This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Configuring an External LDAP User Store

All WSO2 Carbon-based products can read and write users and roles from external LDAP user stores. You can configure Carbon products for your organization's LDAP with one of the following modes:

  • Read-Only mode
  • Read/Write users and Read-Only groups
  • Read/Write both users and groups


Read-Only mode

The following steps describe how to configure an external LDAP in read-only mode.

1. Back up IS_HOME/repository/conf/user-mgt.xml. A sample file for the LDAP user store is available here. Download the relevant file and save it as IS_HOME/repository/conf/user-mgt.xml. Observe the following attributes in your file:

<UserStoreManager class="org.wso2.carbon.user.core.ldap.LDAPUserStoreManager">

2. Find a valid user residing in the Directory Server. For example, let's say a valid user name is "AdminSOA." Update the Admin user section of your LDAP configuration as follows.

Note

You don't have to update the password element. Just leave it as it is.

<AdminUser>
    <UserName>AdminSOA</UserName>
    <Password>XXXXXX</Password>
</AdminUser>

3. If you wish to connect to the user store in read-only mode, make sure the value of the <ReadOnly> element is set to true as follows:

<ReadOnly>true</ReadOnly>

4. Update the connection details to suit your Directory Server.

<Property name="ConnectionURL">ldap://localhost:10389</Property>

5. Obtain from your LDAP administrator a user that has permission to read all users and attributes and to perform searches on the Directory Server. For example, let's say your privileged user is "AdminLDAP" and the password is "2010#Avrudu". Update the following sections of the realm configuration.

<Property name="ConnectionName">uid=AdminLDAP,ou=system,dc=ABCompany,dc=lk</Property>

<Property name="ConnectionPassword">2010#Avrudu</Property>

6. Update <Property name="UserSearchBase"> by specifying the directory where the users are stored. LDAP searches for users will start from this location.

<Property name="UserSearchBase">ou=system,dc=ABCompany,dc=lk</Property>

7. Set the attribute that you wish to use as the username. The most common case is to use either "cn" or "uid" as the username. If you are not sure which attribute is available in your LDAP, please ask your LDAP administrator.

<Property name="UserNameAttribute">uid</Property>

8. This is the most basic configuration. For more advanced options such as "external roles," please jump to the next step. Otherwise, you are done; you can start your server and try to log in as "AdminSOA." The password is the AdminSOA's password in the LDAP server. If you are unable to log in, please send an email to the Carbon user group.

9. The realm can read roles from the Directory Server. It can read user/role mappings based on membership attributes in Apache Directory Server and OpenLDAP. The following properties in user-mgt.xml relate to LDAP groups.

The ReadLDAPGroups property indicates whether to read groups from the external LDAP. If this value is false, then none of the attributes following it need to be set and Carbon roles will be written and read from the internal JDBC database only. If it is true, then Carbon roles will be written to the internal JDBC database and will be read from both the internal JDBC database and the external LDAP user store.

<Property name="ReadLDAPGroups">false</Property>
<Property name="GroupSearchBase">ou=system</Property>
<Property name="GroupSearchFilter">(objectClass=groupOfNames)</Property>
<Property name="GroupNameAttribute">cn</Property>
<Property name="MembershipAttribute">member</Property>

See detailed descriptions of each of the above-mentioned properties here.


Read/Write users and Read-only groups

If you wish to connect to the external LDAP user store so that user entries are written to the external LDAP but roles are not, the only difference from the steps in the previous section is as follows:

Set the ReadOnly property to false in the third step.


Read/Write both users and groups

From this release onward, you can configure Carbon products to read and write both users and roles in your organization's LDAP. Following are the steps that differ from the steps for read-only mode:

Step 1: Use the sample user-mgt.xml configuration file for the LDAP user store, available here.

Step 9: In addition to the group properties described in step 9, set the following two properties:

<Property name="WriteLDAPGroups">true</Property>
<Property name="EmptyRolesAllowed">false</Property>

Usually, LDAP servers do not allow you to create empty groups. Hence, the EmptyRolesAllowed property is set to false by default. When it is set to false, you have to assign at least one user to any role that you create through the Carbon admin console.
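As an added example (not WSO2 code), the following Python script parses a user-mgt.xml fragment laid out as on this page and reports which of the three modes described above it selects, together with settings that commonly break the bind or the user search (padded values, a read-only store that is also asked to write groups). The element layout of the sample document is an assumption, and the sample itself is constructed from the values shown on this page.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the user-mgt.xml fragments shown on this page
# (element layout is an assumption; values are the page's own examples).
SAMPLE_USER_MGT = """<UserManager><Realm>
 <Configuration>
  <AdminUser><UserName>AdminSOA</UserName><Password>XXXXXX</Password></AdminUser>
  <ReadOnly>false</ReadOnly>
 </Configuration>
 <UserStoreManager class="org.wso2.carbon.user.core.ldap.LDAPUserStoreManager">
  <Property name="ConnectionURL">ldap://localhost:10389</Property>
  <Property name="ConnectionName">uid=AdminLDAP,ou=system,dc=ABCompany,dc=lk</Property>
  <Property name="ConnectionPassword">2010#Avrudu </Property>
  <Property name="UserSearchBase"> ou=system,dc=ABCompany,dc=lk </Property>
  <Property name="UserNameAttribute">uid</Property>
  <Property name="WriteLDAPGroups">true</Property>
 </UserStoreManager>
</Realm></UserManager>"""

REQUIRED = ("ConnectionURL", "ConnectionName", "ConnectionPassword",
            "UserSearchBase", "UserNameAttribute")

def is_true(text):
    return (text or "").strip().lower() == "true"

def check_user_mgt(xml_text):
    """Return (mode, findings) for the LDAP user store settings in xml_text."""
    root = ET.fromstring(xml_text)
    usm = root.find(".//UserStoreManager")
    if usm is None or "LDAPUserStoreManager" not in usm.get("class", ""):
        return None, ["UserStoreManager class is not LDAPUserStoreManager"]
    props = {p.get("name"): (p.text or "") for p in usm.findall("Property")}
    findings = [f"missing Property {n}" for n in REQUIRED if n not in props]
    # Leading/trailing whitespace is sent to the server verbatim: a padded
    # bind password or search base fails in ways that are hard to spot.
    findings += [f"{n} has leading/trailing whitespace" for n in
                 ("ConnectionName", "ConnectionPassword", "UserSearchBase")
                 if n in props and props[n] != props[n].strip()]
    if props.get("ConnectionURL", "").strip().startswith("ldap://"):
        findings.append("ConnectionURL is ldap://; bind password is sent in clear unless TLS is negotiated")
    read_only = is_true(getattr(root.find(".//ReadOnly"), "text", None))
    write_groups = is_true(props.get("WriteLDAPGroups"))
    if read_only and write_groups:
        findings.append("ReadOnly=true contradicts WriteLDAPGroups=true")
    mode = ("Read-Only" if read_only else
            "Read/Write both users and groups" if write_groups else
            "Read/Write users and Read-Only groups")
    return mode, findings
```

Running check_user_mgt(SAMPLE_USER_MGT) reports the read/write-both mode and flags the padded ConnectionPassword and UserSearchBase values.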