Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to make external ldap as primary user store in wso2 identity server 5.10.0

Tags:

ldap

wso2

apache-directory

wso2-identity-server

I am trying to setup Apache Directory studio as external ldap(Primary user store) in wso2is 5.10.0 with following configuration in deployment.toml file

[super_admin]
username = "admin"
password = "admin"
#admin_role = "admin"
create_admin_account = true

[user_store]
type = "read_write_ldap_unique_id"
user_entry_object_class = "inetOrgPerson"
connection_url = "ldap://localhost:10390"
connection_name = "uid=admin,ou=system"
connection_password = "secret"
#scim_enabled = "false"
user_id_attribute = "uid"
user_search_base = "ou=users,ou=system"
base_dn = "ou=system"

When i start wso2, ldap connection gets established successfully

 INFO {org.wso2.carbon.user.core.ldap.UniqueIDReadWriteLDAPUserStoreManager} - LDAP connection created successfully in read-write mode

but i get the following error in the log before it

 ERROR {org.wso2.carbon.user.core.ldap.UniqueIDReadWriteLDAPUserStoreManager} - There is no user with the user name: a9fbdaba-ef0a-422c-a3c7-150d8e62bc44,admin to be added to this role.

Also afterwards i get

 ERROR {org.wso2.carbon.identity.scim.common.internal.SCIMCommonComponent} - Error occurred while setting SCIM attributes for the Admin org.wso2.carbon.user.core.UserStoreException: Error in adding SCIM metadata to the admin in tenant domain: carbon.super
        at org.wso2.carbon.identity.scim.common.utils.SCIMCommonUtils.setAdminSCIMAttributes(SCIMCommonUtils.java:250)
        at org.wso2.carbon.identity.scim.common.internal.SCIMCommonComponent.activate(SCIMCommonComponent.java:79)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.eclipse.equinox.internal.ds.model.ServiceComponent.activate(ServiceComponent.java:260)
        at org.eclipse.equinox.internal.ds.model.ServiceComponentProp.activate(ServiceComponentProp.java:146)
        at org.eclipse.equinox.internal.ds.model.ServiceComponentProp.build(ServiceComponentProp.java:345)
        at org.eclipse.equinox.internal.ds.InstanceProcess.buildComponent(InstanceProcess.java:620)
        at org.eclipse.equinox.internal.ds.InstanceProcess.buildComponents(InstanceProcess.java:197)
        at org.eclipse.equinox.internal.ds.Resolver.getEligible(Resolver.java:343)
        at org.eclipse.equinox.internal.ds.SCRManager.serviceChanged(SCRManager.java:222)
        at org.eclipse.osgi.internal.serviceregistry.FilteredServiceListener.serviceChanged(FilteredServiceListener.java:113)
        at org.eclipse.osgi.internal.framework.BundleContextImpl.dispatchEvent(BundleContextImpl.java:985)
        at org.eclipse.osgi.framework.eventmgr.EventManager.dispatchEvent(EventManager.java:234)
        at org.eclipse.osgi.framework.eventmgr.ListenerQueue.dispatchEventSynchronous(ListenerQueue.java:151)
        at org.eclipse.osgi.internal.serviceregistry.ServiceRegistry.publishServiceEventPrivileged(ServiceRegistry.java:866)
        at org.eclipse.osgi.internal.serviceregistry.ServiceRegistry.publishServiceEvent(ServiceRegistry.java:804)
        at org.eclipse.osgi.internal.serviceregistry.ServiceRegistrationImpl.register(ServiceRegistrationImpl.java:130)
        at org.eclipse.osgi.internal.serviceregistry.ServiceRegistry.registerService(ServiceRegistry.java:228)
        at org.eclipse.osgi.internal.framework.BundleContextImpl.registerService(BundleContextImpl.java:525)
        at org.eclipse.osgi.internal.framework.BundleContextImpl.registerService(BundleContextImpl.java:544)
        at org.wso2.carbon.identity.core.internal.IdentityCoreServiceComponent.activate(IdentityCoreServiceComponent.java:171)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.eclipse.equinox.internal.ds.model.ServiceComponent.activate(ServiceComponent.java:260)
        at org.eclipse.equinox.internal.ds.model.ServiceComponentProp.activate(ServiceComponentProp.java:146)
