Integrating OpenLDAP with WSO2 Identity Server and Mapping Users and Groups
When we need to plug an LDAP server into the WSO2 Identity Server, there are several aspects to look into:
- Installing and configuring OpenLDAP
- Extending the inetOrgPerson object class to match the attributes the WSO2 Identity Server expects.
- Connection parameters
- Mechanism to map the already available groups in the LDAP server to the Identity server’s user groups.
Installing and Configuring OpenLDAP
I have used the OpenLDAP Docker image, started with the following command:
sudo docker run -p 10389:389 -p 10636:636 --name openldap --detach --env LDAP_DOMAIN="seller-delivery.com" --env LDAP_ORGANISATION="CusromerOrg" --env LDAP_ADMIN_PASSWORD="admin" osixia/openldap:1.5.0
Extending the inetOrgPerson to match the WSO2 Identity Server’s identity
By default, the inetOrgPerson object class does not contain all the attributes that the WSO2 Identity Server needs. If you need the exact attributes the Identity Server expects, inetOrgPerson has to be extended (this is described in a separate blog post).
If it is not extended, errors such as the one below can occur:
Caused by: javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - attribute 'scimId' not allowed]; remaining name 'uid=admin'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3185)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2891)
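The error above is the directory rejecting an attribute (scimId) that no object class of the entry permits. As an added example, not part of the original post or of WSO2's own schema files, the shell function below emits a cn=config LDIF that defines a structural object class identityPerson derived from inetOrgPerson and allows the attributes this post mentions (scimId, createdDate, resourceType). The OID arc 1.3.6.1.4.1.99999 and the attribute definitions are placeholders chosen for illustration; WSO2's real identityPerson schema uses its own OIDs and a longer attribute list. The load step assumes the container exposes the ldapi:/// socket for SASL EXTERNAL, as the osixia image does by default.

```shell
# Added example: emit an OpenLDAP cn=config schema LDIF that extends inetOrgPerson.
# OIDs under 1.3.6.1.4.1.99999 are placeholders, not WSO2's real OIDs.
identity_schema_ldif() {
    cat <<'EOF'
dn: cn=identityperson,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: identityperson
olcAttributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'scimId'
  DESC 'SCIM identifier written by WSO2 Identity Server (placeholder OID)'
  EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.99999.1.2 NAME 'createdDate'
  DESC 'Creation timestamp (placeholder OID)'
  EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.99999.1.3 NAME 'resourceType'
  DESC 'SCIM resource type (placeholder OID)'
  EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcObjectClasses: ( 1.3.6.1.4.1.99999.2.1 NAME 'identityPerson'
  DESC 'inetOrgPerson extended with the attributes WSO2 IS writes'
  SUP inetOrgPerson STRUCTURAL
  MAY ( scimId $ createdDate $ resourceType ) )
EOF
}

# Load the schema into the running container over the local ldapi:/// socket.
# Requires the 'openldap' container from the docker run command above; not run offline.
load_identity_schema() {
    identity_schema_ldif > identityperson.ldif
    docker cp identityperson.ldif openldap:/tmp/identityperson.ldif
    docker exec openldap ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/identityperson.ldif
    # Confirm the object class is now known to the server.
    docker exec openldap ldapsearch -Y EXTERNAL -H ldapi:/// -LLL \
        -b cn=schema,cn=config '(cn=*identityperson)' olcObjectClasses
}
```

LDIF continuation lines must start with a single space, which is stripped on parsing, so the wrapped definitions above use two spaces to keep a separator between tokens. After loading, entries created with objectClass identityPerson accept scimId, and the SchemaViolationException above no longer occurs for that attribute.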
Workaround without extending inetOrgPerson
As a workaround, go to List Claims, select http://wso2.org/claims and edit the attribute that caused the exception. Add a new attribute mapping that points to an attribute which exists in the LDAP inetOrgPerson object class but is not used by the Identity Server, such as departmentNumber, and click Save. You may need to repeat this for several attributes, such as createdDate, resourceType, etc.
Adding Users and Groups in the LDAP
Note: if you are going to use the workaround, use the inetOrgPerson object class when creating users; otherwise use the identityPerson object class.
- Create two organizationalUnit entries: employees and groups.
- Within groups, create two groupOfUniqueNames entries, such as delivery-agent and seller.
- In employees, create identityPerson entries for dextor, seltron, etc. Then add the scimId and displayName attributes and set their values.
- Now add the employees to the groups you created. Click on the user to be added and copy its DN value. Then click on the group, add a uniqueMember attribute, click Finish, and paste the DN value copied in the previous step.
Finally, the LDAP directory will contain multiple users assigned to different groups, as below.
Adding the LDAP server as a secondary userstore in WSO2 Identity Server
Map the compulsory and optional settings when configuring the secondary LDAP user store as follows. Use the values below, and in the groups section rename groupOfNames to groupOfUniqueNames.
Connection URL: ldap://localhost:10389
Connection Name: cn=admin;dc=example;dc=org
Connection Password: admin
User Search Base: ou=employees,dc=example,dc=org
Username Attribute: cn
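The steps in the "Adding Users and Groups in the LDAP" section and the user store settings above can be reproduced from the command line. The following is an added example, not part of the original post or of WSO2's tooling: it generates the LDIF for the two organizational units, the two groupOfUniqueNames groups and two inetOrgPerson users, loads it with ldapadd, and then runs the same membership lookup the Identity Server performs when its membership attribute is uniqueMember. The base DN dc=example,dc=org and the bind DN are taken from the settings above (written with commas, the standard DN separator); the user names, mail addresses and the group memberships are constructed sample data.

```shell
# Added example: build and load the directory layout described in the post.
BASE_DN="dc=example,dc=org"
LDAP_URL="ldap://localhost:10389"
ADMIN_DN="cn=admin,dc=example,dc=org"

# Emit one user entry. Switch objectClass to identityPerson (and add scimId) once
# the schema has been extended; with plain inetOrgPerson use the claim-mapping workaround.
user_entry() {  # $1 uid, $2 given name, $3 surname, $4 mail (constructed values)
    cat <<EOF
dn: uid=$1,ou=employees,$BASE_DN
objectClass: inetOrgPerson
uid: $1
cn: $2 $3
sn: $3
givenName: $2
displayName: $2 $3
mail: $4

EOF
}

# Emit one groupOfUniqueNames entry; the class requires at least one uniqueMember.
group_entry() {  # $1 group cn, remaining args: member uids
    local cn="$1"; shift
    printf 'dn: cn=%s,ou=groups,%s\n' "$cn" "$BASE_DN"
    printf 'objectClass: groupOfUniqueNames\ncn: %s\n' "$cn"
    for uid in "$@"; do
        printf 'uniqueMember: uid=%s,ou=employees,%s\n' "$uid" "$BASE_DN"
    done
    echo
}

# The complete LDIF: two OUs, two users, two groups (dextor is in both groups).
directory_ldif() {
    cat <<EOF
dn: ou=employees,$BASE_DN
objectClass: organizationalUnit
ou: employees

dn: ou=groups,$BASE_DN
objectClass: organizationalUnit
ou: groups

EOF
    user_entry dextor Dextor Morgan dextor@example.org
    user_entry seltron Seltron Zed seltron@example.org
    group_entry delivery-agent dextor
    group_entry seller seltron dextor
}

# Load the entries (prompts for the admin password rather than taking it on the
# command line). Requires the running container; not run offline.
load_directory() {
    directory_ldif | ldapadd -x -H "$LDAP_URL" -D "$ADMIN_DN" -W
}

# Resolve a user's groups with the filter the Identity Server issues for a
# groupOfUniqueNames/uniqueMember user store. Requires the running container.
groups_of_user() {  # $1 uid
    ldapsearch -x -LLL -H "$LDAP_URL" -D "$ADMIN_DN" -W -b "ou=groups,$BASE_DN" \
        "(&(objectClass=groupOfUniqueNames)(uniqueMember=uid=$1,ou=employees,$BASE_DN))" cn
}
```

Running load_directory followed by groups_of_user dextor should list both delivery-agent and seller, which is exactly what the Identity Server shows as that user's roles once the user store is configured. The entries carry no userPassword; set one with ldappasswd after loading if the users must authenticate. For the Identity Server's own Connection Name, prefer a dedicated bind account with read access to ou=employees and ou=groups over cn=admin, so a leaked user store configuration does not hand out directory-wide write access.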
Validating the configuration
When we view the users, they should appear as follows in the Carbon console.
When we view the user profile, it should be shown as below.
When we view the roles, it should be shown as below.
With this article, I hope you will be able to get your OpenLDAP configured in the WSO2 Identity Server with ease and map the user groups so that you can perform permission-related operations accordingly.