We are trying to add new attributes to the default LDAP user store in WSO2 IS.
But we don't have access to this store; the only way we have is to reinstall the user store with edited schemas.
Is there a way to reinstall the default LDAP server with new schemas?
I am using WSO2 API Manager and I am creating new user claims via the Carbon interface.
The claims are added to the IDN tables of the API Manager database but not to the user management database.
I have 2 different key managers; only one of them is able to retrieve claims from the AM database.
The 2 key managers have the same user-mgt configuration and master datasource configuration.
My question is why one is able to retrieve claims and not the other, and also why claims are stored in the API management database and not the user management database.
We are using WSO2 IS 5.2.0
We have integrated it with AD/LDAP (using LDAPUserStoreManager). We had userA from AD as our super administrator. Using this user we have registered all our apps under “Service Providers”.
Now, because of some organisation changes, we have to connect to a different LDAP server for user authentication. We have changed the LDAP configuration manually in the user-mgt.xml file to point to the new AD/LDAP server, and userB from the new LDAP is our new super admin.
Problem: We are not able to see the list of apps that we had registered under “Service Providers” when we log in as “userB”.
Question: how can we transfer the list of apps (ownership) to the new administrator?
We tried to update SP_APP table from backend but it is still not solving the problem.
(e.g. update SP_APP set username='userB' where APP_NAME='TestApp';)
Can someone please help us understand how we can transfer the list of apps under Service Providers so that it will be visible to the new administrator?
When you create a Service Provider (SP), a role is created with it. If the name of the SP is "SomeName", the role created is "Application/SomeName". Users with this particular role can see (and perform any operation on) that particular application.
So you need to assign these roles to the new admin user (or any other user that needs to see the application) to make the applications visible to the new admin user.
See more information about creating service providers in WSO2 Identity Server in https://docs.wso2.com/display/IS541/Adding+and+Configuring+a+Service+Provider#AddingandConfiguringaServiceProvider-Addingaserviceprovider
I have WSO2 IS 5.3.0 with several user stores. I want to connect my app to the embedded LDAP and access the users in the secondary user stores, but I only see the users in the primary user store.
How can I see the users in the secondary user stores when connecting an application to the WSO2 IS LDAP?
The aim is to have several user stores merged into just one, the IS LDAP, and connect legacy applications to that merged LDAP. Is this approach wrong?
Please follow this documentation [1] to configure multiple secondary user stores with WSO2 IS 5.3.0. Yes, you can add multiple user stores to Identity Server and let the applications outside see those as a single user store through Identity Server.
[1] https://docs.wso2.com/display/IS530/Configuring+Secondary+User+Stores
May I use some specific configuration to connect to the LDAP to see the whole set of users?
Multiple user stores are completely separate, with their own users, realm name, etc. In theory, your application could use the WSO2 IS API to access user information (with the realm prefix, such that the user identity is userstore_realm\username).
But as is already mentioned in the comments, you don't see multiple LDAP stores as a single LDAP.
The aim is to have several user stores merged into just one, the IS LDAP, and connect legacy applications to that merged LDAP. Is this approach wrong?
What you could do is "inbound" user provisioning. Effectively, when a user is authenticated (using an external IS, secondary user store, ...), the user could be provisioned (imported) into the primary user store.
Though it is possible, I wouldn't recommend this approach as you will have duplicates out of control (e.g. when resetting the password).
I need to add a new user in WSO2 CEP (3.1.0) and I know that it is possible by "clicking" through a few steps in the console (example from documentation). I wonder if it is possible to add a new user without logging into the console, but by connecting to the H2 database and inserting the user there?
I know that a new user is saved into the "UM_USER" table.
Maybe someone knows what class writes the user into H2, how the password is encrypted, and what "UM_SALT_VALUE" is and why I need it?
If all you want is to manage users programmatically, a better way than trying to modify the H2 DB is to do it through the relevant admin service. This way you don't have to bother about the underlying user store or the salt values used for hashing passwords, etc.
In Carbon-based products, most of the configurations done through the web console can be done programmatically by calling the relevant admin web service, such as user management, adding/managing deployment artifacts, etc.
So for your use case, you can use the User Management admin service at:
https://localhost:9443/services/UserAdmin?wsdl
Note that in order to access this WSDL, you should make these admin service WSDLs visible by editing <CEP>/repository/conf/carbon.xml and restarting the server.
<HideAdminServiceWSDLs>false</HideAdminServiceWSDLs>
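As an added illustration of the admin-service route (this is example code, not WSO2's own, and not from the answer above): the script below builds a SOAP 1.1 request for the UserAdmin service and can post it with HTTP Basic authentication over verified TLS. The operation and parameter names (addUser with userName, password, roles, claims as claimURI/value pairs, profileName, requirePasswordChange, in the http://org.apache.axis2/xsd namespace) are my reading of the UserAdmin WSDL and should be checked against the ?wsdl your server exposes. The sample user, password and CA path are constructed.

```python
"""Added example: build and optionally send a UserAdmin.addUser SOAP request.

Not WSO2's code. Assumptions (from my reading of the UserAdmin WSDL; verify
against your server's ?wsdl): operation addUser in namespace
http://org.apache.axis2/xsd with parameters userName, password, roles,
claims (claimURI/value pairs), profileName and requirePasswordChange.
"""
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
XSD_NS = "http://org.apache.axis2/xsd"  # assumption: Axis2 admin-service namespace
ET.register_namespace("soapenv", SOAP_NS)
ET.register_namespace("xsd", XSD_NS)


def build_add_user_request(username, password, roles=(), claims=None,
                           profile="default", require_change=False):
    """Return the SOAP 1.1 envelope for addUser as UTF-8 bytes."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    op = ET.SubElement(body, f"{{{XSD_NS}}}addUser")
    ET.SubElement(op, f"{{{XSD_NS}}}userName").text = username
    ET.SubElement(op, f"{{{XSD_NS}}}password").text = password
    for role in roles:  # one <roles> element per role name
        ET.SubElement(op, f"{{{XSD_NS}}}roles").text = role
    for uri, value in (claims or {}).items():
        claim = ET.SubElement(op, f"{{{XSD_NS}}}claims")
        ET.SubElement(claim, f"{{{XSD_NS}}}claimURI").text = uri
        ET.SubElement(claim, f"{{{XSD_NS}}}value").text = value
    ET.SubElement(op, f"{{{XSD_NS}}}profileName").text = profile
    ET.SubElement(op, f"{{{XSD_NS}}}requirePasswordChange").text = str(require_change).lower()
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def parse_request(envelope):
    """Read an envelope back, to review what is about to be sent."""
    root = ET.fromstring(envelope)
    op = root.find(f"{{{SOAP_NS}}}Body/*")
    ns = f"{{{XSD_NS}}}"
    return {
        "operation": op.tag.replace(ns, ""),
        "userName": op.findtext(f"{ns}userName"),
        "roles": [r.text for r in op.findall(f"{ns}roles")],
        "claims": {c.findtext(f"{ns}claimURI"): c.findtext(f"{ns}value")
                   for c in op.findall(f"{ns}claims")},
    }


def send(url, admin_user, admin_pass, envelope, cafile, soap_action="urn:addUser"):
    """POST with HTTP Basic auth over TLS verified against the Carbon CA cert."""
    ctx = ssl.create_default_context(cafile=cafile)
    token = base64.b64encode(f"{admin_user}:{admin_pass}".encode()).decode()
    req = urllib.request.Request(url, data=envelope, method="POST", headers={
        "Content-Type": "text/xml; charset=utf-8",
        "SOAPAction": soap_action,
        "Authorization": f"Basic {token}",
    })
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed sample user; the claim URI is the standard WSO2 e-mail claim.
    envelope = build_add_user_request(
        "alice", "CorrectHorse-42!", roles=["Internal/everyone"],
        claims={"http://wso2.org/claims/emailaddress": "alice@example.org"})
    print(envelope.decode())
    # Uncomment to send (placeholder credentials and CA path):
    # send("https://localhost:9443/services/UserAdmin", "admin", "<admin-password>",
    #      envelope, cafile="/path/to/carbon-ca.pem")
```

The same request shape, with a different operation element, covers the other UserAdmin operations; the point is that the server does the hashing and salting, so nothing about UM_SALT_VALUE leaks into the client.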
We would like to move the users from a one Identity system to WSO2 IS. Both userstores reside on a SQL DB. We would use SELECT INTO (INSERT INTO SELECT) at the database level to move the users from the old Identity Store to WSO2 IS. Will this cause any issues with the data integrity? Or should we just use the WSO2 IS APIs instead?
You have your users in a separate user DB (say, the foo user store) and you need to move all users into the WSO2 IS user store schema? It mostly depends on how the users' passwords have been stored in the foo user store.
If the password is stored as plain text (or encrypted such that it can be decrypted), you can use the WSO2 IS APIs to add users, which is mostly the best option. You can write some tool to read from the foo DB and call the API of WSO2 IS. The User Mgt API can be used for it. More details from here
If the password is stored hashed, then we cannot use the APIs and we need to use some database-level migration. You can move the username and the user's password into the UM_USER table and the user's attributes into the UM_ATTRIBUTE table.
But, please note, if your foo DB has used some different password hashing scheme which is not supported by WSO2 IS, the above migration also would not be successful out of the box. By default WSO2 IS supports SHA-1 and SHA-2 hashing methods only. If it is not one of those, you may need to do some customization.
However, why are you trying to migrate it to the WSO2 IS schema? Can't you write a custom user store manager implementation for your foo DB and connect WSO2 IS to your existing user store? I guess it is more convenient than migrating.
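The two threads above (what UM_SALT_VALUE is, and why hashed passwords can only be copied row-for-row when the source store used a compatible digest) come down to the form in which the JDBC user store writes passwords. The script below is an added example, not WSO2's code: it reproduces that form on my reading of the Carbon JDBC user store manager, namely Base64(digest(UTF-8(password + UM_SALT_VALUE))) with the configured PasswordDigest algorithm when StoreSaltedPassword is on. Treat the concatenation order and the digest name table as assumptions to confirm against your version; the sample password and salt are constructed.

```python
"""Added example: the salted-digest form Carbon's JDBC user store writes to UM_USER.

Not WSO2's code. Assumption from my reading of the Carbon JDBC user store
manager: with StoreSaltedPassword enabled the stored value is
Base64(digest(UTF-8(password + UM_SALT_VALUE))) using the PasswordDigest
algorithm; check against your version before relying on it.
"""
import base64
import hashlib
import hmac
import secrets
import string

# PasswordDigest names the answer says are supported out of the box (SHA-1/SHA-2),
# mapped to hashlib constructor names (assumed mapping).
DIGESTS = {"SHA": "sha1", "SHA-1": "sha1", "SHA-256": "sha256",
           "SHA-384": "sha384", "SHA-512": "sha512"}


def generate_salt(length=16):
    """Per-user random salt, the role UM_SALT_VALUE plays (constructed here)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def carbon_digest(password, salt, algorithm="SHA-256"):
    """Digest password+salt and Base64-encode it, as the user store stores it.

    A salt of None reproduces the unsalted form (StoreSaltedPassword=false).
    """
    if algorithm not in DIGESTS:
        raise ValueError(f"unsupported PasswordDigest: {algorithm}")
    h = hashlib.new(DIGESTS[algorithm])
    h.update((password + (salt or "")).encode("utf-8"))
    return base64.b64encode(h.digest()).decode("ascii")


def verify(password, stored_digest, salt, algorithm="SHA-256"):
    """Constant-time comparison against the stored password column of UM_USER."""
    return hmac.compare_digest(carbon_digest(password, salt, algorithm), stored_digest)


def hashes_migratable(source_scheme):
    """True if hashes from another store are in a digest family the default
    user store understands and can be copied along with their salts; anything
    else (bcrypt, PBKDF2, ...) needs re-hashing through the API or a custom
    user store manager, as the answer above notes."""
    return source_scheme.upper() in DIGESTS


if __name__ == "__main__":
    salt = generate_salt()
    stored = carbon_digest("CorrectHorse-42!", salt)
    print("UM_SALT_VALUE =", salt)
    print("stored digest =", stored)
    print("verify:", verify("CorrectHorse-42!", stored, salt))
    for scheme in ("SHA-256", "bcrypt"):
        print(scheme, "migratable:", hashes_migratable(scheme))
```

The salt is what makes two users with the same password store different digests, which is why a migration that copies password columns must copy UM_SALT_VALUE alongside them, and why a source store hashed under a scheme outside this table cannot be migrated at the database level at all.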