WSO2 (IdM) cannot add user in Active Directory as primary user store


Problem description

Environment:

  • wso2 5.3.0 installed on Windows 7 SP1, jdk_1.8.0_151
  • external primary user store on AD (Windows Server 2016 Active Directory)

Actions:

  • wso2 starts normally
  • the user wsoadmin is available in AD
  • wso2 binds to AD via ldaps
  • logged in as admin to the wso2 management menu on the Win 7 client
  • all existing AD users are shown in the wso2 user list view (only those with an e-mail address)

If I want to add a new user "wsotest" an error is thrown:

ERROR {org.wso2.carbon.user.mgt.ui.UserAdminClient} -  
Error while adding the user to the Active Directory for user : 
wsotest
[...]
Caused by: javax.naming.directory.NoSuchAttributeException: 
[LDAP: error code 16 - 00000057: LdapErr: DSID-0C091027, comment: 
Error in attribute conversion operation, data 0, v3839 ]; 
remaining name 'cn=wsotest'

user-mgt.xml:

<UserManager>
    <Realm>
        <Configuration>
            <AddAdmin>False</AddAdmin>
            <AdminRole>admin</AdminRole>
            <AdminUser>
                <UserName>wsoadmin</UserName><!-- already be available in user store, here: AD -->
                <Password>admin</Password><!-- keep default; real pw is already set in AD -->
            </AdminUser>
            <EveryOneRoleName>everyone</EveryOneRoleName>
            <Property name="isCascadeDeleteEnabled">true</Property>
            <Property name="initializeNewClaimManager">true</Property>
            <Property name="dataSource">jdbc/WSO2CarbonDB</Property>
        </Configuration>

        <UserStoreManager class="org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager">
            <Property name="TenantManager">org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager</Property>
            <Property name="defaultRealmName">wso.ad.org</Property>
            <Property name="Disabled">false</Property>
            <Property name="kdcEnabled">true</Property>
            <Property name="ConnectionURL">ldaps://dc.wso.ad.org:636</Property> 
            <Property name="ConnectionName">CN=wsoadmin,OU=AllUsers,DC=wso,DC=ad,DC=org</Property>
            <Property name="ConnectionPassword">*******</Property>
            <Property name="PasswordHashMethod">PLAIN_TEXT</Property>
            <Property name="AnonymousBind">false</Property>
            <Property name="UserSearchBase">OU=AllUsers,DC=wso,DC=ad,DC=org</Property>
            <Property name="UserEntryObjectClass">user</Property>
            <Property name="UserNameAttribute">sAMAccountName</Property>
            <Property name="UserNameSearchFilter">(&amp;(objectClass=user)(sAMAccountName=?))</Property>
            <Property name="UserNameListFilter">(&amp;(objectClass=user)(sAMAccountName=*))</Property>
            <!-- -->
            <Property name="ReadGroups">true</Property>
            <Property name="WriteGroups">false</Property>
            <Property name="GroupSearchBase">CN=Users,DC=wso,DC=ad,DC=org</Property>
            <Property name="GroupEntryObjectClass">group</Property>
            <Property name="GroupNameAttribute">cn</Property>
            <Property name="GroupNameSearchFilter">(&amp;(objectClass=group)(cn=?))</Property>
            <Property name="GroupNameListFilter">(objectcategory=group)</Property>
            <Property name="MembershipAttribute">member</Property>
            <Property name="MemberOfAttribute">memberOf</Property>
            <Property name="BackLinksEnabled">true</Property>
            <Property name="Referral">follow</Property>
            <Property name="UsernameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
            <Property name="UsernameJavaScriptRegEx">^[\S]{3,30}$</Property>
            <!-- -->
            <Property name="UsernameJavaRegExViolationErrorMsg">Username pattern policy violated</Property>
            <Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property>
            <Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property>
            <Property name="PasswordJavaRegExViolationErrorMsg">Password length should be within 5 to 30 characters</Property>
            <Property name="RolenameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
            <Property name="RolenameJavaScriptRegEx">^[\S]{3,30}$</Property>
            <Property name="SCIMEnabled">false</Property>
            <Property name="IsBulkImportSupported">false</Property>
            <Property name="EmptyRolesAllowed">true</Property>            
            <Property name="MultiAttributeSeparator">,</Property>
            <Property name="isADLDSRole">false</Property>
            <Property name="userAccountControl">512</Property>
            <Property name="MaxUserNameListLength">100</Property>     
            <Property name="MaxRoleNameListLength">100</Property>                     
            <Property name="UserRolesCacheEnabled">false</Property><!-- default true -->
            <Property name="ConnectionPoolingEnabled">false</Property>
            <Property name="LDAPConnectionTimeout">5000</Property>
            <Property name="ReadTimeout"/>
            <Property name="RetryAttempts"/>
        </UserStoreManager>

        <AuthorizationManager class="org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager">
            <Property name="AdminRoleManagementPermissions">/permission</Property>
            <Property name="AuthorizationCacheEnabled">true</Property>
            <Property name="GetAllRolesOfUserEnabled">false</Property>
        </AuthorizationManager>     

    </Realm>
</UserManager>

embedded-ldap.xml

<EmbeddedLDAP>
<Property name="enable">false</Property>

Any suggestions?

Recommended answer

Found the solution:

Add this property to the UserStoreManager within user-mgt.xml:

<Property name="UserDNPattern">cn={0},ou=AllUsers,dc=wso,dc=ad,dc=com</Property>

Thus the CN will be properly constructed. Obviously you have to adapt the structure and content of this DN string according to your AD LDAP.

Took me quite some time to find this, as WSO2's manual is a bit misleading regarding UserDNPattern:

The pattern for the user's DN. It can be defined to improve the LDAP search. When there are many user entries in the LDAP, defining a "UserDNPattern" provides more impact on performance as the LDAP does not have to travel through the entire tree to find users.

Sounds like an option, but seems to be necessary.
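A small configuration check for the pattern the answer introduces, added here as an example and not part of the question or answer: it reads the UserStoreManager properties, fills the {0} placeholder with a user name (RFC 4514 escaping applied, which is an assumption about how the placeholder is substituted), and verifies that the resulting DN sits under the configured UserSearchBase. The embedded XML fragment is constructed from the page's values; with the answer's pattern ending in dc=com against the question's search base ending in DC=org, the check reports a mismatch, and it clears once the suffix is adapted as the answer says it must be.

```python
import re
import xml.etree.ElementTree as ET

# Constructed user-mgt.xml fragment: a subset of the question's UserStoreManager
# with the answer's UserDNPattern added (values copied from the page).
USER_MGT_XML = """
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager">
    <Property name="ConnectionURL">ldaps://dc.wso.ad.org:636</Property>
    <Property name="UserSearchBase">OU=AllUsers,DC=wso,DC=ad,DC=org</Property>
    <Property name="UserNameAttribute">sAMAccountName</Property>
    <Property name="UserDNPattern">cn={0},ou=AllUsers,dc=wso,dc=ad,dc=com</Property>
</UserStoreManager>
"""

def load_properties(xml_text):
    """Return the <Property name=...> values of a UserStoreManager as a dict."""
    root = ET.fromstring(xml_text)
    return {p.get("name"): (p.text or "") for p in root.iter("Property")}

def escape_rdn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514 rules)."""
    out = re.sub(r'([\\,+"<>;=])', r"\\\1", value)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out

def build_user_dn(pattern, username):
    """Fill the {0} placeholder (assumed substitution, as in the answer's pattern)."""
    return pattern.replace("{0}", escape_rdn_value(username))

def split_dn(dn):
    """Split a DN into normalized (attr, value) RDN pairs, respecting escaped commas."""
    parts = re.split(r"(?<!\\),", dn)
    return [tuple(s.strip().lower() for s in p.split("=", 1)) for p in parts]

def check_user_dn_pattern(props, username):
    """Return a list of problems with the UserDNPattern of this user store."""
    problems = []
    pattern = props.get("UserDNPattern")
    if not pattern:
        return ["UserDNPattern is not set; the user entry DN cannot be built"]
    if "{0}" not in pattern:
        problems.append("UserDNPattern has no {0} placeholder for the user name")
    user_dn = build_user_dn(pattern, username)
    base = split_dn(props["UserSearchBase"])
    if split_dn(user_dn)[-len(base):] != base:
        problems.append("new user DN %s is outside UserSearchBase %s"
                        % (user_dn, props["UserSearchBase"]))
    return problems
```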
