This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.
Configuring an External Active Directory User Store
All WSO2 Carbon-based products can read users and roles from external Active Directory user stores. You can configure Carbon products to read users/roles from your organization's Active Directory. Carbon does not write any data into the Active Directory.
Following are the steps that differ from the steps described in section 6.1 above.
1. A sample user-mgt.xml configuration file for Active Directory is as follows:

<UserStoreManager class="org.wso2.carbon.user.core.ldap.LDAPUserStoreManager">
    <Property name="ReadOnly">true</Property>
    <Property name="MaxUserNameListLength">100</Property>
    <Property name="ConnectionURL">ldap://10.100.1.211:389</Property>
    <Property name="ConnectionName">cn=Administrator,cn=users,dc=wso2,dc=lk</Property>
    <Property name="ConnectionPassword">admin123</Property>
    <Property name="UserSearchBase">cn=users,dc=wso2,dc=lk</Property>
    <Property name="UserNameListFilter">(objectClass=person)</Property>
    <Property name="UserNameAttribute">sAMAccountName</Property>
    <Property name="ReadLDAPGroups">true</Property>
    <Property name="GroupSearchBase">cn=users,dc=wso2,dc=lk</Property>
    <Property name="GroupNameListFilter">(objectcategory=group)</Property>
    <Property name="GroupNameAttribute">cn</Property>
    <Property name="MemberOfAttribute">memberOf</Property>
    <Property name="Referral">follow</Property>
    <Property name="UserRolesCacheEnabled">true</Property>
    <Property name="BackLinksEnabled">true</Property>
</UserStoreManager>
2. Find a valid user that resides in the Directory Server. For example, let's say a valid user name is "AdminSOA." Update the Admin user section of your LDAP configuration as follows.
You do not have to update the password element. Just leave it as it is.
<AdminUser>
    <UserName>AdminSOA</UserName>
    <Password>XXXXXX</Password>
</AdminUser>
3. If you wish to connect to the user store in read-only mode, make sure the value of the <ReadOnly> element is set to true as follows:
<ReadOnly>true</ReadOnly>
4. Update the connection details to suit your Directory Server.
<Property name="ConnectionURL">ldap://localhost:10389</Property>
5. Obtain a user who has permission to read all users/attributes and to perform searches on the Directory Server from your LDAP administrator. For example, let's say your privileged user is "AdminLDAP" and the password is "2010#Avrudu." Update the following sections of the realm configuration.
<Property name="ConnectionName">uid=AdminLDAP,ou=system,dc=ABCompany,dc=lk</Property>
<Property name="ConnectionPassword">2010#Avrudu</Property>
6. Update the <Property name="UserNameAttribute"> by giving the directory where the users are stored. LDAP searches for users will start from this location.
<Property name="UserNameAttribute">sAMAccountName</Property>
7. Set the attribute that you wish to use as the username. The most common case is to use either "cn" or "uid" as the username. If you are not sure which attribute is available in your LDAP, please ask your LDAP administrator.
<Property name="UserNameAttribute">uid</Property>
8. The realm can read roles from the Active Directory. It can read user/role mapping based on a backlink attribute.
Following are the properties related to reading roles based on a backlink attribute.
<Property name="ReadLDAPGroups">true</Property>
<Property name="GroupSearchBase">cn=users,dc=wso2,dc=lk</Property>
<Property name="GroupSearchFilter">(objectcategory=group)</Property>
<Property name="GroupNameAttribute">cn</Property>
<Property name="MemberOfAttribute">memberOf</Property>
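The steps above are usually applied by hand, so a small pre-deployment check of the resulting <UserStoreManager> block is useful. The following is an added example (not WSO2's own tooling) that parses the property names used on this page and flags a plain ldap:// connection, a non-read-only store, stray whitespace inside ConnectionPassword, and missing search bases; the sample XML embedded in it is constructed from the page's configuration.

```python
"""Lint the <UserStoreManager> block of a WSO2 user-mgt.xml for Active Directory / LDAP
connection-security and consistency problems before the file is deployed."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample mirroring the page's Active Directory configuration (not a real host).
SAMPLE_USER_MGT = """
<UserStoreManager class="org.wso2.carbon.user.core.ldap.LDAPUserStoreManager">
  <Property name="ReadOnly">true</Property>
  <Property name="ConnectionURL">ldap://10.100.1.211:389</Property>
  <Property name="ConnectionName">cn=Administrator,cn=users,dc=wso2,dc=lk</Property>
  <Property name="ConnectionPassword">admin123 </Property>
  <Property name="UserSearchBase">cn=users,dc=wso2,dc=lk</Property>
  <Property name="UserNameAttribute">sAMAccountName</Property>
  <Property name="ReadLDAPGroups">true</Property>
  <Property name="GroupSearchBase">cn=users,dc=wso2,dc=lk</Property>
  <Property name="Referral">follow</Property>
</UserStoreManager>
"""

def load_properties(xml_text: str) -> dict:
    """Map each <Property name="..."> to its raw text (whitespace kept so it can be checked)."""
    root = ET.fromstring(xml_text)
    return {p.get("name"): (p.text or "") for p in root.iter("Property")}

def lint_user_store(props: dict) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    get = lambda name: (props.get(name) or "").strip()
    findings = []
    if urlparse(get("ConnectionURL")).scheme == "ldap":
        findings.append("ConnectionURL uses plain ldap://: unless StartTLS is negotiated, the bind "
                        "DN and ConnectionPassword cross the network in cleartext; prefer ldaps://")
    if get("ReadOnly").lower() != "true":
        findings.append("ReadOnly is not true: the product would be able to write to the directory")
    raw_pw = props.get("ConnectionPassword") or ""
    if raw_pw != raw_pw.strip():
        findings.append("ConnectionPassword has leading/trailing whitespace; the bind will fail "
                        "or use an unintended password")
    if get("Referral").lower() == "follow":
        findings.append("Referral=follow: the client will chase referrals to whatever host the "
                        "directory names; confirm this is intended")
    for required in ("UserSearchBase", "UserNameAttribute"):
        if not get(required):
            findings.append(f"{required} is missing or empty")
    if get("ReadLDAPGroups").lower() == "true" and not get("GroupSearchBase"):
        findings.append("ReadLDAPGroups=true but GroupSearchBase is empty")
    return findings
```

Run it against the real user-mgt.xml by reading the file and passing its <UserStoreManager> element text to load_properties.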
See detailed descriptions of each of the above-mentioned properties here.