The WSO2 product stack supports heterogeneous user stores, ranging from JDBC-based databases such as MySQL, Oracle and MS-SQL to LDAP-based directory servers such as Active Directory, OpenLDAP and ApacheDS.
This post explains how to set up Oracle Directory Server (earlier known as Sun Directory Server) as the user store of WSO2 Identity Server.
1. Download the Oracle Directory Server Enterprise Edition distribution that suits your operating system from here. (I am installing on Linux, hence I selected the Zip distribution.)
2. Download Identity Server from here.
3. Extract the "ofm_odsee_linux_11.1.1.5.0_64_disk1_1of1.zip" distribution, locate "/ODSEE_ZIP_Distribution/sun-dsee7.zip" inside it and copy it to a separate location, which will be the installation directory (say install_dir).
4. Extract "sun-dsee7.zip" there and go to "dsee7/bin".
Now we are ready to create and start a Directory Server instance. I am going to follow the installation through the command line.
(You can find the official installation guide here. There are two ways of creating an instance: through the directory server controller and through the command line. The directory server controller way didn't work for me since it failed at registering the DSCC agent. If anyone passed that step, please share with us.)
5. Go to [install_dir]/dsee7/bin from command line and execute:
./dsadm create -p 1389 -P 1636 ../local/dsInst
Select a password for the Directory Manager; we need it for future operations.
You will observe the following in the command line:
Choose the Directory Manager password:secret12
Confirm the Directory Manager password:secret12
Use 'dsadm start '../local/dsInst'' to start the instance
6. Start the instance (the path is relative to dsee7/bin, as printed by the create step):
./dsadm start ../local/dsInst
Console output: Directory Server instance '/home/hasini/install_dir/dsee7/local/dsInst' started: pid=6806
7. Now we have a directory server instance running on port 1389. We need to create a root context and populate it with some sub contexts and entries for our use.
- Let's create the root as "dc=wso2,dc=org".
It will prompt for the Directory Manager password which you gave at the beginning.
- We can populate sub contexts and entries under this root by importing an LDIF file. I have created a WSO2.ldif which defines a user base, group base, admin user and admin group under the root "dc=wso2,dc=org". Download and place the file in the "/dsee7/resources/ldif" directory.
- Import the LDIF file:
You will be prompted to accept the server certificate and for the Directory Manager password.
End of the console output upon successful import:
## Import complete. Processed 5 entries in 4 seconds. (1.25 entries/sec)
Task completed (slapd exit code: 0).
Now the directory server instance is ready for use, and you can browse the directory tree by connecting to it through an LDAP browser such as Apache Directory Studio.
8. Provide the host (localhost), port (1389), bind DN (cn=Directory Manager) and bind password (secret12), and connect Apache Directory Studio to the Oracle Directory Server instance.
9. Connect Identity Server to Oracle Directory Server.
- Extract the downloaded Identity Server distribution and locate user-mgt.xml at [IS_home]/repository/conf/user-mgt.xml.
- Comment out the existing UserStoreManager entry.
- Uncomment the following UserStoreManager entry and edit the parameters as below:
Property values, in configuration order (the property names did not survive extraction):
false
ldap://localhost:1389
cn=Directory Manager
secret12
SHA
(objectClass=person)
inetOrgPerson
ou=Users,dc=wso2,dc=org
(&(objectClass=person)(uid=?))
uid
[\\S]{5,30}
true
true
true
ou=Groups,dc=wso2,dc=org
(objectClass=groupOfNames)
groupOfNames
(&(objectClass=groupOfNames)(cn=?))
cn
member
Please note the edited lines (04, 05, 06, 10, 16, 17) above, which integrate IS with Oracle Directory Server.
This directory server allows creating groups without an existing user, hence the parameter on line 16 was set to "true".
Please note that I have connected to the directory server from IS in read/write mode; if you want to connect in read-only mode, uncomment and change the read-only LDAPUserStoreManager configuration element found in the user-mgt.xml of Identity Server.
10. Create some user entries and roles through the Identity Server management console; you can then browse the directory server through Apache Directory Studio and observe that they are created in the directory server as below:
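The edited UserStoreManager element written out in full, as an added example rather than the post's own listing: the property names are those of the WSO2 user-mgt.xml format (exact names and casing vary between IS releases, so the mapping of the post's values onto them is my assumption), and the "edited for ODSEE" comments mark the values the post says were changed.

```xml
<UserStoreManager class="org.wso2.carbon.user.core.ldap.LDAPUserStoreManager">
    <!-- false = read/write; the read-only variant uses the separate element mentioned above -->
    <Property name="ReadOnly">false</Property>
    <!-- edited for ODSEE: the LDAP port chosen with "dsadm create -p 1389" -->
    <Property name="ConnectionURL">ldap://localhost:1389</Property>
    <!-- edited for ODSEE: bind as Directory Manager with the password chosen at create time -->
    <Property name="ConnectionName">cn=Directory Manager</Property>
    <Property name="ConnectionPassword">secret12</Property>
    <Property name="PasswordHashMethod">SHA</Property>
    <Property name="UserNameListFilter">(objectClass=person)</Property>
    <!-- users created by IS get this object class (WSO2.ldif uses standard schema, not wso2Person) -->
    <Property name="UserEntryObjectClass">inetOrgPerson</Property>
    <Property name="UserSearchBase">ou=Users,dc=wso2,dc=org</Property>
    <!-- "&" must be escaped as "&amp;" inside XML; IS replaces "?" with the user name at login -->
    <Property name="UserNameSearchFilter">(&amp;(objectClass=person)(uid=?))</Property>
    <Property name="UserNameAttribute">uid</Property>
    <Property name="PasswordJavaScriptRegEx">[\\S]{5,30}</Property>
    <Property name="ReadLDAPGroups">true</Property>
    <Property name="WriteLDAPGroups">true</Property>
    <!-- edited for ODSEE: the server accepts a group without an existing user, so empty roles are allowed -->
    <Property name="EmptyRolesAllowed">true</Property>
    <Property name="GroupSearchBase">ou=Groups,dc=wso2,dc=org</Property>
    <Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property>
    <Property name="GroupEntryObjectClass">groupOfNames</Property>
    <Property name="GroupNameSearchFilter">(&amp;(objectClass=groupOfNames)(cn=?))</Property>
    <Property name="GroupNameAttribute">cn</Property>
    <Property name="MembershipAttribute">member</Property>
</UserStoreManager>
```

ConnectionPassword sits in clear text in this file, so restrict its file permissions (later Carbon releases can encrypt it with Secure Vault). Binding as cn=Directory Manager also gives IS unrestricted rights over the whole directory; a dedicated bind account with write access limited to ou=Users and ou=Groups is the least-privilege choice.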
Thanks Prabath aiya for the request to integrate this and write a post on it...