WSO2 (IdM) cannot add user in Active Directory as primary user store

Published 2019-10-30 07:07

Environment:

  • WSO2 5.3.0 installation
  • Windows 7 SP1
  • jdk_1.8.0_151 with an external primary user store
  • AD (Active Directory on Windows Server 2016)

Actions:

  • WSO2 starts normally
  • The wsoadmin user is available in AD
  • WSO2 binds to AD via LDAPS
  • Logging in to the WSO2 management menu as admin from a Win 7 client works
  • All existing AD users are shown in the WSO2 user list view (only those that have an email address)

If I try to add a new user "wsotest", an error is thrown:

ERROR {org.wso2.carbon.user.mgt.ui.UserAdminClient} -  
Error while adding the user to the Active Directory for user : 
wsotest
[...]
Caused by: javax.naming.directory.NoSuchAttributeException: 
[LDAP: error code 16 - 00000057: LdapErr: DSID-0C091027, comment: 
Error in attribute conversion operation, data 0, v3839 ]; 
remaining name 'cn=wsotest'

user-mgt.xml:

<UserManager>
    <Realm>
        <Configuration>
            <AddAdmin>False</AddAdmin>
            <AdminRole>admin</AdminRole>
            <AdminUser>
                <UserName>wsoadmin</UserName><!-- already be available in user store, here: AD -->
                <Password>admin</Password><!-- keep default; real pw is already set in AD -->
            </AdminUser>
            <EveryOneRoleName>everyone</EveryOneRoleName>
            <Property name="isCascadeDeleteEnabled">true</Property>
            <Property name="initializeNewClaimManager">true</Property>
            <Property name="dataSource">jdbc/WSO2CarbonDB</Property>
        </Configuration>

        <UserStoreManager class="org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager">
            <Property name="TenantManager">org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager</Property>
            <Property name="defaultRealmName">wso.ad.org</Property>
            <Property name="Disabled">false</Property>
            <Property name="kdcEnabled">true</Property>
            <Property name="ConnectionURL">ldaps://dc.wso.ad.org:636</Property>
            <Property name="ConnectionName">CN=wsoadmin,OU=AllUsers,DC=wso,DC=ad,DC=org</Property>
            <Property name="ConnectionPassword">*******</Property>
            <Property name="PasswordHashMethod">PLAIN_TEXT</Property>
            <Property name="AnonymousBind">false</Property>
            <Property name="UserSearchBase">OU=AllUsers,DC=wso,DC=ad,DC=org</Property>
            <Property name="UserEntryObjectClass">user</Property>
            <Property name="UserNameAttribute">sAMAccountName</Property>
            <Property name="UserNameSearchFilter">(&amp;(objectClass=user)(sAMAccountName=?))</Property>
            <Property name="UserNameListFilter">(&amp;(objectClass=user)(sAMAccountName=*))</Property>
            <!-- -->
            <Property name="ReadGroups">true</Property>
            <Property name="WriteGroups">false</Property>
            <Property name="GroupSearchBase">CN=Users,DC=wso,DC=ad,DC=org</Property>
            <Property name="GroupEntryObjectClass">group</Property>
            <Property name="GroupNameAttribute">cn</Property>
            <Property name="GroupNameSearchFilter">(&amp;(objectClass=group)(cn=?))</Property>
            <Property name="GroupNameListFilter">(objectcategory=group)</Property>
            <Property name="MembershipAttribute">member</Property>
            <Property name="MemberOfAttribute">memberOf</Property>
            <Property name="BackLinksEnabled">true</Property>
            <Property name="Referral">follow</Property>
            <Property name="UsernameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
            <Property name="UsernameJavaScriptRegEx">^[\S]{3,30}$</Property>
            <!-- -->
            <Property name="UsernameJavaRegExViolationErrorMsg">Username pattern policy violated</Property>
            <Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property>
            <Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property>
            <Property name="PasswordJavaRegExViolationErrorMsg">Password length should be within 5 to 30 characters</Property>
            <Property name="RolenameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
            <Property name="RolenameJavaScriptRegEx">^[\S]{3,30}$</Property>
            <Property name="SCIMEnabled">false</Property>
            <Property name="IsBulkImportSupported">false</Property>
            <Property name="EmptyRolesAllowed">true</Property>
            <Property name="MultiAttributeSeparator">,</Property>
            <Property name="isADLDSRole">false</Property>
            <Property name="userAccountControl">512</Property>
            <Property name="MaxUserNameListLength">100</Property>
            <Property name="MaxRoleNameListLength">100</Property>
            <Property name="UserRolesCacheEnabled">false</Property><!-- default true -->
            <Property name="ConnectionPoolingEnabled">false</Property>
            <Property name="LDAPConnectionTimeout">5000</Property>
            <Property name="ReadTimeout"/>
            <Property name="RetryAttempts"/>
        </UserStoreManager>

        <AuthorizationManager class="org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager">
            <Property name="AdminRoleManagementPermissions">/permission</Property>
            <Property name="AuthorizationCacheEnabled">true</Property>
            <Property name="GetAllRolesOfUserEnabled">false</Property>
        </AuthorizationManager>

    </Realm>
</UserManager>

embedded-ldap.xml:

<EmbeddedLDAP>
    <Property name="enable">false</Property>
    <!-- remaining properties omitted -->
</EmbeddedLDAP>

Any suggestions?

Answer 1:

Found the solution:

Add this property to the UserStoreManager in user-mgt.xml:

<Property name="UserDNPattern">cn={0},ou=AllUsers,dc=wso,dc=ad,dc=com</Property>

This way the CN is constructed properly. Obviously, you have to adapt the structure and content of this DN string to your AD LDAP.

It took quite a while to find this; the WSO2 manual is a bit misleading regarding UserDNPattern:

The pattern for the user's DN. It can be defined to improve the LDAP search. When there are many user entries in the LDAP, defining a "UserDNPattern" provides more performance impact, as the LDAP does not have to travel through the entire tree to find users.

Sounds like an option, but it seems to be necessary.
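As an added example (not part of the question or the answer), the following Python script lints a user-mgt.xml in the form posted above for the UserDNPattern requirement the answer describes, and shows how the pattern turns a username into the DN that gets written to AD. The sample XML is constructed here and deliberately keeps the answer's dc=com suffix so the mismatch with the question's UserSearchBase (dc=org) is flagged; the RFC 4514 escaping in build_user_dn is an assumption about what a safe substitution should do, not something this page shows WSO2 doing.

```python
import xml.etree.ElementTree as ET

AD_STORE = "org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager"

# Constructed sample: the question's AD store plus the answer's UserDNPattern,
# kept with the answer's dc=com suffix so the base mismatch is visible.
SAMPLE_XML = """<UserManager><Realm>
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager">
  <Property name="UserSearchBase">OU=AllUsers,DC=wso,DC=ad,DC=org</Property>
  <Property name="UserDNPattern">cn={0},ou=AllUsers,dc=wso,dc=ad,dc=com</Property>
</UserStoreManager></Realm></UserManager>"""


def store_properties(xml_text):
    """Return (class, {property name: value}) of the primary UserStoreManager."""
    usm = ET.fromstring(xml_text).find("./Realm/UserStoreManager")
    props = {p.get("name"): (p.text or "").strip() for p in usm.findall("Property")}
    return usm.get("class"), props


def normalize_dn(dn):
    """DN components lowercased and stripped, so OU=/ou= and DC=/dc= compare equal."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


def lint(xml_text):
    """Findings about UserDNPattern for an ActiveDirectory store (empty list = OK)."""
    cls, props = store_properties(xml_text)
    findings = []
    if cls != AD_STORE:
        return findings
    pattern = props.get("UserDNPattern", "")
    if not pattern:
        findings.append("UserDNPattern missing: add-user failed with 'remaining name cn=<user>'")
        return findings
    first_rdn, _, parent = pattern.partition(",")
    if "{0}" not in first_rdn:
        findings.append("UserDNPattern's first RDN must contain the {0} placeholder")
    if normalize_dn(parent) != normalize_dn(props.get("UserSearchBase", "")):
        findings.append("UserDNPattern parent %s differs from UserSearchBase" % parent)
    return findings


def build_user_dn(pattern, username):
    """Substitute the username into the pattern, escaping RFC 4514 special characters."""
    escaped = "".join("\\" + c if c in ',+"\\<>;' else c for c in username)
    if escaped[:1] in ("#", " "):
        escaped = "\\" + escaped          # leading '#' or space must be escaped
    if escaped.endswith(" ") and not escaped.endswith("\\ "):
        escaped = escaped[:-1] + "\\ "    # trailing space must be escaped
    return pattern.replace("{0}", escaped)
```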



Source: WSO2 (IdM) cannot add user in Active Directory as primary user store