
...

  • Read Only mode
  • Read/Write users and Read only groups
  • Read/Write both users and groups

...


...


...

Read Only mode

Follow the instructions below to configure an external LDAP in read only mode.

1. Back up $GREG_HOME/repository/conf/user-mgt.xml. Download the sample file for the LDAP user store and save it as $GREG_HOME/repository/conf/user-mgt.xml. Make sure your file contains the following:

<UserStoreManager class="org.wso2.carbon.user.core.ldap.LDAPUserStoreManager">

...

Tip: You do not have to update the password element.

<AdminUser>
<UserName>AdminSOA</UserName>
<Password>XXXXXX</Password>
</AdminUser>

3. To connect the user store in read only mode, make sure the value of the <ReadOnly> element is set to true as follows.

<ReadOnly>true</ReadOnly>

4. Update the connection details to suit your Directory Server.

<Property name="ConnectionURL">ldap://localhost:10389</Property>

5. Obtain a user who has permission to read all users/attributes and to perform searches on the Directory Server from your LDAP administrator. For example, let's say your privileged user is AdminLDAP and password is 2010#Avrudu. Update the following sections of the realm configuration.

<Property name="ConnectionName">uid=AdminLDAP,ou=system,dc=ABCompany,dc=lk</Property>
<Property name="ConnectionPassword">2010#Avrudu</Property>

6. Update the <Property name="UserSearchBase"> by giving the directory where the users are stored. LDAP searches for users will start from this location.

<Property name="UserSearchBase">ou=system,dc=ABCompany,dc=lk</Property>

7. Set the attribute that you wish to use as the username. The most common choice is either cn or uid. If you are not sure which attribute is available in your LDAP, ask your LDAP administrator.

<Property name="UserNameAttribute">uid</Property>
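Steps 3 to 7 each change one property of the same UserStoreManager element, and two of the mistakes that are easiest to make there (a trailing space pasted into ConnectionPassword, a bind over plain ldap:// to a remote server) do not show up until the first login fails or a packet capture is taken. The script below is an added example, not part of the WSO2 documentation or code base: it parses a constructed user-mgt.xml fragment laid out as in the steps above and reports those problems before the server is started. The checks and the sample host name are this script's own assumptions.

```python
"""Sanity checks for the LDAPUserStoreManager block of user-mgt.xml.

Added example, not WSO2 code.  The element layout follows steps 1-7
above; the checks themselves are this script's own.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: the read-only store from steps 1-7 with two defects
# a reviewer should catch (plaintext ldap:// to a remote host and a
# trailing space in the bind password).  Host name is made up.
SAMPLE_USER_MGT = """<UserManager>
  <Realm>
    <UserStoreManager class="org.wso2.carbon.user.core.ldap.LDAPUserStoreManager">
      <Property name="ReadOnly">true</Property>
      <Property name="ConnectionURL">ldap://ldap.abcompany.example:389</Property>
      <Property name="ConnectionName">uid=AdminLDAP,ou=system,dc=ABCompany,dc=lk</Property>
      <Property name="ConnectionPassword">2010#Avrudu </Property>
      <Property name="UserSearchBase">ou=system,dc=ABCompany,dc=lk</Property>
      <Property name="UserNameAttribute">uid</Property>
    </UserStoreManager>
  </Realm>
</UserManager>
"""

REQUIRED = ("ConnectionURL", "ConnectionName", "ConnectionPassword",
            "UserSearchBase", "UserNameAttribute")


def load_properties(xml_text):
    """Return (class attribute, {property name: raw value}) of the first UserStoreManager."""
    root = ET.fromstring(xml_text)
    usm = root.find(".//UserStoreManager")
    if usm is None:
        raise ValueError("no <UserStoreManager> element found")
    props = {p.get("name"): (p.text or "") for p in usm.findall("Property")}
    return usm.get("class", ""), props


def check_ldap_store(xml_text, expect_read_only=True):
    """Return a list of findings in document order; an empty list means the block passes."""
    cls, props = load_properties(xml_text)
    findings = []
    if not cls.endswith("LDAPUserStoreManager"):
        findings.append(f"class is {cls!r}, expected an LDAPUserStoreManager")
    for name in REQUIRED:
        if not props.get(name, "").strip():
            findings.append(f"property {name} is missing or empty")
    # Step 3: a read-only deployment must have ReadOnly set to 'true'.
    ro = props.get("ReadOnly", "").strip().lower()
    if expect_read_only and ro != "true":
        findings.append(f"ReadOnly is {ro!r}, expected 'true' for read-only mode")
    # Step 4: the simple bind of step 5 sends the password to the server;
    # over plain ldap:// to another host it crosses the network unencrypted.
    url = urlsplit(props.get("ConnectionURL", "").strip())
    if url.scheme == "ldap" and url.hostname not in ("localhost", "127.0.0.1"):
        findings.append("ConnectionURL uses plaintext ldap:// to a remote host; prefer ldaps://")
    elif url.scheme not in ("ldap", "ldaps"):
        findings.append(f"ConnectionURL scheme {url.scheme!r} is not ldap or ldaps")
    # Step 5: whitespace around the password is invisible in the file and
    # makes every bind fail with 'invalid credentials'.
    pw = props.get("ConnectionPassword", "")
    if pw != pw.strip():
        findings.append("ConnectionPassword has leading/trailing whitespace")
    # Step 6: the search base must be a DN.
    base = props.get("UserSearchBase", "").strip()
    if base and "=" not in base:
        findings.append(f"UserSearchBase {base!r} does not look like a DN")
    return findings


if __name__ == "__main__":
    for line in check_ldap_store(SAMPLE_USER_MGT) or ["OK"]:
        print(line)
```

Run it against the real file with `check_ldap_store(open(path).read())`; pass `expect_read_only=False` for the read/write variants described later on this page, where ReadOnly is deliberately false.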

...

The ReadLDAPGroups property indicates whether to read groups from the external LDAP. If it is false, none of the properties following it needs to be set, and Carbon roles are written to and read from the internal JDBC database only. If it is true, Carbon roles are written to the internal JDBC database and read from both the internal JDBC database and the external LDAP user store.

<Property name="ReadLDAPGroups">false</Property>
<Property name="GroupSearchBase">ou=system</Property>
<Property name="GroupSearchFilter">(objectClass=groupOfNames)</Property>
<Property name="GroupNameAttribute">cn</Property>
<Property name="MembershipAttribute">member</Property>

...

To connect to an external LDAP user store such that only user entries are written to the external LDAP and roles are not, the only difference from the steps in the "Read Only mode" section is:

In step 3, set the ReadOnly property to false.

...

From this release onwards, you can configure Carbon products to read and write both users and roles in your company LDAP. The following steps differ from those in the "Read Only mode" section above:

9. The configuration has the following two additional properties beyond those mentioned in step 9 of section 6.1 above:

<Property name="WriteLDAPGroups">true</Property>
<Property name="EmptyRolesAllowed">false</Property>

...

The following steps differ from those in the "Read Only mode" section above.

Step 6: the UserNameAttribute for Active Directory is different.

<Property name="UserNameAttribute">sAMAccountName</Property>

...

Following are the properties related to reading roles based on a backlink attribute.

<Property name="ReadLDAPGroups">true</Property>
<Property name="GroupSearchBase">cn=users,dc=wso2,dc=lk</Property>
<Property name="GroupSearchFilter">(objectcategory=group)</Property>
<Property name="GroupNameAttribute">cn</Property>
<Property name="MemberOfAttribute">memberOf</Property>
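The two group property blocks on this page (the MembershipAttribute block in the read-only section and the MemberOfAttribute block just above) describe two different ways of finding a user's roles: a forward link, where the directory is searched for group entries that list the user, and a backlink, where the user's own entry carries the group DNs. The script below is an added example, not WSO2 code, that models what the properties are for: it builds the forward-link search from GroupSearchBase, GroupSearchFilter and MembershipAttribute, escaping the user DN as RFC 4515 requires so that a value containing parentheses or an asterisk cannot alter the filter, and it derives role names from a backlink attribute restricted to GroupSearchBase. The helper names, the sample directory entries and the assumption that the group's GroupNameAttribute value is the first RDN of its DN are this example's own.

```python
"""Turning the group properties into LDAP lookups, for both membership models.

Added example, not WSO2 code.  Models what the properties shown on this
page are for; helper names and sample entries are constructed.
"""

# RFC 4515 escaping for any value spliced into a search filter.  The
# backslash is escaped first so the other escapes are not doubled.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape a string for safe use as an assertion value inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def forward_link_search(props, user_dn):
    """Base DN and filter that find the groups whose MembershipAttribute lists user_dn."""
    flt = "(&%s(%s=%s))" % (props["GroupSearchFilter"],
                             props["MembershipAttribute"],
                             escape_filter_value(user_dn))
    return props["GroupSearchBase"], flt


def group_name_from_dn(group_dn, name_attribute):
    """Read the GroupNameAttribute value from a group DN (assumed to be its first RDN)."""
    first_rdn = group_dn.split(",", 1)[0]
    attr, _, value = first_rdn.partition("=")
    if attr.strip().lower() != name_attribute.lower():
        raise ValueError(f"first RDN of {group_dn!r} is not {name_attribute}")
    return value.strip()


def backlink_roles(props, user_entry):
    """Role names from the user's MemberOfAttribute values that lie under GroupSearchBase."""
    base = props["GroupSearchBase"].lower()
    names = []
    for group_dn in user_entry.get(props["MemberOfAttribute"], []):
        if group_dn.lower().endswith("," + base):
            names.append(group_name_from_dn(group_dn, props["GroupNameAttribute"]))
    return sorted(names)


# Constructed property sets matching the two blocks shown on this page.
OPENLDAP_PROPS = {
    "GroupSearchBase": "ou=system",
    "GroupSearchFilter": "(objectClass=groupOfNames)",
    "GroupNameAttribute": "cn",
    "MembershipAttribute": "member",
}
AD_PROPS = {
    "GroupSearchBase": "cn=users,dc=wso2,dc=lk",
    "GroupSearchFilter": "(objectcategory=group)",
    "GroupNameAttribute": "cn",
    "MemberOfAttribute": "memberOf",
}

# Constructed Active Directory user entry, shaped like a search result:
# attribute name -> list of values.
AD_USER_ENTRY = {
    "sAMAccountName": ["alice"],
    "memberOf": [
        "CN=Registry Admins,CN=Users,DC=wso2,DC=lk",
        "CN=Developers,CN=Users,DC=wso2,DC=lk",
        "CN=Printer Operators,CN=Builtin,DC=wso2,DC=lk",  # outside GroupSearchBase
    ],
}

if __name__ == "__main__":
    print(forward_link_search(OPENLDAP_PROPS, "uid=alice,ou=system,dc=ABCompany,dc=lk"))
    print(backlink_roles(AD_PROPS, AD_USER_ENTRY))
```

The forward-link form costs one search per user; the backlink form costs none, which is why the Active Directory block above reads memberOf from the user entry instead. In both cases the GroupSearchBase bounds which groups count as Carbon roles, so a group elsewhere in the tree (Printer Operators in the sample) is ignored.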

...

The connection details given in the Realm Configuration are used by the Authorization Manager. If you specify another set of database connection details inside the UserStoreManager element, users are read from and written to that database.

1. Back up $GREG_HOME/repository/conf/user-mgt.xml. Download the sample file for the JDBC user store and save it as $GREG_HOME/repository/conf/user-mgt.xml. Make sure your file contains the following:

<UserStoreManager class="org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager">

...

Tip: You do not have to update the password element.

<AdminUser>
<UserName>AdminSOA</UserName>
<Password>XXXXXX</Password>
</AdminUser>

3. Add the JDBC driver to the classpath by dropping its JAR into $GREG_HOME/repository/components/lib.

4. Update the connection details inside the <UserStoreManager> element.

5. Start the server.


Instructions on how to configure the external LDAP user store.