By default WSO2 IS uses embedded ldap, which is shipped with the product, as the primary user store. But it's possible to configure other user stores (such as OpenLDAP, Active Directory and JDBC user stores) as primary user store. In this blog post I'm going to explain how to configure OpenLDAP as the primary user store of WSO2 IS 4.5.0 in following modes.
- Below I've attached a sample configuration.
Now let's walk through the above configuration to identity the properties that needs to be changed.
1)
Here you have to provide the connection url of openldap. Pay attention to accuracy of ip and port when specifying it.
2)
This is the bind dn or the user. i.e. Distinguished name used to authenticate to the Directory server when performing an operation. This user has permission to read all users and perform search operations in Directory server
3)
This is the password of above bind dn or user
4)
This is the directory in which users created through IS are stored. Also LDAP search for users starts from this location
5)
This is the attribute to which the user name is mapped. "cn" and "uid" are commonly used for this purpose
6)
This property specifies whether groups in LDAP should be read from IS or not. If we do not want to read LDAP groups then non of the other group related properties need to be changed
For more information, please go through IS documentation
7)
If this is set to false, you cannot add groups to LDAP through Identity Server.
8)
OpenLDAP does not allow to create roles without at least one user assigned to it. Therefore, if you are going to use openldap this property should be false.
9)
This is the directory in which groups created through Identity Server are stored. In addition to that LDAP search for groups begin from this place.
Note : Changing the rest of the properties are optional and you can configure them according to your requirement.
- This configuration can be found on top part of user-mgt.xml
- If AddAdmin is set to true, at the first startup of Identity server it checks whether this admin user/admin role is in LDAP. If admin user/admin role are not there, IS adds them to LDAP.
You can set this to false if you need an existing admin user/role for IS.
- Admin user name, admin password and admin role can be changed according to your requirement.
OpenLDAP in Read-Only mode
- For this also we should first comment out the default user store manager as I've explained before.
- Since we need to configure LDAP in read only mode, uncomment following user store manager class
- Below I've attached a sample configuration.
- Read/Write mode
- Read-only mode
- Now let's comment out the default user store manager in user-mgt.xml which resides in IS_HOME/repository/conf.
OpenLDAP in Read/Write mode
OpenLDAP in Read/Write mode
- First uncomment relevant user store manager configuration. i.e.
Note : There are three such user store manager classes in user-mgt.xml. You have to uncomment the configuration which is available after following comment.
Note : There are three such user store manager classes in user-mgt.xml. You have to uncomment the configuration which is available after following comment.
- Below I've attached a sample configuration.
Now let's walk through the above configuration to identity the properties that needs to be changed.
Here you have to provide the connection url of openldap. Pay attention to accuracy of ip and port when specifying it.
2)
This is the bind dn or the user. i.e. Distinguished name used to authenticate to the Directory server when performing an operation. This user has permission to read all users and perform search operations in Directory server
3)
This is the password of above bind dn or user
4)
This is the directory in which users created through IS are stored. Also LDAP search for users starts from this location
5)
This is the attribute to which the user name is mapped. "cn" and "uid" are commonly used for this purpose
6)
This property specifies whether groups in LDAP should be read from IS or not. If we do not want to read LDAP groups then non of the other group related properties need to be changed
For more information, please go through IS documentation
7)
If this is set to false, you cannot add groups to LDAP through Identity Server.
8)
OpenLDAP does not allow to create roles without at least one user assigned to it. Therefore, if you are going to use openldap this property should be false.
9)
This is the directory in which groups created through Identity Server are stored. In addition to that LDAP search for groups begin from this place.
Note : Changing the rest of the properties are optional and you can configure them according to your requirement.
- This configuration can be found on top part of user-mgt.xml
- If AddAdmin is set to true, at the first startup of Identity server it checks whether this admin user/admin role is in LDAP. If admin user/admin role are not there, IS adds them to LDAP.
You can set this to false if you need an existing admin user/role for IS.
- Admin user name, admin password and admin role can be changed according to your requirement.
OpenLDAP in Read-Only mode
- For this also we should first comment out the default user store manager as I've explained before.
- Since we need to configure LDAP in read only mode, uncomment following user store manager class
- Below I've attached a sample configuration.
- Properties are same as what I've explained earlier. Only difference is there's no need of having properties like UsernameJavaRegEx, UsernameJavaScriptRegEx, RolenameJavaScriptRegEx, RolenameJavaRegEx, PasswordJavaScriptRegEx, WriteGroups and EmptyRolesAllowed because we are not going to add users or role through Identity Server.
-
Since this is a read-only user store, you should provide a user who's already there in user store as the admin user.
But depending on your requirement you can provide and existing or non-existing admin role. If admin role is already not there in user store, then it will be added as an internal role at Identity serer first startup.
Special Note : You can find sample user-mgt.xml files for read/write mode in this location and for read-only mode here.
Below I've attached some images of LDAP to understand the LDAP structure used in this sample.