Question
I am unable to set up WSO2 Identity Server v5.6.0 with OpenLDAP as the primary, external user store. The Identity Server starts as expected (no errors in the console) and the admin user account has been created automatically, too. But if I try to add a new user via the management console, the Identity Server throws the following error:
Could not add user PRIMARY/johndoe@gmail.com. Error: Cannot access the directory context or user already exists in the system for user :johndoe@gmail.com
In the LDAP console you can see that wso2is is trying to add the user with a ref attribute:
5b7589c9 conn=1022 op=2 ADD dn="mail=johndoe@gmail.com,ou=Users,dc=wso2,dc=org"
5b7589c9 conn=1022 op=2 RESULT tag=105 err=65 text=attribute "ref" only allowed in the referral
I don't know why exactly wso2is is doing that. The referral option is disabled and the WSO2-specific LDIF files have been imported. How can I solve this issue?
Below is my user-mgt.xml configuration:
<UserManager>
  <Realm>
    <Configuration>
      <AddAdmin>true</AddAdmin>
      <AdminRole>admin</AdminRole>
      <AdminUser>
        <UserName>admin@wso2.com</UserName>
        <Password>admin</Password>
      </AdminUser>
      <EveryOneRoleName>everyone</EveryOneRoleName> <!-- By default users in this role sees the registry root -->
      <Property name="isCascadeDeleteEnabled">true</Property>
      <Property name="initializeNewClaimManager">true</Property>
      <Property name="dataSource">jdbc/WSO2CarbonDB</Property>
    </Configuration>
    <UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager">
      <Property name="TenantManager">org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager</Property>
      <Property name="ConnectionURL">ldap://ldap:389</Property>
      <Property name="ConnectionName">cn=admin,dc=wso2,dc=org</Property>
      <Property name="ConnectionPassword">admin</Property>
      <Property name="AnonymousBind">false</Property>
      <Property name="UserSearchBase">ou=Users,dc=wso2,dc=org</Property>
      <Property name="UserEntryObjectClass">identityPerson</Property>
      <Property name="UserNameAttribute">mail</Property>
      <!-- The "&" of an LDAP AND filter must be written as "&amp;" inside XML -->
      <Property name="UserNameSearchFilter">(&amp;(objectClass=identityPerson)(mail=?))</Property>
      <Property name="UserNameListFilter">(&amp;(objectClass=identityPerson)(mail=*))</Property>
      <Property name="UserDNPattern">mail={0},ou=Users,dc=wso2,dc=org</Property>
      <Property name="DisplayNameAttribute"/>
      <Property name="ReadGroups">true</Property>
      <Property name="WriteGroups">true</Property>
      <Property name="GroupSearchBase">ou=Groups,dc=wso2,dc=org</Property>
      <Property name="GroupEntryObjectClass">groupOfNames</Property>
      <Property name="GroupNameAttribute">cn</Property>
      <Property name="GroupNameSearchFilter">(&amp;(objectClass=groupOfNames)(cn=?))</Property>
      <Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property>
      <Property name="RoleDNPattern">cn={0},ou=Groups,dc=wso2,dc=org</Property>
      <Property name="MembershipAttribute">member</Property>
      <Property name="BackLinksEnabled">false</Property>
      <Property name="UsernameJavaRegEx">^[a-zA-Z0-9._-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,4}$</Property>
      <Property name="UsernameJavaScriptRegEx">^[a-zA-Z0-9._-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,4}$</Property>
      <Property name="UsernameJavaRegExViolationErrorMsg">Username pattern policy violated</Property>
      <Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property>
      <Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property>
      <Property name="PasswordJavaRegExViolationErrorMsg">Password length should be within 5 to 30 characters</Property>
      <Property name="RolenameJavaRegEx">[a-zA-Z0-9._\-|//]{3,40}$</Property>
      <Property name="RolenameJavaScriptRegEx">^[\S]{3,40}$</Property>
      <Property name="SCIMEnabled">true</Property>
      <Property name="IsBulkImportSupported">false</Property>
      <Property name="EmptyRolesAllowed">false</Property>
      <Property name="PasswordHashMethod">PLAIN_TEXT</Property>
      <Property name="MultiAttributeSeparator">,</Property>
      <Property name="MaxUserNameListLength">100</Property>
      <Property name="MaxRoleNameListLength">100</Property>
      <Property name="kdcEnabled">false</Property>
      <Property name="defaultRealmName">WSO2.ORG</Property>
      <Property name="UserRolesCacheEnabled">true</Property>
      <Property name="ConnectionPoolingEnabled">false</Property>
      <Property name="LDAPConnectionTimeout">5000</Property>
      <Property name="ReadTimeout"/>
      <Property name="RetryAttempts"/>
    </UserStoreManager>
    <AuthorizationManager class="org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager">
      <Property name="AdminRoleManagementPermissions">/permission</Property>
      <Property name="AuthorizationCacheEnabled">true</Property>
      <Property name="GetAllRolesOfUserEnabled">false</Property>
    </AuthorizationManager>
  </Realm>
</UserManager>
Answer 1:
The reason for the above error is that, in WSO2 IS, for representing the resourceType we have mapped an LDAP attribute called "ref", but it seems "ref" is an attribute that's reserved in OpenLDAP for referrals. Hence we are seeing the above error.
To get around this you could follow the instructions below:
- After starting the Identity server go to Home -> Identity -> Claims -> List.
- Select "urn:ietf:params:scim:schemas:core:2.0" and then click edit on "urn:ietf:params:scim:schemas:core:2.0:meta.resourceType".
- For "Mapped Local Claim" select an appropriate claim you would like to map to this, e.g. http://wso2.org/claims/userType, and click update.
- Now try creating a user through the management console.
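The following Python script is an added example, not part of the question or the answer and not WSO2 code. It does the two things a practitioner wants when diagnosing this class of failure: it pairs each ADD request with its RESULT in slapd log lines like the ones quoted in the question (keyed by conn/op) and flags err=65 results (objectClassViolation in RFC 4511) whose text names an attribute that OpenLDAP binds to a specific object class (`ref` belongs only to the `referral` class defined in RFC 3296); and it walks a claim-mapping file to find which external claim lands on such an attribute through its local claim, which is exactly the mapping the answer tells you to change. The claim XML is a constructed snippet modelled on the Dialect/Claim/ClaimURI/AttributeID/MappedLocalClaim layout of WSO2's claim-config.xml; the attribute names in it other than `ref` and `mail` are assumptions, the second (successful) ADD in the log sample is constructed, and the reserved-attribute table lists only `ref`.

```python
"""Diagnose WSO2 IS -> OpenLDAP 'ref' clashes from slapd logs and claim mappings.

Added example; the log sample and claim XML below are constructed for the demo.
"""
import re
import xml.etree.ElementTree as ET

# Attributes that OpenLDAP only accepts on a specific object class.
# RFC 3296: 'ref' is the attribute of the 'referral' object class.
OPENLDAP_CLASS_BOUND_ATTRS = {"ref": "referral"}

LDAP_OBJECT_CLASS_VIOLATION = 65  # RFC 4511 resultCode objectClassViolation

# First op is the pair of lines from the question; op=3 is a constructed successful ADD.
SLAPD_LOG = """5b7589c9 conn=1022 op=2 ADD dn="mail=johndoe@gmail.com,ou=Users,dc=wso2,dc=org"
5b7589c9 conn=1022 op=2 RESULT tag=105 err=65 text=attribute "ref" only allowed in the referral
5b7589d0 conn=1022 op=3 ADD dn="cn=staff,ou=Groups,dc=wso2,dc=org"
5b7589d0 conn=1022 op=3 RESULT tag=105 err=0 text=
"""

# Constructed snippet in the shape of claim-config.xml (assumed layout); the
# local claim resourceType -> ref is the chain that breaks against OpenLDAP.
CLAIM_CONFIG = """<Claims>
  <Dialect dialectURI="http://wso2.org/claims">
    <Claim><ClaimURI>http://wso2.org/claims/resourceType</ClaimURI><AttributeID>ref</AttributeID></Claim>
    <Claim><ClaimURI>http://wso2.org/claims/userType</ClaimURI><AttributeID>employeeType</AttributeID></Claim>
    <Claim><ClaimURI>http://wso2.org/claims/emailaddress</ClaimURI><AttributeID>mail</AttributeID></Claim>
  </Dialect>
  <Dialect dialectURI="urn:ietf:params:scim:schemas:core:2.0">
    <Claim><ClaimURI>urn:ietf:params:scim:schemas:core:2.0:meta.resourceType</ClaimURI><MappedLocalClaim>http://wso2.org/claims/resourceType</MappedLocalClaim></Claim>
    <Claim><ClaimURI>urn:ietf:params:scim:schemas:core:2.0:userName</ClaimURI><MappedLocalClaim>http://wso2.org/claims/emailaddress</MappedLocalClaim></Claim>
  </Dialect>
</Claims>"""

LOG_RE = re.compile(r"conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<kind>ADD|RESULT)\b(?P<rest>.*)")


def parse_slapd_log(text):
    """Pair ADD lines with their RESULT lines by (conn, op); return one dict per op."""
    ops = {}
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # other op kinds (BIND, SRCH, ...) are not of interest here
        entry = ops.setdefault(
            (m["conn"], m["op"]),
            {"conn": int(m["conn"]), "op": int(m["op"]), "dn": None, "err": None, "text": ""},
        )
        if m["kind"] == "ADD":
            dn = re.search(r'dn="([^"]*)"', m["rest"])
            if dn:
                entry["dn"] = dn.group(1)
        else:
            err = re.search(r"\berr=(\d+)", m["rest"])
            if err:
                entry["err"] = int(err.group(1))
            txt = re.search(r"\btext=(.*)$", m["rest"])
            if txt:
                entry["text"] = txt.group(1).strip()
    return list(ops.values())


def failed_adds(entries):
    """Return (dn, attribute, required_class) for ADDs rejected with err=65 over a class-bound attribute."""
    hits = []
    for e in entries:
        if e["dn"] is None or e["err"] != LDAP_OBJECT_CLASS_VIOLATION:
            continue
        m = re.search(r'attribute "([^"]+)"', e["text"])
        attr = m.group(1) if m else None
        if attr in OPENLDAP_CLASS_BOUND_ATTRS:
            hits.append((e["dn"], attr, OPENLDAP_CLASS_BOUND_ATTRS[attr]))
    return hits


def colliding_claims(claim_xml):
    """Resolve external claim -> local claim -> LDAP attribute and flag class-bound attributes."""
    root = ET.fromstring(claim_xml)
    local_attr = {}  # local claim URI -> LDAP attribute
    external = []    # (external claim URI, mapped local claim URI)
    for dialect in root.findall("Dialect"):
        for claim in dialect.findall("Claim"):
            uri = claim.findtext("ClaimURI")
            attr = claim.findtext("AttributeID")
            mapped = claim.findtext("MappedLocalClaim")
            if attr:
                local_attr[uri] = attr
            if mapped:
                external.append((uri, mapped))
    hits = []
    for ext_uri, local_uri in external:
        attr = local_attr.get(local_uri)
        if attr in OPENLDAP_CLASS_BOUND_ATTRS:
            hits.append((ext_uri, local_uri, attr, OPENLDAP_CLASS_BOUND_ATTRS[attr]))
    return hits


if __name__ == "__main__":
    for dn, attr, cls in failed_adds(parse_slapd_log(SLAPD_LOG)):
        print(f"ADD of {dn} rejected: '{attr}' is only allowed on objectClass {cls}")
    for ext, local, attr, cls in colliding_claims(CLAIM_CONFIG):
        print(f"remap {ext}: local claim {local} -> '{attr}' (reserved for {cls})")
```

Run against a real slapd log and the deployment's claim-config.xml, the second report names the external claim to remap in the management console (per the answer, to a local claim whose attribute is not class-bound); the first confirms from the directory side that the rejection is an objectClassViolation rather than a permission or connectivity problem, which is what the generic "Cannot access the directory context or user already exists" message hides.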
Source: https://stackoverflow.com/questions/51879953/unable-to-setup-openldap-as-primary-user-store-for-wso2is-5-6-0-ldap-error-65-w