...
| Info | ||
|---|---|---|
| ||
|
When you configure a product to read users/roles from your company LDAP in read-only mode, it does not write any data into the LDAP.
...
User management functionality is provided by default in all WSO2 Carbon-based products and is configured in the <PRODUCT_HOME>/repository/conf/user-mgt.xml file.
...
This file is shipped with user store manager configurations for all possible user store types (JDBC, read-only LDAP/Active Directory, read-write LDAP and read-write Active directory).
In order to configure a read-only LDAP user store you must first disable the existing embedded LDAP user store in the Identity Server. To do this, open the <PRODUCT_HOME>/repository/conf/
...
identity/embedded-
...
ldap.xml file
...
and make the
...
following change to the enable property.
| Code Block | |
|---|---|
|
...
|
...
<EmbeddedLDAP> |
...
|
...
<Property name="enable">false</Property> |
...
Update the connection details to match your user store. For example:
Code Block language html/xml <Property name="ConnectionURL">ldap://localhost:10389</Property>Obtain a user who has permission to read all users/attributes and perform searches on the user store from your LDAP/Active Directory administrator. For example, if the privileged user is "AdminLDAP" and the password is "2010#Avrudu", update the following sections of the realm configuration as follows:
Code Block language html/xml <Property name="ConnectionName">uid=AdminLDAP,ou=system</Property> <Property name="ConnectionPassword">2010#Avrudu</Property>Update
<Property name="UserSearchBase">with the directory name where the users are stored. When LDAP searches for users, it will start from this location of the directory.Code Block language html/xml <Property name="UserSearchBase">ou=system</Property>Set the attribute to use as the username, typically either cn or uid for LDAP. Ideally,
<Property name="UserNameAttribute">and<Property name="UserNameSearchFilter">should refer to the same attribute. If you are not sure what attribute is available in your user store, check with your LDAP/Active Directory administrator.For example:
Code Block language html/xml <Property name="UserNameAttribute">uid</Property>- Optionally, configure the realm to read roles from the user store by reading the user/role mapping based on a membership (user list) or backlink attribute, as follows:
The following code snippet represents reading roles based on a membership attribute. This is used by the
ApacheDirectoryserver andOpenLDAP.Code Block language html/xml <Property name="ReadLDAPGroups">false</Property> <Property name="GroupSearchBase">ou=system</Property> <Property name="GroupSearchFilter">(objectClass=groupOfNames)</Property> <Property name="GroupNameAttribute">cn</Property> <Property name="MembershipAttribute">member</Property>
...
.......................
</EmbeddedLDAP> |
The instructions given below explains how to configure a read-only LDAP or Active Directory as the primary user store for the WSO2 server.
| Include Page | ||||
|---|---|---|---|---|
|
| Info | ||
|---|---|---|
| ||
|
| Anchor | ||||
|---|---|---|---|---|
|
...