This is resolved in newest WSO2 IS build, but still in Alpha.
WSO2 Identity Server and Active Directory Integration
-
23-03-2022 - |
Question
So I've been playing and toying with WSO2 Identity Server for a while and I have to say it hurts me more than it helps. Anyway, I have question on how to integrate with Active Directory. I've got to a point where I can see all my AD's Users and Groups in WSO2 IS. However, I encountered the following:
- I can't login to WSO2 IS with any AD credential.
- I can't configure domain (foo.com\) for AD users in WSO2.
- When I login to WSO2 with admin, I see all AD users but they don't have any Roles (Groups). Somehow when WSO2 read these Users from AD, it doesn't read the AD Group the Users belong to.
My long and boring WSO2 IS configuration:
<UserManager>
<Realm>
<Configuration>
<AdminRole>admin</AdminRole>
<AdminUser>
<UserName>admin</UserName>
<Password>admin</Password>
</AdminUser>
<EveryOneRoleName>everyone</EveryOneRoleName>
<!-- By default users in this role sees the registry root -->
<Property name="dataSource">jdbc/WSO2CarbonDB</Property>
<Property name="MultiTenantRealmConfigBuilder">org.wso2.carbon.user.core.config.multitenancy.CommonLDAPRealmConfigBuilder</Property>
</Configuration>
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager">
<Property name="defaultRealmName">WSO2.ORG</Property>
<Property name="kdcEnabled">false</Property>
<Property name="ConnectionURL">ldap://localhost:${Ports.EmbeddedLDAP.LDAPServerPort}</Property>
<Property name="ConnectionName">uid=admin,ou=system</Property>
<Property name="ConnectionPassword">admin</Property>
<Property name="passwordHashMethod">SHA</Property>
<Property name="UserNameListFilter">(objectClass=person)</Property>
<Property name="UserEntryObjectClass">identityPerson</Property>
<Property name="UserSearchBase">ou=Users,dc=wso2,dc=org</Property>
<Property name="UserNameSearchFilter">(&(objectClass=person)(uid=?))</Property>
<Property name="UserNameAttribute">uid</Property>
<Property name="PasswordJavaScriptRegEx">^[\\S]{5,30}$</Property>
<Property name="ServicePasswordJavaRegEx">^[\\S]{5,30}$</Property>
<Property name="ServiceNameJavaRegEx">^[\\S]{2,30}/[\\S]{2,30}$</Property>
<Property name="UsernameJavaScriptRegEx">^[\\S]{3,30}$</Property>
<Property name="UsernameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
<Property name="RolenameJavaScriptRegEx">^[\\S]{3,30}$</Property>
<Property name="RolenameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
<Property name="ReadLDAPGroups">true</Property>
<Property name="WriteLDAPGroups">true</Property>
<Property name="EmptyRolesAllowed">true</Property>
<Property name="GroupSearchBase">ou=Groups,dc=wso2,dc=org</Property>
<Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property>
<Property name="GroupEntryObjectClass">groupOfNames</Property>
<Property name="GroupNameSearchFilter">(&(objectClass=groupOfNames)(cn=?))</Property>
<Property name="GroupNameAttribute">cn</Property>
<Property name="MembershipAttribute">member</Property>
<Property name="UserRolesCacheEnabled">true</Property>
<Property name="UserDNPattern">uid={0},ou=Users,dc=wso2,dc=org</Property>
<Property name="SCIMEnabled">true</Property>
<Property name="maxFailedLoginAttempt">0</Property>
</UserStoreManager>
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager">
<Property name="ReadOnly">true</Property>
<Property name="MaxUserNameListLength">100</Property>
<Property name="ConnectionURL">ldap://10.10.10.72:389</Property>
<Property name="ConnectionName">CN=Firstname Lastname,OU=Users,OU=New York,OU=Offices,DC=foo,DC=bar,DC=com</Property>
<Property name="ConnectionPassword">Password1*</Property>
<Property name="passwordHashMethod">SHA</Property>
<Property name="UserSearchBase">ou=Users,dc=wso2,dc=org</Property>
