Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  1. Access the user-mgt.xml file found in the  <PRODUCT_HOME>/repository/conf/ directory.

    The following are samples for the LDAP user store and Active Directory:

    Localtabgroup
    Localtab
    activetrue
    titleLDAP User Store

    LDAP user store sample:

    Code Block
    languagehtml/xml
    <UserManager>
     <Realm>
       <Configuration>
          <AdminRole>admin</AdminRole>
          <AdminUser>
             <UserName>admin</UserName>
             <Password>XXXXXX</Password>
          </AdminUser>
          <EveryOneRoleName>everyone</EveryOneRoleName>
          <!-- By default users in this role sees the registry root -->
          <Property name="dataSource">jdbc/WSO2CarbonDB</Property>
          <Property name="MultiTenantRealmConfigBuilder">org.wso2.carbon.user.core.config.multitenancy.SimpleRealmConfigBuilder</Property>
       </Configuration>
     
       <UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager"> 
          <Property name="TenantManager">org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager</Property>
    	  <Property name="ConnectionURL">ldap://localhost:10389</Property>
          <Property name="ConnectionName">uid=admin,ou=system</Property>
          <Property name="ConnectionPassword">admin123</Property>
          <Property name="UserSearchBase">ou=system</Property>
          <Property name="UserNameListFilter">(objectClass=person)</Property>
          <Property name="UserNameAttribute">uid</Property>
          <Property name="ReadLDAPGroups">false</Property>
          <Property name="GroupSearchBase">ou=system</Property>
          <Property name="GroupNameSearchFilter">(objectClass=groupOfNames)</Property>
          <Property name="GroupNameAttribute">cn</Property>
          <Property name="MembershipAttribute">member</Property>
       </UserStoreManager>
     
     </Realm>
    </UserManager>
    Localtab
    titleActive Directory User Store

    Active directory user store sample:

    Code Block
    languagehtml/xml
    <UserManager>
      <Realm>
       <Configuration>
          <AdminRole>admin</AdminRole>
          <AdminUser>
             <UserName>admin</UserName>
             <Password>XXXXXX</Password>
          </AdminUser>
          <EveryOneRoleName>everyone</EveryOneRoleName>
          <!-- By default users in this role sees the registry root -->
          <Property name="dataSource">jdbc/WSO2CarbonDB</Property>
          <Property name="MultiTenantRealmConfigBuilder">org.wso2.carbon.user.core.config.multitenancy.SimpleRealmConfigBuilder</Property>
       </Configuration>
     
        <!-- Active directory configuration follows -->
        <UserStoreManager class="org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager">
                <Property name="TenantManager">org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager</Property>
                <Property name="defaultRealmName">WSO2.ORG</Property>
                <Property name="Disabled">false</Property>                                   
                <Property name="kdcEnabled">false</Property>
                <Property name="ConnectionURL">ldaps://10.100.1.100:636</Property> 
                <Property name="ConnectionName">CN=admin,CN=Users,DC=WSO2,DC=Com</Property>
                <Property name="ConnectionPassword">A1b2c3d4</Property>
    	    	<Property name="passwordHashMethod">PLAIN_TEXT</Property>
                <Property name="UserSearchBase">CN=Users,DC=WSO2,DC=Com</Property>
                <Property name="UserEntryObjectClass">user</Property>
                <Property name="UserNameAttribute">cn</Property>
                <Property name="isADLDSRole">false</Property>
    	    	<Property name="userAccountControl">512</Property>
                <Property name="UserNameListFilter">(objectClass=user)</Property>
    	    	<Property name="UserNameSearchFilter">(&amp;(objectClass=user)(cn=?))</Property>
                <Property name="UsernameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
                <Property name="UsernameJavaScriptRegEx">^[\S]{3,30}$</Property>
                <Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property>
    	    	<Property name="RolenameJavaScriptRegEx">^[\S]{3,30}$</Property>
                <Property name="RolenameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
    	    	<Property name="ReadGroups">true</Property>
    	    	<Property name="WriteGroups">false</Property>
    	    	<Property name="EmptyRolesAllowed">true</Property>
                <Property name="GroupSearchBase">CN=Users,DC=WSO2,DC=Com</Property>
    	    	<Property name="GroupEntryObjectClass">group</Property>
                <Property name="GroupNameAttribute">cn</Property>
                <Property name="SharedGroupNameAttribute">cn</Property>
                <Property name="SharedGroupSearchBase">ou=SharedGroups,dc=wso2,dc=org</Property>
                <Property name="SharedGroupEntryObjectClass">groups</Property>
                <Property name="SharedTenantNameListFilter">(object=organizationalUnit)</Property>
                <Property name="SharedTenantNameAttribute">ou</Property>
                <Property name="SharedTenantObjectClass">organizationalUnit</Property>
                <Property name="MembershipAttribute">member</Property>
                <Property name="GroupNameListFilter">(objectcategory=group)</Property>
    	    	<Property name="GroupNameSearchFilter">(&amp;(objectClass=group)(cn=?))</Property>
                <Property name="UserRolesCacheEnabled">true</Property>
                <Property name="Referral">follow</Property>
    	    	<Property name="BackLinksEnabled">true</Property>
                <Property name="MaxRoleNameListLength">100</Property>
                <Property name="MaxUserNameListLength">100</Property>
                <Property name="SCIMEnabled">false</Property>
    	</UserStoreManager>
     
