WSO2 (IdM) 无法在 Active Directory 中将用户添加为主用户存储
WSO2 (IdM) cannot add user in Active Directory as primary user store
环境:
- wso2 5.3.0 安装在
- Windows 7 sp1
- jdk_1.8.0_151 与外部 主要用户存储 在
- AD(Windows 服务器 2016 Active Directory)
操作:
- wso2正常启动
- wsoadmin 用户在 AD 中可用
- wso2 通过 ldaps 绑定到 AD
- 以管理员身份登录win 7客户端上的wso2管理菜单正常
- 所有现有的 AD 用户都显示在 wso2 用户列表视图中(只有那些有电子邮件地址的用户)
如果我想添加新用户 "wsotest" 会抛出一个错误:
ERROR {org.wso2.carbon.user.mgt.ui.UserAdminClient} -
Error while adding the user to the Active Directory for user :
wsotest
[...]
Caused by: javax.naming.directory.NoSuchAttributeException:
[LDAP: error code 16 - 00000057: LdapErr: DSID-0C091027, comment:
Error in attribute conversion operation, data 0, v3839 ];
remaining name 'cn=wsotest'
用户-mgt.xml:
<UserManager>
<Realm>
<Configuration>
<AddAdmin>False</AddAdmin>
<AdminRole>admin</AdminRole>
<AdminUser>
<UserName>wsoadmin</UserName><!-- already be available in user store, here: AD -->
<Password>admin</Password><!-- keep default; real pw is already set in AD -->
</AdminUser>
<EveryOneRoleName>everyone</EveryOneRoleName>
<Property name="isCascadeDeleteEnabled">true</Property>
<Property name="initializeNewClaimManager">true</Property>
<Property name="dataSource">jdbc/WSO2CarbonDB</Property>
</Configuration>
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager">
<Property name="TenantManager">org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager</Property>
<Property name="defaultRealmName">wso.ad.org</Property>
<Property name="Disabled">false</Property>
<Property name="kdcEnabled">true</Property>
<Property name="ConnectionURL">ldaps://dc.wso.ad.org:636</Property>
<Property name="ConnectionName">CN=wsoadmin,OU=AllUsers,DC=wso,DC=ad,DC=org</Property>
<Property name="ConnectionPassword">*******</Property>
<Property name="PasswordHashMethod">PLAIN_TEXT</Property>
<Property name="AnonymousBind">false</Property>
<Property name="UserSearchBase">OU=AllUsers,DC=wso,DC=ad,DC=org</Property>
<Property name="UserEntryObjectClass">user</Property>
<Property name="UserNameAttribute">sAMAccountName</Property>
<Property name="UserNameSearchFilter">(&(objectClass=user)(sAMAccountName=?))</Property>
<Property name="UserNameListFilter">(&(objectClass=user)(sAMAccountName=*))</Property>
<!-- -->
<Property name="ReadGroups">true</Property>
<Property name="WriteGroups">false</Property>
<Property name="GroupSearchBase">CN=Users,DC=wso,DC=ad,DC=org</Property>
<Property name="GroupEntryObjectClass">group</Property>
<Property name="GroupNameAttribute">cn</Property>
<Property name="GroupNameSearchFilter">(&(objectClass=group)(cn=?))</Property>
<Property name="GroupNameListFilter">(objectcategory=group)</Property>
<Property name="MembershipAttribute">member</Property>
<Property name="MemberOfAttribute">memberOf</Property>
<Property name="BackLinksEnabled">true</Property>
<Property name="Referral">follow</Property>
<Property name="UsernameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
<Property name="UsernameJavaScriptRegEx">^[\S]{3,30}$</Property>
<!-- -->
<Property name="UsernameJavaRegExViolationErrorMsg">Username pattern policy violated</Property>
<Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property>
<Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property>
<Property name="PasswordJavaRegExViolationErrorMsg">Password length should be within 5 to 30 characters</Property>
<Property name="RolenameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
<Property name="RolenameJavaScriptRegEx">^[\S]{3,30}$</Property>
<Property name="SCIMEnabled">false</Property>
<Property name="IsBulkImportSupported">false</Property>
<Property name="EmptyRolesAllowed">true</Property>
<Property name="MultiAttributeSeparator">,</Property>
<Property name="isADLDSRole">false</Property>
<Property name="userAccountControl">512</Property>
<Property name="MaxUserNameListLength">100</Property>
<Property name="MaxRoleNameListLength">100</Property>
<Property name="UserRolesCacheEnabled">false</Property><!-- default true -->
<Property name="ConnectionPoolingEnabled">false</Property>
<Property name="LDAPConnectionTimeout">5000</Property>
<Property name="ReadTimeout"/>
<Property name="RetryAttempts"/>
</UserStoreManager>
<AuthorizationManager class="org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager">
<Property name="AdminRoleManagementPermissions">/permission</Property>
<Property name="AuthorizationCacheEnabled">true</Property>
<Property name="GetAllRolesOfUserEnabled">false</Property>
</AuthorizationManager>
</Realm>
</UserManager>
嵌入式-ldap.xml
<EmbeddedLDAP>
<Property name="enable">false</Property>
有什么建议吗?
找到解决方案:
将此 属性 添加到 user-mgt.xml 中的 UserStoreManager
<Property name="UserDNPattern">cn={0},ou=AllUsers,dc=wso,dc=ad,dc=com</Property>
这样CN就可以正常构建了。显然,您必须根据您的 AD LDAP 调整此 DN 字符串的结构和内容。
我花了很长时间才找到这个,因为 WSO2's manual 有点误导 re UserDNPattern:
The patten for user's DN. It can be defined to improve the LDAP search. When there are many user entries in the LADP, defining a "UserDNPattern" provides more impact on performances as the LDAP does not have to travel through the entire tree to find users.
