0

所以我一直在玩 WSO2 身份服务器,我不得不说它对我的伤害大于它的帮助。无论如何,我对如何与 Active Directory 集成有疑问。我已经到了可以在 WSO2 IS 中看到我所有 AD 的用户和组的地步。但是,我遇到了以下情况:

  • 我无法使用任何 AD 凭据登录 WSO2 IS。
  • 我无法在 WSO2 中为 AD 用户配置域 (foo.com\)。
  • 当我以管理员身份登录 WSO2 时,我看到所有 AD 用户,但他们没有任何角色(组)。不知何故,当 WSO2 从 AD 读取这些用户时,它不会读取用户所属的 AD 组。

我漫长而无聊的 WSO2 IS 配置:

<UserManager>
  <Realm>
    <Configuration>
      <AdminRole>admin</AdminRole>
      <AdminUser>
        <UserName>admin</UserName>
        <Password>admin</Password>
      </AdminUser>
      <EveryOneRoleName>everyone</EveryOneRoleName>
      <!-- By default users in this role sees the registry root -->
      <Property name="dataSource">jdbc/WSO2CarbonDB</Property>
      <Property name="MultiTenantRealmConfigBuilder">org.wso2.carbon.user.core.config.multitenancy.CommonLDAPRealmConfigBuilder</Property>
    </Configuration>

    <UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager">
      <Property name="defaultRealmName">WSO2.ORG</Property>
      <Property name="kdcEnabled">false</Property>
      <Property name="ConnectionURL">ldap://localhost:${Ports.EmbeddedLDAP.LDAPServerPort}</Property>
      <Property name="ConnectionName">uid=admin,ou=system</Property>
      <Property name="ConnectionPassword">admin</Property>
      <Property name="passwordHashMethod">SHA</Property>
      <Property name="UserNameListFilter">(objectClass=person)</Property>
      <Property name="UserEntryObjectClass">identityPerson</Property>
      <Property name="UserSearchBase">ou=Users,dc=wso2,dc=org</Property>
      <Property name="UserNameSearchFilter">(&amp;(objectClass=person)(uid=?))</Property>
      <Property name="UserNameAttribute">uid</Property>
      <Property name="PasswordJavaScriptRegEx">^[\\S]{5,30}$</Property>
      <Property name="ServicePasswordJavaRegEx">^[\\S]{5,30}$</Property>
      <Property name="ServiceNameJavaRegEx">^[\\S]{2,30}/[\\S]{2,30}$</Property>
      <Property name="UsernameJavaScriptRegEx">^[\\S]{3,30}$</Property>
      <Property name="UsernameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
      <Property name="RolenameJavaScriptRegEx">^[\\S]{3,30}$</Property>
      <Property name="RolenameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
      <Property name="ReadLDAPGroups">true</Property>
      <Property name="WriteLDAPGroups">true</Property>
      <Property name="EmptyRolesAllowed">true</Property>
      <Property name="GroupSearchBase">ou=Groups,dc=wso2,dc=org</Property>
      <Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property>
      <Property name="GroupEntryObjectClass">groupOfNames</Property>
      <Property name="GroupNameSearchFilter">(&amp;(objectClass=groupOfNames)(cn=?))</Property>
      <Property name="GroupNameAttribute">cn</Property>
      <Property name="MembershipAttribute">member</Property>
      <Property name="UserRolesCacheEnabled">true</Property>
      <Property name="UserDNPattern">uid={0},ou=Users,dc=wso2,dc=org</Property>
      <Property name="SCIMEnabled">true</Property>
      <Property name="maxFailedLoginAttempt">0</Property>
    </UserStoreManager>

    <UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager">
      <Property name="ReadOnly">true</Property>
      <Property name="MaxUserNameListLength">100</Property>
      <Property name="ConnectionURL">ldap://10.10.10.72:389</Property>
      <Property name="ConnectionName">CN=Firstname Lastname,OU=Users,OU=New York,OU=Offices,DC=foo,DC=bar,DC=com</Property>
      <Property name="ConnectionPassword">Password1*</Property>
      <Property name="passwordHashMethod">SHA</Property>
      <Property name="UserSearchBase">ou=Users,dc=wso2,dc=org</Property>
      <Property name="UserNameListFilter">(objectClass=person)</Property>
      <Property name="UserNameAttribute">sAMAccountName</Property>
      <Property name="ReadLDAPGroups">false</Property>
      <Property name="GroupSearchBase">ou=Groups,dc=wso2,dc=org</Property>
      <Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property>
      <Property name="GroupNameAttribute">cn</Property>
      <Property name="MembershipAttribute">member</Property>
      <Property name="UserRolesCacheEnabled">true</Property>
      <Property name="ReplaceEscapeCharactersAtUserLogin">true</Property>
      <Property name="maxFailedLoginAttempt">0</Property>
      <!--Property name="DomainName">foo.com</Property-->
    </UserStoreManager>

