I have multiple tenants. Some tenants have a single LDAP server and some are using multiple, so I want to configure multiple LDAP connections using some user interface in WSO2 Identity Server. Please suggest what is the best way?
Configuring multiple user stores can be done, and a detailed guideline for configuring an LDAP user store can be found in this blog post.
Configuring tenant-specific user stores isn't supported in the current versions of Identity Server, but it is one of the new features of Identity Server 4.5.0, which will be released in July 2013.
Thanks,
I am only getting started with WSO2 Identity Server.
What do I need?
- getting verification from the LDAP server that a user (entry) exists there, through WSO2 Identity Server.
Is it possible? Can I do this by adding a new Identity Provider in https://localhost:9444/carbon/?
Any ideas or help.
Sorry, if my question is dumb.
Identity Server comes with an embedded LDAP server as its primary user store. But you can change the user store configuration so that IS works with your LDAP too. You can also add your LDAP as a secondary user store.
After that, if you go to User and Roles section in UI, you should see Users and Roles existing in your LDAP.
We have a scenario where we have a Java web application deployed on a WebLogic instance and OBIEE on another. Now, what we want is to authenticate the OBIEE users using our already existing user base from our webapp database table. I don't have much experience regarding OBIEE or WebLogic server administration, but by googling a little I have found that OBIEE by default uses WebLogic's embedded LDAP server for authenticating its users. What we need is a way to configure OBIEE to use our existing database table users for authentication purposes. How do we achieve this? What are the necessary steps? Do we need to create a custom WebLogic authentication provider for this? Any guidance is highly appreciated. Thanks in advance.
Database authentication is possible on OBIEE 11.1.1.5 and higher. I assume that you are good on that side.
Oracle documentation is quite good on this topic; you can check the detailed scenario here.
The basic idea is that you create a SQLAuthenticator that talks between a virtualised identity provider and your database where your users are defined.
It's important to notice that this method works with users/passwords defined in one of your tables and not with database accounts.
Good luck!
#adn.911,
After setting up your DB authentication, are you facing the login issue only on Analytics or even on the WebLogic console and EM?
If you are able to log in to the WebLogic console but not to Analytics, try setting the virtualize property to true and reset the BISystemUser password.
I am using MarkLogic version 8.04 on CentOS 6. I am trying to do external authentication/authorization using LDAP.
I've created an external security authentication object:
name ldap-config-simple
authentication ldap
authorization ldap
ldap server url ldap://<my server address>:389
ldap base ou=<mycompany>,dc=<info>,dc=<my org>
ldap attribute sAMAccountName
ldap default user cn=<user id>,ou=xxxx,ou=yyyyy,dc=<info>,dc=<my org>
ldap bind method simple
and associated it with an HTML App server (here are the pertinent settings):
authentication basic
internal security true
external security ldap-config-simple
And I have associated an LDAP group to a role (here are the pertinent settings):
external name cn=marklogic,ou=groups,dc=<info>,dc=<my org>
The problem is that authentication fails when I try to access the App server using my LDAP user. The log for the external LDAP server shows that the search string that MarkLogic sends looks like this:
(member=cn=marklogic,ou=groups,dc=<info>,dc=<my org>)
But the LDAP server is expecting the search to be:
(memberOf=cn=marklogic,ou=groups,dc=<info>,dc=<my org>)
The LDAP server admin assures me that "memberOf" is the accepted standard for this type of query. We are using an OpenLDAP server; it is a pretty standard LDAP installation. Is there a way to have MarkLogic send "memberOf=" for the search rather than "member="?
Note that I was able to authenticate with my LDAP user ID through the App Server when I associated my user's DN in the LDAP server with a configured MarkLogic user. But I would prefer to use the role-based authentication, since that puts the access controls in the LDAP server.
Any help appreciated.
Answering my own question. It is working now with the configuration above, although I didn't make any changes. MarkLogic support told me that a previous configuration may have been cached. In the process of debugging this I did a network packet trace to see exactly what MarkLogic was sending, and it looks like it actually requests both the "memberOf" and "member" groups; I guess the LDAP admin only saw the latter in the logs.
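The difference between the two search filters discussed in this thread, as an added example that is not part of the original posts: "(member=<groupDN>)" matches group entries that list members, while "(memberOf=<groupDN>)" matches user entries that carry a back-link attribute (OpenLDAP only populates memberOf when the memberof overlay is enabled). The in-memory directory, DNs and the simple equality-filter evaluator are constructed for illustration and are not MarkLogic code.

```python
"""Evaluate LDAP equality filters over a constructed in-memory directory.

Demonstrates why a role lookup that relies on only one of the two
conventions (group-side 'member' vs user-side 'memberOf') can miss users,
and why querying both, as the packet trace in the thread showed, is safer.
"""
import re

GROUP_DN = "cn=marklogic,ou=groups,dc=info,dc=example"  # constructed DN

# Constructed directory: one groupOfNames entry plus two users; only alice has
# a memberOf back-link, as would happen without the memberof overlay for bob.
DIRECTORY = {
    GROUP_DN: {"objectClass": ["groupOfNames"],
               "member": ["cn=alice,ou=people,dc=info,dc=example",
                          "cn=bob,ou=people,dc=info,dc=example"]},
    "cn=alice,ou=people,dc=info,dc=example": {"objectClass": ["person"],
                                               "memberOf": [GROUP_DN]},
    "cn=bob,ou=people,dc=info,dc=example": {"objectClass": ["person"]},
}

# Only the simple '(attr=value)' form is supported by this toy evaluator.
FILTER_RE = re.compile(r"^\((?P<attr>[A-Za-z][\w;-]*)=(?P<value>[^)]*)\)$")


def normalize_dn(dn):
    """Case-fold and trim each RDN so DNs written differently still compare equal."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def search(filter_str):
    """Return the sorted DNs of entries whose attribute equals the filter value."""
    m = FILTER_RE.match(filter_str)
    if not m:
        raise ValueError(f"unsupported filter: {filter_str}")
    attr, value = m.group("attr").lower(), normalize_dn(m.group("value"))
    hits = []
    for dn, entry in DIRECTORY.items():
        attrs = {k.lower(): v for k, v in entry.items()}  # attribute names are case-insensitive
        if any(normalize_dn(v) == value for v in attrs.get(attr, [])):
            hits.append(dn)
    return sorted(hits)


def is_member(user_dn, group_dn):
    """True if the user belongs to the group by either convention (mirrors querying both)."""
    user_dn, group_dn = normalize_dn(user_dn), normalize_dn(group_dn)
    group = next((e for dn, e in DIRECTORY.items() if normalize_dn(dn) == group_dn), {})
    via_member = any(normalize_dn(v) == user_dn for v in group.get("member", []))
    via_member_of = user_dn in {normalize_dn(d) for d in search(f"(memberOf={group_dn})")}
    return via_member or via_member_of
```

Searching "(memberOf=<groupDN>)" alone finds only alice, and "(member=<groupDN>)" alone finds no entry at all; bob is only resolved by reading the group entry's member attribute, which is why checking both sides matters.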
I'm evaluating WSO2 Identity Server and WSO2 API Manager.
I registered an API and an application on API Manager. I can call the resources successfully.
I could also add a user into Identity Server and log in to it using OAuth authentication.
But it's not too clear how I can use those two systems together. I would like to use API Manager to expose my APIs to some applications. And I would like to use Identity Server to log in the end user. Is that possible? How can I "plug" those two systems together?
I am not sure if that's the best way to do it, so please advise me.
Thanks
According to my understanding, your use case is that you need to expose the APIs securely. So you need to use WSO2 Identity Server and WSO2 API Manager. In addition to that, you need the best approach for the above use case.
With the above two products we have the below two options.
1. Configuring WSO2 Identity Server as the Key Manager in WSO2 API Manager (this link gives a different version combination of both products). Here we need to add the key manager feature to the WSO2 IS.
2. Configuring the Pre-Packaged Identity Server 5.0.0 with API Manager 1.9.0.
Here the 1st option has manual configurations, but the 2nd option minimizes the manual configuration.
The purpose of using the Identity Server is not too clear. Is it to separate the authentication/authorization from the API Manager instance?
By default API Manager is shipped with a Key Management Server component that is responsible for all security and key related operations. This can be configured to authenticate users against a defined user store or multiple user stores. Authorization is based on OAuth 2.0. However, in a production deployment, we recommend that this component is deployed as a separate server instance so that it runs as an external Key Management Server.
This is done by simply using another copy of the API Manager distribution and configuring it as a Key Manager server node.
Hope this helps.
Regards,
Gillian
My understanding is,
if you want to use WSO2 API Manager (AM) as an API gateway, you don't need a separate IS, as AM includes an IS engine with security mechanisms such as the key manager.
If you need single sign-on across all AM components, and you do NOT have another identity provider (IdP), you need a separate IS.
However, if you do have a separate IdP, you don't need to install an IS server to implement SSO for AM, although the documentation from IS may suggest you do so. For example, a successful SSO implementation has been done with PingFederate/PingIdentity. See How to integrate WSO2 API Manager (AM) 1.10.0 with PingFederate SAML 2.0?
How can I set up a security realm in WebLogic 10.3? I want to add user roles and let the WebLogic server check those users for what resources they can access. Where does WebLogic store authentication data? How can authentication data be accessed and updated by the WebLogic server automatically?
Thanks in advance.
Your question is a bit vague, since there are a lot of ways to configure security within WebLogic. Oracle's documentation would be a good starting point.
You can set up the security realm under Security Realms in the console. There are some default groups with specific roles that you could assign to user accounts (for example, monitor = read-only).
LDAP data is stored in the internal LDAP folder within the domain directory. However, you can configure it to use an external LDAP.