
  1. Open the user-mgt.xml file found in the <PRODUCT_HOME>/repository/conf/ directory.

    The following are samples for the LDAP user store and Active Directory:

    LDAP user store sample:

    <UserManager>
      <Realm>
        <Configuration>
          <AdminRole>admin</AdminRole>
          <AdminUser>
            <UserName>admin</UserName>
            <Password>XXXXXX</Password>
          </AdminUser>
          <EveryOneRoleName>everyone</EveryOneRoleName>
          <!-- By default, users in this role see the registry root -->
          <Property name="dataSource">jdbc/WSO2CarbonDB</Property>
          <Property name="MultiTenantRealmConfigBuilder">org.wso2.carbon.user.core.config.multitenancy.SimpleRealmConfigBuilder</Property>
        </Configuration>

        <UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager">
          <Property name="TenantManager">org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager</Property>
          <Property name="ConnectionURL">ldap://localhost:10389</Property>
          <Property name="ConnectionName">uid=admin,ou=system</Property>
          <Property name="ConnectionPassword">admin123</Property>
          <Property name="UserSearchBase">ou=system</Property>
          <Property name="UserNameListFilter">(objectClass=person)</Property>
          <Property name="UserNameAttribute">uid</Property>
          <Property name="ReadLDAPGroups">false</Property>
          <Property name="GroupSearchBase">ou=system</Property>
          <Property name="GroupNameSearchFilter">(objectClass=groupOfNames)</Property>
          <Property name="GroupNameAttribute">cn</Property>
          <Property name="MembershipAttribute">member</Property>
        </UserStoreManager>

      </Realm>
    </UserManager>
    Active Directory user store sample:

    <UserManager>
      <Realm>
        <Configuration>
          <AdminRole>admin</AdminRole>
          <AdminUser>
            <UserName>admin</UserName>
            <Password>XXXXXX</Password>
          </AdminUser>
          <EveryOneRoleName>everyone</EveryOneRoleName>
          <!-- By default, users in this role see the registry root -->
          <Property name="dataSource">jdbc/WSO2CarbonDB</Property>
          <Property name="MultiTenantRealmConfigBuilder">org.wso2.carbon.user.core.config.multitenancy.SimpleRealmConfigBuilder</Property>
        </Configuration>

        <!-- Active Directory configuration follows -->
        <UserStoreManager class="org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager">
          <Property name="TenantManager">org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager</Property>
          <Property name="defaultRealmName">WSO2.ORG</Property>
          <Property name="Disabled">false</Property>
          <Property name="kdcEnabled">false</Property>
          <Property name="ConnectionURL">ldaps://10.100.1.100:636</Property>
          <Property name="ConnectionName">CN=admin,CN=Users,DC=WSO2,DC=Com</Property>
          <Property name="ConnectionPassword">A1b2c3d4</Property>
          <Property name="passwordHashMethod">PLAIN_TEXT</Property>
          <Property name="UserSearchBase">CN=Users,DC=WSO2,DC=Com</Property>
          <Property name="UserEntryObjectClass">user</Property>
          <Property name="UserNameAttribute">cn</Property>
          <Property name="isADLDSRole">false</Property>
          <Property name="userAccountControl">512</Property>
          <Property name="UserNameListFilter">(objectClass=user)</Property>
          <Property name="UserNameSearchFilter">(&amp;(objectClass=user)(cn=?))</Property>
          <Property name="UsernameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
          <Property name="UsernameJavaScriptRegEx">^[\S]{3,30}$</Property>
          <Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property>
          <Property name="RolenameJavaScriptRegEx">^[\S]{3,30}$</Property>
          <Property name="RolenameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
          <Property name="ReadGroups">true</Property>
          <Property name="WriteGroups">false</Property>
          <Property name="EmptyRolesAllowed">true</Property>
          <Property name="GroupSearchBase">CN=Users,DC=WSO2,DC=Com</Property>
          <Property name="GroupEntryObjectClass">group</Property>
          <Property name="GroupNameAttribute">cn</Property>
          <Property name="SharedGroupNameAttribute">cn</Property>
          <Property name="SharedGroupSearchBase">ou=SharedGroups,dc=wso2,dc=org</Property>
          <Property name="SharedGroupEntryObjectClass">groups</Property>
          <Property name="SharedTenantNameListFilter">(object=organizationalUnit)</Property>
          <Property name="SharedTenantNameAttribute">ou</Property>
          <Property name="SharedTenantObjectClass">organizationalUnit</Property>
          <Property name="MembershipAttribute">member</Property>
          <Property name="GroupNameListFilter">(objectcategory=group)</Property>
          <Property name="GroupNameSearchFilter">(&amp;(objectClass=group)(cn=?))</Property>
          <Property name="UserRolesCacheEnabled">true</Property>
          <Property name="Referral">follow</Property>
          <Property name="BackLinksEnabled">true</Property>
          <Property name="MaxRoleNameListLength">100</Property>
          <Property name="MaxUserNameListLength">100</Property>
          <Property name="SCIMEnabled">false</Property>
        </UserStoreManager>

      </Realm>
    </UserManager>

    Note that the class attribute of the UserStoreManager element indicates whether the file is configured for Active Directory or for LDAP:

    Active Directory - <UserStoreManager class="org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager">

    LDAP - <UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager">

    If you wish to create this file yourself, ensure that the user-mgt.xml file you create is saved as <PRODUCT_HOME>/repository/conf/user-mgt.xml.

  2. Find a valid user that resides in the Directory Server. For example, if the valid username is "AdminSOA", update the Admin user section of your LDAP configuration as follows. You do not have to update the password element; leave it as it is.

    <AdminRole>wso2admin</AdminRole>
    <AdminUser>
       <UserName>AdminSOA</UserName>
       <Password>XXXXXX</Password>
    </AdminUser>

    • <AdminRole>wso2admin</AdminRole>
      This is the role that holds all administrative privileges of the WSO2 product, i.e., every user with this role is an administrator of the product. You can give this role any meaningful name; it is created in the internal H2 database when the product starts up.

    • <AdminUser>
      Here we configure the default administrator of the WSO2 product. If the user store is read-only, the admin role is added to the system as a special internal role, while the users who hold it come from the external user store.

    • <UserName>
      This is the username of the default administrator. This user MUST exist in the external LDAP. If the user store is read-only, the admin user must exist in the user store for the process to work.

    • <Password>
      Do NOT put the password here. Leave it empty or place some stars (*) in it. If the user store is read-only, this element and its value are ignored.
  3. Update the connection details to suit your Directory Server. For example:

    <Property name="ConnectionURL">ldap://localhost:10389</Property>

  4. Obtain from your LDAP administrator a user who has permission to read all users and attributes and to perform searches on the Directory Server. For example, if the privileged user is "AdminLDAP" and the password is "2010#Avrudu", update the following sections of the realm configuration as follows:

    <Property name="ConnectionName">uid=AdminLDAP,ou=system</Property>
    <Property name="ConnectionPassword">2010#Avrudu</Property>

    Also update the UserSearchBase property with the name of the directory entry under which the users are stored. LDAP user searches start from this location in the directory.

    <Property name="UserSearchBase">ou=system</Property>

  5. Set the attribute that you wish to use as the username. The most common choice is either cn or uid. If you are not sure which attribute is available in your LDAP, check with your LDAP administrator.

    <Property name="UserNameAttribute">uid</Property>

    For Active Directory this differs as follows:

    <Property name="UserNameAttribute">sAMAccountName</Property>
  6. The above steps cover the most basic form of configuration. For more advanced options such as "external roles", continue with step 7. Otherwise you are done: start your server and try to log in as "AdminSOA". The password is AdminSOA's password in the LDAP server.
  7. The realm can read roles from the Directory Server. It can read the user/role mapping based on either a backlink attribute or a membership (user list) attribute.

    • The following snippet reads roles based on a membership attribute. This is used by Apache Directory Server and OpenLDAP.

      <!-- ReadLDAPGroups must be true; when it is false, no groups are read from the directory -->
      <Property name="ReadLDAPGroups">true</Property>
      <Property name="GroupSearchBase">ou=system</Property>
      <Property name="GroupSearchFilter">(objectClass=groupOfNames)</Property>
      <Property name="GroupNameAttribute">cn</Property>
      <Property name="MembershipAttribute">member</Property>

    • The following snippet reads roles based on a backlink attribute. This is used by Active Directory.

      <Property name="ReadLDAPGroups">true</Property>
      <Property name="GroupSearchBase">cn=users,dc=wso2,dc=lk</Property>
      <Property name="GroupSearchFilter">(objectcategory=group)</Property>
      <Property name="GroupNameAttribute">cn</Property>
      <Property name="MemberOfAttribute">memberOf</Property>

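To make the two role-reading modes of step 7 concrete, here is an added Python example (not part of the original page or of the WSO2 code base) that models a small directory as a dict and resolves a user's roles once through the group-side MembershipAttribute and once through the user-side MemberOfAttribute. The directory entries, the property dicts and the single-equality filter parser are constructed for this illustration and cover only the filter shapes the snippets above use.

```python
import re

# Constructed directory snapshot (not from the original page), keyed by DN; attribute values are lists as in LDAP.
DIRECTORY = {
    "uid=AdminSOA,ou=system": {"objectClass": ["person"], "uid": ["AdminSOA"],
                               "memberOf": ["cn=wso2admin,ou=system", "cn=developers,ou=system"]},
    "uid=jdoe,ou=system": {"objectClass": ["person"], "uid": ["jdoe"],
                           "memberOf": ["cn=developers,ou=system"]},
    "cn=wso2admin,ou=system": {"objectClass": ["groupOfNames"], "cn": ["wso2admin"],
                               "member": ["uid=AdminSOA,ou=system"]},
    "cn=developers,ou=system": {"objectClass": ["groupOfNames"], "cn": ["developers"],
                                "member": ["uid=jdoe,ou=system", "uid=AdminSOA,ou=system"]},
}
# Property sets mirroring the two step 7 snippets (membership mode and backlink mode).
MEMBERSHIP_PROPS = {"GroupSearchBase": "ou=system", "GroupSearchFilter": "(objectClass=groupOfNames)",
                    "GroupNameAttribute": "cn", "MembershipAttribute": "member"}
BACKLINK_PROPS = {"GroupSearchBase": "ou=system", "GroupSearchFilter": "(objectClass=groupOfNames)",
                  "GroupNameAttribute": "cn", "MemberOfAttribute": "memberOf"}

def matches_filter(entry, ldap_filter):
    """Evaluate a single-equality filter such as (objectClass=groupOfNames); names and values compare case-insensitively as in LDAP."""
    attr, value = re.fullmatch(r"\((\w+)=([^)]+)\)", ldap_filter).groups()
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    return any(v.lower() == value.lower() for v in values)

def group_entries(directory, props):
    """Groups in scope: entries under GroupSearchBase that satisfy GroupSearchFilter."""
    return {dn: e for dn, e in directory.items()
            if dn.lower().endswith(props["GroupSearchBase"].lower()) and matches_filter(e, props["GroupSearchFilter"])}

def roles_by_membership(directory, user_dn, props):
    """Membership mode: scan the in-scope groups and keep those whose MembershipAttribute lists the user's DN."""
    return sorted(e[props["GroupNameAttribute"]][0] for e in group_entries(directory, props).values()
                  if user_dn in e.get(props["MembershipAttribute"], []))

def roles_by_backlink(directory, user_dn, props):
    """Backlink mode: read the user's MemberOfAttribute (maintained by the server) and resolve each in-scope group to its name."""
    groups = group_entries(directory, props)
    return sorted(groups[dn][props["GroupNameAttribute"]][0]
                  for dn in directory[user_dn].get(props["MemberOfAttribute"], []) if dn in groups)
```

Both modes yield the same roles only while the server keeps the backlink attribute in step with the group membership lists, which is why the backlink form is shown for Active Directory, where the server maintains memberOf itself.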
See the detailed description of each property to gain a more comprehensive understanding of the configuration details.
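As an added check covering steps 1 to 7 (this reviewer's Python, not code from the original page or from WSO2), the function below reads the Realm section of a user-mgt.xml document, identifies the store type from the UserStoreManager class, flags a ConnectionURL that is not ldaps://, reports missing connection properties, confirms the AdminUser password is only a placeholder, and checks that a group attribute is set when group reading is enabled. The SAMPLE document is constructed from the LDAP snippets above; requiring ldaps:// is this reviewer's assumption, not a WSO2 default.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

AD_CLASS = "org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager"
LDAP_CLASS = "org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager"
REQUIRED = ("ConnectionName", "ConnectionPassword", "UserSearchBase", "UserNameAttribute")

# Constructed input (not the page's full sample): the LDAP realm reduced to the elements checked below.
SAMPLE = """<UserManager><Realm>
 <Configuration>
  <AdminUser><UserName>AdminSOA</UserName><Password>XXXXXX</Password></AdminUser>
 </Configuration>
 <UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager">
  <Property name="ConnectionURL">ldap://localhost:10389</Property>
  <Property name="ConnectionName">uid=AdminLDAP,ou=system</Property>
  <Property name="ConnectionPassword">2010#Avrudu</Property>
  <Property name="UserSearchBase">ou=system</Property>
  <Property name="UserNameAttribute">uid</Property>
  <Property name="ReadLDAPGroups">true</Property>
  <Property name="GroupSearchBase">ou=system</Property>
 </UserStoreManager>
</Realm></UserManager>"""

def check_user_store(xml_text):
    """Return the findings a reviewer would raise about the Realm section of user-mgt.xml (empty list = clean)."""
    root = ET.fromstring(xml_text)
    usm = root.find("./Realm/UserStoreManager")
    if usm is None:
        return ["no Realm/UserStoreManager element found"]
    flavour = {AD_CLASS: "Active Directory", LDAP_CLASS: "LDAP"}.get(usm.get("class"))
    if flavour is None:
        return [f"unknown UserStoreManager class: {usm.get('class')}"]
    props = {p.get("name"): (p.text or "").strip() for p in usm.findall("Property")}
    findings = []
    url = urlparse(props.get("ConnectionURL", ""))
    if url.scheme != "ldaps":  # reviewer's assumption: bind credentials and searches should not cross the wire in clear text
        findings.append(f"{flavour}: ConnectionURL {url.geturl()!r} is not ldaps://")
    findings += [f"{flavour}: required property {name} is missing or empty" for name in REQUIRED if not props.get(name)]
    if not root.findtext("./Realm/Configuration/AdminUser/UserName", default="").strip():
        findings.append("AdminUser/UserName is empty; it must name a user that exists in the directory")
    # The Password element is ignored for a read-only store, so anything beyond a placeholder (empty, stars or Xs) is a needless secret.
    if root.findtext("./Realm/Configuration/AdminUser/Password", default="").strip("*X \n"):
        findings.append("AdminUser/Password holds a real value; leave it empty or as a placeholder")
    reads_groups = props.get("ReadLDAPGroups", props.get("ReadGroups", "false")).lower() == "true"
    if reads_groups and not (props.get("MembershipAttribute") or props.get("MemberOfAttribute")):
        findings.append(f"{flavour}: group reading is enabled but neither MembershipAttribute nor MemberOfAttribute is set")
    return findings
```

Run it as `check_user_store(open("user-mgt.xml").read())` against your own file; an empty list means none of the checks above fired.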
