Following are the steps to configure a WSO2 Carbon product with an external Active Directory.
To add Active Directory as the primary user store:
1. The following documentation can be referred to.
2. Following is a sample configuration for user-mgt.xml. Comment out the default user store configuration, uncomment the configuration for Active Directory, and set the properties as follows.
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager">
  <Property name="TenantManager">org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager</Property>
  <Property name="defaultRealmName">WSO2.ORG</Property>
  <Property name="Disabled">false</Property>
  <Property name="kdcEnabled">false</Property>
  <Property name="ConnectionURL">ldaps://192.100.10.1:636</Property>
  <Property name="ConnectionName">CN=Administrator,CN=Users,DC=wso2,DC=test</Property>
  <Property name="ConnectionPassword">password</Property>
  <Property name="passwordHashMethod">PLAIN_TEXT</Property>
  <Property name="UserSearchBase">CN=Users,DC=wso2,DC=test</Property>
  <Property name="UserEntryObjectClass">user</Property>
  <Property name="UserNameAttribute">cn</Property>
  <Property name="isADLDSRole">false</Property>
  <Property name="userAccountControl">512</Property>
  <Property name="UserNameListFilter">(objectClass=user)</Property>
  <!-- The LDAP AND operator '&' must be escaped as &amp; because this is an XML file -->
  <Property name="UserNameSearchFilter">(&amp;(objectClass=user)(cn=?))</Property>
  <Property name="UsernameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
  <Property name="UsernameJavaScriptRegEx">^[\S]{3,30}$</Property>
  <Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property>
  <Property name="RolenameJavaScriptRegEx">^[\S]{3,30}$</Property>
  <Property name="RolenameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
  <Property name="ReadGroups">true</Property>
  <Property name="WriteGroups">true</Property>
  <Property name="EmptyRolesAllowed">true</Property>
  <Property name="GroupSearchBase">CN=Users,DC=wso2,DC=test</Property>
  <Property name="GroupEntryObjectClass">group</Property>
  <Property name="GroupNameAttribute">cn</Property>
  <Property name="SharedGroupNameAttribute">cn</Property>
  <Property name="SharedGroupSearchBase">ou=SharedGroups,dc=wso2,dc=org</Property>
  <Property name="SharedGroupEntryObjectClass">groups</Property>
  <Property name="SharedTenantNameListFilter">(object=organizationalUnit)</Property>
  <Property name="SharedTenantNameAttribute">ou</Property>
  <Property name="SharedTenantObjectClass">organizationalUnit</Property>
  <Property name="MembershipAttribute">member</Property>
  <Property name="GroupNameListFilter">(objectcategory=group)</Property>
  <Property name="GroupNameSearchFilter">(&amp;(objectClass=group)(cn=?))</Property>
  <Property name="UserRolesCacheEnabled">true</Property>
  <Property name="Referral">follow</Property>
  <Property name="BackLinksEnabled">true</Property>
  <Property name="MaxRoleNameListLength">100</Property>
  <Property name="MaxUserNameListLength">100</Property>
  <Property name="SCIMEnabled">false</Property>
</UserStoreManager>
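As an added check (not part of the original post and not WSO2 product code), the following Python script parses a trimmed copy of the UserStoreManager block above, verifies the ldaps URL and the `?` placeholders, and shows the LDAP search filter that results when a login name is substituted into UserNameSearchFilter after the UsernameJavaRegEx gate and RFC 4515 escaping. The escaping and the audit rules are this script's own assumptions, not a description of how Carbon itself builds the filter.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed copy of the AD UserStoreManager block from the
# page. The LDAP AND operator '&' must be written as &amp; inside the XML file.
USER_MGT_XML = """<UserStoreManager class="org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager">
  <Property name="ConnectionURL">ldaps://192.100.10.1:636</Property>
  <Property name="UserSearchBase">CN=Users,DC=wso2,DC=test</Property>
  <Property name="UserNameSearchFilter">(&amp;(objectClass=user)(cn=?))</Property>
  <Property name="UsernameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
  <Property name="GroupNameSearchFilter">(&amp;(objectClass=group)(cn=?))</Property>
</UserStoreManager>"""

# RFC 4515 escaping for a value that is substituted into an LDAP search filter
# (this script's own assumption about how the placeholder should be filled).
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}


def load_properties(xml_text):
    """Return the <Property name=...> children of UserStoreManager as a dict."""
    root = ET.fromstring(xml_text)
    return {p.get("name"): (p.text or "") for p in root.findall("Property")}


def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def username_allowed(props, username):
    """Apply UsernameJavaRegEx the way Java's String.matches() does: whole string."""
    return re.fullmatch(props["UsernameJavaRegEx"], username) is not None


def render_search_filter(props, username, key="UserNameSearchFilter"):
    """Filter sent to AD for a login name, or None when the regex rejects the name."""
    template = props[key]
    if template.count("?") != 1:
        raise ValueError(f"{key} must contain exactly one '?' placeholder")
    if not username_allowed(props, username):
        return None
    return template.replace("?", escape_filter_value(username))


def audit(props):
    """Findings a reviewer would raise against this user store configuration."""
    findings = []
    if not props.get("ConnectionURL", "").startswith("ldaps://"):
        findings.append("ConnectionURL is not ldaps://; the bind password would cross the network in clear text")
    for key in ("UserNameSearchFilter", "GroupNameSearchFilter"):
        if props.get(key, "").count("?") != 1:
            findings.append(f"{key} must contain exactly one '?' placeholder")
    return findings
```

Running `render_search_filter(load_properties(USER_MGT_XML), "dominoz")` yields the filter `(&(objectClass=user)(cn=dominoz))`, while a name containing `)` or `*` is rejected by the regex before any filter is built.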
3. If you need an initial user to log in with, you can configure it in user-mgt.xml. As an example, we create a user called dominoz with the password password#.
<Configuration>
  <AddAdmin>true</AddAdmin>
  <AdminRole>admin</AdminRole>
  <AdminUser>
    <UserName>dominoz</UserName>
    <Password>password#</Password>
  </AdminUser>
  <EveryOneRoleName>everyone</EveryOneRoleName> <!-- By default, users in this role see the registry root -->
  <Property name="dataSource">jdbc/WSO2CarbonDB</Property>
</Configuration>
4. To create the user “dominoz” under the wso2.test tree structure, configure the following attribute.
<Property name="UserSearchBase">CN=Users,DC=wso2,DC=test</Property>
5. Following is a screenshot of the Active Directory configured with the user “dominoz”.
Figure 1 : AD added initial user
6. The initial user is created once the server has started.
7. Now you can log in to the Carbon console with the initial user credentials:
Username: dominoz Password: password#
Figure 2 : Carbon login page
8. Then you can create a role with the preferred permissions, or update the permissions of a role that already exists. The new role is created in the tree structure defined by the following attribute.
<Property name="GroupSearchBase">CN=Users,DC=wso2,DC=test</Property>
9. Click Configure -> Users and Roles -> Roles -> Add New Role. Select the domain and provide the role name.
When you click Roles, the existing roles in the configured tree structure are displayed.
Figure 3 : Adding a role
10. Click Next and select the required permissions.
Figure 4 : Configure permission
11. Then select the users you need to add to the role. You can search for users with the search function. All existing users in the configured tree structure are displayed.
Figure 5 : add users to the role
12. Once you click Finish, the role is added to the configured tree structure of the Active Directory, e.g. CN=Users,DC=wso2,DC=test. Following is a screenshot of the added role.
Figure 6 : Added role in the AD
13. In the same manner, any other users can also be added to the configured tree structure of the Active Directory.