How to Start WSO2 ESB with external LDAP
WSO2 ESB is a fast, light-weight, and versatile Enterprise Service Bus. Using WSO2 ESB you can perform a variety of enterprise integration patterns, including filtering, transforming, and routing SOAP, binary, plain XML, and text messages that pass through your business systems by HTTP, HTTPS, JMS, mail, etc. For more information read: http://wso2.com/products/enterprise-service-bus/.
By default, ESB uses the embedded JDBC user store as its user-management data source. The default configuration is as follows:
<UserStoreManager class="org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager">
    <Property name="ReadOnly">false</Property>
    <Property name="MaxUserNameListLength">100</Property>
    <Property name="IsEmailUserName">false</Property>
    <Property name="DomainCalculation">default</Property>
    <Property name="PasswordDigest">SHA-256</Property>
    <Property name="StoreSaltedPassword">true</Property>
    <Property name="UserNameUniqueAcrossTenants">false</Property>
    <Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property>
    <Property name="PasswordJavaScriptRegEx">^[\\S]{5,30}$</Property>
    <Property name="UsernameJavaRegEx">^[^~!#$;%^*+={}\\|\\\\<>,\'\"]{3,30}$</Property>
    <Property name="UsernameJavaScriptRegEx">^[\\S]{3,30}$</Property>
    <Property name="RolenameJavaRegEx">^[^~!#$;%^*+={}\\|\\\\<>,\'\"]{3,30}$</Property>
    <Property name="RolenameJavaScriptRegEx">^[\\S]{3,30}$</Property>
    <Property name="UserRolesCacheEnabled">true</Property>
    <Property name="maxFailedLoginAttempt">0</Property>
</UserStoreManager>
Now, I'll explain how to use an external LDAP as the ESB user-management user store. WSO2 IS has its own embedded LDAP, and here I am going to use it as ESB's external LDAP.
Prerequisites:
- You need WSO2 ESB and WSO2 IS. Download them from http://wso2.com/products/enterprise-service-bus/ and http://wso2.com/products/identity-server.
- Any version can be chosen as per the requirement; extract both of them.
Step 1: Start IS with the default port.
Step 2: Change the ESB offset (since WSO2 IS uses the default port as per Step 1)
- Navigate to ESB_HOME/repository/conf/carbon.xml, e.g.: <Offset>1</Offset>
Step 3: Change user-mgt.xml (ESB_HOME/repository/user-mgt.xml)
- <Property name="MultiTenantRealmConfigBuilder">org.wso2.carbon.user.core.config.multitenancy.CommonLDAPRealmConfigBuilder</Property>
- Comment out the default internal JDBC user store configuration (shown at the beginning of this article)
- Uncomment the external LDAP section
<!--
    If the product is using an external LDAP as the user store in read/write mode, use the following user manager.
    In case the user core cache domain is needed to identify it uniquely, set the property
    <Property name="UserCoreCacheIdentifier">domain</Property>
-->
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager">
    <Property name="ConnectionURL">ldap://localhost:10389</Property>
    <Property name="ConnectionName">uid=admin,ou=system</Property>
    <Property name="ConnectionPassword">secret</Property>
    <Property name="passwordHashMethod">PLAIN_TEXT</Property>
    <Property name="UserNameListFilter">(objectClass=person)</Property>
    <Property name="UserEntryObjectClass">inetOrgPerson</Property>
    <Property name="UserSearchBase">ou=system</Property>
    <!-- The '&' of an LDAP AND filter must be written as &amp; inside the XML file -->
    <Property name="UserNameSearchFilter">(&amp;(objectClass=person)(uid=?))</Property>
    <Property name="UserNameAttribute">uid</Property>
    <Property name="UsernameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
    <Property name="UsernameJavaScriptRegEx">^[\\S]{3,30}$</Property>
    <Property name="RolenameJavaScriptRegEx">^[\\S]{3,30}$</Property>
    <Property name="RolenameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
    <Property name="PasswordJavaScriptRegEx">^[\\S]{5,30}$</Property>
    <Property name="ReadLDAPGroups">true</Property>
    <Property name="WriteLDAPGroups">true</Property>
    <Property name="EmptyRolesAllowed">false</Property>
    <Property name="GroupSearchBase">ou=system</Property>
    <Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property>
    <Property name="GroupEntryObjectClass">groupOfNames</Property>
    <Property name="GroupNameSearchFilter">(&amp;(objectClass=groupOfNames)(cn=?))</Property>
    <Property name="GroupNameAttribute">cn</Property>
    <Property name="MembershipAttribute">member</Property>
    <Property name="UserRolesCacheEnabled">true</Property>
    <Property name="ReplaceEscapeCharactersAtUserLogin">true</Property>
    <Property name="maxFailedLoginAttempt">0</Property>
    <Property name="DomainName">domain.com</Property>
</UserStoreManager>
- You need to change some properties according to the IS user-mgt.xml (refer to the IS user-mgt.xml and its default LDAP settings):
- No need to change the LDAP port if IS was started on the default port (otherwise: 10389 + <offset value>), i.e.: <Property name="ConnectionURL">ldap://localhost:10389</Property>
- <Property name="ConnectionPassword">admin</Property>
- <Property name="passwordHashMethod">SHA</Property>
- <Property name="UserEntryObjectClass">identityPerson</Property>
- <Property name="UserSearchBase">ou=Users,dc=wso2,dc=org</Property>
- <Property name="GroupSearchBase">ou=Groups,dc=wso2,dc=org</Property>
Step 4: Start ESB
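As an added example (not part of the original article or of WSO2's code), the following Python script checks a ReadWriteLDAPUserStoreManager block against the changes listed in Step 3: the LDAP port adjusted for the IS offset, the hash method, the bind password and the search bases. It also shows what the UserNameSearchFilter becomes once a login name is substituted for the '?' placeholder, with the escaping that ReplaceEscapeCharactersAtUserLogin enables (the escape table follows RFC 4515; whether the product escapes exactly these characters is an assumption). The sample user-mgt.xml fragment is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not a real file): the article's LDAP block with the values
# Step 3 says to change already applied. Note '&' is written as &amp; inside XML.
SAMPLE_USER_MGT = """<UserManager><Realm>
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager">
  <Property name="ConnectionURL">ldap://localhost:10389</Property>
  <Property name="ConnectionPassword">admin</Property>
  <Property name="passwordHashMethod">SHA</Property>
  <Property name="UserEntryObjectClass">identityPerson</Property>
  <Property name="UserSearchBase">ou=Users,dc=wso2,dc=org</Property>
  <Property name="UserNameSearchFilter">(&amp;(objectClass=person)(uid=?))</Property>
  <Property name="GroupSearchBase">ou=Groups,dc=wso2,dc=org</Property>
  <Property name="ReplaceEscapeCharactersAtUserLogin">true</Property>
</UserStoreManager></Realm></UserManager>"""

# RFC 4515 escapes for characters that are special inside an LDAP search filter (assumed set).
LDAP_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}

def load_properties(xml_text):
    """Return {name: value} for the first UserStoreManager element."""
    usm = ET.fromstring(xml_text).find(".//UserStoreManager")
    return {p.get("name"): (p.text or "") for p in usm.findall("Property")}

def escape_filter_value(value):
    """Escape a login name before it is substituted into the '?' placeholder."""
    return "".join(LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)

def effective_search_filter(props, username):
    """Filter the user store would send for a login, honouring the escape property."""
    if props.get("ReplaceEscapeCharactersAtUserLogin", "false").lower() == "true":
        username = escape_filter_value(username)
    return props["UserNameSearchFilter"].replace("?", username, 1)

def audit(props, is_offset=0):
    """Return the settings that still hold stock values Step 3 says to change."""
    findings = []
    want = 10389 + is_offset  # IS's embedded LDAP port plus the Offset in IS's carbon.xml
    port = int(props["ConnectionURL"].rsplit(":", 1)[1])
    if port != want:
        findings.append(f"ConnectionURL port {port} != {want}")
    if props.get("passwordHashMethod", "").upper() == "PLAIN_TEXT":
        findings.append("passwordHashMethod is PLAIN_TEXT; IS's embedded LDAP uses SHA")
    if props.get("ConnectionPassword") == "secret":
        findings.append("ConnectionPassword is still the stock value 'secret'")
    for name, base in (("UserSearchBase", "ou=Users,"), ("GroupSearchBase", "ou=Groups,")):
        if not props.get(name, "").startswith(base):
            findings.append(f"{name} should start with {base}")
    return findings
```

Point load_properties at the real ESB_HOME user-mgt.xml and pass the Offset configured in the IS carbon.xml to audit; an empty list means the block matches what Step 3 asks for.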