Configuring Active Directory as a User Store in WSO2 Identity Server

Raphael Rodrigues
4 min read · Apr 30, 2019


Today, I am going to show you how to configure Microsoft Active Directory (AD) as a secondary user store in WSO2 Identity Server (IS).

Before we start, a few considerations taken from the latest official WSO2 documentation.

“By default, the embedded LDAP that is shipped with WSO2 Identity Server is configured as the primary user store. It is recommended to change this default configuration in the production system.”

This is very important. It sounds to me like: if you are running a production system, please consider using a robust LDAP server, with fault tolerance, sync, etc.

“Only one user store can be configured as the primary user store.”

The sentence above is self-explanatory.

We will add the AD as a secondary user store, because the idea is to have as many secondary user stores as we have external systems. Later on, we could add a JDBC secondary user store as well.

Let’s begin the work. Beforehand, I created a new admin user for WSO2 called ‘WSO2 Provider’, which is necessary for authenticating to the AD with a nominated admin user.

Now log in to the WSO2 Management Console with admin privileges. Navigate to Identity > User Stores > Add, select ‘ActiveDirectoryUserStoreManager’ and fill in the fields as shown below:

Click the Update button and you will see the message below.

Now pay attention to the logs. If you see a stack trace, something went wrong. In my case, the error below was raised.

org.wso2.carbon.user.core.UserStoreException: Cannot create connection to LDAP server. Error message Error obtaining connection. [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580^@]

If you search on Google you will see that it is related to an invalid password. I really had entered the wrong password.

data 52e — Returns when username is valid but password/credential is invalid.
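As an added example (not part of the original post), the following Python snippet triages WSO2 log lines that carry an AD bind failure: it extracts the LDAP result code and the AD-specific `data` subcode that follows result 49, and maps the subcode to its documented meaning, so that a connection-user problem (wrong password, locked or disabled account, expired password) can be told apart without searching the web each time. The log lines are constructed from the error above plus two variants that differ only in the subcode; the subcode table is the standard Active Directory list.

```python
import re

# Constructed sample log lines: the first is the message from the post, the next
# two are constructed variants with other AD subcodes, the last is unrelated noise.
SAMPLE_LOG_LINES = [
    "org.wso2.carbon.user.core.UserStoreException: Cannot create connection to LDAP server. "
    "Error message Error obtaining connection. [LDAP: error code 49 - 80090308: LdapErr: "
    "DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580]",
    "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: "
    "AcceptSecurityContext error, data 775, v2580]",
    "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: "
    "AcceptSecurityContext error, data 533, v2580]",
    "INFO {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} - unrelated line",
]

# Active Directory subcodes that accompany LDAP result 49 (invalidCredentials).
# The hex value after "data" is what distinguishes the causes.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (username valid, password wrong)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Tolerates any separator between the result code and the Windows error number,
# since copy-pasted logs often have the hyphen turned into a dash.
_PATTERN = re.compile(
    r"LDAP: error code (?P<code>\d+).*?data (?P<data>[0-9a-fA-F]+)", re.DOTALL
)


def diagnose_bind_error(line):
    """Return (ldap_result_code, ad_subcode, meaning) for a bind-failure line, or None."""
    match = _PATTERN.search(line)
    if match is None:
        return None
    code = int(match.group("code"))
    subcode = match.group("data").lower()
    if code != 49:
        return (code, subcode, "not an invalidCredentials result; check the LDAP result code table")
    return (code, subcode, AD_BIND_SUBCODES.get(subcode, "unknown AD subcode"))


def triage(lines):
    """Map line index -> diagnosis for every line that carries an LDAP error."""
    results = {}
    for index, line in enumerate(lines):
        diagnosis = diagnose_bind_error(line)
        if diagnosis is not None:
            results[index] = diagnosis
    return results


if __name__ == "__main__":
    for index, (code, subcode, meaning) in triage(SAMPLE_LOG_LINES).items():
        print(f"line {index}: LDAP result {code}, AD data {subcode}: {meaning}")
```

The subcodes above are the ones emitted by Active Directory; a plain OpenLDAP server returns result 49 without the `data` part, in which case the function reports an unknown subcode and the caller has to fall back to the generic invalidCredentials meaning.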

After entering the correct password, go to Identity > Users and Roles > List and you should be able to see every single user from your AD. In my case, I was looking for my personal account.

Everything is fine so far. Now, log out from the admin user and try to log in with a particular user from the AD.

However, something went wrong.

Unfortunately, this message is not very helpful, and if you look in the logs you will not find any clue about it either.

After a few minutes, I figured out what was happening: the user’s role needs the Login permission. Let’s do this: log in again to the Management Console as admin, navigate to Identity > Users and Roles > List, click ‘Permissions’ next to the ‘Internal/everyone’ role, tick the ‘Login’ checkbox and click Update. Keep in mind that ‘Internal/everyone’ is assigned to every user in every user store, so this grants console login to all AD users; in production, prefer a dedicated role assigned only to the users who actually need it.

Try to log in with your AD user and voilà! You will see the main page.

That’s it!