        at org.eclipse.equinox.internal.ds.model.ServiceComponentProp.build(ServiceComponentProp.java:345)
        at org.eclipse.equinox.internal.ds.InstanceProcess.buildComponent(InstanceProcess.java:620)
        at org.eclipse.equinox.internal.ds.InstanceProcess.buildComponents(InstanceProcess.java:197)
        at org.eclipse.equinox.internal.ds.Resolver.getEligible(Resolver.java:343)
        at org.eclipse.equinox.internal.ds.SCRManager.serviceChanged(SCRManager.java:222)
        at org.eclipse.osgi.internal.serviceregistry.FilteredServiceListener.serviceChanged(FilteredServiceListener.java:113)
        at org.eclipse.osgi.internal.framework.BundleContextImpl.dispatchEvent(BundleContextImpl.java:985)
        at org.eclipse.osgi.framework.eventmgr.EventManager.dispatchEvent(EventManager.java:234)
        at org.eclipse.osgi.framework.eventmgr.ListenerQueue.dispatchEventSynchronous(ListenerQueue.java:151)
        at org.eclipse.osgi.internal.serviceregistry.ServiceRegistry.publishServiceEventPrivileged(ServiceRegistry.java:866)
        at org.eclipse.osgi.internal.serviceregistry.ServiceRegistry.publishServiceEvent(ServiceRegistry.java:804)
        at org.eclipse.osgi.internal.serviceregistry.ServiceRegistrationImpl.register(ServiceRegistrationImpl.java:130)
        at org.eclipse.osgi.internal.serviceregistry.ServiceRegistry.registerService(ServiceRegistry.java:228)
        at org.eclipse.osgi.internal.framework.BundleContextImpl.registerService(BundleContextImpl.java:525)
        at org.eclipse.osgi.internal.framework.BundleContextImpl.registerService(BundleContextImpl.java:544)
        at org.wso2.carbon.core.init.CarbonServerManager.initializeCarbon(CarbonServerManager.java:529)
        at org.wso2.carbon.core.init.CarbonServerManager.removePendingItem(CarbonServerManager.java:305)
        at org.wso2.carbon.core.init.PreAxis2ConfigItemListener.bundleChanged(PreAxis2ConfigItemListener.java:118)
        at org.eclipse.osgi.internal.framework.BundleContextImpl.dispatchEvent(BundleContextImpl.java:973)
        at org.eclipse.osgi.framework.eventmgr.EventManager.dispatchEvent(EventManager.java:234)
        at org.eclipse.osgi.framework.eventmgr.EventManager$EventThread.run(EventManager.java:345)
Caused by: org.wso2.carbon.user.core.UserStoreException: userName value is null.
        at org.wso2.carbon.user.core.common.AbstractUserStoreManager.callSecure(AbstractUserStoreManager.java:205)
        at org.wso2.carbon.user.core.common.AbstractUserStoreManager.getUserClaimValue(AbstractUserStoreManager.java:1548)
        at org.wso2.carbon.identity.scim.common.utils.SCIMCommonUtils.setAdminSCIMAttributes(SCIMCommonUtils.java:231)
        ... 50 more
Caused by: java.security.PrivilegedActionException: java.lang.reflect.InvocationTargetException
        at java.security.AccessController.doPrivileged(Native Method)
        at org.wso2.carbon.user.core.common.AbstractUserStoreManager.callSecure(AbstractUserStoreManager.java:191)
        ... 52 more
Caused by: java.lang.reflect.InvocationTargetException
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.wso2.carbon.user.core.common.AbstractUserStoreManager$2.run(AbstractUserStoreManager.java:194)
        ... 54 more
Caused by: org.wso2.carbon.user.core.UserStoreException: userName value is null.
        at org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager.getUserPropertyValues(ReadOnlyLDAPUserStoreManager.java:571)
        at org.wso2.carbon.user.core.ldap.UniqueIDReadOnlyLDAPUserStoreManager.getUserPropertyValuesWithID(UniqueIDReadOnlyLDAPUserStoreManager.java:640)
        at org.wso2.carbon.user.core.common.AbstractUserStoreManager.doGetUserClaimValuesWithID(AbstractUserStoreManager.java:11346)
        at org.wso2.carbon.user.core.common.AbstractUserStoreManager.getUserClaimValue(AbstractUserStoreManager.java:1581)
        ... 59 moreanager.

