Configure Active Directory as the Primary Userstore in Super Tenant Mode in WSO2 Identity Server 6.0.0 — Part 3

Thamindu Aluthwala
3 min read · Sep 13, 2022

In the previous article of this series, I configured Active Directory as a secondary userstore in super tenant and tenant mode in WSO2 Identity Server 6.0.0. In this third article, I will configure Active Directory as the primary userstore in super tenant mode in WSO2 Identity Server 6.0.0 (WSO2 IS).

First, download WSO2 Identity Server 6.0.0 from https://wso2.com/identity-server/.

In the previous article, we imported the certificate of the Active Directory server into the WSO2 IS client truststore, which is what lets the ldaps:// connection below be verified. Refer to that article if you have not imported the certificate yet.

Once you have completed the above step, execute the following steps to configure Active Directory as the primary userstore in super tenant mode.

  • Open the deployment.toml file in the IS_HOME/repository/conf directory. Comment out the current [user_store] configuration and add the following.

Note: Attribute names will depend on the Active Directory version and schema.

[user_store]
type = "active_directory_unique_id"
connection_url = "ldaps://hostname:636"
#Example -- ldaps://ad-instance-iam.wso2.local:636
connection_name = "CN=Administrator,CN=Users,DC=wso2,DC=local"
connection_password = "wso2!23"
base_dn = "CN=Users,DC=wso2,DC=local"
user_entry_object_class = "user"
user_name_attribute = "sAMAccountName"
user_id_attribute = "objectGuid"
user_name_search_filter = "(&(objectClass=user)(sAMAccountName=?))"
user_name_list_filter = "(objectClass=person)"
immutable_attributes = "objectGuid,whenCreated,whenChanged"
timestamp_attributes = "whenChanged,whenCreated"

Note: The default group search base is derived by appending a cn=Groups container to the base_dn path. Create a cn=Groups container under dc=wso2,dc=local if it is not there already, or set group_search_base explicitly to an existing container.

Note: The configuration above binds as the domain Administrator and keeps connection_password in plaintext for brevity. In a real deployment, bind with a dedicated, least-privileged service account (read access to the directory, plus write access to the user container because WSO2 IS creates the super admin user and any users added through the console) and encrypt the password with the WSO2 secure vault (Cipher Tool) so that deployment.toml holds a $secret{...} alias instead of the cleartext value.
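Before starting the server it is worth linting the [user_store] table for the mistakes that only show up as a failed startup or, worse, as a working but weak deployment. The following script is an added example, not code from the original article or from WSO2: it parses the flat key = "value" lines of the [user_store] table (all the snippet above uses) and checks for ldaps:// on port 636, the ? placeholder in the search filter, the user_id_attribute being listed as immutable, a non-plaintext bind password, and a bind DN that is not the domain Administrator. The hostname, DNs and password in SAMPLE_TOML are constructed sample data.

```python
"""Pre-flight lint for the [user_store] table of a WSO2 IS deployment.toml.

Added example (not WSO2 tooling). Handles only flat key = "value" lines, which
is all the article's snippet needs; nested tables are out of scope.
"""
import re
from urllib.parse import urlsplit

# Constructed sample: the article's configuration with the example hostname.
SAMPLE_TOML = """
[user_store]
type = "active_directory_unique_id"
connection_url = "ldaps://ad-instance-iam.wso2.local:636"
#Example -- ldaps://ad-instance-iam.wso2.local:636
connection_name = "CN=Administrator,CN=Users,DC=wso2,DC=local"
connection_password = "wso2!23"
base_dn = "CN=Users,DC=wso2,DC=local"
user_entry_object_class = "user"
user_name_attribute = "sAMAccountName"
user_id_attribute = "objectGuid"
user_name_search_filter = "(&(objectClass=user)(sAMAccountName=?))"
user_name_list_filter = "(objectClass=person)"
immutable_attributes = "objectGuid,whenCreated,whenChanged"
timestamp_attributes = "whenChanged,whenCreated"
"""

# key = "string value"; backslash escapes inside the quotes are tolerated
_KV = re.compile(r'^\s*([A-Za-z0-9_]+)\s*=\s*"((?:[^"\\]|\\.)*)"\s*$')


def parse_user_store(toml_text: str) -> dict:
    """Return the string key/value pairs found under [user_store]."""
    table, in_store = {}, False
    for raw in toml_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):                 # table header switches context
            in_store = line == "[user_store]"
            continue
        m = _KV.match(line)
        if in_store and m:
            table[m.group(1)] = m.group(2)
    return table


def lint_user_store(cfg: dict) -> list:
    """Return human-readable findings; an empty list means nothing to fix."""
    findings = []
    url = urlsplit(cfg.get("connection_url", ""))
    if url.scheme != "ldaps":
        findings.append("connection_url must use ldaps:// so the bind password is not sent in clear")
    elif url.port not in (None, 636):
        findings.append(f"ldaps on non-standard port {url.port}; confirm the AD listener")
    if "hostname" in (url.hostname or ""):
        findings.append("connection_url still contains the placeholder hostname")

    bind_dn = cfg.get("connection_name", "")
    if re.match(r"(?i)^cn=administrator,", bind_dn):
        findings.append("bind DN is the domain Administrator; use a least-privileged service account")

    pw = cfg.get("connection_password", "")
    if pw and not re.fullmatch(r"\$secret\{[^}]+\}", pw):
        findings.append("connection_password is plaintext; move it to the secure vault ($secret{alias})")

    if "?" not in cfg.get("user_name_search_filter", ""):
        findings.append("user_name_search_filter lacks the '?' username placeholder")

    uid = cfg.get("user_id_attribute", "")
    immutable = {a.strip() for a in cfg.get("immutable_attributes", "").split(",") if a.strip()}
    if uid and uid not in immutable:
        findings.append(f"user_id_attribute {uid} is not listed in immutable_attributes")

    if cfg.get("type") != "active_directory_unique_id":
        findings.append("type should be active_directory_unique_id for an AD primary userstore")
    return findings


def lint_toml(toml_text: str) -> list:
    """Convenience wrapper: parse the text, then lint the [user_store] table."""
    return lint_user_store(parse_user_store(toml_text))


if __name__ == "__main__":
    for finding in lint_toml(SAMPLE_TOML):
        print("-", finding)
```

Run against the article's snippet the script reports two findings, the Administrator bind and the plaintext password; once the bind DN points at a service account and the password is a $secret{...} alias it reports nothing.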

  • Start the WSO2 IS.

Note: When Active Directory is the primary userstore, WSO2 IS creates the super admin user defined under [super_admin] in the directory on first startup, so the admin password must satisfy the Active Directory password policy. Before starting the server, either change the password policy in Active Directory or change the default admin password in the [super_admin] section of deployment.toml (for example to Test@1234). Refer to the last section of this article to change the password policy of Active Directory.

  • Log in to the Management Console as the super tenant admin. Go to Identity, click Claims, and select http://wso2.org/claims from the list.
  • Add the following claim mappings by editing each claim.

Note: Attribute names will depend on the Active Directory version and schema. Refer to the Active Directory schema at https://docs.microsoft.com/en-us/windows/win32/adschema.

Created Time: whenCreated
Last Modified Time: whenChanged
Resource Type: division
User ID: objectGuid
Username: sAMAccountName
Display Name: displayName
Full Name: cn
Email: mail
First name: givenName
Last Name: sn
Organization: company
Country: c
Telephone: telephoneNumber
Mobile: mobile
IM: ipPhone
URL: wWWHomePage
Department: department
Group: groupPolicy
  • For each claim, click Edit, then (+) Add Attribute Mapping. Select PRIMARY as the user store domain, set the mapped attribute to the value listed above, and click Update.

Now you have configured Active Directory as the primary userstore in WSO2 Identity Server 6.0.0.

Change the password policy in the Active Directory

  • Go to Server Manager, click Tools, and open Group Policy Management.
  • Expand Forest: your_domain → Domains → your_domain, then expand Group Policy Objects.
  • Right-click Default Domain Policy and click Edit. This opens the Group Policy Management Editor.
  • Navigate to Computer Configuration → Policies → Windows Settings → Security Settings → Account Policies → Password Policy.
  • You can edit the password policy of the Active Directory domain here. Relaxing the Default Domain Policy weakens every account in the domain, so prefer choosing an admin password that already satisfies the policy, or apply a Fine-Grained Password Policy (a Password Settings Object) scoped to the WSO2 accounts only.

References

WSO2 Identity Server: https://wso2.com/identity-server/

Active Directory Schema: https://docs.microsoft.com/en-us/windows/win32/adschema

Thamindu Aluthwala

Software Engineer @ WSO2 | CSE Undergraduate @ University of Moratuwa