From Carbon 3.2.0 onwards we have an embeded LDAP user store which is accessible via port 10389 in default settings. The server also configurable to use LDAP to connect to an external user store. If we need this user store to be secured and confidential it need to be configured to connect via LDAPS.
In this post I will be demonstrating how to connect WSO2 G-REg 4.0.0 to an external user store which will be accessed via secured transport (where the tracffic is transmitted via secured transport).
As pre-requisites we will need WSO2 G-REG 4.0.0 installation which you can download from here. Also we need Apache Directory Server which, we will be using as the LDAP server. You should also have JDK 1.5 or above installed.
With pre-requisites ready, we simply have to follow the steps given below.
Step 1:
Firstly you need to install WSO2 G-Reg 4.0.0 which can be downloaded from here. Extract the .zip file to a location of your preference.
Step 2:
As I mentioned earlier also WSO2 G-Reg is already configured with an internal LDAP user store. In order to connect to an external user store we need to disconnet the existing connection. To achieve this we need to uncomment settings from usermgmt.xml and embedded-ldap.xml. These files reside in GREG_HOME/repository/conf folder.
Lets do these changes like this.
in usermgt.xml comment the default user store manager configuration which is given like below.
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ApacheDSUserStoreManager">
<Property name="ReadOnly">false</Property>
<Property name="ConnectionURL">ldap://localhost:${Ports.EmbeddedLDAP.LDAPServerPort}</Property>
<Property name="ConnectionName">uid=admin,ou=system</Property>
<Property name="ConnectionPassword">admin</Property>
<Property name="passwordHashMethod">SHA</Property>
<Property name="UserNameListFilter">(objectClass=person)</Property>
<Property name="UserEntryObjectClass">wso2Person</Property>
<Property name="UserSearchBase">ou=Users,dc=wso2,dc=org</Property>
<Property name="UserNameSearchFilter">(&(objectClass=person)(uid=?))</Property>
<Property name="UserNameAttribute">uid</Property>
<Property name="PasswordJavaScriptRegEx">[\\S]{5,30}</Property>
<Property name="UsernameJavaScriptRegEx">[\\S]{3,30}</Property>
<Property name="UsernameJavaRegEx">^[^~!@#$;%^*+={}\\|\\\\<>]{3,30}$</Property>
<Property name="RolenameJavaScriptRegEx">[\\S]{3,30}</Property>
<Property name="RolenameJavaRegEx">^[^~!@#$;%^*+={}\\|\\\\<>]{3,30}$</Property>
<Property name="ReadLDAPGroups">true</Property>
<Property name="WriteLDAPGroups">true</Property>
<Property name="EmptyRolesAllowed">true</Property>
<Property name="GroupSearchBase">ou=Groups,dc=wso2,dc=org</Property>
<Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property>
<Property name="GroupEntryObjectClass">groupOfNames</Property>
<Property name="GroupNameSearchFilter">(&(objectClass=groupOfNames)(cn=?))</Property>
<Property name="GroupNameAttribute">cn</Property>
<Property name="MembershipAttribute">member</Property>
</UserStoreManager>
In embedded-ldap.xml you need to set "enabled" property in "EmbeddedLDAP" to false.
<Property name="enable">true</Property>
Step 3:
Now we need to enable configurations for the externanal LDAP server. But lets wait until we configure our user store as we still don't have those details with us.
Step 4:
Now we need to install Apache Directry Studio. You can download the .zip ditribution, unzip and use it. The other choice is to use the binary installer. In my case I used the binary installer. I was taken through an installation wizard which prompted me to set locations for the inatalltion, instances and where to keep the startup, who is the default user etc.
Step 5:
Lets enable SSL in ADS. you need to navigate to ADS_INSTANCE_HOME/default/conf/ and open server.xml. Here search for 'tcpTransport address' and check if SSL is enabled. It is enabled by default. If not you need to update with this.
Step 6:
In this setup I am going to use a signed certificate to use in our LDAPS communitcation. I will be using keytool to generate the required keystore and certificates.
Since am going have my LDAP server setup with an SSL server certificate, I must obtain a signed certificate for the server. To achieve this I will be using java keytool and create a self signed certificate (a public/private key pair).
keytool -genkey -alias carbon_server -keyalg RSA -keystore carbon_server.jks -storepass xxxxxx -validity 730
What is your first and last name?
[Unknown]: Yumani Ranaweera
What is the name of your organizational unit?
[Unknown]: QA
What is the name of your organization?
[Unknown]: WSO2
What is the name of your City or Locality?
[Unknown]: Colombo
What is the name of your State or Province?
