This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 2 Next »

When you configure a product to read users/roles from your company LDAP in read-only mode, it does not write any data into the LDAP.

Before you begin

  • If you create the user-mgt.xml file yourself, be sure to save it in the <PRODUCT_HOME>/repository/conf directory.
  • The class attribute for a read-only LDAP is <UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager"> 

  1. Comment out the following user store which is enabled by default in the <PRODUCT_HOME>/repository/conf/user-mgt.xml file.
    <UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager"> 

  2. Given below is a sample for the LDAP user store. This configuration is found in the <PRODUCT_HOME>/repository/conf/user-mgt.xml file, however, you need to uncomment them and make the appropriate adjustments. Also ensure that you comment out the configurations for other user stores which you are not using. 

    <UserManager>
 <Realm>
  ...
   <UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager"> 
            <Property name="TenantManager">org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager</Property> 
            <Property name="ReadOnly">true</Property> 
            <Property name="Disabled">false</Property> 
            <Property name="MaxUserNameListLength">100</Property> 
            <Property name="ConnectionURL">ldap://localhost:10389&lt;/Property> 
            <Property name="ConnectionName">uid=admin,ou=system</Property> 
            <Property name="ConnectionPassword">admin</Property> 
            <Property name="passwordHashMethod">PLAIN_TEXT</Property> 
            <Property name="UserSearchBase">ou=system</Property> 
            <Property name="UserNameListFilter">(objectClass=person)</Property> 
            <Property name="UserNameSearchFilter">(&amp;(objectClass=person)(uid=?))</Property> 
            <Property name="UserNameAttribute">uid</Property> 
            <Property name="ReadGroups">true</Property> 
            <Property name="GroupSearchBase">ou=system</Property> 
            <Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property> 
            <Property name="GroupNameSearchFilter">(&amp;(objectClass=groupOfNames)(cn=?))</Property> 
            <Property name="GroupNameAttribute">cn</Property> 
            <Property name="SharedGroupNameAttribute">cn</Property> 
            <Property name="SharedGroupSearchBase">ou=SharedGroups,dc=wso2,dc=org</Property> 
            <Property name="SharedGroupNameListFilter">(objectClass=groupOfNames)</Property> 
            <Property name="SharedTenantNameListFilter">(objectClass=organizationalUnit)</Property> 
            <Property name="SharedTenantNameAttribute">ou</Property> 
            <Property name="SharedTenantObjectClass">organizationalUnit</Property> 
            <Property name="MembershipAttribute">member</Property> 
            <Property name="UserRolesCacheEnabled">true</Property> 
            <Property name="ReplaceEscapeCharactersAtUserLogin">true</Property> 
            <Property name="MaxRoleNameListLength">100</Property> 
            <Property name="MaxUserNameListLength">100</Property> 
            <Property name="SCIMEnabled">false</Property> 
        </UserStoreManager>
 </Realm>
</UserManager>

     

  3. Update the connection details to match your user store. For example:

    <Property name="ConnectionURL">ldap://localhost:10389</Property>

  4. Obtain a user who has permission to read all users/attributes and perform searches on the user store from your LDAP/Active Directory administrator. For example, if the privileged user is "AdminLDAP" and the password is "2010#Avrudu", update the following sections of the realm configuration as follows:

    <Property name="ConnectionName">uid=AdminLDAP,ou=system</Property>
<Property name="ConnectionPassword">2010#Avrudu</Property>

  5. Update <Property name="UserSearchBase"> with the directory name where the users are stored. When LDAP searches for users, it will start from this location of the directory.

    <Property name="UserSearchBase">ou=system</Property>

  6. Set the attribute to use as the username, typically either cn or uid for LDAP. Ideally, <Property name="UserNameAttribute"> and <Property name="UserNameSearchFilter"> should refer to the same attribute. If you are not sure what attribute is available in your user store, check with your LDAP/Active Directory administrator. 

    For example:

    <Property name="UserNameAttribute">uid</Property>

  7. Optionally, configure the realm to read roles from the user store by reading the user/role mapping based on a membership (user list) or backlink attribute. The following code snippet represents reading roles based on a membership attribute. This is used by the ApacheDirectory server and OpenLDAP.

    <Property name="ReadLDAPGroups">false</Property>
<Property name="GroupSearchBase">ou=system</Property>
<Property name="GroupSearchFilter">(objectClass=groupOfNames)</Property>
<Property name="GroupNameAttribute">cn</Property>
<Property name="MembershipAttribute">member</Property>

     

  8. For the UserName element, set the same username you set for the uid in the connection name configuration in step 4. You do not have to update the password element; leave it as is.

    <AdminUser>
	<UserName>AdminLDAP</UserName>
	<Password>XXXXXX</Password>
</AdminUser>

  9. Start your server and try to log in as the admin user you specified. The password is the admin user's password in the LDAP server.

  • No labels