WSO2 -> Active Directory -> user - role mapping - wso2

I use WSO2 5.0.0 as IdP and the user store is an Active Directory (AD). User and Roles are listed in WSO2 Management console and I'am also being able to login in WSO2 with User/PW stored in AD.
Therefore everything works fine.
The only problem I have is that if I request roles of users (e.g. over RemoteUserStoreManagement- WebService with method getUserClaimValues) than I get the WSO2 roles and not the Active Directory Roles assigned to the users in the AD. Also only the WSO2- Roles are mapped to users in WSO2.
Actually I have only basic knowledge in AD (I haven't adjust the current connection between WSO2 and AD) - therefore I have no idea where I should have a look at in order to resolve this problem.
Has anybody a hint concerning this issue (user-mgt.xml or WSO2 console or ...)
Thanks a lot for help!

So, you need to retrieve the roles of the user? According what you have mentioned, Please do following to resolve this issue.
Please add following attributes under user store manager configuration in user-mgt.xml file, if there are not with the configuration.
<Property name="BackLinksEnabled">true</Property>
<Property name="MemberOfAttribute">memberOf</Property>
Please restart the server and verify.
Please enable the debug logs in the user kernel and verify where is the issue has been generated.
To enable logs,
Locate log4j.properties file which can be found at /repository/conf directory.
Add following entry in to the file
log4j.logger.org.wso2.carbon.identity.sso.saml=DEBUG
Restart the server and try to invoke the server. You would see LDAP related logs where it would help to identify the issue.

Related

Adding a Password Recovery option to WSO2 sign-in

I was wondering if there is an option for users who want to use the store but have forgotten their password
Currently the WSO2 sign-in page looks like this:
I have set the following in < APIM_HOME >/repository/conf/identity/identity­-mgt.properties:
Identity.Listener.Enable=true
Notification.Sending.Enable=true
Notification.Expire.Time=3
Notification.Sending.Internally.Managed=true
UserAccount.Recovery.Enable=true
Captcha.Verification.Internally.Managed=true
I'm assuming the email settings for the same are in < APIM_HOME >/repository/conf/email/email-admin-config.xml
Anyhow, after applying the above settings and restarting the server, the sign-in page remained the same.
Is there some configuration to enable an option on the sign-in page (eg. Forgot password/Reset password)?
Also, are there any additional settings that need to be configured for it to work as expected?
API Manager Store/Publisher UIs do not support this out-of-the-box. But you can achieve this with WSO2 Identity server. (You can use the same identity server, as key manager node of the APIM setup)
Please refer to IS docs. A sample webapp also available here.

WSO2 MB an exception after admin psw change

I tried to make a production set up (WSO2 MB 3.1.0 and WSO2 ESB 4.9.0) on the same VM.
in order to secure my production environment I changed the default admin psw for the admin user to more secure one. At the same time I created a new MB user (ESB) which I used as "a technical user" in ESB jndi.properties
when I restarted my server I started receiving the following exception in the ESB which tried to connect to the MB:
[2016-10-07 16:47:31,427] ERROR - AMQStateManager Notifying Waiters([org.wso2.andes.client.state.StateWaiter#654a6148]) for error:not allowed
[2016-10-07 16:47:31,427] INFO - AMQConnection Unable to connect to broker at tcp://localhost:5673
org.wso2.andes.client.AMQAuthenticationException: not allowed [error code 530: not allowed]
at org.wso2.andes.client.handler.ConnectionCloseMethodHandler.methodReceived(ConnectionCloseMethodHandler.java:79)
at org.wso2.andes.client.handler.ClientMethodDispatcherImpl.dispatchConnectionClose(ClientMethodDispatcherImpl.java:192)
at org.wso2.andes.framing.amqp_0_91.ConnectionCloseBodyImpl.execute(ConnectionCloseBodyImpl.java:140)
at org.wso2.andes.client.state.AMQStateManager.methodReceived(AMQStateManager.java:111)
at org.wso2.andes.client.protocol.AMQProtocolHandler.methodBodyReceived(AMQProtocolHandler.java:517)
I back-traced the problem to the change of the ADMIN psw. When I set it back to the default ADMIN:ADMIN all is working again fine.
any idea why? apparently the psw is not changed on all the places
I followed this article https://docs.wso2.com/display/MB220/Changing+User+Passwords
my configuration xmls does not contain the admin psw however.
thank you very much in advance.
AFAIU, Following are the steps you have followed.
Changed MB default username/password.
Created new user("a technical user") in MB and add these username/password in ESB "jndi.properties" file.
Restarted servers and ESB start throwing auth exceptions.
Things would have gone wrong(at least what I can think of) is as follows :
Somehow you have entered spaces in middle of the username "a technical user"(even it's validated in MB management console)
Solution : Don't use spaces in of usernames.
Even you have created a new user in MB(and added it correctly in jndi.properties file in ESB) you haven't assigned a role which have permission to subscribe to a topic/queue. (This is what most likely you have messed up :))
If you haven't assigned a role which has subscribe permissions to queues/topics ESB won't be able to subscribe with given credentials during transport startup which leads to authentication exceptions.
MB has a role based permission model and if you haven't assigned a user to a role with sufficient permissions user won't be able to authenticate to MB. To verify this theory you can assign "admin" role to newly created user from MB management console under("
Home > Configure > Accounts & Credentials > Users and Roles > Users") and restart ESB server.
Please go through following documentations[1] carefully for more permission/users/user roles related information.
[1]
https://docs.wso2.com/display/MB310/Managing+Queues
https://docs.wso2.com/display/MB310/Configuring+Users
https://docs.wso2.com/display/MB310/Role-Based+Permissions