听起来像是一个选项,但似乎是必要的。
环境:
- wso2 5.3.0 安装在
- Windows 7 sp1
- jdk_1.8.0_151 与外部 主要用户存储 在
- AD(Windows 服务器 2016 Active Directory)
操作:
- wso2正常启动
- wsoadmin 用户在 AD 中可用
- wso2 通过 ldaps 绑定到 AD
- 以管理员身份登录win 7客户端上的wso2管理菜单正常
- 所有现有的 AD 用户都显示在 wso2 用户列表视图中(只有那些有电子邮件地址的用户)
如果我想添加新用户 "wsotest" 会抛出一个错误:
ERROR {org.wso2.carbon.user.mgt.ui.UserAdminClient} -
Error while adding the user to the Active Directory for user :
wsotest
[...]
Caused by: javax.naming.directory.NoSuchAttributeException:
[LDAP: error code 16 - 00000057: LdapErr: DSID-0C091027, comment:
Error in attribute conversion operation, data 0, v3839 ];
remaining name 'cn=wsotest'
用户-mgt.xml:
<UserManager>
<Realm>
<Configuration>
<AddAdmin>False</AddAdmin>
<AdminRole>admin</AdminRole>
<AdminUser>
<UserName>wsoadmin</UserName><!-- already be available in user store, here: AD -->
<Password>admin</Password><!-- keep default; real pw is already set in AD -->
</AdminUser>
<EveryOneRoleName>everyone</EveryOneRoleName>
<Property name="isCascadeDeleteEnabled">true</Property>
<Property name="initializeNewClaimManager">true</Property>
<Property name="dataSource">jdbc/WSO2CarbonDB</Property>
</Configuration>
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager">
<Property name="TenantManager">org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager</Property>
<Property name="defaultRealmName">wso.ad.org</Property>
<Property name="Disabled">false</Property>
<Property name="kdcEnabled">true</Property>
<Property name="ConnectionURL">ldaps://dc.wso.ad.org:636</Property>
<Property name="ConnectionName">CN=wsoadmin,OU=AllUsers,DC=wso,DC=ad,DC=org</Property>
<Property name="ConnectionPassword">*******</Property>
<Property name="PasswordHashMethod">PLAIN_TEXT</Property>
<Property name="AnonymousBind">false</Property>
<Property name="UserSearchBase">OU=AllUsers,DC=wso,DC=ad,DC=org</Property>
<Property name="UserEntryObjectClass">user</Property>
<Property name="UserNameAttribute">sAMAccountName</Property>
<Property name="UserNameSearchFilter">(&(objectClass=user)(sAMAccountName=?))</Property>
<Property name="UserNameListFilter">(&(objectClass=user)(sAMAccountName=*))</Property>
<!-- -->
<Property name="ReadGroups">true</Property>
<Property name="WriteGroups">false</Property>
<Property name="GroupSearchBase">CN=Users,DC=wso,DC=ad,DC=org</Property>
<Property name="GroupEntryObjectClass">group</Property>
<Property name="GroupNameAttribute">cn</Property>
<Property name="GroupNameSearchFilter">(&(objectClass=group)(cn=?))</Property>
<Property name="GroupNameListFilter">(objectcategory=group)</Property>
<Property name="MembershipAttribute">member</Property>
<Property name="MemberOfAttribute">memberOf</Property>
<Property name="BackLinksEnabled">true</Property>
<Property name="Referral">follow</Property>
<Property name="UsernameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
<Property name="UsernameJavaScriptRegEx">^[\S]{3,30}$</Property>
<!-- -->
<Property name="UsernameJavaRegExViolationErrorMsg">Username pattern policy violated</Property>
<Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property>
<Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property>
<Property name="PasswordJavaRegExViolationErrorMsg">Password length should be within 5 to 30 characters</Property>
<Property name="RolenameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
<Property name="RolenameJavaScriptRegEx">^[\S]{3,30}$</Property>
<Property name="SCIMEnabled">false</Property>
<Property name="IsBulkImportSupported">false</Property>
<Property name="EmptyRolesAllowed">true</Property>
<Property name="MultiAttributeSeparator">,</Property>
<Property name="isADLDSRole">false</Property>
<Property name="userAccountControl">512</Property>
<Property name="MaxUserNameListLength">100</Property>
<Property name="MaxRoleNameListLength">100</Property>
<Property name="UserRolesCacheEnabled">false</Property><!-- default true -->
<Property name="ConnectionPoolingEnabled">false</Property>
<Property name="LDAPConnectionTimeout">5000</Property>
<Property name="ReadTimeout"/>
<Property name="RetryAttempts"/>
</UserStoreManager>
<AuthorizationManager class="org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager">
<Property name="AdminRoleManagementPermissions">/permission</Property>
<Property name="AuthorizationCacheEnabled">true</Property>
<Property name="GetAllRolesOfUserEnabled">false</Property>
</AuthorizationManager>
</Realm>
</UserManager>
嵌入式-ldap.xml
<EmbeddedLDAP>
<Property name="enable">false</Property>
有什么建议吗?
找到解决方案:
将此 属性 添加到 user-mgt.xml 中的 UserStoreManager
<Property name="UserDNPattern">cn={0},ou=AllUsers,dc=wso,dc=ad,dc=com</Property>
这样CN就可以正常构建了。显然,您必须根据您的 AD LDAP 调整此 DN 字符串的结构和内容。
我花了很长时间才找到这个,因为 WSO2's manual 有点误导 re UserDNPattern:
The patten for user's DN. It can be defined to improve the LDAP search. When there are many user entries in the LADP, defining a "UserDNPattern" provides more impact on performances as the LDAP does not have to travel through the entire tree to find users.
听起来像是一个选项,但似乎是必要的。