The admin user gets registered in the ldap but i am not able to login to the management console.

Am i missing any configuration setting or is there any other way to do the same?

EDIT : when i use

user_id_attribute = "scimId"

the ldap connection does not establish and i get the following error

ERROR {org.wso2.carbon.user.core.common.DefaultRealm} - nullType class java.lang.reflect.InvocationTargetException org.wso2.carbon.user.core.UserStoreException: nullType class java.lang.reflect.InvocationTargetException
        at org.wso2.carbon.user.core.common.DefaultRealm.createObjectWithOptions(DefaultRealm.java:397)
        at org.wso2.carbon.user.core.common.DefaultRealm.initializeObjects(DefaultRealm.java:224)
        at org.wso2.carbon.user.core.common.DefaultRealm.init(DefaultRealm.java:129)
        at org.wso2.carbon.user.core.common.DefaultRealmService.initializeRealm(DefaultRealmService.java:276)
        at org.wso2.carbon.user.core.common.DefaultRealmService.<init>(DefaultRealmService.java:102)
        at org.wso2.carbon.user.core.common.DefaultRealmService.<init>(DefaultRealmService.java:115)
        at org.wso2.carbon.user.core.internal.Activator.startDeploy(Activator.java:72)
        at org.wso2.carbon.user.core.internal.BundleCheckActivator.start(BundleCheckActivator.java:61)
        at org.eclipse.osgi.internal.framework.BundleContextImpl$3.run(BundleContextImpl.java:842)
        at org.eclipse.osgi.internal.framework.BundleContextImpl$3.run(BundleContextImpl.java:1)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.eclipse.osgi.internal.framework.BundleContextImpl.startActivator(BundleContextImpl.java:834)
        at org.eclipse.osgi.internal.framework.BundleContextImpl.start(BundleContextImpl.java:791)
        at org.eclipse.osgi.internal.framework.EquinoxBundle.startWorker0(EquinoxBundle.java:1013)
        at org.eclipse.osgi.internal.framework.EquinoxBundle$EquinoxModule.startWorker(EquinoxBundle.java:365)
        at org.eclipse.osgi.container.Module.doStart(Module.java:598)
        at org.eclipse.osgi.container.Module.start(Module.java:462)
        at org.eclipse.osgi.container.ModuleContainer$ContainerStartLevel$1.run(ModuleContainer.java:1820)
        at org.eclipse.osgi.internal.framework.EquinoxContainerAdaptor$2$1.execute(EquinoxContainerAdaptor.java:150)
        at org.eclipse.osgi.container.ModuleContainer$ContainerStartLevel.incStartLevel(ModuleContainer.java:1813)
        at org.eclipse.osgi.container.ModuleContainer$ContainerStartLevel.incStartLevel(ModuleContainer.java:1770)
        at org.eclipse.osgi.container.ModuleContainer$ContainerStartLevel.doContainerStartLevel(ModuleContainer.java:1735)
        at org.eclipse.osgi.container.ModuleContainer$ContainerStartLevel.dispatchEvent(ModuleContainer.java:1661)
        at org.eclipse.osgi.container.ModuleContainer$ContainerStartLevel.dispatchEvent(ModuleContainer.java:1)
        at org.eclipse.osgi.framework.eventmgr.EventManager.dispatchEvent(EventManager.java:234)
        at org.eclipse.osgi.framework.eventmgr.EventManager$EventThread.run(EventManager.java:345)
Caused by: java.lang.reflect.InvocationTargetException
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
        at org.wso2.carbon.user.core.common.DefaultRealm.createObjectWithOptions(DefaultRealm.java:351)
        ... 25 more
Caused by: java.lang.NullPointerException
        at org.wso2.carbon.user.core.util.UserCoreUtil.addDomainToName(UserCoreUtil.java:561)
        at org.wso2.carbon.user.core.common.AbstractUserStoreManager.addToUserNameCache(AbstractUserStoreManager.java:11877)
        at org.wso2.carbon.user.core.common.AbstractUserStoreManager.getUserNameFromUserID(AbstractUserStoreManager.java:11842)
        at org.wso2.carbon.user.core.common.AbstractUserStoreManager.getUserNamesFromUserIDs(AbstractUserStoreManager.java:11916)
        at org.wso2.carbon.user.core.ldap.UniqueIDReadWriteLDAPUserStoreManager.doAddRoleWithID(UniqueIDReadWriteLDAPUserStoreManager.java:1270)
        at org.wso2.carbon.user.core.common.AbstractUserStoreManager.addInitialAdminData(AbstractUserStoreManager.java:8410)
        at org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager.<init>(ReadOnlyLDAPUserStoreManager.java:246)
        at org.wso2.carbon.user.core.ldap.UniqueIDReadOnlyLDAPUserStoreManager.<init>(UniqueIDReadOnlyLDAPUserStoreManager.java:148)
        at org.wso2.carbon.user.core.ldap.UniqueIDReadWriteLDAPUserStoreManager.<init>(UniqueIDReadWriteLDAPUserStoreManager.java:122)
        ... 30 more
like image 470
Arbaz Sheikh Avatar asked May 21 '20 18:05

