WSO2 Identity Server and Active Directory Integration

Question

So I've been playing and toying with WSO2 Identity Server for a while and I have to say it hurts me more than it helps. Anyway, I have question on how to integrate with Active Directory. I've got to a point where I can see all my AD's Users and Groups in WSO2 IS. However, I encountered the following:

I can't login to WSO2 IS with any AD credential.
I can't configure domain (foo.com\) for AD users in WSO2.
When I login to WSO2 with admin, I see all AD users but they don't have any Roles (Groups). Somehow when WSO2 read these Users from AD, it doesn't read the AD Group the Users belong to.

My long and boring WSO2 IS configuration:

<UserManager>
  <Realm>
    <Configuration>
      <AdminRole>admin</AdminRole>
      <AdminUser>
        <UserName>admin</UserName>
        <Password>admin</Password>
      </AdminUser>
      <EveryOneRoleName>everyone</EveryOneRoleName>
      <!-- By default users in this role sees the registry root -->
      <Property name="dataSource">jdbc/WSO2CarbonDB</Property>
      <Property name="MultiTenantRealmConfigBuilder">org.wso2.carbon.user.core.config.multitenancy.CommonLDAPRealmConfigBuilder</Property>
    </Configuration>

    <UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager">
      <Property name="defaultRealmName">WSO2.ORG</Property>
      <Property name="kdcEnabled">false</Property>
      <Property name="ConnectionURL">ldap://localhost:${Ports.EmbeddedLDAP.LDAPServerPort}</Property>
      <Property name="ConnectionName">uid=admin,ou=system</Property>
      <Property name="ConnectionPassword">admin</Property>
      <Property name="passwordHashMethod">SHA</Property>
      <Property name="UserNameListFilter">(objectClass=person)</Property>
      <Property name="UserEntryObjectClass">identityPerson</Property>
      <Property name="UserSearchBase">ou=Users,dc=wso2,dc=org</Property>
      <Property name="UserNameSearchFilter">(&amp;(objectClass=person)(uid=?))</Property>
      <Property name="UserNameAttribute">uid</Property>
      <Property name="PasswordJavaScriptRegEx">^[\\S]{5,30}$</Property>
      <Property name="ServicePasswordJavaRegEx">^[\\S]{5,30}$</Property>
      <Property name="ServiceNameJavaRegEx">^[\\S]{2,30}/[\\S]{2,30}$</Property>
      <Property name="UsernameJavaScriptRegEx">^[\\S]{3,30}$</Property>
      <Property name="UsernameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
      <Property name="RolenameJavaScriptRegEx">^[\\S]{3,30}$</Property>
      <Property name="RolenameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
      <Property name="ReadLDAPGroups">true</Property>
      <Property name="WriteLDAPGroups">true</Property>
      <Property name="EmptyRolesAllowed">true</Property>
      <Property name="GroupSearchBase">ou=Groups,dc=wso2,dc=org</Property>
      <Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property>
      <Property name="GroupEntryObjectClass">groupOfNames</Property>
      <Property name="GroupNameSearchFilter">(&amp;(objectClass=groupOfNames)(cn=?))</Property>
      <Property name="GroupNameAttribute">cn</Property>
      <Property name="MembershipAttribute">member</Property>
      <Property name="UserRolesCacheEnabled">true</Property>
      <Property name="UserDNPattern">uid={0},ou=Users,dc=wso2,dc=org</Property>
      <Property name="SCIMEnabled">true</Property>
      <Property name="maxFailedLoginAttempt">0</Property>
    </UserStoreManager>

    <UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager">
      <Property name="ReadOnly">true</Property>
      <Property name="MaxUserNameListLength">100</Property>
      <Property name="ConnectionURL">ldap://10.10.10.72:389</Property>
      <Property name="ConnectionName">CN=Firstname Lastname,OU=Users,OU=New York,OU=Offices,DC=foo,DC=bar,DC=com</Property>
      <Property name="ConnectionPassword">Password1*</Property>
      <Property name="passwordHashMethod">SHA</Property>
      <Property name="UserSearchBase">ou=Users,dc=wso2,dc=org</Property>
      <Property name="UserNameListFilter">(objectClass=person)</Property>
      <Property name="UserNameAttribute">sAMAccountName</Property>
      <Property name="ReadLDAPGroups">false</Property>
      <Property name="GroupSearchBase">ou=Groups,dc=wso2,dc=org</Property>
      <Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property>
      <Property name="GroupNameAttribute">cn</Property>
      <Property name="MembershipAttribute">member</Property>
      <Property name="UserRolesCacheEnabled">true</Property>
      <Property name="ReplaceEscapeCharactersAtUserLogin">true</Property>
      <Property name="maxFailedLoginAttempt">0</Property>
      <!--Property name="DomainName">foo.com</Property-->
    </UserStoreManager>

