Sunday, August 17, 2014

Configure WSO2 carbon with Active Directory as a primary user store and user role mapping

The following steps configure a WSO2 Carbon product to use an external Active Directory as its primary user store and to map user roles to it.

Adding Active Directory as the primary user store

1. Refer to the WSO2 documentation for the Active Directory user store configuration.

2. The following is a sample UserStoreManager configuration in user-mgt.xml. Comment out the default configuration, uncomment the Active Directory section and set the properties as shown.

<UserStoreManager class="org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager">
  <Property name="TenantManager">org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager</Property>
  <Property name="defaultRealmName">WSO2.ORG</Property>
  <Property name="Disabled">false</Property>
  <Property name="kdcEnabled">false</Property>
  <!-- ldaps:// on port 636 keeps the bind credentials and directory traffic encrypted -->
  <Property name="ConnectionURL">ldaps://192.100.10.1:636</Property>
  <!-- Bind DN used by Carbon to read and write the directory -->
  <Property name="ConnectionName">CN=Administrator,CN=Users,DC=wso2,DC=test</Property>
  <!-- Sample value; replace with the real bind password -->
  <Property name="ConnectionPassword">password</Property>
  <Property name="passwordHashMethod">PLAIN_TEXT</Property>
  <Property name="UserSearchBase">CN=Users,DC=wso2,DC=test</Property>
  <Property name="UserEntryObjectClass">user</Property>
  <Property name="UserNameAttribute">cn</Property>
  <Property name="isADLDSRole">false</Property>
  <!-- 512 = NORMAL_ACCOUNT: users created by Carbon are enabled -->
  <Property name="userAccountControl">512</Property>
  <Property name="UserNameListFilter">(objectClass=user)</Property>
  <!-- The '?' is replaced by the user name being looked up -->
  <Property name="UserNameSearchFilter">(&amp;(objectClass=user)(cn=?))</Property>
  <Property name="UsernameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
  <Property name="UsernameJavaScriptRegEx">^[\S]{3,30}$</Property>
  <Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property>
  <Property name="RolenameJavaScriptRegEx">^[\S]{3,30}$</Property>
  <Property name="RolenameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
  <Property name="ReadGroups">true</Property>
  <Property name="WriteGroups">true</Property>
  <Property name="EmptyRolesAllowed">true</Property>
  <!-- Roles created from the Carbon console are stored under this base -->
  <Property name="GroupSearchBase">CN=Users,DC=wso2,DC=test</Property>
  <Property name="GroupEntryObjectClass">group</Property>
  <Property name="GroupNameAttribute">cn</Property>
  <Property name="SharedGroupNameAttribute">cn</Property>
  <Property name="SharedGroupSearchBase">ou=SharedGroups,dc=wso2,dc=org</Property>
  <Property name="SharedGroupEntryObjectClass">groups</Property>
  <Property name="SharedTenantNameListFilter">(object=organizationalUnit)</Property>
  <Property name="SharedTenantNameAttribute">ou</Property>
  <Property name="SharedTenantObjectClass">organizationalUnit</Property>
  <Property name="MembershipAttribute">member</Property>
  <Property name="GroupNameListFilter">(objectcategory=group)</Property>
  <!-- The '?' is replaced by the role name being looked up -->
  <Property name="GroupNameSearchFilter">(&amp;(objectClass=group)(cn=?))</Property>
  <Property name="UserRolesCacheEnabled">true</Property>
  <Property name="Referral">follow</Property>
  <Property name="BackLinksEnabled">true</Property>
  <Property name="MaxRoleNameListLength">100</Property>
  <Property name="MaxUserNameListLength">100</Property>
  <Property name="SCIMEnabled">false</Property>
</UserStoreManager>

3. If you need an initial user to log in with, you can define it in user-mgt.xml. As an example, we create a user called dominoz with the password password#.


<Configuration>
  <AddAdmin>true</AddAdmin>
  <AdminRole>admin</AdminRole>
  <AdminUser>
    <UserName>dominoz</UserName>
    <Password>password#</Password>
  </AdminUser>
  <EveryOneRoleName>everyone</EveryOneRoleName> <!-- By default users in this role see the registry root -->
  <Property name="dataSource">jdbc/WSO2CarbonDB</Property>
</Configuration>
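As an added example (not from the original post and not WSO2's own code), the following Python script parses a user-mgt.xml fragment like the ones in steps 2 and 3 and flags the settings a reviewer would question before the server goes live: a ConnectionURL that is not ldaps://, a ConnectionPassword written into the file in clear text instead of being referenced through WSO2 Secure Vault's svns:secretAlias attribute, a userAccountControl value that would create disabled or password-less accounts, search filters missing their '?' placeholder, and an AddAdmin password that is easy to guess. The sample XML is constructed to mirror the values above; the Secure Vault alias name in the second sample is an assumption made for the example.

```python
"""Added example (not part of the original post or of WSO2 Carbon itself):
parse the UserStoreManager and Configuration sections of a user-mgt.xml
fragment and flag settings worth a second look before the server goes live."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespace WSO2 Secure Vault uses for the svns:secretAlias attribute
SVNS = "http://org.wso2.securevault/configuration"

# userAccountControl bit flags (Microsoft's documented values)
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}

# Constructed sample mirroring the values in the post; not a real deployment
SAMPLE_PLAIN = """
<UserManager xmlns:svns="http://org.wso2.securevault/configuration">
  <Realm>
    <Configuration>
      <AddAdmin>true</AddAdmin>
      <AdminUser><UserName>dominoz</UserName><Password>password#</Password></AdminUser>
    </Configuration>
    <UserStoreManager class="org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager">
      <Property name="ConnectionURL">ldaps://192.100.10.1:636</Property>
      <Property name="ConnectionName">CN=Administrator,CN=Users,DC=wso2,DC=test</Property>
      <Property name="ConnectionPassword">password</Property>
      <Property name="userAccountControl">512</Property>
      <Property name="UserNameSearchFilter">(&amp;(objectClass=user)(cn=?))</Property>
      <Property name="GroupNameSearchFilter">(&amp;(objectClass=group)(cn=?))</Property>
    </UserStoreManager>
  </Realm>
</UserManager>
"""

# Same store, but the bind password is referenced through Secure Vault instead
# of being written into the file (the alias name is an assumption for this example)
SAMPLE_VAULTED = SAMPLE_PLAIN.replace(
    '<Property name="ConnectionPassword">password</Property>',
    '<Property name="ConnectionPassword" '
    'svns:secretAlias="UserStoreManager.Property.ConnectionPassword">password</Property>',
)


def decode_uac(value):
    """Return the names of the userAccountControl bits set in a decimal value."""
    bits = int(value)
    return sorted(name for bit, name in UAC_FLAGS.items() if bits & bit)


def load_realm(xml_text):
    """Extract the user store properties and the AddAdmin settings."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.find(".//UserStoreManager").findall("Property"):
        aliased = prop.get("{%s}secretAlias" % SVNS) is not None
        props[prop.get("name")] = ((prop.text or "").strip(), aliased)
    conf = root.find(".//Configuration")
    return {
        "props": props,
        "add_admin": (conf.findtext("AddAdmin") or "").strip().lower() == "true",
        "admin_pw": (conf.findtext("AdminUser/Password") or "").strip(),
    }


def check_realm(realm):
    """Return a list of human-readable findings; an empty list means no concerns."""
    findings = []
    props = realm["props"]
    url = props.get("ConnectionURL", ("", False))[0]
    if urlparse(url).scheme != "ldaps":
        findings.append("ConnectionURL is not ldaps://: bind credentials cross the network unencrypted")
    password, aliased = props.get("ConnectionPassword", ("", False))
    if not aliased:
        findings.append("ConnectionPassword is stored in clear text; reference it via Secure Vault (svns:secretAlias)")
        if password.lower() in {"", "password", "admin"}:
            findings.append("ConnectionPassword is empty or a placeholder value")
    flags = decode_uac(props.get("userAccountControl", ("512", False))[0])
    if "ACCOUNTDISABLE" in flags:
        findings.append("userAccountControl creates new accounts in the disabled state")
    if "PASSWD_NOTREQD" in flags:
        findings.append("userAccountControl allows accounts with no password")
    for name in ("UserNameSearchFilter", "GroupNameSearchFilter"):
        if "?" not in props.get(name, ("", False))[0]:
            findings.append(name + " lacks the '?' placeholder, so lookups are not narrowed to one name")
    admin_pw = realm["admin_pw"]
    if realm["add_admin"] and (len(admin_pw) < 8 or "password" in admin_pw.lower()):
        findings.append("AddAdmin creates the initial admin with a guessable password")
    return findings


if __name__ == "__main__":
    for label, text in (("plain", SAMPLE_PLAIN), ("vaulted", SAMPLE_VAULTED)):
        print(label, check_realm(load_realm(text)))
```

Run it directly to print the findings for both samples. One thing a file parser cannot check: with ldaps:// the Active Directory server's certificate (or its issuing CA) has to be present in the Carbon client-truststore.jks, otherwise the bind fails during the TLS handshake before any of the settings above are exercised.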

4. To create the user “dominoz” under the wso2.test tree, set the following property:

<Property name="UserSearchBase">CN=Users,DC=wso2,DC=test</Property>


5. The following is a screenshot of the Active Directory with the user “dominoz” configured.

Figure 1 : AD added initial user

6. The initial user is created once the server has been started with this configuration.

7. You can now log in to the Carbon console with the initial user's credentials, as below.
Username : dominoz           Password : password#

Figure 2 : Carbon login page


8. You can then create a role with the preferred permissions, or update the permissions of an existing role. Newly created roles are stored under the tree defined by the following property:

<Property name="GroupSearchBase">CN=Users,DC=wso2,DC=test</Property>

9. Click Configure -> Users and Roles -> Roles -> Add New Role. Select the domain and provide the role name.
When you click Roles, the existing roles in the configured tree are displayed.

Figure 3 : Adding a role

10. Click Next and select the permissions the role requires.

Figure 4 : Configure permission

11. Then select the users to add to the role. You can find users with the search function; all existing users in the configured tree are displayed.

Figure 5 : Add users to the role

12. Once you click Finish, the role is added under the configured tree of the Active Directory, e.g. CN=Users,DC=wso2,DC=test. The following is a screenshot of the added role.

Figure 6 : Added role in the AD



13. In the same manner, any other users can be added into the configured tree of the Active Directory.
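Steps 9 to 12 look roles and users up through the UserNameSearchFilter and GroupNameSearchFilter templates from step 2, where Carbon substitutes the '?' with the name being searched. As an added example (not from the post and not WSO2's own code), the following Python script shows how that substitution should be done on the defending side: the name is first checked against the post's RolenameJavaRegEx, then escaped per RFC 4515 so that wildcard or parenthesis characters in a name stay inside the cn assertion instead of changing the filter. Treating Java's String.matches() as equivalent to Python's re.fullmatch for this pattern is an assumption.

```python
"""Added example (not WSO2's own code): fill the '?' placeholder of the
UserNameSearchFilter / GroupNameSearchFilter templates from the post, escaping
the substituted name per RFC 4515 and validating it against RolenameJavaRegEx."""
import re

# RFC 4515 escaping for characters that are special inside an assertion value
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# RolenameJavaRegEx value from the post; Java String.matches() anchors the whole
# string, so re.fullmatch is used here (assumed equivalent for this pattern)
ROLENAME_JAVA_REGEX = r"[a-zA-Z0-9._-|//]{3,30}$"


def escape_filter_value(value):
    """Escape a user-supplied value for safe inclusion in an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def is_valid_name(name, pattern=ROLENAME_JAVA_REGEX):
    """True if the name satisfies the configured Java regex."""
    return re.fullmatch(pattern, name) is not None


def build_filter(template, name):
    """Substitute the single '?' in a WSO2 filter template with an escaped name."""
    if template.count("?") != 1:
        raise ValueError("template must contain exactly one '?' placeholder")
    return template.replace("?", escape_filter_value(name))


def lookup_filter(template, name):
    """Validate first, then build: names the regex disallows never reach the directory."""
    if not is_valid_name(name):
        raise ValueError("name rejected by RolenameJavaRegEx: %r" % name)
    return build_filter(template, name)


if __name__ == "__main__":
    group_tmpl = "(&(objectClass=group)(cn=?))"
    user_tmpl = "(&(objectClass=user)(cn=?))"
    print(lookup_filter(user_tmpl, "dominoz"))
    # "svc*" fails the regex; even without that check, escaping keeps the
    # asterisk a literal character rather than an LDAP wildcard
    print(build_filter(group_tmpl, "svc*"))
```

Note that the regex from the post admits only letters, digits, '.', '/', and the characters between '_' and '|' in ASCII order, so it already rejects the filter metacharacters; the escaping is the second layer for any path where the name does not pass through that check.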