无法将 OpenLDAP 设置为 wso2is 5.6.0 的主要用户存储:在管理控制台中添加新用户时出现 LDAP 错误 65
Unable to setup OpenLDAP as primary user store for wso2is 5.6.0: LDAP Error 65 when adding a new user in management console
我无法使用 OpenLDAP 将 WSO2 Identity Server v5.6.0 设置为主要的外部用户存储。身份服务器按预期启动(控制台中没有错误)并且管理员用户帐户也已自动创建。但是,如果我尝试为每个管理控制台添加一个新用户,Identity Server 会抛出以下错误:
Could not add user PRIMARY/johndoe@gmail.com. Error: Cannot access the directory context or user already exists in the system for user :johndoe@gmail.com
在 LDAP 控制台中,您可以看到 wso2is 正在尝试添加具有 ref 属性的用户:
5b7589c9 conn=1022 op=2 ADD dn="mail=johndoe@gmail.com,ou=Users,dc=wso2,dc=org"
5b7589c9 conn=1022 op=2 RESULT tag=105 err=65 text=attribute "ref" only allowed in the referral
我不知道 wso2is 到底为什么要这么做。 Referral-Option 被禁用并且 WSO2 特定的 ldif 文件已被导入。如何解决这个问题?
下面是我的 user-mgt.xml 配置:
<UserManager>
<Realm>
<Configuration>
<AddAdmin>true</AddAdmin>
<AdminRole>admin</AdminRole>
<AdminUser>
<UserName>admin@wso2.com</UserName>
<Password>admin</Password>
</AdminUser>
<EveryOneRoleName>everyone</EveryOneRoleName> <!-- By default users in this role sees the registry root -->
<Property name="isCascadeDeleteEnabled">true</Property>
<Property name="initializeNewClaimManager">true</Property>
<Property name="dataSource">jdbc/WSO2CarbonDB</Property>
</Configuration>
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager">
<Property name="TenantManager">org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager</Property>
<Property name="ConnectionURL">ldap://ldap:389</Property>
<Property name="ConnectionName">cn=admin,dc=wso2,dc=org</Property>
<Property name="ConnectionPassword">admin</Property>
<Property name="AnonymousBind">false</Property>
<Property name="UserSearchBase">ou=Users,dc=wso2,dc=org</Property>
<Property name="UserEntryObjectClass">identityPerson</Property>
<Property name="UserNameAttribute">mail</Property>
<Property name="UserNameSearchFilter">(&(objectClass=identityPerson)(mail=?))</Property>
<Property name="UserNameListFilter">(&(objectClass=identityPerson)(mail=*))</Property>
<Property name="UserDNPattern">mail={0},ou=Users,dc=wso2,dc=org</Property>
<Property name="DisplayNameAttribute"/>
<Property name="ReadGroups">true</Property>
<Property name="WriteGroups">true</Property>
<Property name="GroupSearchBase">ou=Groups,dc=wso2,dc=org</Property>
<Property name="GroupEntryObjectClass">groupOfNames</Property>
<Property name="GroupNameAttribute">cn</Property>
<Property name="GroupNameSearchFilter">(&(objectClass=groupOfNames)(cn=?))</Property>
<Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property>
<Property name="RoleDNPattern">cn={0},ou=Groups,dc=wso2,dc=org</Property>
<Property name="MembershipAttribute">member</Property>
<Property name="BackLinksEnabled">false</Property>
<Property name="UsernameJavaRegEx">^[a-zA-Z0-9._-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,4}$</Property>
<Property name="UsernameJavaScriptRegEx">^[a-zA-Z0-9._-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,4}$</Property>
<Property name="UsernameJavaRegExViolationErrorMsg">Username pattern policy violated</Property>
<Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property>
<Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property>
<Property name="PasswordJavaRegExViolationErrorMsg">Password length should be within 5 to 30 characters</Property>
<Property name="RolenameJavaRegEx">[a-zA-Z0-9._\-|//]{3,40}$</Property>
<Property name="RolenameJavaScriptRegEx">^[\S]{3,40}$</Property>
<Property name="SCIMEnabled">true</Property>
<Property name="IsBulkImportSupported">false</Property>
<Property name="EmptyRolesAllowed">false</Property>
<Property name="PasswordHashMethod">PLAIN_TEXT</Property>
<Property name="MultiAttributeSeparator">,</Property>
<Property name="MaxUserNameListLength">100</Property>
<Property name="MaxRoleNameListLength">100</Property>
<Property name="kdcEnabled">false</Property>
<Property name="defaultRealmName">WSO2.ORG</Property>
<Property name="UserRolesCacheEnabled">true</Property>
<Property name="ConnectionPoolingEnabled">false</Property>
<Property name="LDAPConnectionTimeout">5000</Property>
<Property name="ReadTimeout"/>
<Property name="RetryAttempts"/>
</UserStoreManager>
<AuthorizationManager class="org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager">
<Property name="AdminRoleManagementPermissions">/permission</Property>
<Property name="AuthorizationCacheEnabled">true</Property>
<Property name="GetAllRolesOfUserEnabled">false</Property>
</AuthorizationManager>
</Realm>
</UserManager>
出现上述错误的原因是,在 WSO2 IS 中用于表示 resourceType 我们已经映射了一个名为 "ref" 的 ldap 属性,但似乎 "ref" 是在 OpenLdap 中保留用于引用的属性.因此我们看到了上述错误。
要解决此问题,您可以按照以下说明操作,
- 启动身份服务器后,转到主页 -> 身份 -> 声明 -> 列表。
- Select "urn:ietf:params:scim:schemas:core:2.0" 然后点击编辑 "urn:ietf:params:scim:schemas:core:2.0:meta.resourceType".
