WSO2 身份服务器和 Active Directory 集成

Question

所以我玩 WSO2 身份服务器已经有一段时间了，我不得不说它对我的伤害大于它的帮助。无论如何，我对如何与 Active Directory 集成有疑问。我已经到了可以在 WSO2 IS 中看到我所有 AD 的用户和组的地步。但是，我遇到了以下情况：

• 我无法使用任何 AD 凭据登录 WSO2 IS。
• 我无法在 WSO2 中为 AD 用户配置域 (foo.com\)。
• 当我使用管理员登录 WSO2 时，我看到所有 AD 用户，但他们没有任何角色（组）。不知何故，当 WSO2 从 AD 读取这些用户时，它不会读取用户所属的 AD 组。

我漫长而无聊的 WSO2 IS 配置：

<UserManager>
  <Realm>
    <Configuration>
      <AdminRole>admin</AdminRole>
      <AdminUser>
        <UserName>admin</UserName>
        <Password>admin</Password>
      </AdminUser>
      <EveryOneRoleName>everyone</EveryOneRoleName>
      <!-- By default users in this role sees the registry root -->
      <Property name="dataSource">jdbc/WSO2CarbonDB</Property>
      <Property name="MultiTenantRealmConfigBuilder">org.wso2.carbon.user.core.config.multitenancy.CommonLDAPRealmConfigBuilder</Property>
    </Configuration>

    <UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager">
      <Property name="defaultRealmName">WSO2.ORG</Property>
      <Property name="kdcEnabled">false</Property>
      <Property name="ConnectionURL">ldap://localhost:${Ports.EmbeddedLDAP.LDAPServerPort}</Property>
      <Property name="ConnectionName">uid=admin,ou=system</Property>
      <Property name="ConnectionPassword">admin</Property>
      <Property name="passwordHashMethod">SHA</Property>
      <Property name="UserNameListFilter">(objectClass=person)</Property>
      <Property name="UserEntryObjectClass">identityPerson</Property>
      <Property name="UserSearchBase">ou=Users,dc=wso2,dc=org</Property>
      <Property name="UserNameSearchFilter">(&amp;(objectClass=person)(uid=?))</Property>
      <Property name="UserNameAttribute">uid</Property>
      <Property name="PasswordJavaScriptRegEx">^[\\S]{5,30}$</Property>
      <Property name="ServicePasswordJavaRegEx">^[\\S]{5,30}$</Property>
      <Property name="ServiceNameJavaRegEx">^[\\S]{2,30}/[\\S]{2,30}$</Property>
      <Property name="UsernameJavaScriptRegEx">^[\\S]{3,30}$</Property>
      <Property name="UsernameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
      <Property name="RolenameJavaScriptRegEx">^[\\S]{3,30}$</Property>
      <Property name="RolenameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
      <Property name="ReadLDAPGroups">true</Property>
      <Property name="WriteLDAPGroups">true</Property>
      <Property name="EmptyRolesAllowed">true</Property>
      <Property name="GroupSearchBase">ou=Groups,dc=wso2,dc=org</Property>
      <Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property>
      <Property name="GroupEntryObjectClass">groupOfNames</Property>
      <Property name="GroupNameSearchFilter">(&amp;(objectClass=groupOfNames)(cn=?))</Property>
      <Property name="GroupNameAttribute">cn</Property>
      <Property name="MembershipAttribute">member</Property>
      <Property name="UserRolesCacheEnabled">true</Property>
      <Property name="UserDNPattern">uid={0},ou=Users,dc=wso2,dc=org</Property>
      <Property name="SCIMEnabled">true</Property>
      <Property name="maxFailedLoginAttempt">0</Property>
    </UserStoreManager>

