Property name="SharedTenantNameAttribute">ou</Property> 
            <Property name="SharedTenantObjectClass">organizationalUnit</Property> 
            <Property name="MembershipAttribute">member</Property> 
            <Property name="UserRolesCacheEnabled">true</Property> 
            <Property name="ReplaceEscapeCharactersAtUserLogin">true</Property> 
            <Property name="MaxRoleNameListLength">100</Property> 
            <Property name="MaxUserNameListLength">100</Property> 
            <Property name="SCIMEnabled">false</Property> 
        </UserStoreManager>
 </Realm>
</UserManager>

 

...

Update the connection details to match your user store. For example:

Code Block
languagehtml/xml
<Property name="ConnectionURL">ldap://localhost:10389</Property>

...

Obtain a user who has permission to read all users/attributes and perform searches on the user store from your LDAP/Active Directory administrator. For example, if the privileged user is "AdminLDAP" and the password is "2010#Avrudu", update the following sections of the realm configuration as follows:

Code Block
languagehtml/xml
<Property name="ConnectionName">uid=AdminLDAP,ou=system</Property>
<Property name="ConnectionPassword">2010#Avrudu</Property>

...

Update <Property name="UserSearchBase"> with the directory name where the users are stored. When LDAP searches for users, it will start from this location of the directory.

Code Block
languagehtml/xml
<Property name="UserSearchBase">ou=system</Property> 

...

Set the attribute to use as the username, typically either cn or uid for LDAP. Ideally, <Property name="UserNameAttribute"> and <Property name="UserNameSearchFilter"> should refer to the same attribute. If you are not sure what attribute is available in your user store, check with your LDAP/Active Directory administrator. 

For example:

Code Block
languagehtml/xml
<Property name="UserNameAttribute">uid</Property>

...

For the UserName, set the same username you set for the uid in the ConnectionName configuration in step 4 (you do not have to update the password element; leave it as it is).

Code Block
languagexml
<AdminUser>
	<UserName>AdminLDAP</UserName>
	<Password>XXXXXX</Password>
</AdminUser>

...

Optionally, configure the realm to read roles from the user store by reading the user/role mapping based on a membership (user list) or backlink attribute. The following code snippet represents reading roles based on a membership attribute. This is used by the ApacheDirectory server and OpenLDAP.

Code Block
languagehtml/xml
<Property name="ReadLDAPGroups">false</Property>
<Property name="GroupSearchBase">ou=system</Property>
<Property name="GroupSearchFilter">(objectClass=groupOfNames)</Property>
<Property name="GroupNameAttribute">cn</Property>
<Property name="MembershipAttribute">member</Property>

 

...

For the UserName element, set the same username you set for the uid in the connection name configuration in step 4. You do not have to update the password element; leave it as is.

Code Block
languagexml
<AdminUser>
	<UserName>AdminLDAP</UserName>
	<Password>XXXXXX</Password>
</AdminUser>

...

This file is shipped with user store manager configurations for all possible user store types (JDBC, read-only LDAP/Active Directory, read-write LDAP and read-write Active directory). The instructions given below explains how to configure a read-only LDAP or Active Directory as the primary user store for the WSO2 server.

Include Page
Shared:Configuring a Read-Only LDAP User Store (V3)
Shared:Configuring a Read-Only LDAP User Store (V3)

  • Configuring the System Administrator: This section provides information about the system administrator user.
  • Properties of User Stores: This section describes each of the properties used in the user-mgt.xml file for configuring the primary user store.