Question

所以我一直在和WSO2身份识别服务器玩耍和玩弄一段时间，我不得不说它伤害了我而不是它有帮助。无论如何，我对如何与Active Directory集成有疑问。我已经到了可以在WSO2 IS中看到我所有AD的用户和组的地方。但是，我遇到了以下情况：

我无法使用任何AD凭证登录WSO2 IS。
我无法在WSO2中为AD用户配置域名（foo.com \）。
当我使用admin登录WSO2时，我看到所有AD用户，但他们没有任何角色（组）。不知何故，当WSO2从AD读取这些用户时，它不会读取用户所属的AD组。

我漫长而无聊的WSO2 IS配置：

<UserManager>
  <Realm>
    <Configuration>
      <AdminRole>admin</AdminRole>
      <AdminUser>
        <UserName>admin</UserName>
        <Password>admin</Password>
      </AdminUser>
      <EveryOneRoleName>everyone</EveryOneRoleName>
      <!-- By default users in this role sees the registry root -->
      <Property name="dataSource">jdbc/WSO2CarbonDB</Property>
      <Property name="MultiTenantRealmConfigBuilder">org.wso2.carbon.user.core.config.multitenancy.CommonLDAPRealmConfigBuilder</Property>
    </Configuration>

    <UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager">
      <Property name="defaultRealmName">WSO2.ORG</Property>
      <Property name="kdcEnabled">false</Property>
      <Property name="ConnectionURL">ldap://localhost:${Ports.EmbeddedLDAP.LDAPServerPort}</Property>
      <Property name="ConnectionName">uid=admin,ou=system</Property>
      <Property name="ConnectionPassword">admin</Property>
      <Property name="passwordHashMethod">SHA</Property>
      <Property name="UserNameListFilter">(objectClass=person)</Property>
      <Property name="UserEntryObjectClass">identityPerson</Property>
      <Property name="UserSearchBase">ou=Users,dc=wso2,dc=org</Property>
      <Property name="UserNameSearchFilter">(&amp;(objectClass=person)(uid=?))</Property>
      <Property name="UserNameAttribute">uid</Property>
      <Property name="PasswordJavaScriptRegEx">^[\\S]{5,30}$</Property>
      <Property name="ServicePasswordJavaRegEx">^[\\S]{5,30}$</Property>
      <Property name="ServiceNameJavaRegEx">^[\\S]{2,30}/[\\S]{2,30}$</Property>
      <Property name="UsernameJavaScriptRegEx">^[\\S]{3,30}$</Property>
      <Property name="UsernameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
      <Property name="RolenameJavaScriptRegEx">^[\\S]{3,30}$</Property>
      <Property name="RolenameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
      <Property name="ReadLDAPGroups">true</Property>
      <Property name="WriteLDAPGroups">true</Property>
      <Property name="EmptyRolesAllowed">true</Property>
      <Property name="GroupSearchBase">ou=Groups,dc=wso2,dc=org</Property>
      <Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property>
      <Property name="GroupEntryObjectClass">groupOfNames</Property>
      <Property name="GroupNameSearchFilter">(&amp;(objectClass=groupOfNames)(cn=?))</Property>
      <Property name="GroupNameAttribute">cn</Property>
      <Property name="MembershipAttribute">member</Property>
      <Property name="UserRolesCacheEnabled">true</Property>
      <Property name="UserDNPattern">uid={0},ou=Users,dc=wso2,dc=org</Property>
      <Property name="SCIMEnabled">true</Property>
      <Property name="maxFailedLoginAttempt">0</Property>
    </UserStoreManager>

