[DEPRECATED] WSO2: Use LDAP as the Carbon user-store for any WSO2 product

Tested Products

  • WSO2 Data Services Server 3.0.1
  • WSO2 API Manager 1.3.1


All WSO2 Carbon-based products can be configured to work with LDAP simply by changing the configuration files. Out of the box, Carbon uses one H2 database as a user-store that stores usernames, passwords, etc., and another H2 database to store roles and permissions. This guide covers replacing the first database with LDAP. This configuration has been tested with both the WSO2 API Manager and WSO2 Data Services Server.

1. Import LDAP server PEM file into Java trust store

  • Default Carbon trust store: /repository/resources/security/client-truststore.jks
  • Default Carbon trust store password: wso2carbon

2. Edit <carbon-home>/repository/conf/user-mgt.xml

Note1: The password field /UserManager/Realm/Configuration/AdminRole/AdminUser/Password has no effect since the user-store is external and pre-configured.
Note2: The admin user specified at /UserManager/Realm/Configuration/AdminRole/AdminUser must be the first account to log in. Other users will not be able to log in until they are assigned a WSO2 role that has authentication privileges.
Note3: The connection name must exist in the UserSearchBase.
Note4: The user specified by /UserManager/Realm/Configuration/UserStoreManager/Property[@name="ConnectionName"] does not need to be the LDAP admin. However, it must have sufficient privileges to search all accounts that need to be authenticated.
Note5: /UserManager/Realm/Configuration/UserStoreManager/Property[@name="ReadLDAPGroups"] determines if Carbon will retain its own roles or use the LDAP server’s groups.

3. Change default admin account for Carbon applications

Note1: The file will vary depending on the WSO2 product being configured.
Note2: Not all WSO2 products require this (DSS does not).

API Manager

Set the username at the following XPaths:

  • /APIManager/AuthManager/Username/text()
  • /APIManager/APIGateway/Username/text()
  • /APIManager/APIKeyManager/Username/text()

Set the password at the following XPaths:

  • /APIManager/AuthManager/Password/text()
  • /APIManager/APIGateway/Password/text()
  • /APIManager/APIKeyManager/Password/text()
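
A consistency check for the step 2 settings, as an added example that is not part of the original guide or WSO2's own tooling: it reads a user-mgt.xml and flags a non-ldaps connection, a ConnectionName outside UserSearchBase (Note3), an unset ReadLDAPGroups (Note5) and a missing admin user (Note2). The sample file is constructed with placeholder values, and the ConnectionURL property and the UserName element are assumed from stock Carbon configuration rather than taken from this page.

```python
import xml.etree.ElementTree as ET

# Constructed sample laid out per the XPaths on this page; every value is a placeholder.
SAMPLE = """<UserManager><Realm><Configuration>
  <AdminRole><AdminUser>
    <UserName>wso2admin</UserName><Password>placeholder</Password>
  </AdminUser></AdminRole>
  <UserStoreManager>
    <Property name="ConnectionURL">ldap://ldap.example.org:389</Property>
    <Property name="ConnectionName">uid=carbon-bind,ou=services,dc=example,dc=org</Property>
    <Property name="UserSearchBase">ou=people,dc=example,dc=org</Property>
    <Property name="ReadLDAPGroups">true</Property>
  </UserStoreManager>
</Configuration></Realm></UserManager>"""

def rdns(dn):
    """Split a DN into lower-cased RDNs (simple split; escaped commas are not handled)."""
    return [part.strip().lower() for part in dn.split(",") if part.strip()]

def dn_is_under(dn, base):
    """True when `dn` equals `base` or sits below it in the directory tree."""
    d, b = rdns(dn), rdns(base)
    return bool(b) and len(d) >= len(b) and d[-len(b):] == b

def audit_user_mgt(xml_text):
    """Return (findings, role_source) for a user-mgt.xml document."""
    root = ET.fromstring(xml_text)
    # Search by element name so the check does not depend on the exact nesting.
    store = next(root.iter("UserStoreManager"), None)
    if store is None:
        return ["no UserStoreManager element"], None
    props = {p.get("name"): (p.text or "").strip() for p in store.iter("Property")}
    findings = []
    if not props.get("ConnectionURL", "").lower().startswith("ldaps://"):
        findings.append("ConnectionURL is not ldaps://; the step 1 certificate is not protecting the bind")
    if not dn_is_under(props.get("ConnectionName", ""), props.get("UserSearchBase", "")):
        findings.append("ConnectionName is not inside UserSearchBase (Note3)")
    if "ReadLDAPGroups" not in props:
        findings.append("ReadLDAPGroups is unset, so the role source is implicit (Note5)")
    admin = next(root.iter("AdminUser"), None)
    if admin is None or not (admin.findtext("UserName") or "").strip():
        findings.append("no AdminUser name set; that account must log in first (Note2)")
    role_source = "ldap" if props.get("ReadLDAPGroups", "").lower() == "true" else "carbon"
    return findings, role_source

if __name__ == "__main__":
    for line in audit_user_mgt(SAMPLE)[0]:
        print("FINDING:", line)
```

Run against the constructed sample, it reports the plain ldap:// URL and the bind account that sits under ou=services rather than the search base.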

