Saturday, January 22, 2011

Tenant management in WSO2 Carbon with a multi-tenanted embedded LDAP

You may refer to my previous blog post to get an idea what I meant by a multi-tenanted LDAP.

WSO2 stratos currently does tenant management with JDBC user store. And there is a requirement of achieving that functionality with a multi-tenanted LDAP too.

In achieving that requirement, the current solution that is there in WSO2 carbon takes a hybrid approach, where meta data related to tenants is stored in JDBC database and have the user stores of tenants in a LDAP server--which is an embedded Apache Directory Server.

Following is a high level design (as per now) related with tenant management with LDAP.

Here, apacheds-server component and apacheds orbit bundle are responsible in registering LDAPTenantManagementService (please refer the above diagram) and managing partitions in the embedded-ldap.

You can easily explore this functionality by installing multi-tenancy support on a WSO2 carbon based stand alone product. You may refer to post: Installing multi-tenancy support for WSO2 Identity Server.

In addition to the steps mentioned there, please take the following steps to connect a multi-tenanted IS to embedded ApacheDS LDAP and explore what happens in tenant management at the LDAP server's side:

Step 1: Place a file named: 'tenant-config.xml' in IS_HOME/repostory/conf directory with the following entry:

By default, it is the JDBC tenant manager that is being used and with this configuration file you can configure it to specify which tenant manager to be initialized at the initialization of the user manager.

Step 2: Start the server --> log in as admin and create few tenants as I  have described in the aforementioned post.

Step 3: Connect to the embedded-ApacheDS LDAP server through a LDAP browser like ApacheDS Studio. For that you need to:
      i. locate  user-mgt.xml file in IS_HOME/repository/conf 
     ii. obtain connection name and password to connect to the LDAP server from the browser. 

Step 4: View how separate partitions have been created for separate tenants as shown in the following image.

Few remarks:
      i. You can see the dc=cse,dc=com partition in the left panel of the above image and that is created for a tenant with the domain name:
     ii. Inside that partition, two contexts have been created as ou=users and ou=groups to store the tenant user entries and group information.
     iii. At the creation of the partition, an entry of the tenant admin will also be created under the ou=users context. And that tenant admin can login to the system and create users for his tenant which will be stored in the particular tenant partition.

So above is one way you can manage users in LDAP in a multi-tenanted environment. But it is specific to ApacheDS and also to embedded-ApacheDS since we use ApacheDS API to manipulate storage.
We also need a solution where we can use any directory server that implements LDAP protocol to maintain the multi-tenanted user store. I will discuss about this in a future post.


  1. Interesting layout on your blog. I really enjoyed reading it and also I will be back to read more in the future.
    Eviction Defense

  2. I have a use case where we need to support a multi tenant capable identity server and found WSO2 identity module solves my problem. I am trying to understand how the user management is working in the WSO2 identity server. I looked at UI and got some info but i don't find enough documentation on where to start if some customization's are needed.

    I started with the tenant-mgt.xml file and I am unable to find the source code for (or defined in tenant-mgt.xml file) under 4.0.0 code base. Appreciate any help here.

  3. Hi Hasini!

    Same here...
    I am working on 4.1. IS and following some posts, but as I understand it is not necesary to use Stratos. So as Venkata I started changing the tenant-mgt.xml to achieve multitenancy in the IS. But the IS is not generating the new domain neither the the user in the LDAP. It throws an error:
    The following error details are available. Please refer logs for more details.
    java.lang.Exception: Failed to add tenant config. tenant-domain:, tenant-admin: johannes.
    at org.wso2.carbon.tenant.mgt.ui.utils.TenantMgtUtil.addTenantConfigBean(
    Am I wrong? Or do I have to install the whole Stratos package to organize my tenants/users via IS?

    I would be very happy if you have time to help me out.

    Thanks a lot in advance!


Note: Only a member of this blog may post a comment.