How to use Active Directory as a secondary user store in tenant mode for WSO2 products.

In this post, my aim is to help users configure an Active Directory as the secondary user store in a tenant domain of a WSO2 product. I will break this down into the three main sections explained below.

1. How to create a tenant

2. How to plug in an Active Directory as the secondary user store within a tenant domain

3. How to import Active Directory public key to the tenant keystore

1. How to create a tenant

Before creating a tenant, it is important to understand what a tenant is. A tenant is a separate domain of the product which is independent of the main domain. This means that in a tenant domain it is possible to maintain a separate set of users and a separate set of artifacts from the main domain.

eg:- If you create a tenant domain with the suffix qa.com, all the users and artifacts in this domain are independent of the main domain and of the other tenant domains.

Please follow the instructions given below in order to create a new domain. I will use WSO2 API Manager 1.10.0 to explain the steps.

1. Log in to the WSO2 API Manager Carbon Console as the super admin

2. Access the Configure section from the left-hand side menu

3. Click on the Add New Tenant link

4. Provide a domain name eg:- “qa.com”

5. Provide all the other mandatory fields marked with an asterisk

6. Hit the Save button

Now that you have successfully created a tenant domain, it is also important to understand how a user logs in to it.

When logging into the system, the user should use the following username format:

username : [username]@[tenant_domain]

eg:- admin@qa.com
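The login format above is easy to get wrong in scripts and integration code, so here is a small parser for it. This is an added example, not code from the original post or from WSO2. It assumes the [username]@[tenant_domain] format described above, the super tenant domain name "carbon.super" that WSO2 uses when no tenant suffix is given, and the "STORE/username" prefix that WSO2 uses to name a secondary user store once one has been added (the subject of the next section); the last two are WSO2 conventions, so confirm them against your product version.

```python
"""Split a WSO2 login name into user store, username and tenant domain.

Added example, not part of the original post or of WSO2. Assumptions:
the super tenant is named "carbon.super", the default user store is
named "PRIMARY", and a secondary user store is addressed as
"STORE/username" (WSO2 conventions; verify for your version).
"""
from typing import NamedTuple

SUPER_TENANT = "carbon.super"   # assumed super tenant domain name
PRIMARY_STORE = "PRIMARY"       # assumed name of the default user store


class Login(NamedTuple):
    user_store: str
    username: str
    tenant_domain: str


def parse_login(login: str) -> Login:
    """Parse login names such as "admin@qa.com" or "QA-AD/jdoe@qa.com".

    The tenant split is on the LAST '@' so that email-style usernames
    ("jdoe@example.com@qa.com") keep their own '@'; the store split is
    on the FIRST '/' so the store prefix is separated from the rest.
    """
    login = login.strip()
    if not login:
        raise ValueError("empty login name")

    user_part, sep, tenant = login.rpartition("@")
    if not sep:                         # no tenant suffix: super tenant
        user_part, tenant = login, SUPER_TENANT
    if not user_part or not tenant:
        raise ValueError(f"malformed login name: {login!r}")

    store, sep, username = user_part.partition("/")
    if not sep:                         # no store prefix: default store
        store, username = PRIMARY_STORE, user_part
    if not store or not username:
        raise ValueError(f"malformed login name: {login!r}")

    # WSO2 treats user store domain names as upper case; tenant domains
    # are compared case-insensitively, so normalise both.
    return Login(store.upper(), username, tenant.lower())


if __name__ == "__main__":
    for sample in ("admin@qa.com", "admin", "qa-ad/jdoe@qa.com"):
        print(sample, "->", parse_login(sample))
```

Rejecting names with an empty user or tenant part matters in automation: a login such as "@qa.com" should fail loudly rather than silently become a super tenant lookup.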

2. How to plug in an Active Directory as the secondary user store within a tenant domain

All WSO2 products come with a default user store. Users can change this user store by modifying the $[HOME]/repository/conf/user-mgt.xml file.

Other than this, users are able to plug in secondary user stores as well. A secondary user store can be added to the main domain as well as to the tenant domains.

In this section, I will walk you through how to plug in an Active Directory as a secondary user store in a tenant domain.

Pre-Requisites:-

- The user should have the Active Directory configuration details

1. Log in to the tenant domain using valid credentials

2. Go to Main > User Stores > Add from the left-hand menu

3. Provide a domain name for the secondary user store

4. Provide all the mandatory fields under the ‘Define Properties for’ section (Please refer to the screenshot below)

5. Provide all the details you can find in the Active Directory configuration under the Optional section (Please refer to the screenshot below)

6. Hit the Save button

You should see a success message on screen if you have provided all the details correctly as per the Active Directory configuration.

This task is not complete until you import the public key of the Active Directory into the tenant keystore.
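Before saving the user store definition from step 4 and 5, it is worth checking the connection details the same way a reviewer would: the bind password travels to the directory on every user lookup, so the connection must be LDAPS, and the bind account should be a dedicated service account rather than a domain administrator. The following pre-flight check is an added example, not WSO2 code. The property names it uses (ConnectionURL, ConnectionName, ConnectionPassword, UserSearchBase) are the ones WSO2 Carbon's LDAP user store managers use for these fields, but confirm them against the "Define Properties for" form of your product version; the two sample definitions are constructed.

```python
"""Pre-flight checks on Active Directory connection properties before
they are saved as a tenant's secondary user store.

Added example, not WSO2 code. Property names are assumed to match the
WSO2 Carbon LDAP user store manager properties; the sample values are
constructed and the host ad.qa.com does not exist.
"""
import re

REQUIRED = ("ConnectionURL", "ConnectionName", "ConnectionPassword", "UserSearchBase")

# Loose distinguished-name shape: RDN(,RDN)* where an RDN is attr=value.
DN_RE = re.compile(r"^\s*[A-Za-z][A-Za-z0-9-]*=[^,]+(,\s*[A-Za-z][A-Za-z0-9-]*=[^,]+)*\s*$")
URL_RE = re.compile(r"^(?P<scheme>[a-z]+)://(?P<host>[^:/\s]+)(:(?P<port>\d+))?/?$", re.I)


def check_ad_user_store(props: dict) -> list:
    """Return the problems found; an empty list means the definition is
    ready to be saved."""
    problems = []
    for key in REQUIRED:
        if not props.get(key):
            problems.append(f"{key}: mandatory property is missing")

    url = props.get("ConnectionURL", "")
    m = URL_RE.match(url) if url else None
    if url and not m:
        problems.append("ConnectionURL: expected scheme://host[:port]")
    elif m and m.group("scheme").lower() != "ldaps":
        # A plain ldap:// bind sends ConnectionPassword in clear text and
        # lets anyone on the path alter the directory's answers.
        problems.append("ConnectionURL: use ldaps:// (TLS); plain ldap:// exposes the bind password")

    name = props.get("ConnectionName", "")
    if name and not DN_RE.match(name) and "@" not in name:
        problems.append("ConnectionName: expected a bind DN or a user@domain UPN")
    rdn = re.match(r"^\s*CN=([^,]+)", name, re.I)
    if rdn and rdn.group(1).strip().lower() == "administrator":
        # Least privilege: the bind account only needs read access.
        problems.append("ConnectionName: bind with a dedicated read-only service account, not Administrator")

    base = props.get("UserSearchBase", "")
    if base and not DN_RE.match(base):
        problems.append("UserSearchBase: expected a distinguished name such as OU=Users,DC=qa,DC=com")
    return problems


# Constructed sample: the weak definition ...
WEAK_STORE = {
    "ConnectionURL": "ldap://ad.qa.com:389",
    "ConnectionName": "CN=Administrator,CN=Users,DC=qa,DC=com",
    "ConnectionPassword": "",
    "UserSearchBase": "OU=Users,DC=qa,DC=com",
}

# ... and the same store with the problems corrected.
HARDENED_STORE = {
    "ConnectionURL": "ldaps://ad.qa.com:636",
    "ConnectionName": "CN=svc-wso2,OU=Service Accounts,DC=qa,DC=com",
    "ConnectionPassword": "<from the AD team, not stored in scripts>",
    "UserSearchBase": "OU=Users,DC=qa,DC=com",
}

if __name__ == "__main__":
    for label, store in (("weak", WEAK_STORE), ("hardened", HARDENED_STORE)):
        print(label, "->", check_ad_user_store(store) or "ok")
```

The ldaps:// requirement is also what makes the next section necessary: once the connection is TLS, the product has to trust the certificate the Active Directory server presents, which is why its public key must be imported into the tenant keystore.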

3. How to import Active Directory public key to the tenant keystore

The final step of adding an Active Directory as a secondary user store is to import the public key of the Active Directory into the keystore of the tenant domain.

Pre-Requisites:-

- The user should have the public key of the Active Directory

Please follow the instructions given below in order to import the public key of the Active Directory into the keystore of the tenant domain.

1. Log in to the Carbon console using the tenant admin credentials, eg:- admin@qa.com

2. Go to Main > Keystores > List from the left-hand side menu

3. Click on Import Cert and browse to the public key provided by the Active Directory server.

4. Hit the Import button

The user should see a success message on the screen.
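Whatever is imported in step 3 becomes a trusted certificate for the tenant's connection to the directory, so it pays to confirm that the file you were given is the certificate the Active Directory server really presents before importing it. The check below is an added example, not part of the original post or of WSO2. It assumes the public key arrives as a PEM file and that the AD team also gives you its SHA-256 fingerprint over a separate channel (or that you read it from the AD server itself); live_fingerprint fetches the certificate from the LDAPS port and is a network call. The sample PEM is constructed from arbitrary bytes, is not a real certificate, and only exercises the PEM handling and hashing.

```python
"""Fingerprint check on the Active Directory certificate before it is
imported into the tenant keystore.

Added example, not part of the original post or of WSO2. Assumes a PEM
file plus an out-of-band fingerprint. SAMPLE_PEM is constructed and is
NOT a real certificate.
"""
import base64
import hashlib
import ssl


def sha256_fingerprint(pem_text: str) -> str:
    """Colon-separated SHA-256 fingerprint of a PEM certificate, in the
    form most directory and browser consoles display it."""
    der = ssl.PEM_cert_to_DER_cert(pem_text)   # strips the armour, base64-decodes
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(pem_text: str, expected: str) -> bool:
    """Compare with an out-of-band fingerprint, ignoring case and
    separators so a value pasted from a console compares correctly."""
    def normalise(value: str) -> str:
        return value.replace(":", "").replace(" ", "").upper()
    return normalise(sha256_fingerprint(pem_text)) == normalise(expected)


def live_fingerprint(host: str, port: int = 636) -> str:
    """Fingerprint of the certificate the AD server presents on its LDAPS
    port (network call; not run offline). get_server_certificate does not
    validate the chain, which is exactly why the fingerprint is compared."""
    return sha256_fingerprint(ssl.get_server_certificate((host, port)))


# Constructed stand-in for the file received from the AD team (NOT a real cert).
SAMPLE_DER = bytes(range(64))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode("ascii")
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print("fingerprint of the received file:", sha256_fingerprint(SAMPLE_PEM))
```

In practice you would run fingerprint_matches on the received file against the fingerprint from the AD team, and, where the server is reachable, compare it with live_fingerprint("ad.qa.com") as well; only a file that passes both goes into the tenant keystore.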

If the Active Directory has been configured successfully, you can test it as follows.

Go to Users and Roles > List and check that the existing users from the Active Directory appear in the list.

Hope that was helpful. Please leave a comment if you have any feedback. Thanks!