Configure Active Directory as a Secondary Userstore in Super Tenant and Tenant Mode in WSO2 Identity Server 6.0.0 — Part 2

Thamindu Aluthwala
Sep 2, 2022

In the previous article of this series, I configured the Active Directory in Windows Server 2019. In this 2nd article of the series, I’ll be configuring Active Directory as a secondary userstore in both super tenant and tenanted mode in WSO2 Identity Server 6.0.0 (WSO2 IS).

First you need to download the WSO2 Identity Server 6.0.0 from https://wso2.com/identity-server/.

In the previous article, we exported the certificate of the Active Directory. Now we are going to import that certificate into the keystore of the Identity Server.

  • Copy the exported certificate of the AD to <IS_HOME>/repository/resources/security. Then, from that directory, execute the following command to import the certificate into the client-truststore.jks file of the IS.
keytool -import -trustcacerts -alias ad-cert -file ad-cert.cer -keystore client-truststore.jks -storepass wso2carbon -noprompt
  • When adding the new user store, under User Store Manager settings, select UniqueIDActiveDirectoryUserStoreManager as the User Store Manager Class and enter a Domain Name.
  • Fill in the Define Properties For section using the configuration details of the Active Directory.
Connection URL: ldaps://ad-instance-iam.wso2.local:636
Connection Name: CN=Administrator,CN=Users,DC=wso2,DC=local
Connection Password: Enter Administrator password
User Search Base: CN=Users,DC=wso2,DC=local
User Entry Object Class: user
Username Attribute: sAMAccountName
User Search Filter: (&(objectClass=user)(sAMAccountName=?))
Group Id Attribute: objectGuid
User ID Attribute: objectGuid

Note: These values are case-sensitive.

  • Next, under the Optional configurations, change the Group Search Base.
Group Search Base = CN=Users,DC=WSO2,DC=local
  • In Advanced configuration, add whenChanged,whenCreated to both Immutable Attributes and Timestamp Attributes.
  • Finally, click Update to add the user store. Then go to Identity, click Claims, and select http://wso2.org/claims from the list.
  • Add the following claim mappings by editing each claim. When adding a claim mapping, click (+) Add Attribute Mapping, select the domain of the secondary user store, add the claim value, and then click Update.

Note: Claim values will depend on the Active Directory version.

Created Time: whenCreated
Last Modified Time: whenChanged
Resource Type: division
User ID: objectGuid
Username: sAMAccountName
Display Name: classDisplayName
Full Name: cn
Email: mail
First name: givenName
Last Name: sn
Organization: company
Country: c
Telephone: telephoneNumber
Mobile: mobile
IM: ipPhone
URL: wWWHomePage
Department: department
  • Next, click Update. Active Directory is now configured as a secondary userstore in the WSO2 Identity Server.
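The two user store properties above that matter most for security are the Connection URL (it must be ldaps://, otherwise the Administrator bind password crosses the network in clear text) and the User Search Filter (it must carry exactly one ? placeholder, which is where the user store manager substitutes the login name). The following Python script is an added example, not part of this article or of WSO2's own code: it parses a user store definition in the XML shape WSO2 IS keeps under <IS_HOME>/repository/deployment/server/userstores/<DOMAIN>.xml (the property names ConnectionURL, ConnectionName, UserSearchBase, UserNameAttribute, UserNameSearchFilter, UserIDAttribute and GroupSearchBase are assumed to match that file), runs a set of pre-flight checks over the article's values, and then over a constructed weak variant that uses plaintext LDAP on 389 and a filter without the placeholder.

```python
"""Pre-flight checks for an Active Directory secondary user store definition in WSO2 IS.

Added example: the XML layout and property names are assumed to follow WSO2's
userstores/<DOMAIN>.xml format, and both sample documents are constructed inline.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample using the values from the article (the password is a placeholder).
HARDENED_XML = """<?xml version="1.0" encoding="UTF-8"?>
<UserStoreManager class="org.wso2.carbon.user.core.ldap.UniqueIDActiveDirectoryUserStoreManager">
  <Property name="ConnectionURL">ldaps://ad-instance-iam.wso2.local:636</Property>
  <Property name="ConnectionName">CN=Administrator,CN=Users,DC=wso2,DC=local</Property>
  <Property name="ConnectionPassword">PLACEHOLDER_PASSWORD</Property>
  <Property name="UserSearchBase">CN=Users,DC=wso2,DC=local</Property>
  <Property name="UserEntryObjectClass">user</Property>
  <Property name="UserNameAttribute">sAMAccountName</Property>
  <Property name="UserNameSearchFilter">(&amp;(objectClass=user)(sAMAccountName=?))</Property>
  <Property name="UserIDAttribute">objectGuid</Property>
  <Property name="GroupSearchBase">CN=Users,DC=WSO2,DC=local</Property>
</UserStoreManager>
"""

# Constructed weak variant: plaintext LDAP on 389 and a filter without the ? placeholder.
WEAK_XML = (HARDENED_XML
            .replace("ldaps://ad-instance-iam.wso2.local:636", "ldap://ad-instance-iam.wso2.local:389")
            .replace("(sAMAccountName=?)", "(sAMAccountName=*)"))


def load_properties(xml_text):
    """Return {property name: value} from a UserStoreManager document."""
    root = ET.fromstring(xml_text)
    return {p.get("name"): (p.text or "").strip() for p in root.findall("Property")}


def split_dn(dn):
    """Split 'CN=a,DC=b' into lower-cased (attribute, value) pairs; raises on a malformed RDN."""
    pairs = []
    for rdn in dn.split(","):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip().lower(), value.strip().lower()))
    return pairs


def domain_components(dn):
    """The DC= part of a DN, used to confirm the bind DN and search bases share a domain."""
    return tuple(value for attr, value in split_dn(dn) if attr == "dc")


def check_user_store(props):
    """Return a list of findings; an empty list means the definition passed every check."""
    findings = []

    # Transport: the bind password only stays private over LDAPS.
    url = urlsplit(props.get("ConnectionURL", ""))
    if url.scheme != "ldaps":
        findings.append(f"ConnectionURL: scheme {url.scheme!r} sends the bind password in clear text; use ldaps://")
    if url.port not in (None, 636):
        findings.append(f"ConnectionURL: port {url.port} is not the LDAPS port 636")

    # DN syntax of the bind DN and both search bases, then a shared-domain check.
    for key in ("ConnectionName", "UserSearchBase", "GroupSearchBase"):
        try:
            split_dn(props.get(key, ""))
        except ValueError as exc:
            findings.append(f"{key}: {exc}")
    try:
        bind_domain = domain_components(props.get("ConnectionName", ""))
        for key in ("UserSearchBase", "GroupSearchBase"):
            if domain_components(props.get(key, "")) != bind_domain:
                findings.append(f"{key}: domain components differ from ConnectionName")
    except ValueError:
        pass  # malformed DN already reported above

    # Search filter: balanced, one ? placeholder, keyed on the username attribute, objectClass-restricted.
    filt = props.get("UserNameSearchFilter", "")
    if filt.count("(") != filt.count(")"):
        findings.append("UserNameSearchFilter: unbalanced parentheses")
    if filt.count("?") != 1:
        findings.append("UserNameSearchFilter: expected exactly one '?' placeholder for the login name")
    name_attr = props.get("UserNameAttribute", "")
    if f"({name_attr}=?)" not in filt:
        findings.append(f"UserNameSearchFilter: does not match the login name against {name_attr!r}")
    if "(objectclass=" not in filt.lower():
        findings.append("UserNameSearchFilter: does not restrict objectClass")

    return findings


if __name__ == "__main__":
    for label, doc in (("hardened", HARDENED_XML), ("weak", WEAK_XML)):
        print(label, check_user_store(load_properties(doc)) or "OK")
```

Run it as a plain script; the hardened document from the article produces no findings, while the weak variant is flagged for the plaintext scheme, the non-LDAPS port, the missing placeholder and the filter no longer keyed on sAMAccountName. For a tenant, the same checks apply to the tenant's own user store file (assumed here to live under <IS_HOME>/repository/tenants/<tenant-id>/userstores/).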

To configure Active Directory in Tenant mode in the WSO2 Identity Server, create a new tenant in WSO2 IS.

After creating the tenant, log in as the tenant admin and follow the same steps we executed to add the Active Directory as a userstore in super tenant mode. Then we need to import the certificate of the Active Directory into the keystore of the tenant. To do that, follow the steps below.

  • Click on Import Cert.
  • Click Choose File, browse to the certificate of the Active Directory, and click Import.

Now the certificate of the Active Directory will be successfully imported into the keystore of the tenant.

After completing the configuration, validate the functionality by adding a new user to the registered secondary userstore from the management console.

References

WSO2 Identity Server: https://wso2.com/identity-server/

Active Directory Schema: https://docs.microsoft.com/en-us/windows/win32/adschema

WSO2 IS Tenant Management: https://is.docs.wso2.com/en/latest/guides/tenants/tenant-mgt/

Thamindu Aluthwala

Software Engineer @ WSO2 | CSE Undergraduate @ University of Moratuwa