      </Realm>
    </UserManager>

    Note that the following tags in your file indicate whether it is an Active Directory or LDAP:

    Panel

    Active Directory - <UserStoreManager class="org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager">

    LDAP - <UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager">

    Info

    If you wish to create this file yourself, ensure that the user-mgt.xml file you create is saved in <PRODUCT_HOME>/repository/conf/user-mgt.xml.

  2. Find a valid user that resides in the Directory Server. For example, if the valid username is "AdminSOA", update the Admin user section of your LDAP configuration as follows. You do not have to update the password element; leave it as it is.

    Code Block
    languagehtml/xml
    <AdminRole>wso2admin</AdminRole>
    <AdminUser>
       <UserName>AdminSOA</UserName>
       <Password>XXXXXX</Password>
    </AdminUser>
    Panel
    • <AdminRole>wso2admin</AdminRole> 
      This is the role that has all administrative privileges of the WSO2 product, i.e., all users having this role are admins of the WSO2 product. You can provide any meaningful name for this role and it is created in the internal H2 database when the product starts up.
       
    • <AdminUser> 
      Here we configure the default administrator for the WSO2 product. If the user store is read-only, then this role is added to the system as a special internal role where users are from an external user store.
       
    • <UserName> 
      This is the username of the default administrator. This user MUST exist in the external LDAP. If the user store is read-only, the admin user must exist in the user store for the process to work.
       
    • <Password>
      Do NOT put the password there. Just leave it empty or place some stars (*) there. If the user store is read-only, this element and its value are ignored.
  3. Update the connection details to suit your Directory Server. For example:

    Code Block
    languagehtml/xml
    <Property name="ConnectionURL">ldap://localhost:10389</Property>

     

  4. Obtain a user who has permission to read all users/attributes and perform searches on the Directory Server from your LDAP administrator. For example, if the privileged user is "AdminLDAP" and the password is "2010#Avrudu", update the following sections of the realm configuration as follows:

    Code Block
    languagehtml/xml
    <Property name="ConnectionName">uid=AdminLDAP,ou=system</Property>
    <Property name="ConnectionPassword">2010#Avrudu</Property>

    Also update the <Property name="UserSearchBase"> by providing the directory name where the users are stored. When LDAP searches for users, it will start from this location of the directory.

    Code Block
    languagehtml/xml
    <Property name="UserSearchBase">ou=system</Property> 

     

  5. Set the attribute that you wish to use as the username. The most common case is to use either cn or uid as the username. If you are not sure what attribute is available in your LDAP, check with your LDAP administrator. 

    Code Block
    languagehtml/xml
    <Property name="UserNameAttribute">uid</Property>

    For Active Directory this will differ as follows: 

    Code Block
    languagehtml/xml
    <Property name="UserNameAttribute">sAMAccountName</Property>
  6. The above steps address the most basic form of configuration. For more advanced options like "external roles", jump to step 7. Otherwise you are done. Start your server and try to log in as "AdminSOA". The password is the AdminSOA's password in the LDAP server. If you are unable to log in, contact WSO2 for support.
  7. The realm can read roles from the Directory Server. It can read user/role mapping based on a backlink attribute or membership (user list) attribute.

    • The following code snippet represents reading roles based on a membership attribute. This is used by the ApacheDirectory server and OpenLDAP.

      Code Block
      languagehtml/xml
      <Property name="ReadLDAPGroups">false</Property>
      <Property name="GroupSearchBase">ou=system</Property>
      <Property name="GroupSearchFilter">(objectClass=groupOfNames)</Property>
      <Property name="GroupNameAttribute">cn</Property>
      <Property name="MembershipAttribute">member</Property>
      
    • The following code snippet represents reading roles based on a backlink attribute. This is used by the Active Directory.

      Code Block
      languagehtml/xml
      <Property name="ReadLDAPGroups">true</Property>
      <Property name="GroupSearchBase">cn=users,dc=wso2,dc=lk</Property>
      <Property name="GroupSearchFilter">(objectcategory=group)</Property>
      <Property name="GroupNameAttribute">cn</Property>
      <Property name="MemberOfAttribute">memberOf</Property>
      

...