Arbaz Sheikh

People also ask

What is LDAP in WSO2?

In the case of the WSO2 Identity Server, the default user store is an LDAP (Apache DS) that is shipped with the product. Note that the RDBMS used in the default configuration can remain as the database used for storing Authorization information.

What is user store in WSO2?

A user store is a data repository where user information and functions are saved, including, among many others, login name, password, name and surname and e-mail address. By default WSO2 Identity Server comes pre-configured with the following user stores: org. wso2. carbon.

What is IdP WSO2?

Introduction. An Identity Provider (IdP) is responsible for authenticating users and issuing identification information by using security tokens like SAML 2.0, OpenID Connect, OAuth 2.0 and WS-Trust. This is a favourable alternative to explicitly authenticating a user within a security realm.

How to set up LDAP user store in WSO2 Identity Server?

In WSO2 Identity Server, the embedded user store is LDAP. Instead of using the embedded user store, you can set your own user store as the primary user store. Navigate to <API-M_HOME>/repository/conf directory to open deployment.toml file and do user_store_properties configurations according to the LDAP user store provider.

What is the architecture of the WSO2 Identity Server?

WSO2 Identity Server architecture is such that you can configure a single primary user store and multiple secondary user stores in the server. Primary user store is shared among all the tenants within the product.

How to configure a read-only LDAP/AD as the primary user store?

Follow the given steps to configure a read-only LDAP/AD as the primary user store: API Manager is compatible with multiple user store. In WSO2 Identity Server, the embedded user store is LDAP. Instead of using the embedded user store, you can set your own user store as the primary user store.

What is the default user store for a WSO2 product?

The primary user store that is configured by default in the user-mgt.xml file is a JDBC user store, which reads/writes into the internal database of the product server. By default, the internal database is H2 for all WSO2 products excluding the Identity Server.

1 Answers

Configure the primary userstore in the <IS_HOME>/repository/conf/deployment.toml.

[user_store]
type = "read_write_ldap_unique_id"
base_dn = "ou=system"
connection_url = "ldap://localhost:10389"
connection_name = "uid=admin,ou=system"
connection_password = "admin"
<Property-Name> = <Property-Value>
read_groups = true

You can use existing user store manager or configure your own custom user store manager as well Writing a custom user store manager

Now, restart the server.

like image 149
Kayathiri Mahendrakumaran Avatar answered Nov 09 '22 11:11

Kayathiri Mahendrakumaran
Sign in to Comment

Related questions

How do I restrict Apache/SVN access to specific users (LDAP/file-based authentication)?
How can I use Regex to pull just the CN from a Distinguished Name with PowerShell
How do you search by dn in ldap
Ldap search filter multiple groups - squid
ImportError: No module named 'ldap' Python 3.5
How to change LDAP password via JNDI
LDAP to change user password
Why use Atlassian Crowd [closed]
Recursively querying LDAP group membership
LDAP Query that exclude computers
Spring Security LDAP authentication user must be a member of an AD group
How do I resolve "WILL_NOT_PERFORM" MS AD reply when trying to change password in scala w/ the unboundid LDAP SDK?
Why does LDAP requires a two step "login" (connect and then bind)
How to get password of active directory by ldap in php?
LDAP Authentication in PHP - Authenticated without giving a password
Can't verify CA certificate unless CApath or CAfile used
How to unlock user on ApacheDS
Why LDAP is not popular?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!