Tested Products
- WSO2 Data Services Server 3.0.1
- WSO2 API Manager 1.3.1
Overview
All WSO2 Carbon-based products can be configured to use LDAP simply by changing their configuration files. Out of the box, Carbon uses one H2 database as the user store (usernames, passwords, etc.) and a second H2 database for roles and permissions. This guide replaces the first database with LDAP. The configuration has been tested with both the WSO2 API Manager and the WSO2 Data Services Server.
1. Import LDAP server PEM file into Java trust store
```sh
sudo keytool -import -v -trustcacerts -alias <alias> -file <path/to/pem/file> -keystore <path/to/carbon/truststore> -storepass <truststore-password>
```
- Default Carbon trust store: <carbon-home>/repository/resources/security/client-truststore.jks
- Default Carbon trust store password: wso2carbon
2. Edit <carbon-home>/repository/conf/user-mgt.xml
```xml
<UserManager>
  <Realm>
    <Configuration>
      <AdminRole>admin</AdminRole>
      <AdminUser>
        <UserName>LDAP_admin</UserName>
        <Password>not_used</Password>
      </AdminUser>
      <EveryOneRoleName>everyone</EveryOneRoleName> <!-- By default users in this role see the registry root -->
      <Property name="dataSource">jdbc/WSO2CarbonDB</Property>
      <Property name="MultiTenantRealmConfigBuilder">org.wso2.carbon.user.core.config.multitenancy.SimpleRealmConfigBuilder</Property>
    </Configuration>
    <!-- Active Directory configuration follows -->
    <UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager">
      <Property name="ConnectionURL">ldap://<hostname>:389</Property>
      <Property name="ConnectionName">cn=LDAP_search,ou=Users Service Accounts,dc=lancegatlin,dc=org</Property>
      <Property name="ConnectionPassword">XXXXXX</Property>
      <Property name="UserSearchBase">dc=lancegatlin,dc=org</Property>
      <Property name="UserNameListFilter">(objectClass=person)</Property>
      <Property name="UserNameAttribute">sAMAccountName</Property>
      <Property name="UserEntryObjectClass">person</Property>
      <!-- The LDAP "&" operator must be written as &amp; or the XML will not parse -->
      <Property name="UserNameSearchFilter">(&amp;(objectClass=person)(sAMAccountName=?))</Property>
      <Property name="GroupEntryObjectClass">group</Property>
      <Property name="ReadLDAPGroups">false</Property>
      <Property name="GroupSearchBase">cn=users</Property>
      <Property name="GroupNameSearchFilter">(objectClass=group)</Property>
      <Property name="GroupNameAttribute">cn</Property>
      <Property name="MembershipAttribute">member</Property>
      <Property name="Referral">follow</Property>
    </UserStoreManager>
    <AuthorizationManager class="org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager">
      <Property name="AdminRoleManagementPermissions">/permission</Property>
    </AuthorizationManager>
  </Realm>
</UserManager>
```
Note1: The password field at /UserManager/Realm/Configuration/AdminUser/Password has no effect, since the user store is external and already configured.
Note2: The admin user specified at /UserManager/Realm/Configuration/AdminUser must be the first account to log in. Other users will not be able to log in until they are assigned a WSO2 role that has authentication privileges.
Note3: The DN given in ConnectionName must be located under the UserSearchBase.
Note4: The user specified by /UserManager/Realm/UserStoreManager/Property[@name="ConnectionName"] does not need to be the LDAP admin. However, it must have sufficient privileges to search all accounts that need to be authenticated.
Note5: /UserManager/Realm/UserStoreManager/Property[@name="ReadLDAPGroups"] determines whether Carbon retains its own roles or uses the LDAP server's groups.
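As an added check (example code written for this page, not part of the guide or of WSO2): a small Python script that parses the UserStoreManager section above and flags the points the notes call out, plus one they do not: a plain ldap:// URL, which means the certificate imported in step 1 is never used and the bind password crosses the network in clear text. The host name and password in the embedded sample are placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample mirroring this guide's configuration; the host name and
# password are placeholders, not real values.
SAMPLE_USER_MGT_XML = """<UserManager>
  <Realm>
    <UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager">
      <Property name="ConnectionURL">ldap://ldap.example.invalid:389</Property>
      <Property name="ConnectionName">cn=LDAP_search,ou=Users Service Accounts,dc=lancegatlin,dc=org</Property>
      <Property name="ConnectionPassword">XXXXXX</Property>
      <Property name="UserSearchBase">dc=lancegatlin,dc=org</Property>
      <Property name="UserNameSearchFilter">(&amp;(objectClass=person)(sAMAccountName=?))</Property>
      <Property name="ReadLDAPGroups">false</Property>
    </UserStoreManager>
  </Realm>
</UserManager>
"""

def ldap_properties(xml_text: str) -> dict:
    """Return the UserStoreManager <Property name="..."> values as a dict."""
    usm = ET.fromstring(xml_text).find("./Realm/UserStoreManager")
    if usm is None:
        raise ValueError("no /UserManager/Realm/UserStoreManager element")
    return {p.get("name"): (p.text or "").strip() for p in usm.findall("Property")}

def normalize_dn(dn: str) -> str:
    """Lower-case the DN and strip spaces around commas so suffix tests are reliable."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def check_ldap_config(xml_text: str) -> list:
    """Return a list of findings; an empty list means every check passed."""
    try:
        props = ldap_properties(xml_text)
    except ET.ParseError as exc:  # e.g. an unescaped '&' inside a search filter
        return [f"user-mgt.xml does not parse: {exc}"]
    findings = []
    # Step 1's trust-store import only protects the bind over TLS; plain ldap://
    # (no StartTLS) sends ConnectionPassword and every user's password in clear text.
    if urlparse(props.get("ConnectionURL", "")).scheme != "ldaps":
        findings.append("ConnectionURL is not ldaps://; passwords travel unencrypted")
    # Note3 above: the bind account must be located under UserSearchBase.
    base = normalize_dn(props.get("UserSearchBase", ""))
    if not base or not normalize_dn(props.get("ConnectionName", "")).endswith("," + base):
        findings.append("ConnectionName is not located under UserSearchBase")
    if props.get("ConnectionPassword", "") in ("", "XXXXXX"):
        findings.append("ConnectionPassword is empty or still the XXXXXX placeholder")
    if "?" not in props.get("UserNameSearchFilter", ""):  # '?' is replaced by the login name
        findings.append("UserNameSearchFilter has no '?' placeholder for the user name")
    return findings
```

Run it against the real `<carbon-home>/repository/conf/user-mgt.xml` by reading the file into `check_ldap_config`; the sample shown produces the two findings for the plaintext URL and the placeholder password.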
3. Change default admin account for Carbon applications
Note1: The file to edit varies with the WSO2 product being configured.
Note2: Not all WSO2 products require this step (DSS does not).
API Manager
Set the username at the following XPaths:
- /APIManager/AuthManager/Username/text()
- /APIManager/APIGateway/Username/text()
- /APIManager/APIKeyManager/Username/text()
Set the password at the following XPaths:
- /APIManager/AuthManager/Password/text()
- /APIManager/APIGateway/Password/text()
- /APIManager/APIKeyManager/Password/text()