Every WSO2 product comes with an embedded, internal user store, which is configured in <PRODUCT_HOME>/repository/conf/user-mgt.xml. In WSO2 Identity Server, the embedded user store is LDAP, and in other products it is JDBC. Because the domain name (unique identifier) of this default user store is set to PRIMARY by default, it is called the primary user store.

...

  1. Comment out the following user store, which is the one enabled (uncommented) by default in the user-mgt.xml file:
    <UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager"> 

  2. Given below are samples for LDAP and Active Directory user stores in the <PRODUCT_HOME>/repository/conf/user-mgt.xml file. These configurations already exist in the user-mgt.xml file, so you only need to uncomment the one you want and make the appropriate adjustments. Also ensure that the configurations for the user stores you are not using are commented out.


    LDAP user store sample:

    <UserManager>
     <Realm>
      ...
       <UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager"> 
                <Property name="TenantManager">org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager</Property> 
                <Property name="ReadOnly">true</Property> 
                <Property name="Disabled">false</Property> 
                <Property name="MaxUserNameListLength">100</Property> 
                <Property name="ConnectionURL">ldap://localhost:10389</Property> 
                <Property name="ConnectionName">uid=admin,ou=system</Property> 
                <Property name="ConnectionPassword">admin</Property> 
                <Property name="passwordHashMethod">PLAIN_TEXT</Property> 
                <Property name="UserSearchBase">ou=system</Property> 
                <Property name="UserNameListFilter">(objectClass=person)</Property> 
                <Property name="UserNameSearchFilter">(&amp;(objectClass=person)(uid=?))</Property> 
                <Property name="UserNameAttribute">uid</Property> 
                <Property name="ReadGroups">true</Property> 
                <Property name="GroupSearchBase">ou=system</Property> 
                <Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property> 
                <Property name="GroupNameSearchFilter">(&amp;(objectClass=groupOfNames)(cn=?))</Property> 
                <Property name="GroupNameAttribute">cn</Property> 
                <Property name="SharedGroupNameAttribute">cn</Property> 
                <Property name="SharedGroupSearchBase">ou=SharedGroups,dc=wso2,dc=org</Property> 
                <Property name="SharedGroupNameListFilter">(objectClass=groupOfNames)</Property> 
                <Property name="SharedTenantNameListFilter">(objectClass=organizationalUnit)</Property> 
                <Property name="SharedTenantNameAttribute">ou</Property> 
                <Property name="SharedTenantObjectClass">organizationalUnit</Property> 
                <Property name="MembershipAttribute">member</Property> 
                <Property name="UserRolesCacheEnabled">true</Property> 
                <Property name="ReplaceEscapeCharactersAtUserLogin">true</Property> 
                <Property name="MaxRoleNameListLength">100</Property> 
                <Property name="MaxUserNameListLength">100</Property> 
                <Property name="SCIMEnabled">false</Property> 
            </UserStoreManager>
     </Realm>
    </UserManager>

    Active directory user store sample:

    <UserManager>
      <Realm>
       ...
        <!-- Active directory configuration follows -->
        <UserStoreManager class="org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager">
                <Property name="TenantManager">org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager</Property>
                <Property name="defaultRealmName">WSO2.ORG</Property>
                <Property name="Disabled">false</Property>
                <Property name="kdcEnabled">false</Property>
                <Property name="ConnectionURL">ldaps://10.100.1.100:636</Property>
                <Property name="ConnectionName">CN=admin,CN=Users,DC=WSO2,DC=Com</Property>
                <Property name="ConnectionPassword">A1b2c3d4</Property>
                <Property name="passwordHashMethod">PLAIN_TEXT</Property>
                <Property name="UserSearchBase">CN=Users,DC=WSO2,DC=Com</Property>
                <Property name="UserEntryObjectClass">user</Property>
                <Property name="UserNameAttribute">cn</Property>
                <Property name="isADLDSRole">false</Property>
                <Property name="userAccountControl">512</Property>
                <Property name="UserNameListFilter">(objectClass=user)</Property>
                <Property name="UserNameSearchFilter">(&amp;(objectClass=user)(cn=?))</Property>
                <Property name="UsernameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
                <Property name="UsernameJavaScriptRegEx">^[\S]{3,30}$</Property>
                <Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property>
                <Property name="RolenameJavaScriptRegEx">^[\S]{3,30}$</Property>
                <Property name="RolenameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
                <Property name="ReadGroups">true</Property>
                <Property name="WriteGroups">false</Property>
                <Property name="EmptyRolesAllowed">true</Property>
                <Property name="GroupSearchBase">CN=Users,DC=WSO2,DC=Com</Property>
                <Property name="GroupEntryObjectClass">group</Property>
                <Property name="GroupNameAttribute">cn</Property>
                <Property name="SharedGroupNameAttribute">cn</Property>
                <Property name="SharedGroupSearchBase">ou=SharedGroups,dc=wso2,dc=org</Property>
                <Property name="SharedGroupEntryObjectClass">groups</Property>
                <Property name="SharedTenantNameListFilter">(objectClass=organizationalUnit)</Property>
                <Property name="SharedTenantNameAttribute">ou</Property>
                <Property name="SharedTenantObjectClass">organizationalUnit</Property>
                <Property name="MembershipAttribute">member</Property>
                <Property name="GroupNameListFilter">(objectcategory=group)</Property>
                <Property name="GroupNameSearchFilter">(&amp;(objectClass=group)(cn=?))</Property>
                <Property name="UserRolesCacheEnabled">true</Property>
                <Property name="Referral">follow</Property>
                <Property name="BackLinksEnabled">true</Property>
                <Property name="MaxRoleNameListLength">100</Property>
                <Property name="MaxUserNameListLength">100</Property>
                <Property name="SCIMEnabled">false</Property>
        </UserStoreManager>
      </Realm>
    </UserManager>
    Info: If you create the user-mgt.xml file yourself, be sure to save it in the <PRODUCT_HOME>/repository/conf directory. Creating this file from scratch requires you to copy the above configuration directly into the XML file along with other <Realm> configurations.

    Note: See Working with Properties of Primary User Stores for detailed information on the properties available in the user-mgt.xml file.

    1. The class attribute of the UserStoreManager tag indicates whether it is an Active Directory or LDAP user store. Ensure that the correct configuration is uncommented.

      • Active Directory: <UserStoreManager class="org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager">

      • Read-only LDAP: <UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager">

    2. Update the connection details to match your user store. For example:

      <Property name="ConnectionURL">ldap://localhost:10389</Property>

    3. Obtain a user who has permission to read all users/attributes and perform searches on the user store from your LDAP/Active Directory administrator. For example, if the privileged user is "AdminLDAP" and the password is "2010#Avrudu", update the following sections of the realm configuration as follows:

      <Property name="ConnectionName">uid=AdminLDAP,ou=system</Property>
      <Property name="ConnectionPassword">2010#Avrudu</Property>

    4. Update <Property name="UserSearchBase"> with the directory name where the users are stored. When LDAP searches for users, it will start from this location of the directory.

      <Property name="UserSearchBase">ou=system</Property>

    5. Set the attribute to use as the username, typically either cn or uid for LDAP. Ideally, <Property name="UserNameAttribute"> and <Property name="UserNameSearchFilter"> should refer to the same attribute. If you are not sure which attribute is available in your user store, check with your LDAP/Active Directory administrator.

      For example:

      • Read-only LDAP: <Property name="UserNameAttribute">uid</Property>

      • Active Directory: <Property name="UserNameAttribute">sAMAccountName</Property>

    6. Optionally, configure the realm to read roles from the user store by reading the user/role mapping based on a membership (user list) or backlink attribute, as follows:
      • The following code snippet represents reading roles based on a membership attribute. This is used by the ApacheDirectory server and OpenLDAP.

        <Property name="ReadLDAPGroups">false</Property>
        <Property name="GroupSearchBase">ou=system</Property>
        <Property name="GroupSearchFilter">(objectClass=groupOfNames)</Property>
        <Property name="GroupNameAttribute">cn</Property>
        <Property name="MembershipAttribute">member</Property>

      • The following code snippet represents reading roles based on a backlink attribute. This is used by the Active Directory.

        <Property name="ReadLDAPGroups">true</Property>
        <Property name="GroupSearchBase">cn=users,dc=wso2,dc=lk</Property>
        <Property name="GroupSearchFilter">(objectcategory=group)</Property>
        <Property name="GroupNameAttribute">cn</Property>
        <Property name="MemberOfAttribute">memberOf</Property>

  3. Start your server and try to log in as the admin user you specified. The password is the admin user's password in the LDAP/Active Directory server.
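As an added example (not WSO2's code or part of this documentation), the following Python script parses the <UserStoreManager> block that the steps above edit and flags what a reviewer would check before starting the server: a ConnectionURL without TLS, the sample bind credentials left in place (step 3), PLAIN_TEXT hashing on a store that is not read-only, a UserNameSearchFilter that does not search on the UserNameAttribute (step 5), and more than one uncommented user store (step 1). The sample XML is constructed from this page's LDAP block with a deliberate cn/uid mismatch, and the finding texts are my wording.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample based on this page's LDAP block, trimmed to the properties the
# audit inspects; the filter deliberately uses cn while UserNameAttribute is uid.
SAMPLE_USER_MGT = """<UserManager>
 <Realm>
  <UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager">
    <Property name="ReadOnly">false</Property>
    <Property name="ConnectionURL">ldap://localhost:10389</Property>
    <Property name="ConnectionName">uid=admin,ou=system</Property>
    <Property name="ConnectionPassword">admin</Property>
    <Property name="passwordHashMethod">PLAIN_TEXT</Property>
    <Property name="UserNameAttribute">uid</Property>
    <Property name="UserNameSearchFilter">(&amp;(objectClass=person)(cn=?))</Property>
  </UserStoreManager>
 </Realm>
</UserManager>"""

SEARCH_ATTR = re.compile(r"\((\w+)=\?\)")  # the "(attr=?)" clause WSO2 fills with the login name

def load_user_stores(xml_text):
    """Return [(class attribute, {property name: value})] for each UserStoreManager."""
    stores = []
    for usm in ET.fromstring(xml_text).iter("UserStoreManager"):
        props = {p.get("name"): (p.text or "").strip() for p in usm.findall("Property")}
        stores.append((usm.get("class", ""), props))
    return stores

def audit_user_store(props):
    """Return the findings for one store; an empty list means nothing was flagged."""
    findings = []
    if props.get("ConnectionURL", "").lower().startswith("ldap://"):
        findings.append("ConnectionURL: ldap:// without TLS, the simple bind sends ConnectionPassword in the clear; prefer ldaps://")
    if props.get("ConnectionName", "").lower() == "uid=admin,ou=system" or props.get("ConnectionPassword") == "admin":
        findings.append("ConnectionName/ConnectionPassword: sample directory-admin credentials left in place; use a dedicated read/search account (step 3)")
    if props.get("ReadOnly", "false").lower() != "true" and props.get("passwordHashMethod", "").upper() == "PLAIN_TEXT":
        findings.append("passwordHashMethod: PLAIN_TEXT on a writable store, passwords reach the directory without WSO2 hashing them")
    m = SEARCH_ATTR.search(props.get("UserNameSearchFilter", ""))
    if m and m.group(1).lower() != props.get("UserNameAttribute", "").lower():
        findings.append(f"UserNameSearchFilter matches on {m.group(1)} but UserNameAttribute is {props.get('UserNameAttribute')} (step 5)")
    return findings

def audit_realm(xml_text):
    """Audit every uncommented UserStoreManager; more than one active is itself a finding (step 1)."""
    stores = load_user_stores(xml_text)
    report = {cls: audit_user_store(props) for cls, props in stores}
    if len(stores) > 1:
        report["Realm"] = ["more than one UserStoreManager is uncommented; comment out the ones not in use"]
    return report
```

Run `audit_realm(open("user-mgt.xml").read())` against your own file after editing it; the XML must be well-formed, so a stray escaped closing tag such as `&lt;/Property>` will surface as a parse error before any finding is reported.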

...