    <UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager">
      <Property name="ReadOnly">true</Property>
      <Property name="MaxUserNameListLength">100</Property>
      <Property name="ConnectionURL">ldap://10.10.10.72:389</Property>
      <Property name="ConnectionName">CN=Firstname Lastname,OU=Users,OU=New York,OU=Offices,DC=foo,DC=bar,DC=com</Property>
      <Property name="ConnectionPassword">Password1*</Property>
      <Property name="passwordHashMethod">SHA</Property>
      <Property name="UserSearchBase">ou=Users,dc=wso2,dc=org</Property>
      <Property name="UserNameListFilter">(objectClass=person)</Property>
      <Property name="UserNameAttribute">sAMAccountName</Property>
      <Property name="ReadLDAPGroups">false</Property>
      <Property name="GroupSearchBase">ou=Groups,dc=wso2,dc=org</Property>
      <Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property>
      <Property name="GroupNameAttribute">cn</Property>
      <Property name="MembershipAttribute">member</Property>
      <Property name="UserRolesCacheEnabled">true</Property>
      <Property name="ReplaceEscapeCharactersAtUserLogin">true</Property>
      <Property name="maxFailedLoginAttempt">0</Property>
      <!--Property name="DomainName">foo.com</Property-->
    </UserStoreManager>

    <UserStoreManager class="org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager">
      <Property name="defaultRealmName">NYSTSTest</Property>
      <Property name="kdcEnabled">false</Property>
      <Property name="ConnectionURL">ldap://10.10.10.72:389</Property>
      <Property name="ConnectionName">CN=Firstname Lastname,OU=Users,OU=New York,OU=Offices,DC=foo,DC=bar,DC=com</Property>
      <Property name="ConnectionPassword">Password1*</Property>
      <Property name="passwordHashMethod">PLAIN_TEXT</Property>
      <Property name="UserSearchBase">OU=Users,OU=New York,OU=Offices,DC=foo,DC=bar,DC=com</Property>
      <Property name="UserEntryObjectClass">person</Property>
      <Property name="UserNameAttribute">sAMAccountName</Property>
      <Property name="isADLDSRole">false</Property>
      <Property name="userAccountControl">512</Property>
      <Property name="UserNameListFilter">(objectClass=person)</Property>
      <Property name="UserNameSearchFilter">(&amp;(objectClass=user)(cn=?))</Property>
      <Property name="UsernameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
      <Property name="UsernameJavaScriptRegEx">^[\\S]{3,30}$</Property>
      <Property name="PasswordJavaScriptRegEx">^[\\S]{5,30}$</Property>
      <Property name="RolenameJavaScriptRegEx">^[\\S]{3,30}$</Property>
      <Property name="RolenameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
      <Property name="ReadLDAPGroups">true</Property>
      <Property name="WriteLDAPGroups">false</Property>
      <Property name="EmptyRolesAllowed">true</Property>
      <Property name="GroupSearchBase">OU=Groups,OU=New York,OU=Offices,DC=foo,DC=bar,DC=com</Property>
      <Property name="GroupEntryObjectClass">group</Property>
      <Property name="GroupNameAttribute">sAMAccountName</Property>
      <Property name="MembershipAttribute">member</Property>
      <Property name="GroupNameListFilter">(objectCategory=group)</Property>
      <Property name="GroupNameSearchFilter">(&amp;(objectClass=group)(cn=?))</Property>
      <Property name="UserRolesCacheEnabled">true</Property>
      <!--Property name="Referral">follow</Property-->
      <Property name="BackLinksEnabled">false</Property>
      <Property name="maxFailedLoginAttempt">0</Property>
      <!--Property name="DomainName">foo.com</Property-->
    </UserStoreManager>

    <AuthorizationManager
            class="org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager">
      <Property name="AdminRoleManagementPermissions">/permission</Property>
      <Property name="AuthorizationCacheEnabled">true</Property>
    </AuthorizationManager>
  </Realm>
</UserManager>

Answer 1

您似乎配置了多个用户存储。在这种情况下，您需要指定一个域名，使用此属性：

  <!--Property name="DomainName">foo.com</Property-->

请参阅：http://docs.wso2.org/wiki/display/IS400/Configuring+Multiple+User+Stores。

希望这会有所帮助， 伊莎贝尔。

Answer 2

这已在最新的 WSO2 IS 版本中得到解决，但仍处于 Alpha 阶段。

Answer 3

我正在经历，我所相信的，完全相同的事情。当我查看“角色”时，一切看起来都很好，我可以看到扮演该角色的用户。但是当我从用户那里去并尝试查看它分配给了哪些角色时，它说没有分配任何角色。 wso2 api manager 1.6.0 problems with User store management using ActiveDirectoryUserStoreManager

你是如何让你的设置工作的，它是否仍在使用 API-manager 1.6.0？