WSO2 (IdM) cannot add user in Active Directory as primary user store

Problem description

Environment:

  • wso2 5.3.0 installed on
  • Windows 7 sp1
  • jdk_1.8.0_151 with external primary user store on
  • AD (Windows server 2016 Active Directory)

Actions:

  • wso2 starts normally
  • the wsoadmin user is available in AD
  • wso2 binds to AD via ldaps
  • logging in to the wso2 management menu as admin from the win 7 client is ok
  • all existing AD users are shown in the wso2 user list view (only users with an email address)

If I want to add a new user "wsotest" an error is thrown:

ERROR {org.wso2.carbon.user.mgt.ui.UserAdminClient} -  
Error while adding the user to the Active Directory for user : 
wsotest
[...]
Caused by: javax.naming.directory.NoSuchAttributeException: 
[LDAP: error code 16 - 00000057: LdapErr: DSID-0C091027, comment: 
Error in attribute conversion operation, data 0, v3839 ]; 
remaining name 'cn=wsotest'

user-mgt.xml:

<UserManager>
    <Realm>
        <Configuration>
            <AddAdmin>False</AddAdmin>
            <AdminRole>admin</AdminRole>
            <AdminUser>
                <UserName>wsoadmin</UserName><!-- already be available in user store, here: AD -->
                <Password>admin</Password><!-- keep default; real pw is already set in AD -->
            </AdminUser>
            <EveryOneRoleName>everyone</EveryOneRoleName>
            <Property name="isCascadeDeleteEnabled">true</Property>
            <Property name="initializeNewClaimManager">true</Property>
            <Property name="dataSource">jdbc/WSO2CarbonDB</Property>
        </Configuration>

        <UserStoreManager class="org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager">
            <Property name="TenantManager">org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager</Property>
            <Property name="defaultRealmName">wso.ad.org</Property>
            <Property name="Disabled">false</Property>
            <Property name="kdcEnabled">true</Property>
            <Property name="ConnectionURL">ldaps://dc.wso.ad.org:636</Property> 
            <Property name="ConnectionName">CN=wsoadmin,OU=AllUsers,DC=wso,DC=ad,DC=org</Property>
            <Property name="ConnectionPassword">*******</Property>
            <Property name="PasswordHashMethod">PLAIN_TEXT</Property>
            <Property name="AnonymousBind">false</Property>
            <Property name="UserSearchBase">OU=AllUsers,DC=wso,DC=ad,DC=org</Property>
            <Property name="UserEntryObjectClass">user</Property>
            <Property name="UserNameAttribute">sAMAccountName</Property>
            <Property name="UserNameSearchFilter">(&amp;(objectClass=user)(sAMAccountName=?))</Property>
            <Property name="UserNameListFilter">(&amp;(objectClass=user)(sAMAccountName=*))</Property>
            <!-- -->
            <Property name="ReadGroups">true</Property>
            <Property name="WriteGroups">false</Property>
            <Property name="GroupSearchBase">CN=Users,DC=wso,DC=ad,DC=org</Property>
            <Property name="GroupEntryObjectClass">group</Property>
            <Property name="GroupNameAttribute">cn</Property>
            <Property name="GroupNameSearchFilter">(&amp;(objectClass=group)(cn=?))</Property>
            <Property name="GroupNameListFilter">(objectcategory=group)</Property>
            <Property name="MembershipAttribute">member</Property>
            <Property name="MemberOfAttribute">memberOf</Property>
            <Property name="BackLinksEnabled">true</Property>
            <Property name="Referral">follow</Property>
            <Property name="UsernameJavaRegEx">[a-zA-Z0-9._\-|//]{3,30}$</Property>
            <Property name="UsernameJavaScriptRegEx">^[\S]{3,30}$</Property>
            <!-- -->
            <Property name="UsernameJavaRegExViolationErrorMsg">Username pattern policy violated</Property>
            <Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property>
            <Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property>
            <Property name="PasswordJavaRegExViolationErrorMsg">Password length should be within 5 to 30 characters</Property>
            <Property name="RolenameJavaRegEx">[a-zA-Z0-9._\-|//]{3,30}$</Property>
            <Property name="RolenameJavaScriptRegEx">^[\S]{3,30}$</Property>
            <Property name="SCIMEnabled">false</Property>
            <Property name="IsBulkImportSupported">false</Property>
            <Property name="EmptyRolesAllowed">true</Property>            
            <Property name="MultiAttributeSeparator">,</Property>
            <Property name="isADLDSRole">false</Property>
            <Property name="userAccountControl">512</Property>
            <Property name="MaxUserNameListLength">100</Property>     
            <Property name="MaxRoleNameListLength">100</Property>                     
            <Property name="UserRolesCacheEnabled">false</Property><!-- default true -->
            <Property name="ConnectionPoolingEnabled">false</Property>
            <Property name="LDAPConnectionTimeout">5000</Property>
            <Property name="ReadTimeout"/>
            <Property name="RetryAttempts"/>
        </UserStoreManager>

        <AuthorizationManager class="org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager">
            <Property name="AdminRoleManagementPermissions">/permission</Property>
            <Property name="AuthorizationCacheEnabled">true</Property>
            <Property name="GetAllRolesOfUserEnabled">false</Property>
        </AuthorizationManager>     

    </Realm>
</UserManager>

embedded-ldap.xml

<EmbeddedLDAP>
<Property name="enable">false</Property>

Any suggestions?

Recommended answer

Found the solution:

add this property to the UserStoreManager within user-mgt.xml

<Property name="UserDNPattern">cn={0},ou=AllUsers,dc=wso,dc=ad,dc=com</Property>

thus the CN will be properly constructed. Obviously you have to adapt the structure and content of this DN string according to your AD LDAP.

Took me quite some time to find this, for WSO2's manual is a bit misleading re UserDNPattern:

The pattern for user's DN. It can be defined to improve the LDAP search. When there are many user entries in the LDAP, defining a "UserDNPattern" provides more impact on performances as the LDAP does not have to travel through the entire tree to find users.

Sounds like an option, but seems to be necessary.
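The answer above hinges on UserDNPattern producing a DN that lives under the configured UserSearchBase and on the login name being substituted into the pattern safely. The following added example (not part of the original post or of WSO2's own code) reads the two properties from a trimmed, constructed user-mgt.xml, builds the user DN from the pattern with RFC 4514 escaping of the user name, and reports configuration findings a practitioner would want to see before restarting the server: a missing pattern, a pattern without the {0} placeholder, a pattern whose suffix does not match UserSearchBase, and a pattern whose RDN attribute differs from UserNameAttribute. The property names are the ones shown in the question; the XML content, the check levels and the helper names are assumptions made for this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed user-mgt.xml carrying only the properties the check needs.
SAMPLE_USER_MGT_XML = """<UserManager>
  <Realm>
    <UserStoreManager class="org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager">
      <Property name="UserSearchBase">OU=AllUsers,DC=wso,DC=ad,DC=org</Property>
      <Property name="UserNameAttribute">sAMAccountName</Property>
      <Property name="UserDNPattern">cn={0},ou=AllUsers,dc=wso,dc=ad,dc=org</Property>
    </UserStoreManager>
  </Realm>
</UserManager>"""


def load_user_store_properties(xml_text):
    """Return the <Property name=...> values of the first UserStoreManager as a dict."""
    root = ET.fromstring(xml_text)
    usm = root.find("./Realm/UserStoreManager")
    if usm is None:
        raise ValueError("no Realm/UserStoreManager element found")
    return {p.get("name"): (p.text or "").strip() for p in usm.findall("Property")}


# RFC 4514 section 2.4: characters that must be escaped inside an attribute value.
_DN_SPECIAL = {",", "+", '"', "\\", "<", ">", ";", "="}


def escape_dn_value(value):
    """Escape a user-supplied value so it is one RDN value and cannot add or alter RDNs."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def split_dn(dn):
    """Split a DN string on unescaped commas into its RDN strings."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn)]


def normalize_dn(dn):
    """Lower-case attribute types and values and drop whitespace, for a comparison."""
    rdns = []
    for rdn in split_dn(dn):
        attr, _, val = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}={val.strip().lower()}")
    return ",".join(rdns)


def build_user_dn(props, username):
    """Substitute the (escaped) login name into UserDNPattern, as the pattern's {0} implies."""
    pattern = props.get("UserDNPattern", "")
    if "{0}" not in pattern:
        raise ValueError("UserDNPattern is missing or has no {0} placeholder")
    return pattern.replace("{0}", escape_dn_value(username))


def check_user_dn_pattern(props):
    """Return a list of (level, message) findings about UserDNPattern; empty means consistent."""
    findings = []
    pattern = props.get("UserDNPattern", "")
    base = props.get("UserSearchBase", "")
    if not pattern:
        findings.append(("error", "UserDNPattern is not set"))
        return findings
    if "{0}" not in pattern:
        findings.append(("error", "UserDNPattern has no {0} placeholder for the user name"))
    rdns = split_dn(pattern)
    suffix = ",".join(rdns[1:])
    if normalize_dn(suffix) != normalize_dn(base):
        findings.append(("error", f"UserDNPattern suffix '{suffix}' differs from UserSearchBase '{base}'"))
    rdn_attr = rdns[0].partition("=")[0].strip().lower()
    uname_attr = props.get("UserNameAttribute", "").lower()
    if uname_attr and rdn_attr != uname_attr:
        # Informational: with this pattern the entry's RDN value must equal the login name.
        findings.append(("note", f"pattern RDN uses '{rdn_attr}' while UserNameAttribute is "
                                 f"'{uname_attr}'; each entry's {rdn_attr} must equal its login name"))
    return findings


if __name__ == "__main__":
    props = load_user_store_properties(SAMPLE_USER_MGT_XML)
    print(build_user_dn(props, "wsotest"))
    for level, msg in check_user_dn_pattern(props):
        print(f"[{level}] {msg}")
```

Run it against your own user-mgt.xml by passing the file contents to load_user_store_properties. A suffix mismatch (for instance dc=org in UserSearchBase against dc=com in the pattern) is reported as an error, while the cn-versus-sAMAccountName difference is only a note, because it is the normal AD layout as long as every user's CN equals the login name.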
