Integrating OpenLDAP with WSO2 Identity Server and Mapping Users and Groups
When plugging an LDAP server into the WSO2 Identity Server, there are several aspects to look into:
- Installing and configuring OpenLDAP
- Extending the inetOrgPerson object class to match the user attributes the WSO2 Identity Server expects
- Connection parameters
- A mechanism to map the groups already available in the LDAP server to the Identity Server's user groups
Installing and Configuring OpenLDAP
I have used the OpenLDAP Docker image, started with the following command:
sudo docker run -p 10389:389 -p 10636:636 --name openldap --detach --env LDAP_DOMAIN="seller-delivery.com" --env LDAP_ORGANISATION="CusromerOrg" --env LDAP_ADMIN_PASSWORD="admin" osixia/openldap:1.5.0
Extending the inetOrgPerson to match the WSO2 Identity Server’s identity
By default, the inetOrgPerson object class does not contain all the attributes the WSO2 Identity Server needs. If you need exactly the attributes the Identity Server expects, inetOrgPerson has to be extended; this can be done by following this blog post.
If it is not extended, you may see errors such as the one below.
Caused by: javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - attribute 'scimId' not allowed]; remaining name 'uid=admin'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3185)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2891)
Workaround without extending inetOrgPerson
As a workaround you can open List Claims
and select http://wso2.org/claims.
Then edit the attribute that caused the exception.
Add a new attribute mapping that points the claim at an attribute of the LDAP inetOrgPerson object class that the Identity Server does not otherwise use, such as departmentNumber,
and click Save. You may need to do this for several attributes, such as createdDate, resourceType, etc.
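The workaround above is a claim-to-attribute remapping, and the error in the stack trace is the directory enforcing the object class schema. The following Python example, added here and not part of the article or of WSO2's code, models both: it checks the attributes a user write would carry against a constructed subset of the attributes inetOrgPerson permits, reports the ones the server would reject with error 65, and applies the workaround of re-pointing the scimId, createdDate and resourceType claims at unused inetOrgPerson attributes. The claim URIs and the default mapping table are assumptions; only the three attribute names come from the article.

```python
# Added example (not WSO2 code): models the claim-to-attribute mapping behind
# the "attribute 'scimId' not allowed" error and the workaround of re-pointing
# a claim at an unused inetOrgPerson attribute.

# Attributes permitted on inetOrgPerson (RFC 2798) together with its superior
# classes person and organizationalPerson. Constructed subset, not a full schema.
INETORGPERSON_ATTRS = frozenset({
    "cn", "sn", "uid", "givenName", "displayName", "mail", "userPassword",
    "telephoneNumber", "mobile", "description", "title", "ou", "l", "st",
    "postalCode", "departmentNumber", "employeeNumber", "employeeType",
    "roomNumber", "preferredLanguage", "manager",
})

# A few claim URIs from the http://wso2.org/claims dialect and the LDAP
# attribute each one writes. The attribute names scimId, createdDate and
# resourceType are taken from the article; the claim URIs are assumed.
DEFAULT_CLAIM_MAPPING = {
    "http://wso2.org/claims/username": "uid",
    "http://wso2.org/claims/lastname": "sn",
    "http://wso2.org/claims/emailaddress": "mail",
    "http://wso2.org/claims/userid": "scimId",
    "http://wso2.org/claims/created": "createdDate",
    "http://wso2.org/claims/resourceType": "resourceType",
}

# The article's workaround: point the three problem claims at inetOrgPerson
# attributes the Identity Server does not otherwise use.
WORKAROUND_OVERRIDES = {
    "http://wso2.org/claims/userid": "departmentNumber",
    "http://wso2.org/claims/created": "employeeNumber",
    "http://wso2.org/claims/resourceType": "employeeType",
}


def attributes_for_user(claims, mapping):
    """Translate claim values into the LDAP attributes an add/modify would carry."""
    return {mapping[claim]: value for claim, value in claims.items()}


def disallowed_attributes(attrs, allowed=INETORGPERSON_ATTRS):
    """Attribute names the server would reject with error 65 for this object class."""
    return sorted(name for name in attrs if name not in allowed)


def conflicting_targets(mapping):
    """Attributes written by more than one claim; two claims sharing one
    attribute would silently overwrite each other's values."""
    targets = list(mapping.values())
    return sorted({t for t in targets if targets.count(t) > 1})


def apply_workaround(mapping, overrides):
    """Return a new mapping with the overrides applied, refusing collisions."""
    merged = dict(mapping)
    merged.update(overrides)
    duplicates = conflicting_targets(merged)
    if duplicates:
        raise ValueError(f"attribute(s) mapped by more than one claim: {duplicates}")
    return merged


def demo():
    """Constructed user: the default mapping fails, the workaround passes."""
    claims = {
        "http://wso2.org/claims/username": "alice",
        "http://wso2.org/claims/lastname": "Smith",
        "http://wso2.org/claims/emailaddress": "alice@seller-delivery.com",
        "http://wso2.org/claims/userid": "2f1d7a9e-example-uuid",
        "http://wso2.org/claims/created": "2024-01-01T00:00:00Z",
        "http://wso2.org/claims/resourceType": "User",
    }
    before = disallowed_attributes(attributes_for_user(claims, DEFAULT_CLAIM_MAPPING))
    fixed = apply_workaround(DEFAULT_CLAIM_MAPPING, WORKAROUND_OVERRIDES)
    after = disallowed_attributes(attributes_for_user(claims, fixed))
    return before, after


if __name__ == "__main__":
    print(demo())
```

The collision check matters in practice: each remapped claim needs its own unused attribute, otherwise one claim's value overwrites another's and the user profile shows the wrong data without any error from the directory.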
Adding Users and Groups in the LDAP
If you are going to use the workaround, use the inetOrgPerson object class when creating the user; if not, use the IdentityPerson object class.
Create two different groups and add the users as uniqueMember values.
The LDAP server will then contain multiple users assigned to different groups, as shown below.
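The following Python example, added here and not taken from the article, builds the LDIF for the users and groups described above and then reads it back to resolve which uids belong to which group, which is the relationship the Identity Server's role view is built from. The base DN follows the LDAP_DOMAIN in the docker command; the user names, passwords and group names are constructed, and the IdentityPerson class name is the one the article uses for the extended schema and is assumed here. One group deliberately references a user that does not exist, so the membership resolver also reports dangling uniqueMember values instead of silently dropping them.

```python
# Added example (not from the article): builds the LDIF for the users and
# groups described above and resolves group membership from uniqueMember.
# Base DN taken from the docker LDAP_DOMAIN; the IdentityPerson class name
# is assumed to match the article's extended schema.

BASE_DN = "dc=seller-delivery,dc=com"


def ou_entry(name):
    """Container entry for users or groups."""
    return f"dn: ou={name},{BASE_DN}\nobjectClass: organizationalUnit\nou: {name}\n"


def user_entry(uid, given, sn, password, extended=False):
    """One user entry. extended=True adds the IdentityPerson class for an
    extended schema; otherwise (the workaround) plain inetOrgPerson is used."""
    classes = ["top", "person", "organizationalPerson", "inetOrgPerson"]
    if extended:
        classes.append("IdentityPerson")
    lines = [f"dn: uid={uid},ou=users,{BASE_DN}"]
    lines += [f"objectClass: {c}" for c in classes]
    lines += [f"uid: {uid}", f"cn: {given} {sn}", f"sn: {sn}",
              f"givenName: {given}", f"userPassword: {password}"]
    return "\n".join(lines) + "\n"


def group_entry(name, member_uids):
    """A groupOfUniqueNames entry whose uniqueMember values are user DNs."""
    lines = [f"dn: cn={name},ou=groups,{BASE_DN}", "objectClass: top",
             "objectClass: groupOfUniqueNames", f"cn: {name}"]
    lines += [f"uniqueMember: uid={u},ou=users,{BASE_DN}" for u in member_uids]
    return "\n".join(lines) + "\n"


def build_sample_ldif():
    """Constructed data: three users, two groups, one dangling member (dave)."""
    entries = [
        ou_entry("users"), ou_entry("groups"),
        user_entry("alice", "Alice", "Smith", "alice-pass"),
        user_entry("bob", "Bob", "Jones", "bob-pass"),
        user_entry("carol", "Carol", "Lee", "carol-pass"),
        group_entry("sellers", ["alice", "bob"]),
        group_entry("delivery", ["carol", "dave"]),
    ]
    return "\n".join(entries)


def parse_ldif(text):
    """Minimal LDIF reader: list of (dn, {attr: [values]}). Line folding and
    base64 (::) values are not handled; the entries above use neither."""
    entries, dn, attrs = [], None, {}
    for line in text.splitlines():
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        name, _, value = line.partition(":")
        value = value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    if dn is not None:
        entries.append((dn, attrs))
    return entries


def group_membership(entries):
    """Map group cn -> sorted member uids. uniqueMember values that name no
    user entry are returned separately so dangling references are visible."""
    user_dns = {dn for dn, a in entries if "inetOrgPerson" in a.get("objectClass", [])}
    groups, dangling = {}, []
    for dn, attrs in entries:
        if "groupOfUniqueNames" not in attrs.get("objectClass", []):
            continue
        cn = attrs["cn"][0]
        members = []
        for member in attrs.get("uniqueMember", []):
            if member in user_dns:
                members.append(member.split(",", 1)[0].split("=", 1)[1])
            else:
                dangling.append((cn, member))
        groups[cn] = sorted(members)
    return groups, dangling


if __name__ == "__main__":
    ldif = build_sample_ldif()
    print(ldif)
    print(group_membership(parse_ldif(ldif)))
```

Write the output of build_sample_ldif() to a file and load it with ldapadd against the container started earlier (for the osixia image the admin bind DN is cn=admin under the base DN, with the LDAP_ADMIN_PASSWORD from the docker command): ldapadd -x -H ldap://localhost:10389 -D "cn=admin,dc=seller-delivery,dc=com" -w admin -f users-groups.ldif. Because the groups use uniqueMember, the secondary user store's membership attribute in the Identity Server must be set to uniqueMember for the roles view to populate, and any dangling member the resolver reports will simply not appear there.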
Adding the LDAP server as a secondary userstore in WSO2 Identity Server
Map the compulsory and optional settings when configuring the secondary LDAP user store as follows.
Validating the configuration
When we view the users, they should appear as follows in the Carbon console.
When we view the user profile, it should be shown as below.
When we view the roles, they should be shown as below.
With this article, I hope you will be able to configure OpenLDAP in the WSO2 Identity Server with ease and map the user groups so that you can carry out permission-related operations accordingly.