Setting up LDAP User Store with WSO2 Identity Server 6.0.0

Sujan Sanjula
Aug 24, 2022


With the newly released WSO2 Identity Server 6.0.0, the embedded LDAP feature has been removed from the Identity Server pack. Hence, the embedded H2 database is used as the primary user store in the default pack. This blog will guide you through setting up an LDAP user store as the primary user store in WSO2 Identity Server.

Configuring the LDAP Server

First, we need to configure and run an LDAP server. For that, we can use ApacheDS or OpenLDAP. In this blog we will use Apache Directory Studio to run ApacheDS.

You can download the Apache Directory Studio from this link.

After downloading Apache Directory Studio, we need to create a fresh LDAP server. We can do this by clicking the “New Server” icon in the LDAP Servers tab.

Then select “ApacheDS 2.0.0”, give the server a name and finish the wizard.

You will then find the newly created LDAP server in the LDAP Servers tab under the given name.

Right-click on the server and click “Open Configuration”. The configuration window will open. The default ports used are 10389 and 10636, but you can change them as you wish. In the configuration window, you will see two partitions defined, “example” and “system”. You can change the default partition by clicking the “Advanced Partition configuration…” button.

In the Partitions tab, click on the example partition and change the ID and Suffix. The suffix is the base DN of the partition, and it will also be used as the base DN of the user store. In this guide we will set the ID to root and the Suffix to “dc=wso2,dc=org”.

Now you can run the LDAP server by right-clicking it in the LDAP Servers tab.

Connect and Browse the LDAP Server

Now we need to browse the entries in the LDAP server. For that, right-click the server again and click “Create a Connection”. A new connection will appear in the Connections tab. You can browse the LDAP server by clicking the “Open Connection” button in the Connections tab.

Alternatively, you can connect to the LDAP server by creating a new connection directly in the Connections tab. If you are running the LDAP server externally (without Apache Directory Studio), you need to use this option and provide the network and authentication parameters yourself.

After opening the connection, you can browse the LDAP server entries.

Here we can see four partitions.

  1. “dc=wso2,dc=org” — Default partition configured for the user store.
  2. “ou=schema” — Partition with all the attribute type and object class definitions.
  3. “ou=config” — Partition with the LDAP server configuration.
  4. “ou=system” — Partition with system information including the bind user. (“uid=admin,ou=system” is the bind user that we use to connect to the LDAP server. We could also use this partition to store users and groups; for convenience, we are using a separate partition for the user store.)

Import Custom Schemas and Add Organizational Units

WSO2 Identity Server uses custom attributes and object classes beyond the default ones in the standard LDAP schemas. We need to either import the schemas with the custom attributes and object classes into the LDAP server, or map the claims related to the custom attributes onto unused attributes in the default schema. In this guide, we will import the custom schemas using the WSO2 schema LDIF files, which can be downloaded from here.

The WSO2 Identity Server schemas contain three custom object classes (wso2Person, scimPerson and identityPerson), each with the attributes that belong to it. We can right-click on the “ou=schema” partition and import the custom schema LDIFs.

When importing the LDIFs, make sure to import them in the following order, because scimPerson extends wso2Person and identityPerson extends scimPerson: each superior object class must already exist in the schema before the class that extends it is imported.

  1. wso2Person.ldif
  2. scimPerson.ldif
  3. identityPerson.ldif
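The ordering rule above can be checked rather than remembered. The following is an added example, not code from the original post or from WSO2: it parses object class entries from LDIF text in the ApacheDS schema format (the m-name / m-supObjectClass attributes), follows the superior-class chain, and derives an import order in which every superior class comes before the classes that extend it. The three LDIF snippets are constructed, simplified stand-ins for the real WSO2 files (which also carry many attribute types), and their OIDs are placeholders.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed, simplified stand-ins for the three WSO2 schema LDIF files. Only
# the object class entries that matter for ordering are mimicked, in the
# ApacheDS "m-name" / "m-supObjectClass" schema format. OIDs are placeholders.
SAMPLE_SCHEMA_LDIFS: Dict[str, str] = {
    "identityPerson.ldif": """\
dn: m-oid=1.3.6.1.4.1.0.0.3,ou=objectclasses,cn=wso2,ou=schema
objectclass: metaObjectClass
m-name: identityPerson
m-supObjectClass: scimPerson
""",
    "scimPerson.ldif": """\
dn: m-oid=1.3.6.1.4.1.0.0.2,ou=objectclasses,cn=wso2,ou=schema
objectclass: metaObjectClass
m-name: scimPerson
m-supObjectClass: wso2Person
""",
    "wso2Person.ldif": """\
dn: m-oid=1.3.6.1.4.1.0.0.1,ou=objectclasses,cn=wso2,ou=schema
objectclass: metaObjectClass
m-name: wso2Person
m-supObjectClass: inetOrgPerson
""",
}


def parse_object_classes(ldif_text: str) -> List[Tuple[str, Optional[str]]]:
    """Return (name, superior) pairs for every metaObjectClass entry in an LDIF."""
    classes: List[Tuple[str, Optional[str]]] = []
    for entry in re.split(r"\n\s*\n", ldif_text.strip()):
        name = sup = None
        is_object_class = False
        for line in entry.splitlines():
            key, _, value = line.partition(":")
            key, value = key.strip().lower(), value.strip()
            if key == "objectclass" and value.lower() == "metaobjectclass":
                is_object_class = True
            elif key == "m-name":
                name = value
            elif key == "m-supobjectclass":
                sup = value
        if is_object_class and name:
            classes.append((name, sup))
    return classes


def import_order(files: Dict[str, str]) -> List[str]:
    """Order file names so every superior class is imported before the classes that extend it.

    Superiors not defined in any of the given files (e.g. inetOrgPerson from the
    built-in schema) impose no ordering constraint.
    """
    defined_in: Dict[str, str] = {}
    for fname, text in files.items():
        for name, _ in parse_object_classes(text):
            defined_in[name] = fname

    def deps(fname: str) -> List[str]:
        return [defined_in[sup] for _, sup in parse_object_classes(files[fname])
                if sup in defined_in and defined_in[sup] != fname]

    order: List[str] = []
    done, visiting = set(), set()

    def visit(fname: str) -> None:  # depth-first topological sort
        if fname in done:
            return
        if fname in visiting:
            raise ValueError(f"cyclic SUP chain involving {fname}")
        visiting.add(fname)
        for dep in deps(fname):
            visit(dep)
        visiting.remove(fname)
        done.add(fname)
        order.append(fname)

    for fname in sorted(files):
        visit(fname)
    return order


def order_violations(files: Dict[str, str], proposed: List[str]) -> List[str]:
    """Describe every class that a proposed order would import before its superior."""
    position = {fname: i for i, fname in enumerate(proposed)}
    defined_in = {name: f for f, text in files.items() for name, _ in parse_object_classes(text)}
    problems = []
    for fname, text in files.items():
        for name, sup in parse_object_classes(text):
            if sup in defined_in and position[defined_in[sup]] > position[fname]:
                problems.append(f"{name} ({fname}) imported before its superior {sup} ({defined_in[sup]})")
    return problems


if __name__ == "__main__":
    print("Import in this order:", " -> ".join(import_order(SAMPLE_SCHEMA_LDIFS)))
```

For the constructed files the derived order is wso2Person.ldif, scimPerson.ldif, identityPerson.ldif, which matches the list above; feeding the reverse order to order_violations reports the two broken dependencies.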

Next, we need to add organizational units for users and groups. We can create those entries using Apache Directory Studio, create them programmatically using JNDI, or import them from an LDIF file. For convenience, we will import the entries using the following LDIF file. Right-click on the “dc=wso2,dc=org” partition and import the LDIF file in the same way the schema LDIF files were imported. (This file also modifies the attributes and object classes of the default partition entry.)

After importing the above file, restart the LDAP server. Now we are ready to connect it to WSO2 Identity Server.

Connect LDAP User Store as Primary User Store in WSO2 Identity Server

Open the <IS-HOME>/repository/conf/deployment.toml file and add the following configuration.

[super_admin]
username = "admin"
password = "admin"
create_admin_account = true
[user_store]
type = "read_write_ldap_unique_id"
connection_url = "ldap://localhost:10389"
connection_name = "uid=admin,ou=system"
connection_password = "secret"
base_dn = "dc=wso2,dc=org"

If you need to configure an external LDAP in Identity Server versions below 6.0.0, you also need to add the configuration below to disable the embedded LDAP.

[embedded_ldap]
enable = false

Now you can start the Identity Server and use the LDAP user store as the primary user store. You can browse the entries using the LDAP Browser tab in Apache Directory Studio.

The following diagram shows the hierarchical structure used in WSO2 Identity Server to store tenant and super-tenant users.

The default partition contains the “ou=Users” and “ou=Groups” organizational units to store super-tenant users and groups. In addition, there are organizational units for tenants. For example, there is a separate entry called “ou=abc.com” for the abc.com tenant. Inside the “ou=abc.com” organizational unit there are child organizational units (“ou=users” and “ou=groups”) to store the users and groups belonging to that tenant.
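The layout just described, as an added example that is not part of the original post and not WSO2's own code: a small module that builds the DNs of the super-tenant and tenant subtrees under “dc=wso2,dc=org”, generates minimal LDIF for those organizational units, and escapes any value that is spliced into a DN. The escaping is the part a practitioner should not skip: user names and tenant domains typically arrive from requests, and a value such as “bob,ou=system” dropped unescaped into a DN addresses a different entry than intended. Assumptions: user entries are named by a uid attribute (mirroring the “uid=admin,ou=system” bind DN used above), the generated entries are plain organizationalUnit objects rather than the article's own import file, and the capitalization follows the article (“ou=Users” for the super tenant, “ou=users” under each tenant).

```python
import base64
from typing import Iterable, Optional

# Partition suffix configured in the LDAP server and as base_dn in deployment.toml.
BASE_DN = "dc=wso2,dc=org"
# Assumption: user entries are named by their uid attribute (e.g. uid=admin).
USER_NAME_ATTR = "uid"

_DN_SPECIAL = ',+"\\<>;'


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514, section 2.4).

    Every value that comes from a request (user names, tenant domains) must go
    through this before being spliced into a DN; otherwise a value such as
    "bob,ou=system" would silently address a different entry.
    """
    if value == "":
        raise ValueError("empty DN value")
    escaped = "".join("\\" + c if c in _DN_SPECIAL else c for c in value)
    if value[0] in "# ":           # leading '#' or space must be escaped
        escaped = "\\" + escaped
    if value.endswith(" "):        # trailing space must be escaped
        escaped = escaped[:-1] + "\\ "
    return escaped


def tenant_ou(domain: Optional[str]) -> str:
    """Root of a tenant's subtree; the partition suffix itself for the super tenant (None)."""
    if domain is None:
        return BASE_DN
    return f"ou={escape_dn_value(domain)},{BASE_DN}"


def users_base(domain: Optional[str] = None) -> str:
    # "ou=Users" directly under the suffix for the super tenant,
    # "ou=users" under "ou=<domain>" for every other tenant.
    return f"ou=Users,{BASE_DN}" if domain is None else f"ou=users,{tenant_ou(domain)}"


def groups_base(domain: Optional[str] = None) -> str:
    return f"ou=Groups,{BASE_DN}" if domain is None else f"ou=groups,{tenant_ou(domain)}"


def user_dn(username: str, domain: Optional[str] = None) -> str:
    """DN of a user entry in the super tenant (domain None) or in the given tenant."""
    return f"{USER_NAME_ATTR}={escape_dn_value(username)},{users_base(domain)}"


def ldif_attr(name: str, value: str) -> str:
    """One LDIF attribute line; values LDIF cannot carry literally are base64-encoded ("::")."""
    safe = (value.isascii() and value.isprintable()
            and not value.startswith((" ", ":", "<")) and not value.endswith(" "))
    if safe:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def _ou_entry(dn: str, ou: str) -> str:
    # Assumed minimal organizationalUnit entry.
    return "\n".join([ldif_attr("dn", dn), "objectClass: top",
                      "objectClass: organizationalUnit", ldif_attr("ou", ou)])


def layout_ldif(tenant_domains: Iterable[str] = ()) -> str:
    """LDIF for the organizational units of the super tenant and each listed tenant."""
    entries = [_ou_entry(users_base(), "Users"), _ou_entry(groups_base(), "Groups")]
    for domain in tenant_domains:
        entries.append(_ou_entry(tenant_ou(domain), domain))
        entries.append(_ou_entry(users_base(domain), "users"))
        entries.append(_ou_entry(groups_base(domain), "groups"))
    return "\n\n".join(entries) + "\n"


if __name__ == "__main__":
    print(layout_ldif(["abc.com"]))
    print(user_dn("admin"), "|", user_dn("bob,ou=system", "abc.com"))
```

Running the module prints the LDIF for the super-tenant units plus the abc.com subtree, followed by two DNs; the second shows the comma in the user name escaped so that it stays part of the uid value.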

I hope this gave you a good idea of how to set up an LDAP user store with WSO2 Identity Server.

Thanks for reading!