WSO2 4.5 Identity Management Server - Can't write users to external LDAP

We have an issue with WSO2 Identity Server Version 4.5.0 where we have swapped out the default embedded Apache DS and replaced it with OID (Oracle Internet Directory).
We have updated the user-mgt.xml and other configuration files the way we think they should be.
However, we cannot write users/roles back to LDAP from WSO2.
We can write create users/roles directly in LDAP when logged in through Directory Studio.
We can view users/roles in WSO2.
We can also delete a user in WSO2.
We have gone through the user docs on configuring the user store: https://docs.wso2.org/display/IS450/Configuring+Primary+User+Stores#ConfiguringPrimaryUserStores(Carbon4.2.0v2)-ConfiguringanexternalLDAPorActiveDirectoryuserstore
It is only the writing to LDAP through WSO2 that is not working so it must be a WSO2 configuration issue. I have the UserStoreManager configured to ReadWriteLDAPUserStoreManager
Again - reading, and deleting works fine through WSO2.
Does anyone have any ideas/suggestions on where to look to solve this problem?
We discovered the problem. We switched out the default LDAP for an external LDAP but the schema definitions were off a bit and we had SCIM enabled in user-mgt.xml.
There's a good explanation here:
http://sureshatt.blogspot.com/2013/06/scim-user-provisioning-with-wso2.html

WSO2 IS - Active Directory Login - Not working correctly

I have attached my Active Directory as a secondary user store and can see the list of users when i select "Users" however when accessing an APP through tomcat that is linked to SAML SSO i cannot login using an AD Account
can anyone suggest what i am missing?
the error in the system logs is
TID[-1234] [IS] [2014-02-13 13:49:02,321] DEBUG {org.wso2.carbon.identity.application.authenticator.basicauth.BasicAuthenticator} - user authentication failed due to invalid credentials.
however my login credentials are correct...
Because i was using email address as a login that was causing the issue!
the steps i took are as follows:
IS_HOME/repository/conf/carbon.xml file.
Open carbon.xml
Locate EnableEmailUserName element and uncomment it.
Finally, it should be similar to the following
true
Now, restart IS
You should be able to login using your user name
Could you check whether you can login to WSO2 management console using above credentials. If you can not, please go to Management Console -> Configure -> Users and Roles -> Roles and you can see the internal\everyone role. And configure "login" permission for everyone role. Then please try to login...
Also, if you enable the debug logs in org.wso2.carbon.user.core, you can see more debug logs about authentication failure.
I think your configuration is not ok.same login issue already solved here.cannot login to wso2 Identity server with the ldap credentials.
Make sure UserDNPattern property is correct

Configuring Single Sign-On Across Stratos

I have a situation where I need to setup a standalone version of wso2 Identity Server and have that act as the SSO provider into all of the products in Stratos.
Currently I have Stratos Identity Server configured so that I can login via the standalone Identity Server, using admin.
However, if I use another user I either
get a "Authorization Failure"
or cannot login.
First Question
1) I have the same user created in both Identity Server (that is not admin). Why would I get the "Authorization Failure" ?
Second Question
2) Why is it I can not even get to the "Authorization Failure" problem if I have a user created with username in format of user#domain.com ?
UPDATE:
I figured out that if I remove the property tags in user-mgt.xml that reference the usernames with regular expressions I am able to create usernames in the format of name#domain.com. But I am still unable to use that username to login, the error log says that the account has not been activated.
I also created two instances of wso2 identity server and configured them in such a way to test being able to use one to login to the other. I was able to do this by making sure that the same username and password was in both servers list of users. This way I do not get the "Authorization Failure"
The answers I came up with.
1. I need to have the same username and password in each Identity Server.
2. I cannot have format name#domain.com unless I have Multi-tenancy configured. Otherwise wso2 will try to find the ACTIVATE field in the Tenant table and not find it.
UPDATE: I got this installed and configured and it turned out that I now get another error about
Issuer details are not valid. Issuer details should be registered in advance
So my answer turned out not to to be valid.
I wonder why I get this new login failure?
UPDATE RESOLVED!!:
I resolved this problem by downloading just the wso2 stratos IS 1.5.2 package. I installed it. Configured with same configuration I was using before. Now I can login without problems across domains.