In APIM 3.0.0 the Key Manager runtime supports the following user stores by default.
The Key Manager ships with a JDBC and an LDAP user store implementation, and the configuration selects which one is used. JDBC is selected by default; change the connector type to switch to LDAP.
To change the connector type, set the following properties in deployment.yaml (connectorType is JDBC or LDAP):

    connectorType: JDBC
    jdbcProperties:
      dataSource: WSO2_UM_DB
By default the user management data source is named WSO2_UM_DB (the value of jdbcProperties.dataSource refers to this name; its JNDI name is jdbc/WSO2UM_DB), and it must be defined in the data sources section of deployment.yaml as follows.

    dataSources:
      - name: WSO2_UM_DB
        description: The datasource used for user management
        # JNDI mapping of a data source
        jndiConfig:
          # JNDI name
          # THIS IS A MANDATORY FIELD
          name: jdbc/WSO2UM_DB
          # JNDI Reference Flag
          useJndiReference: false
        # data source definition
        definition:
          # data source type
          # THIS IS A MANDATORY FIELD
          type: RDBMS
          # data source configuration
          configuration:
            jdbcUrl: 'jdbc:h2:./database/UM_DB;DB_CLOSE_ON_EXIT=FALSE;LOCK_TIMEOUT=60000'
            username: wso2carbon
            password: wso2carbon
            driverClassName: org.h2.Driver
            maxPoolSize: 50
            idleTimeout: 60000
            connectionTestQuery: SELECT 1
            validationTimeout: 30000
            isAutoCommit: false

Note that this default points at the embedded file-based H2 database with the shipped wso2carbon/wso2carbon credentials. That is suitable for development only; for any shared or production deployment point the data source at a proper RDBMS and replace the credentials.
LDAP related configuration is found under ldapProperties in deployment.yaml, as follows.

    ldapProperties:
      ldap.ConnectionName: uid=admin,ou=system
      ldap.GroupEntryObjectClass: groupOfNames
      ldap.UserNameSearchFilter: (&(objectClass=person)(uid=?))
      ldap.ConnectionURL: ldap://localhost:10389
      ldap.InitialContextFactory: com.sun.jndi.ldap.LdapCtxFactory
      ldap.connectorClass: org.wso2.carbon.auth.user.store.connector.ldap.LDAPUserStoreConnector
      ldap.GroupSearchBase: ou=Groups,dc=wso2,dc=org
      ldap.ConnectionPassword: admin
      ldap.UserNameAttribute: uid
      ldap.GroupSearchFilter: (&(objectClass=groupOfNames)(cn=?))
      ldap.UserEntryObjectClass: identityPerson
      ldap.GroupAttribute: cn
      ldap.SecurityAuthentication: simple
      ldap.UserNameListFilter: (objectClass=person)
      ldap.GroupListFilter: (objectClass=groupOfNames)
      ldap.UserSearchBase: ou=Users,dc=wso2,dc=org

The ? in the search filters is the placeholder that is replaced with the user name or group name being looked up. The defaults use a simple bind with the admin/admin credentials over a plain ldap:// connection, which sends the bind password in cleartext; outside a local test setup use an ldaps:// URL and a dedicated, least-privilege bind account with its own password.
The LDAP server must be configured with user and group nodes. In addition, new schemas must be imported into the LDAP server before it can be used with the Key Manager. These schemas can be found in the following location and can be imported into the LDAP server.
You can use the following commands to import the schemas (OpenLDAP; -Y EXTERNAL -H ldapi:// binds as the local root user over the Unix socket, so run them on the LDAP host with sufficient privileges). Import them in the numbered order:

    ldapadd -Y EXTERNAL -H ldapi:// -f 1-wso2Person.ldif
    ldapadd -Y EXTERNAL -H ldapi:// -f 2-scimPerson.ldif
    ldapadd -Y EXTERNAL -H ldapi:// -f 3-identityPerson.ldif
    ldapadd -Y EXTERNAL -H ldapi:// -f userPassInfo.ldif
You also need to create a tree node for users and one for groups in your LDAP, matching ldap.UserSearchBase and ldap.GroupSearchBase.
Ex:

    ou=Groups,dc=wso2,dc=org
    ou=Users,dc=wso2,dc=org

Alternatively, import group.ldif and users.ldif into LDAP to create them. Before importing, edit the dn records in those files to suit your LDAP tree.
A preconfigured Docker image is also available on Docker Hub under the name ruks/ldap. This is not an official WSO2 image; it carries the default credentials above and is meant for local development only.
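The two LDAP steps above (the ? placeholder in the configured search filters, and the users/groups tree the connector searches under) are illustrated by the following added example. It is not the Key Manager's LDAP connector code and not the project's users.ldif/group.ldif; the base DN dc=wso2,dc=org, the sample user, the {SSHA} password encoding and the escaping helpers are assumptions chosen for the illustration. It generates the container and user entries as LDIF under a configurable base DN, checks that an entry DN lies beneath the configured search base, and fills a filter template with RFC 4515 escaping so that a user name supplied at login cannot change the filter's structure.

```python
"""Build the LDAP tree entries and fill the '?' search-filter templates safely.

Added example; this is not the Key Manager's LDAP connector code. The base DN,
the sample user, the {SSHA} encoding and the escaping helpers are assumptions
chosen to illustrate the ldapProperties and the users/groups LDIF described above.
"""
import base64
import hashlib
import os

# Filter templates as configured in ldapProperties above; '?' is the placeholder
# that is substituted with the user name or group name being looked up.
USER_NAME_SEARCH_FILTER = "(&(objectClass=person)(uid=?))"
GROUP_SEARCH_FILTER = "(&(objectClass=groupOfNames)(cn=?))"

# RFC 4515: these characters change the meaning of a filter, so a value taken
# from a login form must be escaped as \XX before it is placed in the filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, value: str) -> str:
    """Replace the single '?' placeholder of a filter template with an escaped value."""
    if template.count("?") != 1:
        raise ValueError("template must contain exactly one '?' placeholder")
    return template.replace("?", escape_filter_value(value))


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use in a DN (RFC 4514 special characters)."""
    out = []
    for i, ch in enumerate(value):
        leading_hash = ch == "#" and i == 0
        edge_space = ch == " " and i in (0, len(value) - 1)
        out.append("\\" + ch if ch in ',+"\\<>;' or leading_hash or edge_space else ch)
    return "".join(out)


def ssha_password(password: str, salt: bytes = b"") -> str:
    """{SSHA} value (RFC 2307 style) so the LDIF never carries a cleartext password."""
    salt = salt or os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def tree_ldif(base_dn: str) -> str:
    """LDIF for the ou=Users and ou=Groups containers the connector searches under."""
    return "\n".join(
        f"dn: ou={ou},{base_dn}\nobjectClass: organizationalUnit\nobjectClass: top\nou: {ou}\n"
        for ou in ("Users", "Groups")
    )


def user_ldif(base_dn: str, uid: str, given_name: str, sn: str, password: str, salt: bytes = b"") -> str:
    """LDIF for one user with the identityPerson object class from the imported schema.

    Assumption: identityPerson is a structural class built on inetOrgPerson, and all
    values are plain ASCII (other values need LDIF base64 '::' encoding).
    """
    return (
        f"dn: uid={escape_dn_value(uid)},ou=Users,{base_dn}\n"
        "objectClass: identityPerson\n"
        "objectClass: inetOrgPerson\n"
        "objectClass: top\n"
        f"uid: {uid}\n"
        f"givenName: {given_name}\n"
        f"sn: {sn}\n"
        f"cn: {given_name} {sn}\n"
        f"userPassword: {ssha_password(password, salt)}\n"
    )


def dn_under_base(dn: str, search_base: str) -> bool:
    """True when dn lies beneath search_base (ldap.UserSearchBase / ldap.GroupSearchBase)."""
    def norm(s: str) -> str:
        return s.lower().replace(", ", ",")
    return norm(dn).endswith("," + norm(search_base))


if __name__ == "__main__":
    base = "dc=wso2,dc=org"
    print(tree_ldif(base))
    print(user_ldif(base, "alice", "Alice", "Example", "correct horse"))
    print(render_filter(USER_NAME_SEARCH_FILTER, "alice"))
    # A crafted user name cannot widen the search: the metacharacters are escaped.
    print(render_filter(USER_NAME_SEARCH_FILTER, "*)(uid=*"))
```

Feed the generated LDIF to ldapadd with the same bind options as the schema import; if your tree uses a different suffix, pass that suffix as base_dn and set ldap.UserSearchBase and ldap.GroupSearchBase to match.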
The full set of configuration parameters looks like the following. You can override them and include them in the deployment.yaml of the appropriate runtime to configure the Key Manager components.

    wso2.carbon.auth:
      # User Store Configurations
      userStoreConfiguration:
        attributes:
          - attribute: userName
            displayName: Username
            regex: .*
            required: true
            unique: true
          - attribute: givenName
            displayName: First Name
            regex: .*
            required: false
            unique: false
          - attribute: lastName
            displayName: Last Name
            regex: .*
            required: false
            unique: false
          - attribute: email
            displayName: Email
            regex: .*
            required: false
            unique: false
          - attribute: phoneNumber
            displayName: Phone Number
            regex: .*
            required: false
            unique: false
          - attribute: address
            displayName: Address
            regex: .*
            required: false
            unique: false
          - attribute: organization
            displayName: Organization
            regex: .*
            required: false
            unique: false
        connectorType: JDBC
        hashAlgo: SHA256
        iterationCount: 4096
        jdbcProperties:
          dataSource: WSO2_UM_DB
        keyLength: 256
        ldapProperties:
          ldap.ConnectionName: uid=admin,ou=system
          ldap.GroupEntryObjectClass: groupOfNames
          ldap.UserNameSearchFilter: (&(objectClass=person)(uid=?))
          ldap.ConnectionURL: ldap://localhost:10389
          ldap.InitialContextFactory: com.sun.jndi.ldap.LdapCtxFactory
          ldap.connectorClass: org.wso2.carbon.auth.user.store.connector.ldap.LDAPUserStoreConnector
          ldap.GroupSearchBase: ou=Groups,dc=wso2,dc=org
          ldap.ConnectionPassword: admin
          ldap.UserNameAttribute: uid
          ldap.GroupSearchFilter: (&(objectClass=groupOfNames)(cn=?))
          ldap.UserEntryObjectClass: identityPerson
          ldap.GroupAttribute: cn
          ldap.SecurityAuthentication: simple
          ldap.UserNameListFilter: (objectClass=person)
          ldap.GroupListFilter: (objectClass=groupOfNames)
          ldap.UserSearchBase: ou=Users,dc=wso2,dc=org
        readOnly: false
        superUser: admin
        superUserPass: admin
      # Key Management Configurations
      keyManagerConfigs:
        # Access token default validity period
        defaultTokenValidityPeriod: 3600

A few of these deserve attention before deployment: superUser/superUserPass default to admin/admin and must be changed; hashAlgo, iterationCount and keyLength are the parameters of the password hash used by the JDBC user store, so changing them after users exist affects how stored passwords are verified; the regex of each attribute is the validation pattern applied to its values, and the default .* accepts anything; and defaultTokenValidityPeriod is the default access token lifetime in seconds (3600 is one hour).
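To catch the points above (the JDBC dataSource reference must name a defined data source, shipped default credentials, the embedded H2 database, and a cleartext simple bind when the connector is switched to LDAP) before the file is deployed, here is an added example of a small audit script. It is not part of APIM; it takes the configuration as the Python dict that a YAML loader would produce for the fragments above, embedded here as constructed sample input so the script runs without extra dependencies, and which settings count as findings is this example's own choice.

```python
"""Audit the user store configuration above before it goes into deployment.yaml.

Added example, not part of APIM. The configuration is given as the dict a YAML
loader would produce for the fragments above (constructed sample input); which
settings are flagged is this example's own choice.
"""
from copy import deepcopy

# Credentials that ship in the default configuration and must be replaced.
SHIPPED_DEFAULT_SECRETS = {"admin", "wso2carbon"}

# Transcription of the deployment.yaml fragments above (constructed sample input).
SAMPLE_CONFIG = {
    "wso2.carbon.auth": {
        "userStoreConfiguration": {
            "connectorType": "JDBC",
            "hashAlgo": "SHA256",
            "iterationCount": 4096,
            "keyLength": 256,
            "jdbcProperties": {"dataSource": "WSO2_UM_DB"},
            "ldapProperties": {
                "ldap.ConnectionName": "uid=admin,ou=system",
                "ldap.ConnectionPassword": "admin",
                "ldap.ConnectionURL": "ldap://localhost:10389",
                "ldap.SecurityAuthentication": "simple",
                "ldap.UserSearchBase": "ou=Users,dc=wso2,dc=org",
                "ldap.GroupSearchBase": "ou=Groups,dc=wso2,dc=org",
            },
            "readOnly": False,
            "superUser": "admin",
            "superUserPass": "admin",
        }
    },
    "wso2.datasources": {
        "dataSources": [
            {
                "name": "WSO2_UM_DB",
                "jndiConfig": {"name": "jdbc/WSO2UM_DB", "useJndiReference": False},
                "definition": {
                    "type": "RDBMS",
                    "configuration": {
                        "jdbcUrl": "jdbc:h2:./database/UM_DB;DB_CLOSE_ON_EXIT=FALSE;LOCK_TIMEOUT=60000",
                        "username": "wso2carbon",
                        "password": "wso2carbon",
                    },
                },
            }
        ]
    },
}


def audit_user_store(config: dict) -> list[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    store = config["wso2.carbon.auth"]["userStoreConfiguration"]
    connector = store.get("connectorType")

    if connector == "JDBC":
        ds_name = store.get("jdbcProperties", {}).get("dataSource")
        sources = {d["name"]: d for d in config.get("wso2.datasources", {}).get("dataSources", [])}
        if ds_name not in sources:
            # jdbcProperties.dataSource must match the `name` of a defined data source.
            findings.append(f"JDBC: dataSource '{ds_name}' is not defined under wso2.datasources")
        else:
            conf = sources[ds_name]["definition"]["configuration"]
            if conf.get("password") in SHIPPED_DEFAULT_SECRETS:
                findings.append(f"JDBC: data source '{ds_name}' still uses the shipped default password")
            if conf.get("jdbcUrl", "").startswith("jdbc:h2:"):
                findings.append(f"JDBC: data source '{ds_name}' is the embedded H2 file database")
    elif connector == "LDAP":
        ldap = store.get("ldapProperties", {})
        url = ldap.get("ldap.ConnectionURL", "")
        if url.startswith("ldap://") and ldap.get("ldap.SecurityAuthentication") == "simple":
            findings.append("LDAP: simple bind over plain ldap:// sends the bind password in cleartext")
        if ldap.get("ldap.ConnectionPassword") in SHIPPED_DEFAULT_SECRETS:
            findings.append("LDAP: ldap.ConnectionPassword still uses the shipped default")
        for key in ("ldap.UserSearchBase", "ldap.GroupSearchBase"):
            if not ldap.get(key):
                findings.append(f"LDAP: {key} is not set")
    else:
        findings.append(f"connectorType '{connector}' is neither JDBC nor LDAP")

    if store.get("superUserPass") in SHIPPED_DEFAULT_SECRETS:
        findings.append("superUserPass still uses the shipped default")
    return findings


def with_connector(config: dict, connector_type: str) -> dict:
    """Copy of config with connectorType switched, as done to move from JDBC to LDAP."""
    updated = deepcopy(config)
    updated["wso2.carbon.auth"]["userStoreConfiguration"]["connectorType"] = connector_type
    return updated


if __name__ == "__main__":
    for label, cfg in (("JDBC", SAMPLE_CONFIG), ("LDAP", with_connector(SAMPLE_CONFIG, "LDAP"))):
        print(label)
        for finding in audit_user_store(cfg):
            print("  -", finding)
```

Against the shipped defaults the script reports three findings for each connector type; it returns an empty list once the data source or LDAP bind credentials, superUserPass and (for LDAP) the connection URL have been changed.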