    <UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager">
      <Property name="ReadOnly">true</Property>
      <Property name="MaxUserNameListLength">100</Property>
      <Property name="ConnectionURL">ldap://10.10.10.72:389</Property>
      <Property name="ConnectionName">CN=Firstname Lastname,OU=Users,OU=New York,OU=Offices,DC=foo,DC=bar,DC=com</Property>
      <Property name="ConnectionPassword">Password1*</Property>
      <Property name="passwordHashMethod">SHA</Property>
      <Property name="UserSearchBase">ou=Users,dc=wso2,dc=org</Property>
      <Property name="UserNameListFilter">(objectClass=person)</Property>
      <Property name="UserNameAttribute">sAMAccountName</Property>
      <Property name="ReadLDAPGroups">false</Property>
      <Property name="GroupSearchBase">ou=Groups,dc=wso2,dc=org</Property>
      <Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property>
      <Property name="GroupNameAttribute">cn</Property>
      <Property name="MembershipAttribute">member</Property>
      <Property name="UserRolesCacheEnabled">true</Property>
      <Property name="ReplaceEscapeCharactersAtUserLogin">true</Property>
      <Property name="maxFailedLoginAttempt">0</Property>
      <!--Property name="DomainName">foo.com</Property-->
    </UserStoreManager>

    <UserStoreManager class="org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager">
      <Property name="defaultRealmName">NYSTSTest</Property>
      <Property name="kdcEnabled">false</Property>
      <Property name="ConnectionURL">ldap://10.10.10.72:389</Property>
      <Property name="ConnectionName">CN=Firstname Lastname,OU=Users,OU=New York,OU=Offices,DC=foo,DC=bar,DC=com</Property>
      <Property name="ConnectionPassword">Password1*</Property>
      <Property name="passwordHashMethod">PLAIN_TEXT</Property>
      <Property name="UserSearchBase">OU=Users,OU=New York,OU=Offices,DC=foo,DC=bar,DC=com</Property>
      <Property name="UserEntryObjectClass">person</Property>
      <Property name="UserNameAttribute">sAMAccountName</Property>
      <Property name="isADLDSRole">false</Property>
      <Property name="userAccountControl">512</Property>
      <Property name="UserNameListFilter">(objectClass=person)</Property>
      <Property name="UserNameSearchFilter">(&amp;(objectClass=user)(cn=?))</Property>
      <Property name="UsernameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
      <Property name="UsernameJavaScriptRegEx">^[\\S]{3,30}$</Property>
      <Property name="PasswordJavaScriptRegEx">^[\\S]{5,30}$</Property>
      <Property name="RolenameJavaScriptRegEx">^[\\S]{3,30}$</Property>
      <Property name="RolenameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
      <Property name="ReadLDAPGroups">true</Property>
      <Property name="WriteLDAPGroups">false</Property>
      <Property name="EmptyRolesAllowed">true</Property>
      <Property name="GroupSearchBase">OU=Groups,OU=New York,OU=Offices,DC=foo,DC=bar,DC=com</Property>
      <Property name="GroupEntryObjectClass">group</Property>
      <Property name="GroupNameAttribute">sAMAccountName</Property>
      <Property name="MembershipAttribute">member</Property>
      <Property name="GroupNameListFilter">(objectCategory=group)</Property>
      <Property name="GroupNameSearchFilter">(&amp;(objectClass=group)(cn=?))</Property>
      <Property name="UserRolesCacheEnabled">true</Property>
      <!--Property name="Referral">follow</Property-->
      <Property name="BackLinksEnabled">false</Property>
      <Property name="maxFailedLoginAttempt">0</Property>
      <!--Property name="DomainName">foo.com</Property-->
    </UserStoreManager>

    <AuthorizationManager
            class="org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager">
      <Property name="AdminRoleManagementPermissions">/permission</Property>
      <Property name="AuthorizationCacheEnabled">true</Property>
    </AuthorizationManager>
  </Realm>
</UserManager>

Answer 1

您似乎配置了多个用户存储。在这种情况下，您需要使用以下属性指定域名：

  <!--Property name="DomainName">foo.com</Property-->

请参阅：http://docs.wso2.org/wiki/display/IS400/Configuring+Multiple+User+Stores。

希望这有帮助，伊莎贝尔。

Answer 2

这是在最新的WSO2 IS版本中解决的，但仍然在Alpha中。

Answer 3

我正在经历，我相信的是，完全相同的事情。当我查看“角色”时，一切看起来都很好，我可以看到该角色的用户。但是当我离开用户并尝试查看分配给哪个角色时，它表示没有分配任何角色。 wso2 api manager 1.6.0 problems with User store management using ActiveDirectoryUserStoreManager

你是如何让你安装工作的，它是否仍在使用API-manager 1.6.0？

WSO2身份服务器和Active Directory集成

3 个答案: