Connecting WSO2 Identity Server to an External LDAP source using startTLS - ssl

We have recently migrated our internal ApacheDS embedded LDAP service over to an external OpenLDAP server in our WSO2 Identity Server (4.6.0). That has been working well for last month.
In an effort to secure the environment further, I have created a new OpenLDAP cluster which enforces the use of TLS (startTLS). Below is my user-mgt.xml file. I have also imported the cacert.pem from the OpenLDAP server into the ./resources/security/client-truststore.jks on both of our IS nodes.
At startup I receive the follow errors:
Cannot create connection to LDAP server. Error message Error obtaining connection. [LDAP: error code 13 - TLS confidentiality required]
Below is my user-mgt.xml
<UserManager>
<Realm>
<Configuration>
<AddAdmin>true</AddAdmin>
<AdminRole>admin</AdminRole>
<AdminUser>
<UserName>admin</UserName>
<Password>SECRET</Password>
</AdminUser>
<EveryOneRoleName>everyone</EveryOneRoleName> <!-- By default users in this role sees the registry root -->
<Property name="dataSource">jdbc/bpsdbq</Property>
</Configuration>
<!-- If product is using an external LDAP as the user store in read/write mode, use following user manager
In case if user core cache domain is needed to identify uniquely set property <Property name="UserCoreCacheIdentifier">domain</Property>
-->
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager">
<Property name="TenantManager">org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager</Property>
<Property name="ConnectionURL">ldap://ourldap.server.com</Property>
<Property name="Disabled">false</Property>
<Property name="ConnectionName">cn=admin,dc=wso2,dc=org</Property>
<Property name="ConnectionPassword">SECRET</Property>
<Property name="passwordHashMethod">SHA</Property>
<Property name="UserNameListFilter">(objectClass=person)</Property>
<Property name="UserEntryObjectClass">inetOrgPerson</Property>
<Property name="UserSearchBase">ou=users,dc=wso2,dc=org</Property>
<Property name="UserNameSearchFilter">(&(objectClass=person)(cn=?))</Property>
<Property name="UserNameAttribute">cn</Property>
<Property name="UsernameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
<Property name="UsernameJavaScriptRegEx">^[\S]{3,30}$</Property>
<Property name="RolenameJavaScriptRegEx">^[\S]{3,30}$</Property>
<Property name="RolenameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
<Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property>
<Property name="ReadGroups">true</Property>
<Property name="WriteGroups">true</Property>
<Property name="EmptyRolesAllowed">false</Property>
<Property name="GroupSearchBase">ou=groups,dc=wso2,dc=org</Property>
<Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property>
<Property name="GroupEntryObjectClass">groupOfNames</Property>
<Property name="GroupNameSearchFilter">(&(objectClass=groupOfNames)(cn=?))</Property>
<Property name="GroupNameAttribute">cn</Property>
<Property name="SharedGroupNameAttribute">cn</Property>
<Property name="SharedGroupSearchBase">ou=SharedGroups,dc=wso2,dc=org</Property>
<Property name="SharedGroupEntryObjectClass">groupOfNames</Property>
<Property name="SharedGroupNameListFilter">(objectClass=groupOfNames)</Property>
<Property name="SharedGroupNameSearchFilter">(&(objectClass=groupOfNames)(cn=?))</Property>
<Property name="SharedTenantNameListFilter">(objectClass=organizationalUnit)</Property>
<Property name="SharedTenantNameAttribute">ou</Property>
<Property name="SharedTenantObjectClass">organizationalUnit</Property>
<Property name="MembershipAttribute">member</Property>
<Property name="UserRolesCacheEnabled">true</Property>
<Property name="ReplaceEscapeCharactersAtUserLogin">true</Property>
<Property name="MaxRoleNameListLength">100</Property>
<Property name="MaxUserNameListLength">100</Property>
<Property name="SCIMEnabled">false</Property>
</UserStoreManager>
<AuthorizationManager
class="org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager">
<Property name="AdminRoleManagementPermissions">/permission</Property>
<Property name="AuthorizationCacheEnabled">true</Property>
</AuthorizationManager>
</Realm>
</UserManager>
Any help would be appreciated!
Thanks!

WSO2IS does not support to connect with startTLS. You can find an open jira for this. However, you can connect with normal SSL/TLS. Yes..then you need to import the openLDAP certificate in to resources/security/client-truststore.jks and connect to the SSL LDAPS port of the openLDAP

Related

WSO2 APIM 4.0.0 - Groups are not assigned to Users

I'm trying to configure API Manager 4.0.0 against OpenLDAP.
The users and groups are correctly fetched from the ldap and I can see them on carbon UI.
When I navigate to "View Users" of one group, I can see the users that are fetched using the attribute "uniqueMember" of the ldap.
But when I navigate to "View Roles" of one user, only "Internal/everyone" is displayed. The groups of the user are not assigned to him.
Is it normal to see the relationship in one way only ?
My OpenLDAP has no "memberOf" attribute schema. Maybe it is required ?
I am using a fresh install from wso4am-4.0.0.zip all-in-one without modification.
Here is the configuration of the userstore:
<?xml version="1.0" encoding="UTF-8"?><UserStoreManager class="org.wso2.carbon.user.core.ldap.UniqueIDReadWriteLDAPUserStoreManager">
<Property name="ConnectionURL">ldap://xxx:389</Property>
<Property name="ConnectionName">cn=admin,dc=mycompany-dev,dc=fr</Property>
<Property encrypted="true" name="ConnectionPassword">xxx</Property>
<Property name="UserSearchBase">ou=Users,ou=wso2,dc=mycompany-dev,dc=fr</Property>
<Property name="UserEntryObjectClass">person</Property>
<Property name="UserNameAttribute">uid</Property>
<Property name="UserNameSearchFilter">(&(objectClass=person)(uid=?))</Property>
<Property name="UserNameListFilter">(objectClass=person)</Property>
<Property name="UserIDAttribute">scimId</Property>
<Property name="UserIdSearchFilter">(&(objectClass=person)(uid=?))</Property>
<Property name="UserDNPattern"/>
<Property name="DisplayNameAttribute"/>
<Property name="Disabled">false</Property>
<Property name="ReadGroups">true</Property>
<Property name="WriteGroups">true</Property>
<Property name="GroupSearchBase">ou=Groups,ou=wso2,dc=mycompany-dev,dc=fr</Property>
<Property name="GroupEntryObjectClass">groupOfUniqueNames</Property>
<Property name="GroupNameAttribute">cn</Property>
<Property name="GroupNameSearchFilter">(&(objectClass=groupOfUniqueNames)(cn=?))</Property>
<Property name="GroupNameListFilter">(objectClass=groupOfUniqueNames)</Property>
<Property name="RoleDNPattern"/>
<Property name="MembershipAttribute">uniqueMember</Property>
<Property name="MemberOfAttribute"/>
<Property name="BackLinksEnabled">true</Property>
<Property name="UserNameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
<Property name="UserNameJavaScriptRegEx">^[\S]{3,30}$</Property>
<Property name="UsernameJavaRegExViolationErrorMsg">Username pattern policy violated.</Property>
<Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property>
<Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property>
<Property name="PasswordJavaRegExViolationErrorMsg">Password pattern policy violated.</Property>
<Property name="RoleNameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
<Property name="RoleNameJavaScriptRegEx">^[\S]{3,30}$</Property>
<Property name="LDAPInitialContextFactory">com.sun.jndi.ldap.LdapCtxFactory</Property>
<Property name="DateAndTimePattern">Date And Time Pattern</Property>
<Property name="CaseInsensitiveUsername">true</Property>
<Property name="BulkImportSupported">true</Property>
<Property name="EmptyRolesAllowed">true</Property>
<Property name="PasswordHashMethod">PLAIN_TEXT</Property>
<Property name="MultiAttributeSeparator">,</Property>
<Property name="MaxUserNameListLength">100</Property>
<Property name="MaxRoleNameListLength">100</Property>
<Property name="kdcEnabled">false</Property>
<Property name="defaultRealmName">WSO2.ORG</Property>
<Property name="UserRolesCacheEnabled">false</Property>
<Property name="ConnectionPoolingEnabled">false</Property>
<Property name="LDAPConnectionTimeout">5000</Property>
<Property name="ReadTimeout">5000</Property>
<Property name="RetryAttempts">0</Property>
<Property name="CountRetrieverClass"/>
<Property name="java.naming.ldap.attributes.binary"/>
<Property name="ClaimOperationsSupported">true</Property>
<Property name="MembershipAttributeRange">0</Property>
<Property name="UserCacheExpiryMilliseconds"/>
<Property name="UserDNCacheEnabled">true</Property>
<Property name="StartTLSEnabled">false</Property>
<Property name="ConnectionRetryDelay">120000</Property>
<Property name="ImmutableAttributes"/>
<Property name="TimestampAttributes"/>
<Property name="DomainName">CompanyUsers</Property>
<Property name="Description"/>
</UserStoreManager>
FYI I found the answer after activating logs :
DEBUG
{org.wso2.carbon.user.core.ldap.UniqueIDReadOnlyLDAPUserStoreManager} - No UserID found for the property: uid, value: user1, in domain: COMPANYUSERS
My user was incorrectly fetched because of scimId not exists in my Ldap
<Property name="UserIDAttribute">scimId</Property>
I changed to uid and it is working now.
<Property name="UserIDAttribute">uid</Property>

Configuring the WSO2 IS to external LDAP

I've been following this documentation on how to connect to external LDAP server from WSO2 Identity Server.
Now I am stuck at running the product. Upon running the WSO2 IS, I got an error saying that the admin user is not exist in PRIMARY. If I am using the existing configuration, everything went well. So i thought, this might be because of the configuration that I make at the user-mgt.xml and tenant-mgt.xml
This is my external LDAP configuration:
LDAP User and Group
This is my user-mgt.xml file looks like
<UserManager>
<Realm>
<Configuration>
<AddAdmin>true</AddAdmin>
<AdminRole>admin</AdminRole>
<AdminUser>
<UserName>admin</UserName>
<Password>*****</Password>
</AdminUser>
<EveryOneRoleName>everyone</EveryOneRoleName> <!-- By default users in this role sees the registry root -->
<Property name="isCascadeDeleteEnabled">true</Property>
<Property name="initializeNewClaimManager">true</Property>
<Property name="dataSource">jdbc/WSO2CarbonDB</Property>
</Configuration>
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager">
<Property name="TenantManager">org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager</Property>
<Property name="ConnectionURL">ldap://10.251.45.200:389</Property>
<Property name="ConnectionName">cn=ldap,dc=ei,dc=local</Property>
<Property name="ConnectionPassword">P#ssw0rd</Property>
<Property name="AnonymousBind">false</Property>
<Property name="UserSearchBase">ou=People,dc=ei,dc=local</Property>
<Property name="UserEntryObjectClass">identityPerson</Property>
<Property name="UserNameAttribute">uid</Property>
<Property name="UserNameSearchFilter">(&(objectClass=person)(uid=?))</Property>
<Property name="UserNameListFilter">(objectClass=person)</Property>
<Property name="DisplayNameAttribute"/>
<Property name="ReadGroups">true</Property>
<Property name="WriteGroups">true</Property>
<Property name="GroupSearchBase">ou=Group,dc=ei,dc=local</Property>
<Property name="GroupEntryObjectClass">groupOfNames</Property>
<Property name="GroupNameAttribute">cn</Property>
<Property name="GroupNameSearchFilter">(&(objectClass=groupOfNames)(cn=?))</Property>
<Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property>
<Property name="MembershipAttribute">member</Property>
<Property name="SCIMEnabled">true</Property>
<Property name="IsBulkImportSupported">false</Property>
<Property name="EmptyRolesAllowed">false</Property>
</UserStoreManager>
</Realm>
Please help me here, I so stuck at this process. Any advice would be great !

wso2 is secondary user store authentication

I have a wso2 is 5.1.0 server runign on Debian. I have a simple servlet that is authenticating using Oauth2 and works perfectly with the users in the primary store.
I have created a secondary store pointing to an openldap server. I have some users and groups and are seen correctly from the IS. I see that when I try to see the User Profile i get the following error:
Error while loading user profile metadata
But when I try to authenticate using the users in the ldap server i get a Login Failed error. I have tried to use both username, DOMAIN/username and username#DOMAIN but none of the worked.
I am starting to think that it could be related to the Calim configuration as the users in the different stores have different values but I don't know how to solve it.
Any ideas on what I am doing wrong?
UPDATED:
This is how I have defined the secondary store.
<?xml version="1.0" encoding="UTF-8"?><UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager">
<Property name="ConnectionURL">ldap://xxxx:389</Property>
<Property name="ConnectionName">cn=admin,dc=xx,dc=xx</Property>
<Property encrypted="true" name="ConnectionPassword">xxxx</Property>
<Property name="UserSearchBase">ou=users,dc=nextel,dc=es</Property>
<Property name="UserEntryObjectClass">inetOrgPerson</Property>
<Property name="UserNameAttribute">cn</Property>
<Property name="UserNameSearchFilter">(&(objectClass=person)cn=?))</Property>
<Property name="UserNameListFilter">(objectClass=person)</Property>
<Property name="UserDNPattern"/>
<Property name="DisplayNameAttribute"/>
<Property name="Disabled">false</Property>
<Property name="ReadGroups">true</Property>
<Property name="WriteGroups">true</Property>
<Property name="GroupSearchBase">ou=groups,dc=xx,dc=xx</Property>
<Property name="GroupEntryObjectClass">groupOfNames</Property>
<Property name="GroupNameAttribute">cn</Property>
<Property name="GroupNameSearchFilter">(&(objectClass=groupOfNames)(cn=?))</Property>
<Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property>
<Property name="RoleDNPattern"/>
<Property name="MembershipAttribute">member</Property>
<Property name="MemberOfAttribute"/>
<Property name="BackLinksEnabled">false</Property>
<Property name="UserNameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
<Property name="UserNameJavaScriptRegEx">^[\S]{3,30}$</Property>
<Property name="UsernameJavaRegExViolationErrorMsg">Username pattern policy violated.</Property>
<Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property>
<Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property>
<Property name="PasswordJavaRegExViolationErrorMsg">Password pattern policy violated.</Property>
<Property name="RoleNameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
<Property name="RoleNameJavaScriptRegEx">^[\S]{3,30}$</Property>
<Property name="SCIMEnabled">false</Property>
<Property name="BulkImportSupported">true</Property>
<Property name="EmptyRolesAllowed">true</Property>
<Property name="PasswordHashMethod">PLAIN_TEXT</Property>
<Property name="MultiAttributeSeparator">,</Property>
<Property name="MaxUserNameListLength">100</Property>
<Property name="MaxRoleNameListLength">100</Property>
<Property name="kdcEnabled">false</Property>
<Property name="defaultRealmName">WSO2.ORG</Property>
<Property name="UserRolesCacheEnabled">true</Property>
<Property name="ConnectionPoolingEnabled">false</Property>
<Property name="ReadTimeout">5000</Property>
<Property name="LDAPConnectionTimeout">5000</Property>
<Property name="RetryAttempts">0</Property>
<Property name="DomainName">incloudLDAP</Property>
<Property name="Description"/>
</UserStoreManager>
I can see the users in the list and even create a new one on the LDAP through WSO2 Is, but i cannot see the parameters.
UPDATED:
THe user structure in the LDAP is quite simple.
For the authentication issue, you need to verify "UserNameSearchFilter" attribute is correctly configured. It must mapped to the user name attribute in your ladp server.
<Property name="UserNameSearchFilter">(&(objectClass=user)(cn=?))</Property>
Also you can map attibutes from different user stores to a same wso2 claim. In the mapped attibute section use something like follows,
PRIMARY/attribute1;FOO/attribute2;BAR/attribute3
Also refer - https://docs.wso2.com/display/IS510/Adding+Claim+Mapping

How to change primary LDAP domain of WSO2 IS 4.5.0

I would like modify the domain of the primary user storage (based on LDAP), but i can not get successfully.
The current domain in user-mgt.xml is dc=wso2,dc=org and I would like to change to dc=foobar,dc=com
My modified user-mgt.xml is:
...
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager">
<Property name="TenantManager">org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager</Property>
<Property name="defaultRealmName">FOOBAR.COM</Property>
<Property name="kdcEnabled">false</Property>
<Property name="Disabled">false</Property>
<Property name="ConnectionURL">ldap://localhost:${Ports.EmbeddedLDAP.LDAPServerPort}</Property>
<Property name="ConnectionName">uid=admin,ou=system</Property>
<Property name="ConnectionPassword">admin</Property>
<Property name="passwordHashMethod">SHA</Property>
<Property name="UserNameListFilter">(objectClass=person)</Property>
<Property name="UserEntryObjectClass">identityPerson</Property>
<Property name="UserSearchBase">ou=Users,dc=foobar,dc=com</Property>
<Property name="UserNameSearchFilter">(&(objectClass=person)(uid=?))</Property>
<Property name="UserNameAttribute">uid</Property>
<Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property>
<Property name="ServicePasswordJavaRegEx">^[\\S]{5,30}$</Property>
<Property name="ServiceNameJavaRegEx">^[\\S]{2,30}/[\\S]{2,30}$</Property>
<Property name="UsernameJavaScriptRegEx">^[\S]{3,30}$</Property>
<Property name="UsernameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
<Property name="RolenameJavaScriptRegEx">^[\S]{3,30}$</Property>
<Property name="RolenameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
<Property name="ReadGroups">true</Property>
<Property name="WriteGroups">true</Property>
<Property name="EmptyRolesAllowed">true</Property>
<Property name="GroupSearchBase">ou=Groups,dc=foobar,dc=com</Property>
<Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property>
<Property name="GroupEntryObjectClass">groupOfNames</Property>
<Property name="GroupNameSearchFilter">(&(objectClass=groupOfNames)(cn=?))</Property>
<Property name="GroupNameAttribute">cn</Property>
<Property name="SharedGroupNameAttribute">cn</Property>
<Property name="SharedGroupSearchBase">ou=SharedGroups,dc=foobar,dc=com</Property>
<Property name="SharedGroupEntryObjectClass">groupOfNames</Property>
<Property name="SharedGroupNameListFilter">(objectClass=groupOfNames)</Property>
<Property name="SharedGroupNameSearchFilter">(&(objectClass=groupOfNames)(cn=?))</Property>
<Property name="SharedTenantNameListFilter">(objectClass=organizationalUnit)</Property>
<Property name="SharedTenantNameAttribute">ou</Property>
<Property name="SharedTenantObjectClass">organizationalUnit</Property>
<Property name="MembershipAttribute">member</Property>
<Property name="UserRolesCacheEnabled">true</Property>
<Property name="UserDNPattern">uid={0},ou=Users,dc=foobar,dc=com</Property>
<Property name="RoleDNPattern">cn={0},ou=Groups,dc=foobar,dc=com</Property>
<Property name="SCIMEnabled">true</Property>
<Property name="MaxRoleNameListLength">100</Property>
<Property name="MaxUserNameListLength">100</Property>
</UserStoreManager>
...
The error when starting WSO2 IS is:
Caused by: org.wso2.carbon.user.core.UserStoreException: [LDAP: error code 32 - NO_SUCH_OBJECT: failed for SearchRequest
baseDn : 'ou=Groups,dc=foobar,dc=com'
filter : '(&(2.5.4.0=groupofnames)(2.5.4.3=*))'
scope : whole subtree
typesOnly : false
Size Limit : 100
Time Limit : 11
Deref Aliases : deref Always
attributes : 'cn'
: ERR_268 Cannot find a partition for ou=Groups,dc=foobar,dc=com]
at org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager.getLDAPRoleNames(ReadOnlyLDAPUserStoreManager.java:1024)
at org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager.doGetRoleNames(ReadOnlyLDAPUserStoreManager.java:1134)
at org.wso2.carbon.user.core.common.AbstractUserStoreManager.getRoleNames(AbstractUserStoreManager.java:2485)
at org.wso2.carbon.user.core.common.AbstractUserStoreManager.getRoleNames(AbstractUserStoreManager.java:2382)
at org.wso2.carbon.user.core.common.AbstractUserStoreManager.getRoleNames(AbstractUserStoreManager.java:2375)
at org.wso2.carbon.event.core.internal.subscription.registry.RegistrySubscriptionManager.<init>(RegistrySubscriptionManager.java:91)
... 65 more
What should I be missing?
Solved !
I have replaced older domain and defaultRealmName in the following files:
IS_HOME/repository/conf/user-mgt.xml
IS_HOME/repository/conf/tenant-mgt.xml
IS_HOME/repository/conf/embedded-ldap.xml
I have replaced dc=wso2,dc=org for dc=foobar,dc=com and defaultRealmName=WSO2.ORG for FOOBAR.COM, then I deleted the directory named root located in the IS_HOME/repository/data/org.wso2.carbon.directory
.. so a fresh default partition will be created again at the restart.
Now, if you connect to WSO2IS' embedded LDAP (10389 port) using any LDAP client, you will see the new domain FOOBAR.COM instead of WSO2.ORG.
I hope that be useful.
I guess, you are trying to change the "dc=wso2,dc=org" value. You can not change it using user-mgt.xml file. user-mgt.xml file is used to connect WSO2IS with LDAP or AD or JDBC user stores. It means there can be LDAP running externally and you need to configure user-mgt.xml file to connect that LDAP using proper configurations. By default WSO2IS is shipped with embedded LDAP server and by default user-mgt.xml file has been configured to point to that embedded LDAP server. This embedded LDAP is created with "dc=wso2,dc=org" value. You can find the configurations of this embedded LDAP in the "embedded-ldap.xml" file. But there is no parameter to configure the domain ""dc=wso2,dc=org". It means, we can not configure it. But you can still create your own LDAP server using ApacheDS, OpenDJ and OpenLDAP and can point it to WSO2 Identity Server.

