Page Comparison

The WSO2 User Manager authenticates users from different types of user stores and currently has the capability to easily plug-in to LDAP, Active Directory and XConfiguring External User Stores JDBC to perform authentication.

How to Configure an External LDAP User Store / Active Directory User Store

Anchor
LDABActive LDABActive

All WSO2 Carbon based products can read and write users and roles from external LDAP user stores. You can configure Carbon products to access LDAP in one of the following modes.

• XConfiguring External User StoresRead-Only Mode
• Read/Write Mode

Read-Only Mode

Anchor
Read-Only Mode Read-Only Mode

All WSO2 Carbon based products can read users and roles from external LDAP/Active Directory user stores. You can configure Carbon products to read users/roles from your company LDAP. The "Read Only" mode does not write any data into the LDAP.

...

<UserManager>
 <Realm>
   <Configuration>
      <AdminRole>admin</AdminRole>
      <AdminUser>
         <UserName>admin</UserName>
         <Password>XXXXXX</Password>
      </AdminUser>
      <EveryOneRoleName>everyone</EveryOneRoleName>
      <!-- By default users in thsi role sees the registry root -->
      <Property name="dataSource">jdbc/WSO2CarbonDB</Property>
      <Property name="MultiTenantRealmConfigBuilder">org.wso2.carbon.user.core.config.multitenancy.SimpleRealmConfigBuilder</Property>
   </Configuration>
 
   <UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager"> 
      <Property name="ConnectionURL">ldap://localhost:10389</Property>
      <Property name="ConnectionName">uid=admin,ou=system</Property>
      <Property name="ConnectionPassword">admin123</Property>
      <Property name="UserSearchBase">ou=system</Property>
      <Property name="UserNameListFilter">(objectClass=person)</Property>
      <Property name="UserNameAttribute">uid</Property>
      <Property name="ReadLDAPGroups">false</Property>
      <Property name="GroupSearchBase">ou=system</Property>
      <Property name="GroupNameSearchFilter">(objectClass=groupOfNames)</Property>
      <Property name="GroupNameAttribute">cn</Property>
      <Property name="MembershipAttribute">member</Property>
   </UserStoreManager> 
   <AuthorizationManager class="org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager">
      <Property name="AdminRoleManagementPermissions">/permission</Property>
      <Property name="AuthorizationCacheEnabled">true</Property>
   </AuthorizationManager>
 </Realm>
</UserManager>

...

• A sample file for Active Directory is given below:

<UserManager>
  <Realm>
   <Configuration>
      <AdminRole>admin</AdminRole>
      <AdminUser>
         <UserName>admin</UserName>
         <Password>XXXXXX</Password>
      </AdminUser>
      <EveryOneRoleName>everyone</EveryOneRoleName>
      <!-- By default users in thsi role sees the registry root -->
      <Property name="dataSource">jdbc/WSO2CarbonDB</Property>
      <Property name="MultiTenantRealmConfigBuilder">org.wso2.carbon.user.core.config.multitenancy.SimpleRealmConfigBuilder</Property>
   </Configuration>
 
    <!-- Active directory configuration follows -->
    <UserStoreManager class="org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager">>
       <Property name="ConnectionURL">ldap://10.100.1.211:389</Property>
       <Property name="ConnectionName">cn=Administrator,cn=users,dc=wso2,dc=lk</Property>
       <Property name="ConnectionPassword">admin123</Property>
       <Property name="UserSearchBase">cn=users,dc=wso2,dc=lk</Property>
       <Property name="UserNameListFilter">(objectClass=person)</Property>
       <Property name="UserNameAttribute">sAMAccountName</Property>
       <Property name="ReadLDAPGroups">true</Property>
       <Property name="GroupSearchBase">cn=users,dc=wso2,dc=lk</Property>
       <Property name="GroupNameSearchFilter">(objectcategory=group)</Property>
       <Property name="GroupNameAttribute">cn</Property>
       <Property name="MembershipAttribute">member</Property>
    </UserStoreManager> 
    <AuthorizationManager class="org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager">
       <Property name="AdminRoleManagementPermissions">/permission</Property>
       <Property name="AuthorizationCacheEnabled">true</Property>
    </AuthorizationManager>
  </Realm>
</UserManager>

Copy the user-mgt-ldap.xml file and save it as <carbon-home>/repository/conf/user-mgt.xml. When you are configuring for ActiveDirectory, do the same to user-mgt-actdir.xml.

...

Read/Write Mode

Anchor
Read/Write Users and Read-Only Groups Read/Write Users and Read-Only Groups

If you wish to connect to external LDAP user store such that only the user entries are written to external LDAP and roles are not written to external LDAP, the only difference from the steps in section "Read-Only Mode" is in following:

<UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager">

How to Configure an External JDBC User Store 

Anchor
JDBC JDBC

All Carbon based products can work with external RDBMSs. You can configure Carbon to read users/roles from your company RDBMS and even write to it. Therefore, the user core connected to two databases.

...

So the user-mgt.xml file must contain details for two database connections. The connection details mentioned earlier is used by the Authorization manager. If we specify another set of database connection details inside UserStoreManager, it will read/write users to that database. Step by step guidelines for connecting to an external JDBC user store in read-only mode is given below.

Step 1 : Backup Back-up the <carbon-home>/repository/conf/user-mgt.xml file. A sample file for JDBC user store (user-mgt-jdbc.xml) is available in <carbon-home>/repository/conf directory . Download the relevant file and save it as <carbon-home><IS_HOME>/repository/conf/user-mgt.xml. Note Uncomment the following section in your file if it is commented out.

<UserStoreManager class="org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager">

Step 2 : Find a valid user that resides in the RDBMS. For example, say a valid username is "AdminSOA". Update the Admin user section of your ldap configuration as follows. You don't have to update the password element; leave it as it is.

<AdminUser>
   <UserName>AdminSOA</UserName>
   <Password>XXXXXX</Password>
</AdminUser>

Step 3 : In user-mgt.xml file, add passwordHashMethod property within the JDBCUserStoreManager. For example,

<UserStoreManager class="org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager">
     <Property name="passwordHashMethod">SHA</Property>
     ...
</UserStoreManager>

The passwordHashMethod property specifies how the password should be stored, and usually has the values:

• SHA - Uses SHA digest method.
• MD5 - Uses MD 5 digest method.
• PLAIN_TEXT - Plain text passwords.
• In addition, it also supports all digest methods in http://docs.oracle.com/javase/6/docs/api/java/security/MessageDigest.html.

Step 4 : Update connection details inside <UserStoreManager> class.

Step 5 : In user-mgt.xml file, under realm configuration, set the value of MultiTenantRealmConfigBuilder property to org.wso2.carbon.user.core.config.multitenancy.SimpleRealmConfigBuilder. For example,

<Property name="MultiTenantRealmConfigBuilder">org.wso2.carbon.user.core.config.multitenancy.SimpleRealmConfigBuilder</Property>

Step 6 : Enable JDBCTenantManager in <IS_HOME>/repository/conf/tenant-mgt.xml file, and comment-out the config section for CommonHybridLDAPTenantManager.

Step 7 : Add the JDBC driver to the classpath by dropping the jar to <carbon-home>/repository/components/lib directory.

Step 48 : Update the connection details inside the <UserStoreManager> class.Step 5 : Edit the SQLs as you desire Edit the SQLs in user-mgt.xml file according to your requirements, and start the server.

...