All WSO2 Carbon based products can read and write users and roles from external
LDAP user stores. You can configure Carbon products to work with your company LDAP in one of the
following modes.
6.1. Read Only mode
The following steps describe how to configure an external LDAP in read-only mode.
Step 1 :
Back up the
${carbon-home}/repository/conf/user-mgt.xml.
A sample file for an LDAP user store is available
here.
Download the relevant file
and save it as
${carbon-home}/repository/conf/user-mgt.xml. Please
check that your file contains the following:
<UserStoreManager
class="org.wso2.carbon.user.core.ldap.LDAPUserStoreManager">
Step 2 :
Find a valid user that resides in the Directory Server. For
example, suppose a valid user name is "AdminSOA". Update the Admin
user section of your LDAP configuration as follows. You do not have to
update the password element; just leave it as it is.
<AdminUser>
<UserName>AdminSOA</UserName>
<Password>XXXXXX</Password>
</AdminUser>
Step 3 :
If you wish to connect the user store in read-only mode, make sure the
value of the
<ReadOnly> element is set to true as
follows.
<ReadOnly>true</ReadOnly>
Step 4 :
Update the connection details to suit your Directory Server.
<Property
name="ConnectionURL">ldap://localhost:10389</Property>
Step 5 :
Obtain from your LDAP administrator a user who has permission to read all users/attributes
and to perform searches
on the Directory Server. For example, suppose
your privileged user is "AdminLDAP" and its password is "2010#Avrudu".
Now update the following sections of the realm configuration.
<Property
name="ConnectionName">uid=AdminLDAP,ou=system,dc=ABCompany,dc=lk</Property>
<Property
name="ConnectionPassword">2010#Avrudu</Property>
Step 6 : Update the
<Property
name="UserSearchBase">
property by giving the directory where the
users are stored. LDAP searches for users will start from this location.
<Property
name="UserSearchBase">ou=system,dc=ABCompany,dc=lk</Property>
Step 7 : Set the attribute that you wish to use as the username.
The most common case is to use either "cn" or "uid" as the username. If
you are not sure which attribute is available in your LDAP, please ask
your LDAP administrator.
<Property
name="UserNameAttribute">uid</Property>
Step 8 : This is the most basic configuration. For more advanced
options like "external roles", please jump to the next step. Otherwise you
are done: start your server and try to log in as "AdminSOA". The
password is AdminSOA's password in the LDAP server. If you are
unable to log in, please send a mail to the Carbon user group.
Step 9 : The realm can read roles from the Directory Server. It can
read the user/role mapping based on the membership attribute in Apache Directory Server and OpenLDAP.
The following are the properties in user-mgt.xml that are related to LDAP groups.
The 'ReadLDAPGroups' property indicates whether to read groups from the external LDAP.
If this is 'false', then none of the properties following it needs to be set, and Carbon
roles will be written to and read from the internal JDBC database only.
If this is 'true', then Carbon roles will be written to the internal JDBC database and
will be read from both the internal JDBC database and the external LDAP user store.
<Property
name="ReadLDAPGroups">false</Property>
<Property
name="GroupSearchBase">ou=system</Property>
<Property
name="GroupSearchFilter">(objectClass=groupOfNames)</Property>
<Property
name="GroupNameAttribute">cn</Property>
<Property
name="MembershipAttribute">member</Property>
Table 3.1 contains detailed descriptions of each of the properties mentioned above.
6.2. Read/Write users and Read-only groups
If you wish to connect to an external LDAP user store such that only the user entries are written to the external LDAP
and roles are not written to it, the only difference from the steps in section 6.1 is:
In step 3: set the ReadOnly property to false.
6.3. Read/Write both users and groups
From this release onwards, you can configure Carbon products to read and write both users and roles
in your company LDAP.
The following steps differ from the steps in section 6.1 above:
Step 1: Use the sample user-mgt.xml configuration file for an LDAP user store that is available
here
Step 9: You may notice the following two additional properties in the configuration beyond those
mentioned in step 9 of section 6.1 above:
<Property name="WriteLDAPGroups">true</Property>
<Property name="EmptyRolesAllowed">false</Property>
Usually LDAP servers do not allow empty groups to be created. Hence the 'EmptyRolesAllowed' property
is set to 'false' by default. When it is set to false, you have to assign at least one user to any role
that you create through the Carbon admin console.
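As an added example (not WSO2's own code), the following Python script checks a user-mgt.xml against the rules stated in sections 6.1 to 6.3: the connection and user-search properties from steps 4 to 7 must be present, the group properties from step 9 become mandatory once ReadLDAPGroups is true, and WriteLDAPGroups cannot be combined with ReadOnly. It assumes the element layout shown on this page (a <ReadOnly> element plus <Property name="..."> children of the LDAPUserStoreManager); the embedded sample file is constructed for the demo and deliberately omits MembershipAttribute.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout this page shows; MembershipAttribute is left out on purpose.
SAMPLE_USER_MGT = """<UserManager><Realm><Configuration>
<ReadOnly>true</ReadOnly></Configuration>
<UserStoreManager class="org.wso2.carbon.user.core.ldap.LDAPUserStoreManager">
<Property name="ConnectionURL">ldap://localhost:10389</Property>
<Property name="ConnectionName">uid=AdminLDAP,ou=system,dc=ABCompany,dc=lk</Property>
<Property name="ConnectionPassword">2010#Avrudu</Property>
<Property name="UserSearchBase">ou=system,dc=ABCompany,dc=lk</Property>
<Property name="UserNameAttribute">uid</Property>
<Property name="ReadLDAPGroups">true</Property>
<Property name="GroupSearchBase">ou=system</Property>
<Property name="GroupSearchFilter">(objectClass=groupOfNames)</Property>
<Property name="GroupNameAttribute">cn</Property>
</UserStoreManager></Realm></UserManager>"""

# Steps 4 to 7 of section 6.1 require these; step 9 requires GROUP_PROPS when ReadLDAPGroups is true.
REQUIRED = ("ConnectionURL", "ConnectionName", "ConnectionPassword", "UserSearchBase", "UserNameAttribute")
GROUP_PROPS = ("GroupSearchBase", "GroupSearchFilter", "GroupNameAttribute", "MembershipAttribute")

def parse_user_mgt(xml_text):
    """Return (ReadOnly value, {name: value} of the LDAP UserStoreManager's Property elements)."""
    root = ET.fromstring(xml_text)
    ro = root.find(".//ReadOnly")
    read_only = (ro.text or "").strip() if ro is not None else ""
    usm = next((u for u in root.iter("UserStoreManager")
                if "LDAPUserStoreManager" in u.get("class", "")), None)
    if usm is None:
        raise ValueError("no LDAPUserStoreManager element found")
    return read_only, {p.get("name"): (p.text or "").strip() for p in usm.iter("Property")}

def check_user_mgt(xml_text):
    """Apply the consistency rules from sections 6.1 to 6.3; an empty list means no findings."""
    read_only, props = parse_user_mgt(xml_text)
    findings = []
    if read_only not in ("true", "false"):
        findings.append("ReadOnly must be true or false")
    findings += [f"{n} is missing or empty" for n in REQUIRED if not props.get(n)]
    url = props.get("ConnectionURL", "")
    if url.startswith("ldap://"):  # bind DN and password would cross the network in clear text
        findings.append("warning: ConnectionURL uses ldap://; prefer ldaps:// for the bind")
    elif url and not url.startswith("ldaps://"):
        findings.append("ConnectionURL must start with ldap:// or ldaps://")
    if props.get("ReadLDAPGroups") == "true":  # step 9: group properties are then mandatory
        findings += [f"ReadLDAPGroups is true but {n} is not set" for n in GROUP_PROPS if not props.get(n)]
    if props.get("WriteLDAPGroups") == "true" and read_only == "true":
        findings.append("WriteLDAPGroups is true but ReadOnly is true; nothing is written in read-only mode")
    return findings
```

Running check_user_mgt(SAMPLE_USER_MGT) reports the plaintext ldap:// URL and the missing MembershipAttribute; point it at your own file's contents before starting the server.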