Every WSO2 product comes with an embedded, internal user store, which is configured in <PRODUCT_HOME>/repository/conf/user-mgt.xml. In WSO2 Identity Server, the embedded user store is LDAP, and in other products it is JDBC. Because the domain name (unique identifier) of this default user store is set to PRIMARY by default, it is called the primary user store.
...
Comment out the following user store which is enabled by default. This is the user store which is uncommented by default in the
user-mgt.xmlfile.<UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager">Given below are samples for LDAP and Active Directory user stores in the
<PRODUCT_HOME>/repository/conf/user-mgt.xmlfile. Note that these configurations already exist in theuser-mgt.xmlfile so you only need to uncomment them and make the appropriate adjustments. Also ensure that you comment out the configurations for other user stores which you are not using.Localtabgroup Localtab active true title LDAP User Store LDAP user store sample:
Code Block language html/xml <UserManager> <Realm> ... <UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager"> <Property name="TenantManager">org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager</Property> <Property name="ReadOnly">true</Property> <Property name="Disabled">false</Property> <Property name="MaxUserNameListLength">100</Property> <Property name="ConnectionURL">ldap://localhost:10389</Property> <Property name="ConnectionName">uid=admin,ou=system</Property> <Property name="ConnectionPassword">admin</Property> <Property name="passwordHashMethod">PLAIN_TEXT</Property> <Property name="UserSearchBase">ou=system</Property> <Property name="UserNameListFilter">(objectClass=person)</Property> <Property name="UserNameSearchFilter">(&(objectClass=person)(uid=?))</Property> <Property name="UserNameAttribute">uid</Property> <Property name="ReadGroups">true</Property> <Property name="GroupSearchBase">ou=system</Property> <Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property> <Property name="GroupNameSearchFilter">(&(objectClass=groupOfNames)(cn=?))</Property> <Property name="GroupNameAttribute">cn</Property> <Property name="SharedGroupNameAttribute">cn</Property> <Property name="SharedGroupSearchBase">ou=SharedGroups,dc=wso2,dc=org</Property> <Property name="SharedGroupNameListFilter">(objectClass=groupOfNames)</Property> <Property name="SharedTenantNameListFilter">(objectClass=organizationalUnit)</Property> <Property name="SharedTenantNameAttribute">ou</Property> <Property name="SharedTenantObjectClass">organizationalUnit</Property> <Property name="MembershipAttribute">member</Property> <Property name="UserRolesCacheEnabled">true</Property> <Property name="ReplaceEscapeCharactersAtUserLogin">true</Property> <Property name="MaxRoleNameListLength">100</Property> <Property name="MaxUserNameListLength">100</Property> <Property name="SCIMEnabled">false</Property> </UserStoreManager> </Realm> </UserManager>Localtab title Active Directory User Store Active directory user store sample:
Code Block language html/xml <UserManager> <Realm> ... <!-- Active directory configuration follows --> <UserStoreManager class="org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager"> <Property name="TenantManager">org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager</Property> <Property name="defaultRealmName">WSO2.ORG</Property> <Property name="Disabled">false</Property> <Property name="kdcEnabled">false</Property> <Property name="ConnectionURL">ldaps://10.100.1.100:636</Property> <Property name="ConnectionName">CN=admin,CN=Users,DC=WSO2,DC=Com</Property> <Property name="ConnectionPassword">A1b2c3d4</Property> <Property name="passwordHashMethod">PLAIN_TEXT</Property> <Property name="UserSearchBase">CN=Users,DC=WSO2,DC=Com</Property> <Property name="UserEntryObjectClass">user</Property> <Property name="UserNameAttribute">cn</Property> <Property name="isADLDSRole">false</Property> <Property name="userAccountControl">512</Property> <Property name="UserNameListFilter">(objectClass=user)</Property> <Property name="UserNameSearchFilter">(&(objectClass=user)(cn=?))