    <UserStoreManager class="org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager">
      <Property name="defaultRealmName">NYSTSTest</Property>
      <Property name="kdcEnabled">false</Property>
      <Property name="ConnectionURL">ldap://10.10.10.72:389</Property>
      <Property name="ConnectionName">CN=Firstname Lastname,OU=Users,OU=New York,OU=Offices,DC=foo,DC=bar,DC=com</Property>
      <Property name="ConnectionPassword">Password1*</Property>
      <Property name="passwordHashMethod">PLAIN_TEXT</Property>
      <Property name="UserSearchBase">OU=Users,OU=New York,OU=Offices,DC=foo,DC=bar,DC=com</Property>
      <Property name="UserEntryObjectClass">person</Property>
      <Property name="UserNameAttribute">sAMAccountName</Property>
      <Property name="isADLDSRole">false</Property>
      <Property name="userAccountControl">512</Property>
      <Property name="UserNameListFilter">(objectClass=person)</Property>
      <Property name="UserNameSearchFilter">(&amp;(objectClass=user)(cn=?))</Property>
      <Property name="UsernameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
      <Property name="UsernameJavaScriptRegEx">^[\\S]{3,30}$</Property>
      <Property name="PasswordJavaScriptRegEx">^[\\S]{5,30}$</Property>
      <Property name="RolenameJavaScriptRegEx">^[\\S]{3,30}$</Property>
      <Property name="RolenameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
      <Property name="ReadLDAPGroups">true</Property>
      <Property name="WriteLDAPGroups">false</Property>
      <Property name="EmptyRolesAllowed">true</Property>
      <Property name="GroupSearchBase">OU=Groups,OU=New York,OU=Offices,DC=foo,DC=bar,DC=com</Property>
      <Property name="GroupEntryObjectClass">group</Property>
      <Property name="GroupNameAttribute">sAMAccountName</Property>
      <Property name="MembershipAttribute">member</Property>
      <Property name="GroupNameListFilter">(objectCategory=group)</Property>
      <Property name="GroupNameSearchFilter">(&amp;(objectClass=group)(cn=?))</Property>
      <Property name="UserRolesCacheEnabled">true</Property>
      <!--Property name="Referral">follow</Property-->
      <Property name="BackLinksEnabled">false</Property>
      <Property name="maxFailedLoginAttempt">0</Property>
      <!--Property name="DomainName">foo.com</Property-->
    </UserStoreManager>

    <AuthorizationManager
            class="org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager">
      <Property name="AdminRoleManagementPermissions">/permission</Property>
      <Property name="AuthorizationCacheEnabled">true</Property>
    </AuthorizationManager>
  </Realm>
</UserManager>
4

3 回答 3

0

您似乎配置了多个用户存储。在这种情况下,您需要使用此属性指定一个域名:

  <!--Property name="DomainName">foo.com</Property-->

请参阅:http ://docs.wso2.org/wiki/display/IS400/Configuring+Multiple+User+Stores 。

希望这会有所帮助,伊莎贝尔。

于 2013-03-14T12:23:17.580 回答
0

这在最新的 WSO2 IS 版本中得到了解决,但仍在 Alpha 中。

于 2013-04-03T21:54:20.677 回答
0

我正在经历,我相信的,完全相同的事情。当我查看“角色”时,一切看起来都很好,我可以看到扮演该角色的用户。但是当我从用户那里去并尝试查看它分配给了哪些角色时,它说没有分配任何角色。 wso2 api manager 1.6.0 使用 ActiveDirectoryUserStoreManager 管理用户存储的问题

你是如何让你的设置工作的,它是否仍在使用 API-manager 1.6.0?

于 2014-04-10T15:06:55.107 回答