Saturday, September 28, 2013

Configuring OpenLDAP as external user store of WSO2 IS 4.5.0

By default WSO2 IS uses embedded ldap, which is shipped with the product, as the primary user store. But it's possible to configure other user stores (such as OpenLDAP, Active Directory and JDBC user stores) as primary user store. In this blog post I'm going to explain how to configure OpenLDAP as the primary user store of WSO2 IS 4.5.0 in following modes.
  • Read/Write mode
  • Read-only mode
- Since we no longer need embedded ldap, let's disable starting it at server start up. This can be changed in IS_HOME/repository/conf/embedded-ldap.xml

- Now let's comment out the default user store manager in user-mgt.xml which resides in IS_HOME/repository/conf.

OpenLDAP in Read/Write mode

- First uncomment relevant user store manager configuration. i.e.

Note : There are three such user store manager classes in user-mgt.xml. You have to uncomment the configuration which is available after following comment.

- Below I've attached a sample configuration.

Now let's walk through the above configuration to identity the properties that needs to be changed.

Here you have to provide the connection url of openldap. Pay attention to accuracy of ip and port when specifying it.

This is the bind dn or the user. i.e. Distinguished name used to authenticate to the Directory server when performing an operation. This user has permission to read all users and perform search operations in Directory server

This is the password of above bind dn or user

This is the directory in which users created through IS are stored. Also LDAP search for users starts from this location

This is the attribute to which the user name is mapped. "cn" and "uid" are commonly used for this purpose

This property specifies whether groups in LDAP should be read from IS or not. If we do not want to read LDAP groups then non of the other group related properties need to be changed

For more information, please go through IS documentation

If this is set to false, you cannot add groups to LDAP through Identity Server.

OpenLDAP does not allow to create roles without at least one user assigned to it. Therefore, if you are going to use openldap this property should be false.

This is the directory in which groups created through Identity Server are stored. In addition to that LDAP search for groups begin from this place.

Note : Changing the rest of the properties are optional and you can configure them according to your requirement.

- This configuration can be found on top part of user-mgt.xml

- If AddAdmin is set to true, at the first startup of Identity server it checks whether this admin user/admin role is in LDAP. If admin user/admin role are not there, IS adds them to LDAP.
You can set this to false if you need an existing admin user/role for IS.

- Admin user name, admin password and admin role can be changed according to your requirement.

OpenLDAP in Read-Only mode

- For this also we should first comment out the default user store manager as I've explained before.

- Since we need to configure LDAP in read only mode, uncomment following user store manager class

- Below I've attached a sample configuration.

- Properties are same as what I've explained earlier. Only difference is there's no need of having properties like UsernameJavaRegEx, UsernameJavaScriptRegEx, RolenameJavaScriptRegEx, RolenameJavaRegEx, PasswordJavaScriptRegEx, WriteGroups and EmptyRolesAllowed because we are not going to add users or role through Identity Server.

Since this is a read-only user store, you should provide a user who's already there in user store as the admin user.
But depending on your requirement you can provide and existing or non-existing admin role. If admin role is already not there in user store, then it will be added as an internal role at Identity serer first startup.

Special Note : You can find sample user-mgt.xml  files for read/write mode in this location  and for read-only mode here.

Below I've attached some images of LDAP to understand the LDAP structure used in this sample.

1 comment: