Versions Compared

Old Version 3

changes.mady.by.user Former user

Saved on

compared with

New Version 4

changes.mady.by.user Former user

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  1. Comment out the following user store which is enabled by default in the <PRODUCT_HOME>/repository/conf/user-mgt.xml file.
    <UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager"> 

  2. Given below is a sample for the LDAP user store. This configuration is found in the <PRODUCT_HOME>/repository/conf/user-mgt.xml file, however, you need to uncomment them and make the appropriate adjustments. Also ensure that you comment out the configurations for other user stores which you are not using. 

    Code Block
    languagehtml/xml
    <UserManager>
 <Realm>
  ...
   <UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager"> 
            <Property name="TenantManager">org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager</Property> 
            <Property name="ReadOnly">true</Property> 
            <Property name="Disabled">false</Property> 
            <Property name="MaxUserNameListLength">100</Property> 
            <Property name="ConnectionURL">ldap://localhost:10389&lt;/Property> 
            <Property name="ConnectionName">uid=admin,ou=system</Property> 
            <Property name="ConnectionPassword">admin</Property> 
            <Property name="PasswordHashMethod">PLAIN_TEXT</Property> 
            <Property name="UserSearchBase">ou=system</Property> 
            <Property name="UserNameListFilter">(objectClass=person)</Property> 
            <Property name="UserNameSearchFilter">(&amp;(objectClass=person)(uid=?))</Property> 
            <Property name="UserNameAttribute">uid</Property> 
            <Property name="ReadGroups">true</Property> 
            <Property name="GroupSearchBase">ou=system</Property> 
            <Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property> 
            <Property name="GroupNameSearchFilter">(&amp;(objectClass=groupOfNames)(cn=?))</Property> 
            <Property name="GroupNameAttribute">cn</Property> 
            <Property name="SharedGroupNameAttribute">cn</Property> 
            <Property name="SharedGroupSearchBase">ou=SharedGroups,dc=wso2,dc=org</Property> 
            <Property name="SharedGroupNameListFilter">(objectClass=groupOfNames)</Property> 
            <Property name="SharedTenantNameListFilter">(objectClass=organizationalUnit)</Property> 
            <Property name="SharedTenantNameAttribute">ou</Property> 
            <Property name="SharedTenantObjectClass">organizationalUnit</Property> 
            <Property name="MembershipAttribute">member</Property> 
            <Property name="UserRolesCacheEnabled">true</Property> 
            <Property name="ReplaceEscapeCharactersAtUserLogin">true</Property> 
            <Property name="MaxRoleNameListLength">100</Property> 
            <Property name="MaxUserNameListLength">100</Property> 
            <Property name="SCIMEnabled">false</Property> 
        </UserStoreManager>
 </Realm>
</UserManager>

     

  3. Update the connection details to match your user store. For example:

    Code Block
    languagehtml/xml
    <Property name="ConnectionURL">ldap://localhost:10389</Property>

  4. Obtain a user who has permission to read all users/attributes and perform searches on the user store from your LDAP/Active Directory administrator. For example, if the privileged user is "AdminLDAP" and the password is "2010#Avrudu", update the following sections of the realm configuration as follows:

    Code Block
    languagehtml/xml
    <Property name="ConnectionName">uid=AdminLDAP,ou=system</Property>
<Property name="ConnectionPassword">2010#Avrudu</Property>

  5. Update <Property name="UserSearchBase"> with the directory name where the users are stored. When LDAP searches for users, it will start from this location of the directory.

    Code Block
    languagehtml/xml
    <Property name="UserSearchBase">ou=system</Property>

  6. Set the attribute to use as the username, typically either cn or uid for LDAP. Ideally, <Property name="UserNameAttribute"> and <Property name="UserNameSearchFilter"> should refer to the same attribute. If you are not sure what attribute is available in your user store, check with your LDAP/Active Directory administrator. 

    For example:

    Code Block
    languagehtml/xml
    <Property name="UserNameAttribute">uid</Property>

  7. For the UserName, set the same username you set for the uid in the ConnectionName configuration in step 4 (you do not have to update the password element; leave it as it is).

    Code Block
    languagexml
    <AdminUser>
	<UserName>AdminLDAP</UserName>
	<Password>XXXXXX</Password>
</AdminUser>

  8. Optionally, configure the realm to read roles from the user store by reading the user/role mapping based on a membership (user list) or backlink attribute. The following code snippet represents reading roles based on a membership attribute. This is used by the ApacheDirectory server and OpenLDAP.

    Code Block
    languagehtml/xml
    <Property name="ReadLDAPGroups">false</Property>
<Property name="GroupSearchBase">ou=system</Property>
<Property name="GroupSearchFilter">(objectClass=groupOfNames)</Property>
<Property name="GroupNameAttribute">cn</Property>
<Property name="MembershipAttribute">member</Property>

     

  9. For the UserName element, set the same username you set for the uid in the connection name configuration in step 4. You do not have to update the password element; leave it as is.

    Code Block
    languagexml
    <AdminUser>
	<UserName>AdminLDAP</UserName>
	<Password>XXXXXX</Password>
</AdminUser>

  10. Start your server and try to log in as the admin user you specified. The password is the admin user's password in the LDAP server.