When you configure a product to read users/roles from your company LDAP in read-only mode, it does not write any data into the LDAP.
Info | ||
---|---|---|
| ||
|
...
User management functionality is provided by default in all WSO2 Carbon-based products and is configured in the <PRODUCT_HOME>/repository/conf/user-mgt.xml
file.
...
Given below is a sample for the LDAP user store. This configuration is found in the <PRODUCT_HOME>
/repository/conf/user-mgt.xml
file, however, you need to uncomment them and make the appropriate adjustments. Also ensure that you comment out the configurations for other user stores which you are not using.
Code Block | ||
---|---|---|
| ||
<UserManager>
<Realm>
...
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager">
<Property name="TenantManager">org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager</Property>
<Property name="ReadOnly">true</Property>
<Property name="Disabled">false</Property>
<Property name="MaxUserNameListLength">100</Property>
<Property name="ConnectionURL">ldap://localhost:10389</Property>
<Property name="ConnectionName">uid=admin,ou=system</Property>
<Property name="ConnectionPassword">admin</Property>
<Property name="PasswordHashMethod">PLAIN_TEXT</Property>
<Property name="UserSearchBase">ou=system</Property>
<Property name="UserNameListFilter">(objectClass=person)</Property>
<Property name="UserNameSearchFilter">(&(objectClass=person)(uid=?))</Property>
<Property name="UserNameAttribute">uid</Property>
<Property name="ReadGroups">true</Property>
<Property name="GroupSearchBase">ou=system</Property>
<Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property>
<Property name="GroupNameSearchFilter">(&(objectClass=groupOfNames)(cn=?))</Property>
<Property name="GroupNameAttribute">cn</Property>
<Property name="SharedGroupNameAttribute">cn</Property>
<Property name="SharedGroupSearchBase">ou=SharedGroups,dc=wso2,dc=org</Property>
<Property name="SharedGroupNameListFilter">(objectClass=groupOfNames)</Property>
<Property name="SharedTenantNameListFilter">(objectClass=organizationalUnit)</Property>
<Property name="SharedTenantNameAttribute">ou</Property>
<Property name="SharedTenantObjectClass">organizationalUnit</Property>
<Property name="MembershipAttribute">member</Property>
<Property name="UserRolesCacheEnabled">true</Property>
<Property name="ReplaceEscapeCharactersAtUserLogin">true</Property>
<Property name="MaxRoleNameListLength">100</Property>
<Property name="MaxUserNameListLength">100</Property>
<Property name="SCIMEnabled">false</Property>
</UserStoreManager>
</Realm>
</UserManager> |
...
Update the connection details to match your user store. For example:
Code Block | ||
---|---|---|
| ||
<Property name="ConnectionURL">ldap://localhost:10389</Property> |
...
Obtain a user who has permission to read all users/attributes and perform searches on the user store from your LDAP/Active Directory administrator. For example, if the privileged user is "AdminLDAP" and the password is "2010#Avrudu", update the following sections of the realm configuration as follows:
Code Block | ||
---|---|---|
| ||
<Property name="ConnectionName">uid=AdminLDAP,ou=system</Property>
<Property name="ConnectionPassword">2010#Avrudu</Property> |
...
Update <Property name="UserSearchBase">
with the directory name where the users are stored. When LDAP searches for users, it will start from this location of the directory.
Code Block | ||
---|---|---|
| ||
<Property name="UserSearchBase">ou=system</Property> |
...
Set the attribute to use as the username, typically either cn or uid for LDAP. Ideally, <Property name="UserNameAttribute">
and <Property name="UserNameSearchFilter">
should refer to the same attribute. If you are not sure what attribute is available in your user store, check with your LDAP/Active Directory administrator.
For example:
Code Block | ||
---|---|---|
| ||
<Property name="UserNameAttribute">uid</Property> |
...
For the UserName
, set the same username you set for the uid in the ConnectionName
configuration in step 4 (you do not have to update the password element; leave it as it is).
Code Block | ||
---|---|---|
| ||
<AdminUser>
<UserName>AdminLDAP</UserName>
<Password>XXXXXX</Password>
</AdminUser> |
...
Optionally, configure the realm to read roles from the user store by reading the user/role mapping based on a membership (user list) or backlink attribute. The following code snippet represents reading roles based on a membership attribute. This is used by the ApacheDirectory
server and OpenLDAP
.
Code Block | ||
---|---|---|
| ||
<Property name="ReadLDAPGroups">false</Property>
<Property name="GroupSearchBase">ou=system</Property>
<Property name="GroupSearchFilter">(objectClass=groupOfNames)</Property>
<Property name="GroupNameAttribute">cn</Property>
<Property name="MembershipAttribute">member</Property> |
...
For the UserName
element, set the same username you set for the uid in the connection name configuration in step 4. You do not have to update the password element; leave it as is.
Code Block | ||
---|---|---|
| ||
<AdminUser>
<UserName>AdminLDAP</UserName>
<Password>XXXXXX</Password>
</AdminUser> |
...
This file is shipped with user store manager configurations for all possible user store types (JDBC, read-only LDAP/Active Directory, read-write LDAP and read-write Active directory). The instructions given below explains how to configure a read-only LDAP or Active Directory as the primary user store for the WSO2 server.
Include Page | ||||
---|---|---|---|---|
|
Panel | ||
---|---|---|
| ||
The following topics provide more information on configuring a read-only LDAP user store.
|