    <UserStoreManager class="org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager">
      <Property name="defaultRealmName">NYSTSTest</Property>
      <Property name="kdcEnabled">false</Property>
      <Property name="ConnectionURL">ldap://10.10.10.72:389</Property>
      <Property name="ConnectionName">CN=Firstname Lastname,OU=Users,OU=New York,OU=Offices,DC=foo,DC=bar,DC=com</Property>
      <Property name="ConnectionPassword">Password1*</Property>
      <Property name="passwordHashMethod">PLAIN_TEXT</Property>
      <Property name="UserSearchBase">OU=Users,OU=New York,OU=Offices,DC=foo,DC=bar,DC=com</Property>
      <Property name="UserEntryObjectClass">person</Property>
      <Property name="UserNameAttribute">sAMAccountName</Property>
      <Property name="isADLDSRole">false</Property>
      <Property name="userAccountControl">512</Property>
      <Property name="UserNameListFilter">(objectClass=person)</Property>
      <Property name="UserNameSearchFilter">(&amp;(objectClass=user)(cn=?))</Property>
      <Property name="UsernameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
      <Property name="UsernameJavaScriptRegEx">^[\\S]{3,30}$</Property>
      <Property name="PasswordJavaScriptRegEx">^[\\S]{5,30}$</Property>
      <Property name="RolenameJavaScriptRegEx">^[\\S]{3,30}$</Property>
      <Property name="RolenameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
      <Property name="ReadLDAPGroups">true</Property>
      <Property name="WriteLDAPGroups">false</Property>
      <Property name="EmptyRolesAllowed">true</Property>
      <Property name="GroupSearchBase">OU=Groups,OU=New York,OU=Offices,DC=foo,DC=bar,DC=com</Property>
      <Property name="GroupEntryObjectClass">group</Property>
      <Property name="GroupNameAttribute">sAMAccountName</Property>
      <Property name="MembershipAttribute">member</Property>
      <Property name="GroupNameListFilter">(objectCategory=group)</Property>
      <Property name="GroupNameSearchFilter">(&amp;(objectClass=group)(cn=?))</Property>
      <Property name="UserRolesCacheEnabled">true</Property>
      <!--Property name="Referral">follow</Property-->
      <Property name="BackLinksEnabled">false</Property>
      <Property name="maxFailedLoginAttempt">0</Property>
      <!--Property name="DomainName">foo.com</Property-->
    </UserStoreManager>

    <AuthorizationManager
            class="org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager">
      <Property name="AdminRoleManagementPermissions">/permission</Property>
      <Property name="AuthorizationCacheEnabled">true</Property>
    </AuthorizationManager>
  </Realm>
</UserManager>

score 0 · Answer 1 · answered Mar 14 '13 at 12:23

0

It seems you have multiple user stores configured. In this case, you need to specify a domain name, using this property:

  <!--Property name="DomainName">foo.com</Property-->

See: http://docs.wso2.org/wiki/display/IS400/Configuring+Multiple+User+Stores.

Hope this helps, Isabelle.

answered Mar 14 '13 at 12:23

Isabelle

86
4

Well, the only user store I have is WSO2 built-in data store (I believe it's called H2) and Active Directory. My configuration above has 3 User Stores (ReadWrite, ReadOnly, Active Directory), but I point ReadOnly to same Connection URL as Active Directory, I did eventually find a way to remove Active Directory config section and just use ReadOnly to integrate with AD. Regardless of all my excuses / explanation, I did what you say, uncommented 'DomainName' property, but it still behave the same way. – stack247 Mar 14 '13 at 16:29

score 0 · Accepted Answer · answered Apr 03 '13 at 21:54

0

This is resolved in newest WSO2 IS build, but still in Alpha.

answered Apr 03 '13 at 21:54

stack247

5,579
4
41
64

score 0 · Answer 3 · edited May 23 '17 at 12:27

0

I'am experiencing, what I believe to be, the exact same thing. Everything looks good when I look at the "roles" and I can see the users in that role. But when I go from the user and try to look at which roles it is assigned to, it says no roles assigned. wso2 api manager 1.6.0 problems with User store management using ActiveDirectoryUserStoreManager

How did you get you setup working, and is it still working with API-manager 1.6.0?

edited May 23 '17 at 12:27

Community

1
1

answered Apr 10 '14 at 15:06

OneMuppet

132
10

This is not an answer.Anyway what you missing may be you want to add memberOf attribute to your userstoremanager configuration.. – DarRay Apr 10 '14 at 19:25
Do you mean using memberOf instead of member in the, MembershipAttribute property? If so I have tried this but it did not work, because the MembershipAttribute in out AD is member. If you meant in some other way please tell me more, I will listen to any suggestions. – OneMuppet Apr 10 '14 at 19:47
need to have both afaik – DarRay Apr 11 '14 at 03:11
So I can have multiple MembershipAttribute properties in my xml-config? @DarRay – OneMuppet Apr 11 '14 at 06:04
member memberOf – DarRay Apr 11 '14 at 08:58

WSO2 Identity Server and Active Directory Integration

3 Answers3