</Property> <Property name="UsernameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property> <Property name="UsernameJavaScriptRegEx">^[\S]{3,30}$</Property> <Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property> <Property name="RolenameJavaScriptRegEx">^[\S]{3,30}$</Property> <Property name="RolenameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property> <Property name="ReadGroups">true</Property> <Property name="WriteGroups">false</Property> <Property name="EmptyRolesAllowed">true</Property> <Property name="GroupSearchBase">CN=Users,DC=WSO2,DC=Com</Property> <Property name="GroupEntryObjectClass">group</Property> <Property name="GroupNameAttribute">cn</Property> <Property name="SharedGroupNameAttribute">cn</Property> <Property name="SharedGroupSearchBase">ou=SharedGroups,dc=wso2,dc=org</Property> <Property name="SharedGroupEntryObjectClass">groups</Property> <Property name="SharedTenantNameListFilter">(object=organizationalUnit)</Property> <Property name="SharedTenantNameAttribute">ou</Property> <Property name="SharedTenantObjectClass">organizationalUnit</Property> <Property name="MembershipAttribute">member</Property> <Property name="GroupNameListFilter">(objectcategory=group)</Property> <Property name="GroupNameSearchFilter">(&(objectClass=group)(cn=?))</Property> <Property name="UserRolesCacheEnabled">true</Property> <Property name="Referral">follow</Property> <Property name="BackLinksEnabled">true</Property> <Property name="MaxRoleNameListLength">100</Property> <Property name="MaxUserNameListLength">100</Property> <Property name="SCIMEnabled">false</Property> </UserStoreManager> </Realm> </UserManager>Info If you create the
user-mgt.xmlfile yourself, be sure to save it in the<PRODUCT_HOME>/repository/confdirectory. Creating this file from scratch requires you to copy the above configuration directly into the XML file along with other<Realm>configurations.The
classattribute of theUserStoreManagertag indicates whether it is an Active Directory or LDAP user store. Ensure that the correct configuration is uncommented.Active Directory:
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager">Read-only LDAP:
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager">
Update the connection details to match your user store. For example:
Code Block language html/xml <Property name="ConnectionURL">ldap://localhost:10389</Property>
Obtain a user who has permission to read all users/attributes and perform searches on the user store from your LDAP/Active Directory administrator. For example, if the privileged user is "AdminLDAP" and the password is "2010#Avrudu", update the following sections of the realm configuration as follows:
Code Block language html/xml <Property name="ConnectionName">uid=AdminLDAP,ou=system</Property> <Property name="ConnectionPassword">2010#Avrudu</Property>
Update
<Property name="UserSearchBase">with the directory name where the users are stored. When LDAP searches for users, it will start from this location of the directory.Code Block language html/xml <Property name="UserSearchBase">ou=system</Property>
Set the attribute to use as the username, typically eithereither
cnororuidfor LDAP. Ideally,<Property name="UserNameAttribute">and<Property name="UserNameSearchFilter">should refer to the same attribute. If you are not sure what attribute is available in your user store, check with your LDAP/Active Directory administrator.For example:
Localtabgroup Localtab active true title LDAP Code Block language html/xml Read-only LDAP:
<Property name="UserNameAttribute">uid</Property>
title Active Directory
Code Block language html/xml :
<Property name="UserNameAttribute">sAMAccountName</Property>
- Optionally, configure the realm to read roles from the user store by reading the user/role mapping based on a membership (user list) or backlink attribute, as follows:
The following code snippet represents reading roles based on a membership attribute. This is used by the
ApacheDirectoryserver andOpenLDAP.Code Block language html/xml <Property name="ReadLDAPGroups">false</Property> <Property name="GroupSearchBase">ou=system</Property> <Property name="GroupSearchFilter">(objectClass=groupOfNames)</Property> <Property name="GroupNameAttribute">cn</Property> <Property name="MembershipAttribute">member</Property>The following code snippet represents reading roles based on a backlink attribute. This is used by the Active Directory.
Code Block language html/xml <Property name="ReadLDAPGroups">true</Property> <Property name="GroupSearchBase">cn=users,dc=wso2,dc=lk</Property> <Property name="GroupSearchFilter">(objectcategory=group)</Property> <Property name="GroupNameAttribute">cn</Property> <Property name="MemberOfAttribute">memberOf</Property>
- See here for more detailed information on the properties available in
user-mgt.xml. Start your server and try to log in as the admin user you specified. The password is the admin user's password in the LDAP/Active Directory server.
...