
New to WSO2 so be gentle. I'm building an instance of Ellucian's Ethos wso2 identity server (version 5.10.0) and when I point it to Active Directory the Tomcat server does start and I can login as the admin user I created in Active Directory for Ethos, but when I run "wso2server.bat -Dsetup" I see errors like the following in the wso2carbon.log file and I want to know if I should be worried.

ERROR {org.wso2.carbon.identity.scim.common.internal.SCIMCommonComponent} - Error occurred while setting SCIM attributes for the Admin org.wso2.carbon.user.core.UserStoreException: Error in adding SCIM metadata to the admin in tenant domain: carbon.super

[LDAP: error code 16 - 00000057: LdapErr: DSID-0C090D77, comment: Error in attribute conversion operation, data 0, v2580 ]; remaining name 'CN=ouruser,OU=OurContainer'

ERROR {org.wso2.carbon.identity.scim2.common.utils.AdminAttributeUtil} - Error occurred while updating the admin user's attributes in Tenant ID : -1234, Error : One or more attributes you are trying to add/update are not supported by underlying LDAP for user : ouruser org.wso2.carbon.user.core.UserStoreException: One or more attributes you are trying to add/update are not supported by underlying LDAP for user : ouruser

I intend for AD to be treated as a read-only LDAP database so I have "eis.admin.create.user" set to false in the eis_config.properties file and the Ethos admin user I created in AD does not have AD admin privileges. AD is only being used for authentication and for pulling attributes and releasing them to service providers. Could it be trying to write attributes to the Ethos admin user I created in AD?

Or is it an attribute mapping issue (mapping AD attributes back into Ethos?). I noticed in the eis_config.properties file the following mappings section

eis.add.claim.logonname=sAMAccountName
eis.add.claim.upn=userPrincipalName
eis.add.claim.objectguid=objectGUID
eis.add.claim.udcid=udcid
eis.add.claim.personid=employeeNumber
eis.add.claim.challenge.question.uris=
eis.add.claim.challenge.question.1=
eis.add.claim.challenge.question.2=
eis.add.claim.resource.type=pager

And I know for a fact that attributes like "udcid" are specific to Ellucian products and are not an LDAP attribute in AD, so I set it to "cn". And for the attribute mappings above that are blank, I mapped them to real AD attributes to see if I could get rid of the errors, but they remain.

Any thoughts?


1 Answer

Have you tried eis.add.claim.employeeType=memberOf in your eis_config.properties file?

And are the AD values correct for:

eis.admin.role.name=
eis.admin.username=
eis.userstore.ConnectionURL=
eis.userstore.ConnectionName=
eis.userstore.ConnectionPassword=
eis.userstore.UserSearchBase=
eis.userstore.UserNameAttribute=
eis.userstore.GroupSearchBase=
eis.userstore.SharedGroupSearchBase=
eis.userstore.defaultRealmName=

along with the user-mgt.xml settings?

rob
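An added offline check, not part of the question, the answer or Ellucian's tooling, that covers both posts: it flags blank eis.admin/eis.userstore settings, reports eis.add.claim mappings whose target attribute is blank or absent from the admin's AD entry, and decodes the "LDAP: error code 16" from the log using the RFC 4511 result-code names. The properties text and the AD entry below are constructed samples (the key names come from the page, the values do not).

```python
import re

# Constructed sample of the mappings quoted in the question (not the real file).
SAMPLE_PROPERTIES = """\
eis.admin.username=ouruser
eis.admin.role.name=
eis.userstore.UserSearchBase=OU=OurContainer,DC=example,DC=org
eis.add.claim.logonname=sAMAccountName
eis.add.claim.upn=userPrincipalName
eis.add.claim.objectguid=objectGUID
eis.add.claim.udcid=udcid
eis.add.claim.personid=employeeNumber
eis.add.claim.challenge.question.1=
eis.add.claim.resource.type=pager
"""

# Constructed AD user entry: the attributes a person object actually carries.
SAMPLE_AD_ENTRY = {
    "cn": "ouruser", "sAMAccountName": "ouruser",
    "userPrincipalName": "ouruser@example.org",
    "objectGUID": "<binary>", "employeeNumber": "12345", "pager": "",
}

# RFC 4511 result codes for attribute problems; the log in the question shows 16.
LDAP_RESULT_CODES = {16: "noSuchAttribute", 17: "undefinedAttributeType",
                     19: "constraintViolation", 53: "unwillingToPerform"}

def parse_properties(text):
    """Parse key=value lines; blank values are kept so they can be reported."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def blank_keys(props, prefixes=("eis.admin.", "eis.userstore.")):
    """Settings from the answer's checklist that are still empty."""
    return sorted(k for k, v in props.items() if k.startswith(prefixes) and not v)

def unmapped_claims(props, ad_entry):
    """Claim mappings pointing at a blank or missing AD attribute (LDAP attribute
    names are compared case-insensitively)."""
    present = {a.lower() for a in ad_entry}
    return {k: (v or "<blank>") for k, v in props.items()
            if k.startswith("eis.add.claim.") and v.lower() not in present}

def decode_ldap_error(line):
    """Extract and name the LDAP result code from a wso2carbon.log line."""
    m = re.search(r"LDAP: error code (\d+)", line)
    return None if not m else (int(m.group(1)), LDAP_RESULT_CODES.get(int(m.group(1)), "unknown"))
```

Run it against the real eis_config.properties and an LDAP search result for the admin user to see which mappings name attributes AD cannot store.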