WSO2 APIM | External LDAP Integration
I am writing this article to share my experience while working with a secondary user store requirement in WSO2 API Manager. So, WSO2 provides an in-built user store for user management capabilities and facilitates integration with a secondary user store as well. A Secondary user store could be an LDAP, Microsoft Active Directory, or even an RDBMS user store as well. In this article, I'll cover LDAP user store integration with WSO2 API Manager and you can follow the path if you have a similar kind of business requirement.
4. Finally Click on Update button available in the bottom of the form.
Business Requirement
So, my business requirement was to provide token-based API access and to proceed with password grant type for token API while the user base remains in an external user store.
Technical Feasibility in WSO2 APIM
The requirement is technically feasible as an OOTB capability provided by WSO2 with some configurations via the carbon console. This article assumes you have existing LDAP server running. So I have to procure the following details from LDAP server for integration purposes-
- LDAP Server IP & Port
- Protocol- ldap or ldaps
- Procure the SSL Certificate in case of ldaps
- Base DN & Password
- User Search Base
- Group Search Base
Implementation
To proceed with the implementation, we have to follow the below steps-
1. Login to the carbon console (http://host:port/carbon)
2. Navigate to User Stores from left navigation menu and click on + Add option
3. Fill all the details as per your environment, I have provided some sample values as per my environment-
- Choose ReadWriteLDAPUserStoreManager
- Domain name : external-ldap (you can use any logical name)
- Description : external ldap for user authentication
- Connection URL: ldaps://192.16.0.9:10389 (must import the certificate inside $APIM_HOME/repository/resources/security in case of ldaps)
- Connection Name: cn=admin,ou=sa,o=system
- Connection Password: **********
- User Search Base: ou=users,o=data
- Group Search Base: ou=groups,o=data
4. Finally Click on Update button available in the bottom of the form.
5. It takes few seconds depending upon network latency to refresh the user store in listing and it looks like below-
6. This means, our ldap has been configured. Now let's verify the users are being listed via users via path Home > Identity > Users and Roles > List
So, the users are now being shown with respective domain in the users list. This means our LDAP integration is successful.
Just to note that, if the user stores list shows the newly created user store name but the users are not visible in the users listing, we must check for wso2carbon logs for any error.
Reference: https://apim.docs.wso2.com/en/3.2.0/administer/managing-users-and-roles/managing-user-stores/configure-primary-user-store/configuring-a-read-write-ldap-user-store/
This comment has been removed by a blog administrator.
ReplyDeleteThis comment has been removed by a blog administrator.
ReplyDelete