<Property name="UserNameListFilter">(objectClass=person)</Property>
<Property name="UserNameAttribute">sAMAccountName</Property>
<Property name="ReadLDAPGroups">false</Property>
<Property name="GroupSearchBase">ou=Groups,dc=wso2,dc=org</Property>
<Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property>
<Property name="GroupNameAttribute">cn</Property>
<Property name="MembershipAttribute">member</Property>
<Property name="UserRolesCacheEnabled">true</Property>
<Property name="ReplaceEscapeCharactersAtUserLogin">true</Property>
<Property name="maxFailedLoginAttempt">0</Property>
<!--Property name="DomainName">foo.com</Property-->
</UserStoreManager>
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager">
<Property name="defaultRealmName">NYSTSTest</Property>
<Property name="kdcEnabled">false</Property>
<Property name="ConnectionURL">ldap://10.10.10.72:389</Property>
<Property name="ConnectionName">CN=Firstname Lastname,OU=Users,OU=New York,OU=Offices,DC=foo,DC=bar,DC=com</Property>
<Property name="ConnectionPassword">Password1*</Property>
<Property name="passwordHashMethod">PLAIN_TEXT</Property>
<Property name="UserSearchBase">OU=Users,OU=New York,OU=Offices,DC=foo,DC=bar,DC=com</Property>
<Property name="UserEntryObjectClass">person</Property>
<Property name="UserNameAttribute">sAMAccountName</Property>
<Property name="isADLDSRole">false</Property>
<Property name="userAccountControl">512</Property>
<Property name="UserNameListFilter">(objectClass=person)</Property>
<Property name="UserNameSearchFilter">(&(objectClass=user)(cn=?))</Property>
<Property name="UsernameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
<Property name="UsernameJavaScriptRegEx">^[\\S]{3,30}$</Property>
<Property name="PasswordJavaScriptRegEx">^[\\S]{5,30}$</Property>
<Property name="RolenameJavaScriptRegEx">^[\\S]{3,30}$</Property>
<Property name="RolenameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
<Property name="ReadLDAPGroups">true</Property>
<Property name="WriteLDAPGroups">false</Property>
<Property name="EmptyRolesAllowed">true</Property>
<Property name="GroupSearchBase">OU=Groups,OU=New York,OU=Offices,DC=foo,DC=bar,DC=com</Property>
<Property name="GroupEntryObjectClass">group</Property>
<Property name="GroupNameAttribute">sAMAccountName</Property>
<Property name="MembershipAttribute">member</Property>
<Property name="GroupNameListFilter">(objectCategory=group)</Property>
<Property name="GroupNameSearchFilter">(&(objectClass=group)(cn=?))</Property>
<Property name="UserRolesCacheEnabled">true</Property>
<!--Property name="Referral">follow</Property-->
<Property name="BackLinksEnabled">false</Property>
<Property name="maxFailedLoginAttempt">0</Property>
<!--Property name="DomainName">foo.com</Property-->
</UserStoreManager>
<AuthorizationManager
class="org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager">
<Property name="AdminRoleManagementPermissions">/permission</Property>
<Property name="AuthorizationCacheEnabled">true</Property>
</AuthorizationManager>
</Realm>
</UserManager>
Solution 2
OTHER TIPS
It seems you have multiple user stores configured. In this case, you need to specify a domain name, using this property:
<!--Property name="DomainName">foo.com</Property-->
See: http://docs.wso2.org/wiki/display/IS400/Configuring+Multiple+User+Stores.
Hope this helps, Isabelle.
I'am experiencing, what I believe to be, the exact same thing. Everything looks good when I look at the "roles" and I can see the users in that role. But when I go from the user and try to look at which roles it is assigned to, it says no roles assigned. wso2 api manager 1.6.0 problems with User store management using ActiveDirectoryUserStoreManager
How did you get you setup working, and is it still working with API-manager 1.6.0?