I have used Identity Server 5.3.0 and OpenDJ 3.0.0 for this explanation.
Setting up OpenDJ :
- Download the OpenDJ server. I have used latest Trial Edition which can be download from https://forgerock.org/opendj/
- Then navigate to the root directory of downloaded LDAP server and run "setup" script to configure the OpenDJ server. (If your environment is windows, run setup.bat file)
- Configure the OpenDJ based on your requirement. You can refer the steps shown below,
- Server Settings,
- Topology Options,
- Directory Data,
- Runtime Options,
- Review,
- Now we have successfully configured OpenDJ configuration. To launch the control panel of the OpenDJ LDAP server, you can click the "Launch Control Panel" button as in the following image. If not, you can start it by running "control-panel" script which can be found under <OpenDJ_Home>/bin directory. (for Windows users, this can be found under <OpenDJ_Home>/bat directory)
- Please refer below images for more details about my OpenDJ LDAP configurations.
Configuring Identity Server :
- WSO2 Identity server has configured with ApacheDS embedded LDAP by default. So to configure external LDAP with same ports, we have to disable it.
- We can disable the embedded LDAP by changing "EmbeddedLDAP" property to "false" on embedded-ldap.xml file which can be found under <IS_HOME>/repository/conf/identity directory.
- Then configure the user-mgt.xml file which can be found under <IS_HOME>/repository/conf directory as per the LDAP server configurations. (make sure to comment the existing user store manager configuration)
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager">
<Property name="TenantManager">org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager</Property>
<Property name="ConnectionURL">ldap://localhost:1389</Property>
<Property name="Disabled">false</Property>
<Property name="ConnectionName">cn=TestServer</Property>
<Property name="ConnectionPassword">root</Property>
<Property name="passwordHashMethod">PLAIN_TEXT</Property>
<Property name="UserNameListFilter">(objectClass=person)</Property>
<Property name="UserEntryObjectClass">inetOrgPerson</Property>
<Property name="UserSearchBase">ou=users,dc=shanaka,dc=com</Property>
<Property name="UserNameSearchFilter">(&(objectClass=person)(uid=?))</Property>
<Property name="UserNameAttribute">uid</Property>
<Property name="UsernameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
<Property name="UsernameJavaScriptRegEx">^[\S]{3,30}$</Property>
<Property name="RolenameJavaScriptRegEx">^[\S]{3,30}$</Property>
<Property name="RolenameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
<Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property>
<Property name="ReadGroups">true</Property>
<Property name="WriteGroups">true</Property>
<Property name="EmptyRolesAllowed">false</Property>
<Property name="GroupSearchBase">ou=groups,dc=shanaka,dc=com</Property>
<Property name="GroupNameListFilter">(objectClass=groupOfUniqueNames)</Property>
<Property name="GroupEntryObjectClass">groupOfUniqueNames</Property>
<Property name="GroupNameSearchFilter">(&(objectClass=groupOfUniqueNames)(cn=?))</Property>
<Property name="GroupNameAttribute">cn</Property>
<Property name="SharedGroupNameAttribute">cn</Property>
<Property name="SharedGroupSearchBase">ou=SharedGroups,dc=example,dc=com</Property>
<Property name="SharedGroupEntryObjectClass">groupOfUniqueNames</Property>
<Property name="SharedGroupNameListFilter">(objectClass=groupOfUniqueNames)</Property>
<Property name="SharedGroupNameSearchFilter">(&(objectClass=groupOfUniqueNames)(cn=?))</Property>
<Property name="SharedTenantNameListFilter">(objectClass=organizationalUnit)</Property>
<Property name="SharedTenantNameAttribute">ou</Property>
<Property name="SharedTenantObjectClass">organizationalUnit</Property>
<Property name="MembershipAttribute">uniqueMember</Property>
<Property name="UserRolesCacheEnabled">true</Property>
<Property name="ReplaceEscapeCharactersAtUserLogin">true</Property>
<Property name="MaxRoleNameListLength">100</Property>
<Property name="MaxUserNameListLength">100</Property>
<Property name="SCIMEnabled">false</Property>
</UserStoreManager>
<Property name="TenantManager">org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager</Property>
<Property name="ConnectionURL">ldap://localhost:1389</Property>
<Property name="Disabled">false</Property>
<Property name="ConnectionName">cn=TestServer</Property>
<Property name="ConnectionPassword">root</Property>
<Property name="passwordHashMethod">PLAIN_TEXT</Property>
<Property name="UserNameListFilter">(objectClass=person)</Property>
<Property name="UserEntryObjectClass">inetOrgPerson</Property>
<Property name="UserSearchBase">ou=users,dc=shanaka,dc=com</Property>
<Property name="UserNameSearchFilter">(&(objectClass=person)(uid=?))</Property>
<Property name="UserNameAttribute">uid</Property>
<Property name="UsernameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
<Property name="UsernameJavaScriptRegEx">^[\S]{3,30}$</Property>
<Property name="RolenameJavaScriptRegEx">^[\S]{3,30}$</Property>
<Property name="RolenameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
<Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property>
<Property name="ReadGroups">true</Property>
<Property name="WriteGroups">true</Property>
<Property name="EmptyRolesAllowed">false</Property>
<Property name="GroupSearchBase">ou=groups,dc=shanaka,dc=com</Property>
<Property name="GroupNameListFilter">(objectClass=groupOfUniqueNames)</Property>
<Property name="GroupEntryObjectClass">groupOfUniqueNames</Property>
<Property name="GroupNameSearchFilter">(&(objectClass=groupOfUniqueNames)(cn=?))</Property>
<Property name="GroupNameAttribute">cn</Property>
<Property name="SharedGroupNameAttribute">cn</Property>
<Property name="SharedGroupSearchBase">ou=SharedGroups,dc=example,dc=com</Property>
<Property name="SharedGroupEntryObjectClass">groupOfUniqueNames</Property>
<Property name="SharedGroupNameListFilter">(objectClass=groupOfUniqueNames)</Property>
<Property name="SharedGroupNameSearchFilter">(&(objectClass=groupOfUniqueNames)(cn=?))</Property>
<Property name="SharedTenantNameListFilter">(objectClass=organizationalUnit)</Property>
<Property name="SharedTenantNameAttribute">ou</Property>
<Property name="SharedTenantObjectClass">organizationalUnit</Property>
<Property name="MembershipAttribute">uniqueMember</Property>
<Property name="UserRolesCacheEnabled">true</Property>
<Property name="ReplaceEscapeCharactersAtUserLogin">true</Property>
<Property name="MaxRoleNameListLength">100</Property>
<Property name="MaxUserNameListLength">100</Property>
<Property name="SCIMEnabled">false</Property>
</UserStoreManager>
We have configured OpenJD as the primary userstore of Identity server. Now start the Identity Server.
According to the configuration that I have done under user-mgt.xml file, admin user has been added to the LDAP and admin role has been created in the very first startup of the server. If you have define an existing user as admin user, that user will be shown as admin user without adding new entry to LDAP.
Note : Admin user of the WSO2 Identity Server must be a user in that OpenDJ search base and that user who is configured as admin must be in the admin role.
To verify the configurations, I have added new user "shanaka" and new role "Manager" through the management console of Identity server.
Hope this will helpful. Thank you.
