Adam

Reputation: 28858

WSO2 Identity Server - LDAP user store not working

I'm trying to configure the Identity Server (4.1.0) against our corporate Active Directory.

I am using the ReadOnlyLDAPUserStoreManager class. Here is the configuration for the user store:

<UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager">
    <!-- bind credentials and search bases redacted by the poster -->
    <Property name="ReadOnly">true</Property>
    <Property name="MaxUserNameListLength">100</Property>
    <Property name="ConnectionURL">ldap://host</Property>
    <Property name="ConnectionName">omitted</Property>
    <Property name="ConnectionPassword">xxxxxx</Property>
    <Property name="passwordHashMethod">PLAIN_TEXT</Property>
    <Property name="UserSearchBase">searchbase</Property>
    <Property name="UserNameListFilter">(objectClass=user)</Property>
    <Property name="UserNameAttribute">sAMAccountName</Property>
    <Property name="ReadLDAPGroups">true</Property>
    <Property name="GroupSearchBase">groupbase</Property>
    <Property name="GroupNameListFilter">(objectClass=group)</Property>
    <Property name="GroupNameAttribute">sAMAccountName</Property>
    <Property name="MembershipAttribute">memberOf</Property>
    <Property name="UserRolesCacheEnabled">false</Property>
    <Property name="ReplaceEscapeCharactersAtUserLogin">true</Property>
    <Property name="maxFailedLoginAttempt">0</Property>
</UserStoreManager>

I've removed specific connection details and UserSearchBase and GroupSearchBase. IS starts up successfully, and I can see users and roles listed.

I'm encountering the following issues:

Does anyone have any suggestions for integrating with a read-only LDAP store that is Active Directory?

Update: Working with WSO2 support, I would advise everyone to wait until IS 4.1.1 before attempting this particular use case. Older versions of the product simply do not work very well. I will update as I know more.

Upvotes: 3

Views: 3645

Answers (4)

Adam

Reputation: 28858

Update:

I can confirm that WSO2 IS 4.1.1 resolves the issue and this works as expected. I've come to the conclusion that 4.1.0 flat out doesn't work.

The dev team has fixed the issues in those features and it's in the latest release.

Good luck.

Upvotes: 0

Alan Weiss

Reputation: 69

I don't know about Active Directory, but we were facing a similar problem on OpenLDAP: we could not list the roles of a user. The reason was that our LDAP related a user to a group using only its UID. For example, on the role the attribute memberUid was:

memberUid = alandaniel

but the way WSO2 org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager expects is:

memberUid = uid=alandaniel,ou=x,dc=y,dc=z

so I had to customize the user.core plugin. Instead of creating the query:

(&(objectClass=posixGroup)(memberUid=uid=alandaniel,ou=x,dc=y,dc=z))

it will now use

(&(objectClass=posixGroup)(memberUid=alandaniel))

So if you really need to customize it, extend ReadOnlyLDAPUserStoreManager and customize the method getExternalRoleListOfUser(..).

*The versions used were WSO2 IS 4.1.0 and WSO2 ESB 4.6.0.

Upvotes: 1
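As an added illustration of the point in Alan's answer (this is example code written for this page, not WSO2's or Alan's code), the script below builds the group-membership filter in the two shapes he describes and evaluates it against a small constructed set of group entries: a posixGroup that stores bare uids in memberUid, a groupOfNames and an AD group that store full DNs in member. The in-memory matcher is a stand-in for the directory server, and the user names, DNs and group names are invented. It also escapes the filter value per RFC 4515, which the filters quoted in the answer do not show: an AD DN containing parentheses would otherwise break the filter, and a user name containing `*` or `)` could alter its meaning.

```python
import re

# Constructed sample directory content for this example (not from a real
# directory): a posixGroup that stores members by bare uid, as Alan's OpenLDAP
# did, a groupOfNames and an AD group that store member DNs. Note the AD user
# DN with parentheses, which is legal in a DN but special inside a filter.
GROUP_ENTRIES = [
    {"dn": "cn=developers,ou=groups,dc=y,dc=z", "cn": ["developers"],
     "objectClass": ["posixGroup"], "memberUid": ["alandaniel", "jdoe"]},
    {"dn": "cn=ops,ou=groups,dc=y,dc=z", "cn": ["ops"],
     "objectClass": ["groupOfNames"],
     "member": ["uid=alandaniel,ou=x,dc=y,dc=z"]},
    {"dn": "CN=IS Admins,OU=Groups,DC=corp,DC=example", "cn": ["IS Admins"],
     "objectClass": ["top", "group"],
     "member": ["CN=Adam (Contractor),OU=Users,DC=corp,DC=example"]},
]
ALAN = {"dn": "uid=alandaniel,ou=x,dc=y,dc=z", "uid": "alandaniel"}
ADAM = {"dn": "CN=Adam (Contractor),OU=Users,DC=corp,DC=example", "uid": "adam"}

# The five characters RFC 4515 requires to be escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a string so it can be embedded in a search filter verbatim."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def membership_filter(group_object_class, membership_attribute, member_value):
    """Build the filter shape Alan describes, (&(objectClass=X)(attr=value)),
    with the value escaped. member_value is either the user's DN or bare uid,
    whichever the directory actually stores in membership_attribute."""
    return "(&(objectClass=%s)(%s=%s))" % (
        escape_filter_value(group_object_class),
        membership_attribute,
        escape_filter_value(member_value),
    )


# One or more (attr=value) components; a value may contain \XX escapes but no
# raw parentheses or backslashes.
_COMPONENT = re.compile(r"\(([^=()]+)=((?:[^()\\]|\\[0-9a-fA-F]{2})*)\)")
_AND_BODY = re.compile(r"(?:\([^=()]+=(?:[^()\\]|\\[0-9a-fA-F]{2})*\))+")


def filter_is_well_formed(filt):
    """True for (&(a=v)(b=w)...) with properly escaped values. An unescaped
    '(' or ')' inside a value breaks the nesting and is rejected here, as an
    LDAP client library or server rejects a malformed filter."""
    return (filt.startswith("(&") and filt.endswith(")")
            and _AND_BODY.fullmatch(filt[2:-1]) is not None)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def entry_matches(entry, filt):
    """Evaluate an AND-of-equalities filter against one entry. Attribute names
    and values are compared case-insensitively, as the caseIgnore matching
    rules of objectClass, uid and DN-valued attributes do. This is a stand-in
    for the directory server, not an LDAP implementation."""
    if not filter_is_well_formed(filt):
        raise ValueError("malformed filter: %r" % filt)
    attrs = {k.lower(): [v.lower() for v in vals]
             for k, vals in entry.items() if k != "dn"}
    return all(_unescape(raw).lower() in attrs.get(attr.lower(), [])
               for attr, raw in _COMPONENT.findall(filt[2:-1]))


def groups_of_user(user, membership_attribute, group_object_class, value_kind):
    """cn of every group whose membership_attribute holds the user's DN
    (value_kind="dn", the behaviour Alan saw in the stock manager) or the
    bare uid (value_kind="uid", his customisation)."""
    value = user["dn"] if value_kind == "dn" else user["uid"]
    filt = membership_filter(group_object_class, membership_attribute, value)
    return [e["cn"][0] for e in GROUP_ENTRIES if entry_matches(e, filt)]


if __name__ == "__main__":
    print(groups_of_user(ALAN, "memberUid", "posixGroup", "dn"))   # stock: []
    print(groups_of_user(ALAN, "memberUid", "posixGroup", "uid"))  # customised: ['developers']
    print(groups_of_user(ADAM, "member", "group", "dn"))           # AD: ['IS Admins']
```

The DN-valued query returns nothing for the posixGroup and the uid-valued query finds it, which is the mismatch Alan's customisation fixes; for the AD-style group, where member holds DNs, the stock DN form is the right one, provided the DN is escaped before it is placed in the filter.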

Isuru Perera

Reputation: 1905

Please refer to the following blog post by Suresh.

http://sureshatt.blogspot.com/2012/07/how-to-connect-wso2-api-manager-to.html

It has an example of using ReadOnlyLDAPUserStoreManager.

I hope that helps.

Thanks.

Upvotes: 0

Isabelle

Reputation: 86

I have used the attached configuration in a recent customer engagement. Can you try with this, connecting with a user which has read access to AD?

Also, the newest version of IS now supports multiple user stores. If you want a single active store, make sure to comment out the default one. Otherwise, you need to add a domain name per user store (here ad-domain).

User stores setup is described here: http://docs.wso2.org/wiki/display/IS400/Configuring+User+Stores

Hope this helps, Isabelle.

<UserStoreManager class="org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager">
    <!-- DomainName is required when more than one user store is active -->
    <Property name="DomainName">ad-domain</Property>
    <Property name="defaultRealmName">My-Realm</Property>
    <Property name="kdcEnabled">false</Property>
    <!-- bind connection; DN, password and search bases redacted by the poster -->
    <Property name="ConnectionURL">ldap://myserver:389</Property>
    <Property name="ConnectionName">CN=yyyy,ou=xxxxx</Property>
    <Property name="ConnectionPassword">xxxxxxx</Property>
    <!-- hash method applied to user passwords written to the store -->
    <Property name="passwordHashMethod">PLAIN_TEXT</Property>
    <Property name="UserSearchBase">ou=xxxx,...</Property>
    <Property name="UserEntryObjectClass">user</Property>
    <Property name="UserNameAttribute">sAMAccountName</Property>
    <Property name="isADLDSRole">false</Property>
    <!-- 512 = NORMAL_ACCOUNT, the userAccountControl value of an enabled standard account -->
    <Property name="userAccountControl">512</Property>
    <Property name="UserNameListFilter">(objectClass=user)</Property>
    <Property name="UserNameSearchFilter">(&amp;(objectClass=user)(cn=?))</Property>
    <!-- note that "_-|" inside the class is a range from "_" to "|", so this also admits "`", "{" and "|" -->
    <Property name="UsernameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
    <Property name="UsernameJavaScriptRegEx">^[\\S]{3,30}$</Property>
    <Property name="PasswordJavaScriptRegEx">^[\\S]{5,30}$</Property>
    <Property name="RolenameJavaScriptRegEx">^[\\S]{3,30}$</Property>
    <Property name="RolenameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
    <!-- groups: read only, resolved through the "member" attribute on the group entry -->
    <Property name="ReadLDAPGroups">true</Property>
    <Property name="WriteLDAPGroups">false</Property>
    <Property name="EmptyRolesAllowed">true</Property>
    <Property name="GroupSearchBase">ou=xxxxx</Property>
    <Property name="GroupEntryObjectClass">group</Property>
    <Property name="GroupNameAttribute">cn</Property>
    <Property name="MembershipAttribute">member</Property>
    <Property name="GroupNameListFilter">(objectcategory=group)</Property>
    <Property name="GroupNameSearchFilter">(&amp;(objectClass=group)(cn=?))</Property>
    <Property name="UserRolesCacheEnabled">true</Property>
    <!-- follow referrals returned by the domain controller -->
    <Property name="Referral">follow</Property>
    <!-- back-link support, used when membership is read from an attribute on the user entry such as memberOf -->
    <Property name="BackLinksEnabled">true</Property>
    <Property name="maxFailedLoginAttempt">0</Property>
</UserStoreManager>

Upvotes: 0
