Monday, September 9, 2013

When WSO2 ESB does not read groups from external LDAP

Once I had configured an external LDAP (in my case Apache DS) for use by both WSO2 Identity Server and WSO2 ESB, I came across a situation where WSO2 ESB did not show any of the user roles that had been created through Identity Server, nor did Identity Server show any roles created in ESB.


After going through a lot of configuration I found it was due to this one small line, so I thought I would blog about it for the future use of others.



Within the <UserStoreManager> tags in your external LDAP configuration (in the file {wso2-esb-root}/repository/conf/user-mgt.xml), just add the following line.



<Property name="ReadLDAPGroups">true</Property>



Wednesday, September 4, 2013

Configure WSO2 Identity server to use Apache DS LDAP

1. Configure an LDAP server in Apache DS.


To configure Apache DS, first download the latest version of Apache Directory Studio from here.


Then run the installer (for Windows users) and start Apache Directory Studio.


Then go to "Window -> Show View -> Other" and select "LDAP Servers".



In the Servers view click "New Server" and create a new server instance. Start the server by right-clicking the server instance and clicking "Start".



Then go to the Connections tab next to the LDAP Servers tab and create a new connection.



This will open the "New LDAP Connection" wizard.



Enter the connection details and click Next. (In my example the server runs on localhost, port 10389.)


In the next window you will be asked for the authentication parameters.



Enter the parameters for simple authentication. In the Bind DN or user field, enter the DN of the administrator's account on the directory server (for the default instance of the Apache directory server, this is uid=admin,ou=system). In the Bind password field, enter the administrator's password (for the default instance of the Apache directory server, the administrator's password is secret). Click Finish.


If the connection is successfully established, you should see an outline of the Directory Information Tree (DIT) in the LDAP Browser view. In the LDAP Browser view, drill down to the ou=users node, as shown.




Right-click the ou=users node and select New Entry. The New Entry wizard appears. Leave the Entry Creation Method at its default and click Next. In the Object Classes pane, select inetOrgPerson from the list of Available object classes on the left and click Add to move it to the list of Selected object classes. Click Next.



In the Distinguished Name pane, complete the RDN field so that it reads uid=jdoe (uid in front, jdoe after the equals sign). Click Next.



Fill in the remaining mandatory attributes in the Attributes pane. Set the cn (common name) attribute to John Doe and the sn (surname) attribute to Doe. Click Finish.



Next, add a userPassword attribute to the user entry. In the LDAP Browser view you should now see a new node, uid=jdoe. Select it, then right-click in the Entry Editor view and select New Attribute. The New Attribute wizard appears. From the Attribute type drop-down list select userPassword and click Finish. The Password Editor dialog appears. In the Enter New Password field enter the password, secret, and click OK.


2. Point WSO2 Identity Server to the newly created external LDAP.


Go to the Identity Server root folder and browse into "wso2esb-{version}\repository\conf". Open "user-mgt.xml" in an editor.


Un-comment the commented-out section about external LDAP.




Change the connection password as in the following line (since the default password we entered earlier is "secret", we enter that here).


<Property name="ConnectionPassword">secret</Property>


Run Identity Server and create a new user via sign-up.


If all goes correctly you should be able to add new users from Identity Server and see the newly added users in Apache DS.
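As an added example (not code from either post or from WSO2), here is a Python check of the <UserStoreManager> section of user-mgt.xml that covers the two settings these posts touch: it flags a missing ReadLDAPGroups property (the cause of the missing roles in the September 9 post) and a ConnectionPassword still set to the Apache DS default admin password, and it can add the ReadLDAPGroups property for you. The sample XML is constructed, and the ldaps:// check is my own addition, not something the posts mention.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the <UserStoreManager> section of user-mgt.xml (not taken from a
# real install). Property names are the ones the posts show plus ConnectionURL/ConnectionName.
SAMPLE_USER_MGT = """<UserManager>
  <Realm>
    <UserStoreManager>
      <Property name="ConnectionURL">ldap://localhost:10389</Property>
      <Property name="ConnectionName">uid=admin,ou=system</Property>
      <Property name="ConnectionPassword">secret</Property>
      <Property name="UserSearchBase">ou=users,ou=system</Property>
    </UserStoreManager>
  </Realm>
</UserManager>"""

APACHE_DS_DEFAULT_ADMIN_PASSWORD = "secret"  # default admin password, as noted in the post

def user_store_properties(xml_text):
    """Return {name: value} for the <Property> children of the first <UserStoreManager>."""
    usm = ET.fromstring(xml_text).find(".//UserStoreManager")
    if usm is None:
        raise ValueError("no <UserStoreManager> element found")
    return {p.get("name"): (p.text or "").strip() for p in usm.findall("Property")}

def check_user_store(xml_text):
    """Findings to raise before two products share one external LDAP through this config."""
    props = user_store_properties(xml_text)
    findings = []
    if props.get("ReadLDAPGroups", "").lower() != "true":
        findings.append("ReadLDAPGroups is missing or not 'true': roles created by the "
                        "other product in the shared LDAP will not be read")
    if props.get("ConnectionPassword") == APACHE_DS_DEFAULT_ADMIN_PASSWORD:
        findings.append("ConnectionPassword is the Apache DS default admin password")
    if not props.get("ConnectionURL", "").lower().startswith("ldaps://"):
        findings.append("ConnectionURL is plain ldap://: the simple bind sends the password "
                        "unencrypted unless StartTLS is used")
    return findings

def enable_read_ldap_groups(xml_text):
    """Return the XML with <Property name="ReadLDAPGroups">true</Property> set, as the post advises."""
    root = ET.fromstring(xml_text)
    usm = root.find(".//UserStoreManager")
    existing = [p for p in usm.findall("Property") if p.get("name") == "ReadLDAPGroups"]
    if existing:
        existing[0].text = "true"
    else:
        ET.SubElement(usm, "Property", name="ReadLDAPGroups").text = "true"
    return ET.tostring(root, encoding="unicode")
```

Run check_user_store on the real file's contents after un-commenting the external LDAP section; an empty list means all three checks pass.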