Entgra IoT Server with External User Store

Working with Entgra IoT Platform

Saad Sahibjan
Entgra.io
Dec 30, 2019


Entgra IoT Server is the successor of WSO2 IoT Server. It combines mobile device management (MDM), mobile application management (MAM) and IoT device management in a single platform.

Entgra IoT Server can authenticate users against LDAP, Active Directory and JDBC user stores. In this article we will walk through plugging an LDAP user store into Entgra IoT Server.

Entgra IoT Server is built on WSO2 Carbon, so, like every Carbon-based product, it can read and write users and roles in an external LDAP user store.


Configure Apache Directory Studio

In this scenario, Apache Directory Studio will be used to create and configure an LDAP server.

  • First, create an LDAP server by clicking the New Server icon in the LDAP Servers tab.
  • Select the LDAP server type ApacheDS 2.0.0 and click Finish.

Apache Directory Studio then shows an overview of the newly created server.

  • Right-click the server you just created and click Create a Connection. A connection with the default settings is created.
(Figures: creating a connection; connection creation confirmation dialog.)
  • Now start the server. Once it is running, its state changes from Stopped to Started.

Connect Entgra IoT Server with LDAP

The latest Entgra IoT Server can be downloaded from the Entgra homepage. After downloading the pack, start the IoT server. Once it has started successfully, the management console is reachable at https://localhost:9443/carbon; log in with the default credentials (admin / admin). Change that default password before the server is reachable by anyone other than yourself, since it grants full administrative access to the console and every device and user it manages.

  • Click Add under User Stores to add a new user store configuration.
  • Select the user store manager class.

In this scenario it is org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager, which lets the server both read from and write to the LDAP user store. If the directory must not be modified by the IoT server, use org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager instead and bind with an account that has read rights only.

  • Give the user store configuration a name in the Domain Name field.
  • The Connection URL can be read off ApacheDS: click the connection and select Open Configuration.

The LDAP server is running locally, so the host is localhost (or the relevant IP address) and the port is the ApacheDS default, 10389. The connection URL is therefore ldap://localhost:10389. Note that plain ldap:// is unencrypted: the bind password and every user's login credentials cross the network in clear text, so outside a local test use ldaps:// (or TLS on the connection) once the directory has a certificate.

  • For the Connection Name, right-click the connection, select Properties and open the Authentication tab. The value shown as Bind DN or User is the value for the Connection Name.

The Connection Name is the DN (or user name) that Entgra IoT Server binds to the directory with before performing any operation. This account must be allowed to read the user list and user attributes so that searches on the user store succeed; with ReadWriteLDAPUserStoreManager it also needs write access to the user and group containers. Use a dedicated service account with only those rights rather than the directory administrator, which is what the default ApacheDS bind DN is.

  • The Connection Password is the password of the account entered as the Connection Name. In this scenario that account is the ApacheDS admin user, so select the admin user in the LDAP Browser.

Double-click the user's Password attribute and, under the Current Password tab, click Show current password details.

  • To get the value for the User Search Base, click the users entry in the LDAP Browser.

The container under which user entries are stored is the “users” organizational unit, so the User Search Base is ou=users,ou=system.

  • The most common value for the UserEntryObjectClass is inetOrgPerson.
  • To get the value for the Group Search Base, click the groups entry in the LDAP Browser.

The Group Search Base is therefore ou=groups,ou=system.

  • In the User Search Filter and Group Search Filter fields, make sure the AND operator appears as a bare & and not as &amp;. The &amp; spelling is XML escaping, needed only when the value is written in user-mgt.xml; pasted into the console it becomes part of the filter and the lookups fail. Then save the configuration.

To verify the setup, create a new user or role under the new user store domain and then check in the LDAP Browser of Apache Directory Studio that the entry has appeared under the corresponding container.

The same configuration can also be made by editing user-mgt.xml in <iot-home>/conf/user-mgt.xml.

Before editing user-mgt.xml, make sure Entgra IoT Server is stopped. Open the file, uncomment the relevant UserStoreManager block and update the values as described above. Save the file and start Entgra IoT Server again. Keep in mind that the ConnectionPassword sits in plain text in this file, so restrict its file permissions to the account the server runs as.
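The following script ties the console procedure and the user-mgt.xml procedure together. It is example code added to this article, not part of Entgra IoT Server or WSO2 Carbon. It parses a constructed user-mgt.xml fragment built from the values derived above (property names are the standard WSO2 LDAP user-store ones; the bind DN uid=admin,ou=system and password "secret" are the ApacheDS defaults and are assumed; properties the product needs beyond these are left out), shows why the &amp; form in the file becomes a bare & in the console, checks the filters for that mistake, substitutes a login name into the ? placeholder with RFC 4515 escaping so a crafted name cannot widen the search, and reports the two configuration findings a reviewer would raise on this setup.

```python
"""Derive the Entgra/WSO2 management-console values from a user-mgt.xml
fragment and sanity-check them. Example code added to the article; it is
not part of Entgra IoT Server or WSO2 Carbon."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape as xml_escape

# Constructed user-mgt.xml fragment using the values derived from ApacheDS
# in the article. Property names are the standard WSO2 LDAP user-store
# ones; the bind DN and password are the ApacheDS defaults (assumption:
# an unchanged ApacheDS install). Properties the product needs beyond
# these are left out.
USER_MGT_FRAGMENT = """\
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager">
  <Property name="ConnectionURL">ldap://localhost:10389</Property>
  <Property name="ConnectionName">uid=admin,ou=system</Property>
  <Property name="ConnectionPassword">secret</Property>
  <Property name="UserSearchBase">ou=users,ou=system</Property>
  <Property name="UserEntryObjectClass">inetOrgPerson</Property>
  <Property name="UserNameAttribute">uid</Property>
  <Property name="UserNameSearchFilter">(&amp;(objectClass=person)(uid=?))</Property>
  <Property name="UserNameListFilter">(objectClass=person)</Property>
  <Property name="GroupSearchBase">ou=groups,ou=system</Property>
  <Property name="GroupEntryObjectClass">groupOfNames</Property>
  <Property name="GroupNameAttribute">cn</Property>
  <Property name="GroupNameSearchFilter">(&amp;(objectClass=groupOfNames)(cn=?))</Property>
  <Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property>
  <Property name="MembershipAttribute">member</Property>
</UserStoreManager>
"""
# objectClass=person still matches inetOrgPerson entries: an entry's
# objectClass attribute carries the whole superclass chain.

FILTER_PROPERTIES = ("UserNameSearchFilter", "UserNameListFilter",
                     "GroupNameSearchFilter", "GroupNameListFilter")

# RFC 4515 escapes for values substituted into a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def load_properties(fragment: str) -> dict:
    """Parse a <UserStoreManager> block into {property name: value}.
    The XML parser decodes &amp; to &, so the returned filters are exactly
    what goes into the management console, where no XML escaping applies."""
    root = ET.fromstring(fragment)
    return {p.get("name"): (p.text or "").strip() for p in root.findall("Property")}


def file_form(console_value: str) -> str:
    """The reverse direction: escape a console value for user-mgt.xml."""
    return xml_escape(console_value)


def filter_problems(ldap_filter: str) -> list:
    """Catch XML escaping pasted into the console, and a filter that is
    not a balanced, fully parenthesised expression."""
    problems = []
    if "amp;" in ldap_filter:
        problems.append("contains 'amp;': XML escaping belongs only in user-mgt.xml")
    depth = 0
    for ch in ldap_filter:
        depth += {"(": 1, ")": -1}.get(ch, 0)
        if depth < 0:
            break
    if depth != 0 or not (ldap_filter.startswith("(") and ldap_filter.endswith(")")):
        problems.append("not a balanced, fully parenthesised filter")
    return problems


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 so it cannot alter the filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, login_name: str) -> str:
    """Substitute the login name for the '?' placeholder, escaped, so a
    name such as 'jane)(uid=*' stays a literal instead of widening the search."""
    return template.replace("?", escape_filter_value(login_name))


def audit(props: dict) -> list:
    """Findings a reviewer would raise on this user-store configuration."""
    findings = []
    if props.get("ConnectionURL", "").lower().startswith("ldap://"):
        findings.append("ConnectionURL is plain ldap://: the bind password and every "
                        "login cross the network unencrypted; use ldaps:// or TLS")
    if props.get("ConnectionName", "").lower() == "uid=admin,ou=system":
        findings.append("ConnectionName is the ApacheDS built-in administrator; bind "
                        "with a dedicated account holding only the rights the store needs")
    for name in FILTER_PROPERTIES:
        for problem in filter_problems(props.get(name, "")):
            findings.append(f"{name}: {problem}")
    return findings


if __name__ == "__main__":
    props = load_properties(USER_MGT_FRAGMENT)
    for name in ("ConnectionURL", "ConnectionName", "UserSearchBase",
                 "UserEntryObjectClass", "GroupSearchBase", *FILTER_PROPERTIES):
        print(f"{name:22} {props[name]}")  # console form, bare & and no 'amp;'
    print("file form of UserNameSearchFilter:", file_form(props["UserNameSearchFilter"]))
    print("login 'jane' searches with:", render_filter(props["UserNameSearchFilter"], "jane"))
    print("hostile login escapes to:  ", render_filter(props["UserNameSearchFilter"], "jane)(uid=*"))
    for finding in audit(props):
        print("FINDING:", finding)
```

Run it as-is and the printed console values are what to type into the Add User Store form; the two findings are the changes to make before this configuration leaves the test bench. The ConnectionPassword is deliberately never printed.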

Entgra IoT Server offers many more features; contact the Entgra team to learn more. We’d love to hear from you!