wso2 governance registry 4.6 LDAP cannot login with users

I've changed the user-mgt.xml to connect with the active directory of my company.
If I enter with the admin user, I can login and see the users of the active directory. But when I try with another user, the registry always said wrong uername or password (and I know both are right).
With a sniffer like wireshark I can see that the active directory is returning the complete name of the user and more data, so I donĀ“t understand why the registry doesn't let me login.
Authentication failure. Wrong username or password is provided {org.wso2.carbon.user.core.common.AbstractUserStoreManager}
<AddAdmin>true</AddAdmin>
<AdminRole>wso2admin</AdminRole>
<AdminUser>
<UserName>XXXXX</UserName>
<Password>XXXXX</Password>
</AdminUser>
<EveryOneRoleName>everyone</EveryOneRoleName>
<Property name="dataSource">jdbc/WSO2CarbonDB</Property>
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager">
<Property name="TenantManager">org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager</Property>
<Property name="defaultRealmName">WSO2.ORG</Property>
<Property name="Disabled">false</Property>
<Property name="kdcEnabled">false</Property>
<Property name="ConnectionURL">ldap://XXXXXXXX:389</Property>
<Property name="ConnectionName">cn=XXXXX,CN=Users,DC=itlab,DC=bk</Property>
<Property name="ConnectionPassword">XXXXXX</Property>
<Property name="passwordHashMethod">PLAIN_TEXT</Property>
<Property name="UserSearchBase">CN=Users,DC=itlab,DC=bk</Property>
<Property name="UserEntryObjectClass">user</Property>
<Property name="UserNameAttribute">cn</Property>
<Property name="isADLDSRole">false</Property>
<Property name="userAccountControl">512</Property>
<Property name="UserNameListFilter">(objectClass=user)</Property>
<Property name="UserNameSearchFilter">(&(objectClass=user)(cn=?))</Property>
<Property name="UsernameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
<Property name="UsernameJavaScriptRegEx">^[\S]{3,30}$</Property>
<Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property>
<Property name="RolenameJavaScriptRegEx">^[\S]{3,30}$</Property>
<Property name="RolenameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
<Property name="ReadGroups">true</Property>
<Property name="WriteGroups">false</Property>
<Property name="EmptyRolesAllowed">true</Property>
<Property name="GroupSearchBase">ou=Grupos,DC=itlab,DC=bk </Property>
<Property name="GroupEntryObjectClass">group</Property>
<Property name="GroupNameAttribute">cn</Property>
<Property name="SharedGroupNameAttribute">cn</Property>
<Property name="MembershipAttribute">member</Property>
<Property name="GroupNameListFilter">(objectcategory=group)</Property>
<Property name="GroupNameSearchFilter">(&(objectClass=group)(cn=?))</Property>
<Property name="UserRolesCacheEnabled">true</Property>
<Property name="Referral">follow</Property>
<Property name="BackLinksEnabled">true</Property>
<Property name="MaxRoleNameListLength">100</Property>
<Property name="MaxUserNameListLength">100</Property>
<Property name="SCIMEnabled">false</Property>
</UserStoreManager>
Thanks!
You mean, that you can not login to Governance registry using AD users except admin user in the user-mgt.xml file ? Normally, to login to management console of the Governance registry,
User needs to authenticate with the AD properly
User must have login permission to access management console.
According to the your comment, it seems to be that authentication is fine. Then user has been failed due to reason 2
Please login as admin and go to user role management page. Here you can see a role called "everyone". Please provide "login" permission for that role.
"everyone" is a role that has been mapped with all the users in the AD. Therefore if we provide permission to "everyone" role, It means all the users in AD can login...
If it is also not success, please enable debug logs for org.wso2.carbon.use.core package using log4j.properties file which can be found at conf directory.