Reputation: 731
I have connected OpenLdap with Identity Server(IS) and authentication was also successful. Now I am trying to connect an 389 Directory Server with IS. Connection is successful but I'm getting an error,
Caused by: org.wso2.carbon.user.core.UserStoreException: Admin user can not be created in primary user store. User store is read only. Please pick a user name which is exist in the primary user store as Admin user
My configuration is,
<Configuration>
<AddAdmin>False</AddAdmin>
<AdminRole>wsoadmin</AdminRole>
<AdminUser>
<UserName>banderson</UserName>
<Password>*****</Password>
</AdminUser>
<EveryOneRoleName>everyone</EveryOneRoleName> <!-- By default users in this role sees the registry root -->
<Property name="isCascadeDeleteEnabled">true</Property>
<Property name="dataSource">jdbc/WSO2CarbonDB</Property>
</Configuration>
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager">
<Property name="TenantManager">org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager</Property>
<Property name="ConnectionURL">ldap://URL:389/o=NetscapeRoot</Property>
<Property name="ConnectionName">cn=Directory Manager</Property>
<Property name="ConnectionPassword">password</Property>
<Property name="UserSearchBase">ou=People,dc=example,dc=edu</Property>
<Property name="UserNameAttribute">uid</Property> <!--i even tried "cn" here -->
<Property name="UserNameSearchFilter">(&(objectClass=person)(uid=?))</Property>
<Property name="UserNameListFilter">(objectClass=person)</Property>
<Property name="DisplayNameAttribute"/>
<Property name="ReadGroups">true</Property>
<Property name="GroupSearchBase">ou=system</Property>
<Property name="GroupNameAttribute">cn</Property>
<Property name="GroupNameSearchFilter">(&(objectClass=groupOfNames)(cn=?))</Property>
<Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property>
<Property name="MembershipAttribute">member</Property>
<Property name="BackLinksEnabled">false</Property>
<Property name="UsernameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
<Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property>
<Property name="RolenameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
<Property name="SCIMEnabled">false</Property>
<Property name="PasswordHashMethod">PLAIN_TEXT</Property>
<Property name="MultiAttributeSeparator">,</Property>
<Property name="MaxUserNameListLength">100</Property>
<Property name="MaxRoleNameListLength">100</Property>
<Property name="UserRolesCacheEnabled">true</Property>
<Property name="ConnectionPoolingEnabled">true</Property>
<Property name="LDAPConnectionTimeout">5000</Property>
<Property name="ReadTimeout"/>
<Property name="RetryAttempts"/>
<Property name="ReplaceEscapeCharactersAtUserLogin">true</Property>
</UserStoreManager>
This is my user.ldif,
dn: cn=admin,dc=example,dc=edu
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
userPassword: password
description: LDAP administrator
dn: uid=jsmith,ou=People,dc=example,dc=edu
objectClass: organizationalPerson
objectClass: person
objectClass: top
objectClass: inetOrgPerson
givenName: Joe
uid: jsmith
sn: Smith
cn: John Smith
userPassword: password
dn: uid=banderson,ou=People,dc=example,dc=edu
objectClass: organizationalPerson
objectClass: person
objectClass: top
objectClass: inetOrgPerson
givenName: Bob
uid: banderson
sn: Anderson
cn: Bob Anderson
userPassword: password
ds-setup info,
[General]
AdminDomain = example.edu
ConfigDirectoryAdminID = admin
ConfigDirectoryAdminPwd = admin
ConfigDirectoryLdapURL = ldap://localhost:389/o=NetscapeRoot
FullMachineName = localhost
ServerRoot = /usr/lib64/dirsrv
SuiteSpotGroup = nobody
SuiteSpotUserID = nobody
[admin]
Port = 9830
ServerAdminID = admin
ServerAdminPwd = admin
ServerIpAddress = 0.0.0.0
SysUser = nobody
[slapd]
AddOrgEntries = Yes
AddSampleEntries = No
InstallLdifFile = suggest
RootDN = cn=Directory Manager
RootDNPwd = password
ServerIdentifier = dir
ServerPort = 389
SlapdConfigForMC = yes
Suffix = dc=example,dc=edu
UseExistingMC = No
Ldap Structure, http://prntscr.com/ay7p6r
Kindly help me debug this. I have gone through the WSO2 docs and tried several combinations but could not solve this.
Thanks
---edit--- Secondary user store config file,
<?xml version="1.0" encoding="UTF-8"?><UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager">
<Property name="ConnectionURL">ldap://URL:389</Property>
<Property name="ConnectionName">cn=Directory Manager</Property>
<Property encrypted="true" name="ConnectionPassword">U57XaWZIJHoj8hyMpGTHriXtOdSwZwEBSPjvHmDM/Td9QPGFo1obCWbW/z6W5ebVAKdsIQ7Tii9sUYtNptW2DH14SfUbPTZO80dIl3W2LPMLlWQVJ8DyDedAJo9WgP8490r56TjoJKHN4J5EdJwApYuQPDZMsuBSj80gaAJlpfk=</Property>
<Property name="UserSearchBase">ou=People,dc=example,dc=edu</Property>
<Property name="UserNameAttribute">uid</Property>
<Property name="UserNameSearchFilter">(&(objectClass=person)(uid=?))</Property>
<Property name="UserNameListFilter">(objectClass=person)</Property>
<Property name="UserDNPattern"/>
<Property name="DisplayNameAttribute">uid</Property>
<Property name="Disabled">false</Property>
<Property name="ReadGroups">true</Property>
<Property name="GroupSearchBase">ou=Groups,dc=wso2,dc=org</Property>
<Property name="GroupNameAttribute">cn</Property>
<Property name="GroupNameSearchFilter">(&(objectClass=groupOfNames)(cn=?))</Property>
<Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property>
<Property name="RoleDNPattern"/>
<Property name="MembershipAttribute">member</Property>
<Property name="MemberOfAttribute"/>
<Property name="BackLinksEnabled">false</Property>
<Property name="ReplaceEscapeCharactersAtUserLogin">true</Property>
<Property name="SCIMEnabled">false</Property>
<Property name="PasswordHashMethod">PLAIN_TEXT</Property>
<Property name="MultiAttributeSeparator">,</Property>
<Property name="MaxUserNameListLength">100</Property>
<Property name="MaxRoleNameListLength">100</Property>
<Property name="UserRolesCacheEnabled">true</Property>
<Property name="ConnectionPoolingEnabled">false</Property>
<Property name="LDAPConnectionTimeout">5000</Property>
<Property name="ReadTimeout">5000</Property>
<Property name="RetryAttempts">0</Property>
<Property name="DomainName">389ds.com</Property>
<Property name="Description">testing 389 DS</Property>
</UserStoreManager>
Upvotes: 0
Views: 847
Reputation: 2540
As per the logs you shared in the comment, you are getting the following error,
Caused by: org.wso2.carbon.user.core.UserStoreException: Admin role can not be created in primary user store. Add-Admin has been set to false. Please pick a Role name which is exist in the primary user store as Admin Role
This happens because, as per the configs you specified in the user-mgt.xml, the admin role "wsoadmin" cannot be found in the 389 Directory Server.
And it seems like your group related configurations are also wrong in the user-mgt.xml. If you don't want to pick group information from the 389 Directory Server, change the following property in the user-mgt.xml,
<Property name="ReadGroups">true</Property>
The above property will avoid checking group information on the directory server and automatically switch to looking up groups in the IS internal database, create an internal role called "wsoadmin", assign the admin user "banderson" to the internal wsoadmin role, and complete the startup process successfully.
HTH, DarRay
Upvotes: 2
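The error in the question and the explanation in the answer above come down to one rule: with a read-only LDAP user store (or AddAdmin set to false) the configured admin user and admin role must already exist where the store is told to look for them. The following is an added example, not code from the question, the answer, or WSO2: a stand-alone Python preflight check that parses a user-mgt.xml fragment and an LDIF export and reports what would stop Identity Server from starting. The XML fragment and LDIF below are constructed to mirror the question's configuration (the `&` in LDAP filters is written `&amp;` so the XML parses); `ROOT_DN` is taken from the RootDN in the question's ds-setup file. The filter matcher only understands the single-term list filters used on this page.

```python
import re
import xml.etree.ElementTree as ET

# Constructed fragment modelled on the question's user-mgt.xml (not the poster's file verbatim).
USER_MGT_XML = """<UserManager><Realm>
<Configuration>
  <AddAdmin>False</AddAdmin>
  <AdminRole>wsoadmin</AdminRole>
  <AdminUser><UserName>banderson</UserName><Password>*****</Password></AdminUser>
</Configuration>
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager">
  <Property name="ConnectionName">cn=Directory Manager</Property>
  <Property name="UserSearchBase">ou=People,dc=example,dc=edu</Property>
  <Property name="UserNameAttribute">uid</Property>
  <Property name="UserNameSearchFilter">(&amp;(objectClass=person)(uid=?))</Property>
  <Property name="UserNameListFilter">(objectClass=person)</Property>
  <Property name="ReadGroups">true</Property>
  <Property name="GroupSearchBase">ou=system</Property>
  <Property name="GroupNameAttribute">cn</Property>
  <Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property>
</UserStoreManager>
</Realm></UserManager>"""

# Constructed LDIF mirroring the question's user.ldif: two people, no group entries at all.
USER_LDIF = """dn: cn=admin,dc=example,dc=edu
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin

dn: uid=jsmith,ou=People,dc=example,dc=edu
objectClass: inetOrgPerson
objectClass: person
uid: jsmith
cn: John Smith

dn: uid=banderson,ou=People,dc=example,dc=edu
objectClass: inetOrgPerson
objectClass: person
uid: banderson
cn: Bob Anderson
"""

ROOT_DN = "cn=Directory Manager"  # RootDN from the question's ds-setup file


def parse_ldif(text):
    """Minimal LDIF reader: list of {attr_lower: [values]} dicts, 'dn' included."""
    entries, current = [], {}
    for raw in text.splitlines():
        if not raw.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = raw.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def parse_user_mgt(xml_text):
    """Pull the admin settings and the first UserStoreManager's properties out of user-mgt.xml."""
    root = ET.fromstring(xml_text)
    conf, store = root.find(".//Configuration"), root.find(".//UserStoreManager")
    return {
        "add_admin": (conf.findtext("AddAdmin") or "").strip().lower() == "true",
        "admin_user": conf.findtext("AdminUser/UserName").strip(),
        "admin_role": conf.findtext("AdminRole").strip(),
        "store_class": store.get("class", ""),
        "props": {p.get("name"): (p.text or "").strip() for p in store.findall("Property")},
    }


def norm_dn(dn):
    return ",".join(part.strip().lower() for part in dn.split(","))


def under_base(dn, base):
    return norm_dn(dn).endswith("," + norm_dn(base))


def matches(entry, ldap_filter):
    """Evaluate a single-term equality filter such as (objectClass=person) against one entry."""
    m = re.fullmatch(r"\((\w+)=([^()*]+)\)", ldap_filter.strip())
    if not m:
        raise ValueError(f"unsupported filter for this static check: {ldap_filter}")
    attr, value = m.group(1).lower(), m.group(2).lower()
    return value in (v.lower() for v in entry.get(attr, []))


def preflight(cfg, entries):
    """Return findings that would stop Identity Server starting against this user store."""
    p, findings = cfg["props"], []
    can_create = cfg["add_admin"] and not cfg["store_class"].endswith("ReadOnlyLDAPUserStoreManager")

    users = [e for e in entries if under_base(e["dn"][0], p["UserSearchBase"]) and matches(e, p["UserNameListFilter"])]
    uattr = p["UserNameAttribute"].lower()
    if not any(cfg["admin_user"] in e.get(uattr, []) for e in users) and not can_create:
        findings.append(f"admin user '{cfg['admin_user']}' not found as {uattr} under {p['UserSearchBase']} "
                        "and the store cannot create it (read-only store / AddAdmin false)")

    if p.get("ReadGroups", "false").lower() == "true":
        gbase = p["GroupSearchBase"]
        if not any(under_base(e["dn"][0], gbase) for e in entries):
            findings.append(f"GroupSearchBase '{gbase}' holds no entries; check it lies under the server suffix")
        groups = [e for e in entries if under_base(e["dn"][0], gbase) and matches(e, p["GroupNameListFilter"])]
        if not any(cfg["admin_role"] in e.get(p["GroupNameAttribute"].lower(), []) for e in groups) and not can_create:
            findings.append(f"admin role '{cfg['admin_role']}' is not a {p['GroupNameListFilter']} entry under {gbase}; "
                            "create it there or set ReadGroups to false so roles come from the internal database")

    if norm_dn(p.get("ConnectionName", "")) == norm_dn(ROOT_DN):
        findings.append("ConnectionName is the directory RootDN; a read-only store only needs a dedicated "
                        "bind account with search rights on the user and group subtrees")
    return findings


if __name__ == "__main__":
    for finding in preflight(parse_user_mgt(USER_MGT_XML), parse_ldif(USER_LDIF)):
        print("-", finding)
```

Run against the constructed data it reports the two conditions behind the startup failure (no entries under `ou=system`, no `wsoadmin` group) plus a least-privilege note about binding as the RootDN; flipping ReadGroups to false, as the answer suggests, clears the group findings. The same search bases, attributes and list filters are what you would hand to `ldapsearch` to confirm the result against the live 389 DS rather than an LDIF export.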
Reputation: 464
In your user store manager configuration, you have org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager.
But can you try the same after adding the configuration under the class org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager?
Also set <AddAdmin> to true so that if the admin user does not exist, it will be added.
Upvotes: 0