- 对于 "Mapped Local Claim" select 您想要映射到此的适当声明。例如:http://wso2.org/claims/userType 并单击更新。
- 现在尝试通过管理控制台创建用户。
我无法使用 OpenLDAP 将 WSO2 Identity Server v5.6.0 设置为主要的外部用户存储。身份服务器按预期启动(控制台中没有错误)并且管理员用户帐户也已自动创建。但是,如果我尝试为每个管理控制台添加一个新用户,Identity Server 会抛出以下错误:
Could not add user PRIMARY/johndoe@gmail.com. Error: Cannot access the directory context or user already exists in the system for user :johndoe@gmail.com
在 LDAP 控制台中,您可以看到 wso2is 正在尝试添加具有 ref 属性的用户:
5b7589c9 conn=1022 op=2 ADD dn="mail=johndoe@gmail.com,ou=Users,dc=wso2,dc=org" 5b7589c9 conn=1022 op=2 RESULT tag=105 err=65 text=attribute "ref" only allowed in the referral
我不知道 wso2is 到底为什么要这么做。 Referral-Option 被禁用并且 WSO2 特定的 ldif 文件已被导入。如何解决这个问题?
下面是我的 user-mgt.xml 配置:
<UserManager>
<Realm>
<Configuration>
<AddAdmin>true</AddAdmin>
<AdminRole>admin</AdminRole>
<AdminUser>
<UserName>admin@wso2.com</UserName>
<Password>admin</Password>
</AdminUser>
<EveryOneRoleName>everyone</EveryOneRoleName> <!-- By default users in this role sees the registry root -->
<Property name="isCascadeDeleteEnabled">true</Property>
<Property name="initializeNewClaimManager">true</Property>
<Property name="dataSource">jdbc/WSO2CarbonDB</Property>
</Configuration>
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager">
<Property name="TenantManager">org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager</Property>
<Property name="ConnectionURL">ldap://ldap:389</Property>
<Property name="ConnectionName">cn=admin,dc=wso2,dc=org</Property>
<Property name="ConnectionPassword">admin</Property>
<Property name="AnonymousBind">false</Property>
<Property name="UserSearchBase">ou=Users,dc=wso2,dc=org</Property>
<Property name="UserEntryObjectClass">identityPerson</Property>
<Property name="UserNameAttribute">mail</Property>
<Property name="UserNameSearchFilter">(&(objectClass=identityPerson)(mail=?))</Property>
<Property name="UserNameListFilter">(&(objectClass=identityPerson)(mail=*))</Property>
<Property name="UserDNPattern">mail={0},ou=Users,dc=wso2,dc=org</Property>
<Property name="DisplayNameAttribute"/>
<Property name="ReadGroups">true</Property>
<Property name="WriteGroups">true</Property>
<Property name="GroupSearchBase">ou=Groups,dc=wso2,dc=org</Property>
<Property name="GroupEntryObjectClass">groupOfNames</Property>
<Property name="GroupNameAttribute">cn</Property>
<Property name="GroupNameSearchFilter">(&(objectClass=groupOfNames)(cn=?))</Property>
<Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property>
<Property name="RoleDNPattern">cn={0},ou=Groups,dc=wso2,dc=org</Property>
<Property name="MembershipAttribute">member</Property>
<Property name="BackLinksEnabled">false</Property>
<Property name="UsernameJavaRegEx">^[a-zA-Z0-9._-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,4}$</Property>
<Property name="UsernameJavaScriptRegEx">^[a-zA-Z0-9._-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,4}$</Property>
<Property name="UsernameJavaRegExViolationErrorMsg">Username pattern policy violated</Property>
<Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property>
<Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property>
<Property name="PasswordJavaRegExViolationErrorMsg">Password length should be within 5 to 30 characters</Property>
<Property name="RolenameJavaRegEx">[a-zA-Z0-9._\-|//]{3,40}$</Property>
<Property name="RolenameJavaScriptRegEx">^[\S]{3,40}$</Property>
<Property name="SCIMEnabled">true</Property>
<Property name="IsBulkImportSupported">false</Property>
<Property name="EmptyRolesAllowed">false</Property>
<Property name="PasswordHashMethod">PLAIN_TEXT</Property>
<Property name="MultiAttributeSeparator">,</Property>
<Property name="MaxUserNameListLength">100</Property>
<Property name="MaxRoleNameListLength">100</Property>
<Property name="kdcEnabled">false</Property>
<Property name="defaultRealmName">WSO2.ORG</Property>
<Property name="UserRolesCacheEnabled">true</Property>
<Property name="ConnectionPoolingEnabled">false</Property>
<Property name="LDAPConnectionTimeout">5000</Property>
<Property name="ReadTimeout"/>
<Property name="RetryAttempts"/>
</UserStoreManager>
<AuthorizationManager class="org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager">
<Property name="AdminRoleManagementPermissions">/permission</Property>
<Property name="AuthorizationCacheEnabled">true</Property>
<Property name="GetAllRolesOfUserEnabled">false</Property>
</AuthorizationManager>
</Realm>
</UserManager>
出现上述错误的原因是,在 WSO2 IS 中用于表示 resourceType 我们已经映射了一个名为 "ref" 的 ldap 属性,但似乎 "ref" 是在 OpenLdap 中保留用于引用的属性.因此我们看到了上述错误。
要解决此问题,您可以按照以下说明操作,
- 启动身份服务器后,转到主页 -> 身份 -> 声明 -> 列表。
- Select "urn:ietf:params:scim:schemas:core:2.0" 然后点击编辑 "urn:ietf:params:scim:schemas:core:2.0:meta.resourceType".
- 对于 "Mapped Local Claim" select 您想要映射到此的适当声明。例如:http://wso2.org/claims/userType 并单击更新。
- 现在尝试通过管理控制台创建用户。