Integrating OpenLDAP with WSO2 Identity Server and Mapping Users and Groups

Ramindu De Silva
3 min read · Sep 14, 2023

When we need to plug an LDAP server into the WSO2 Identity Server, there are several aspects we need to look into.

  • Installing and configuring OpenLDAP
  • Extending inetOrgPerson to match the WSO2 Identity Server's identity schema.
  • Connection parameters
  • Mechanism to map the already available groups in the LDAP server to the Identity server’s user groups.

Installing and Configuring OpenLDAP

I have used the Docker version of OpenLDAP and started it with the following command:

docker run -p 10389:389 -p 10636:636 --name openldap --detach --env LDAP_DOMAIN="seller-delivery.com" osixia/openldap:1.5.0

Extending inetOrgPerson to match the WSO2 Identity Server's identity schema

By default, inetOrgPerson doesn't contain all the attributes that the WSO2 Identity Server needs. If you need the exact attributes required by the Identity Server, inetOrgPerson has to be extended. This can be done by following this blog post.

If not, there can be errors such as the one below.

Caused by: javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - attribute 'scimId' not allowed]; remaining name 'uid=admin'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3185)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2891)

Workaround without extending inetOrgPerson

As a workaround, you could go to List Claims in the management console and select http://wso2.org/claims.

Then edit the attribute that caused the exception.

Add a new attribute mapping and provide an attribute that exists in the LDAP inetOrgPerson object class but is not used by the Identity Server, such as departmentNumber, and click Save. You may need to do this for several attributes, such as createdDate, resourceType, etc.

Adding Users and Groups in the LDAP

If you are going to use the workaround, use the inetOrgPerson object class when creating the user; if not, use the IdentityPerson object class.

Create two different groups and add the users to them as uniqueMember values.

The LDAP directory will then contain multiple users assigned to different groups, as below.
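As an added example (not code from the original post), the script below generates the LDIF for that layout: three constructed inetOrgPerson users under ou=users and two groupOfUniqueNames groups under ou=groups whose uniqueMember values point at them, and with --load feeds it to ldapadd. It assumes the container started above (port 10389, LDAP_DOMAIN seller-delivery.com) and the image's default admin DN and password (cn=admin,dc=seller-delivery,dc=com / admin); the user and group names are made up.

```shell
#!/bin/sh
# Added example, not from the original post. Connection settings are
# assumptions matching the docker run command above; override via env.
LDAP_URL="${LDAP_URL:-ldap://localhost:10389}"
BIND_DN="${BIND_DN:-cn=admin,dc=seller-delivery,dc=com}"
BIND_PW="${BIND_PW:-admin}"   # osixia/openldap default admin password (assumed)
BASE_DN="dc=seller-delivery,dc=com"

# One plain inetOrgPerson entry (the "workaround" object class). departmentNumber
# is left unset so the claim remapping described above has a free attribute to use.
user_ldif() {  # $1=uid $2=sn $3=cn $4=password
  printf 'dn: uid=%s,ou=users,%s\n' "$1" "$BASE_DN"
  printf 'objectClass: inetOrgPerson\nuid: %s\nsn: %s\ncn: %s\nuserPassword: %s\n\n' \
    "$1" "$2" "$3" "$4"
}

# One groupOfUniqueNames entry; every remaining argument becomes a uniqueMember DN.
group_ldif() {  # $1=group cn, $2..=member uids
  name=$1; shift
  printf 'dn: cn=%s,ou=groups,%s\n' "$name" "$BASE_DN"
  printf 'objectClass: groupOfUniqueNames\ncn: %s\n' "$name"
  for u in "$@"; do printf 'uniqueMember: uid=%s,ou=users,%s\n' "$u" "$BASE_DN"; done
  printf '\n'
}

# Constructed sample directory: two OUs, three users, two groups.
build_ldif() {
  printf 'dn: ou=users,%s\nobjectClass: organizationalUnit\nou: users\n\n' "$BASE_DN"
  printf 'dn: ou=groups,%s\nobjectClass: organizationalUnit\nou: groups\n\n' "$BASE_DN"
  user_ldif alice Smith "Alice Smith" "alice-pass"
  user_ldif bob Jones "Bob Jones" "bob-pass"
  user_ldif carol Lee "Carol Lee" "carol-pass"
  group_ldif sellers alice bob
  group_ldif delivery carol
}

# List the member DNs of one group from the generated LDIF: these are the
# uniqueMember values the Identity Server reads through its membership attribute.
group_members() {  # $1=group cn
  build_ldif | awk -v g="dn: cn=$1,ou=groups," '
    index($0, g) == 1 { in_g = 1; next }
    in_g && /^uniqueMember: / { print substr($0, 15); next }
    /^$/ { in_g = 0 }'
}

# Load into the running container only when asked explicitly.
if [ "${1:-}" = "--load" ]; then
  build_ldif | ldapadd -x -H "$LDAP_URL" -D "$BIND_DN" -w "$BIND_PW"
fi
```

Run `sh script.sh` to print nothing and just define the functions, `sh script.sh --load` to add the entries, or call `group_members sellers` after sourcing it to check which DNs a group resolves to.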

Adding the LDAP server as a secondary userstore in WSO2 Identity Server

Map the compulsory and optional settings when configuring the secondary LDAP user store as follows.

Validating the configuration

When we view the users, they should appear as follows in the Carbon console.

When we view the user profile, it should be shown as below.

When we view the roles, they should be shown as below.

With this article, I hope you will be able to get your OpenLDAP configured in the WSO2 Identity Server with ease and map the user groups so that you can perform permission-related operations accordingly.