[Unknown]: Western
What is the two-letter country code for this unit?
[Unknown]: SL
Is CN=Yumani Ranaweera, OU=QA, O=WSO2, L=Colombo, ST=Western, C=SL correct?
[no]: yes
Enter key password for <carbon_server>
(RETURN if same as keystore password):
Re-enter new password:
Step 7:
After this we need to update the LDAP server (apacheDS) configuration to use our keystore files. to do this navigate to ADS_INSTANCE_HOME/default/conf/ and open server.xml. Update "keystoreFile" in following segment;
<ldapServer id="ldapServer"
allowAnonymousAccess="false"
saslHost="ldap.example.com"
saslPrincipal="ldap/ldap.example.com@EXAMPLE.COM"
searchBaseDn="ou=users,ou=system"
maxTimeLimit="15000"
maxSizeLimit="1000"
keystoreFile="/home/yumani/software/LDAP/apacheds-1.5.7_new/external_keystore/carbon_server.jks"
certificatePassword="secret">
After this restart Apache DS server. In my case will restart it via /etc/init.d (/etc/init.d/ldap restart;)
After the restart we can verify the connections using an LDAP browser. Lets use ApacheDirectoryStudio-linux-x86_64-1.5.2.v20091211.
Step 8:
WSO2 Carbon based products use Java Secure Socket Extension (JSSE) for SSL support. So we need to upgrade JAVA_HOME/jre/lib/security with JSSE provider.
To ensure G-Reg trusts the certificate used by the LDAP server we must install them in G-REGs trust store. So lets export the certificate using keystore.
keytool -export -keystore carbon_server.jks -alias carbon_server -file carbon_server.cer
Enter keystore password:
Certificate stored in file <carbon_server.cer>
Then lets import this certificate to G-Reg's trust store like this:
keytool -import -file carbon_server.cer -alias carbon_server -keystore /home/yumani/Documents/support/320/JPMDEVSPRT-31/wso2greg-4.0.0/repository/resources/security/client-truststore.jks -storepass wso2carbon
Owner: CN=yumani, OU=qa, O=wso2, L=col, ST=western, C=sl
Issuer: CN=yumani, OU=qa, O=wso2, L=col, ST=western, C=sl
Serial number: 4eba06d3
Valid from: Wed Nov 09 10:21:31 IST 2011 until: Tue Feb 07 10:21:31 IST 2012
Certificate fingerprints:
MD5: EB:23:58:74:3B:6A:1B:CC:26:D8:84:AE:D3:A5:AC:4D
SHA1: 7F:73:3C:5B:BA:0B:B8:47:69:1E:12:5C:47:EB:D0:E9:C3:08:2E:AB
Signature algorithm name: SHA1withRSA
Version: 3
Trust this certificate? [no]: yes
Certificate was added to keystore
Step 9:
Now that we have configured the LDAP server we need to setup and add user entries to the directory server. The guide (http://fusesource.com/docs/broker/5.3/security/LDAP-AddUserEntries.html) will show you how to complete this task.
Step 10:
Once the user store is setup we need to configure user manager in WSO2 G-Reg to connnect to it. This is how you do that:
Enable following block in G-REG_HOME/repository/conf/usermgt.xml.
<!--UserStoreManager class="org.wso2.carbon.user.core.ldap.ApacheDSUserStoreManager">
<Property name="ReadOnly">false</Property>
<Property name="ConnectionURL">ldap://localhost:10389</Property>
<Property name="ConnectionName">uid=admin,ou=system</Property>
<Property name="ConnectionPassword">secret</Property>
<Property name="passwordHashMethod">SHA</Property>
<Property name="UserNameListFilter">(objectClass=person)</Property>
<Property name="UserEntryObjectClass">inetOrgPerson</Property>
<Property name="UserSearchBase">ou=system</Property>
<Property name="UserNameSearchFilter">(&(objectClass=person)(uid=?))</Property>
<Property name="UserNameAttribute">uid</Property>
<Property name="PasswordJavaScriptRegEx">[\\S]{5,30}</Property>
<Property name="ReadLDAPGroups">true</Property>
<Property name="WriteLDAPGroups">true</Property>
<Property name="EmptyRolesAllowed">false</Property>
<Property name="GroupSearchBase">ou=system</Property>
<Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property>
<Property name="GroupEntryObjectClass">groupOfNames</Property>
<Property name="GroupNameSearchFilter">(&(objectClass=groupOfNames)(cn=?))</Property>
<Property name="GroupNameAttribute">cn</Property>
<Property name="MembershipAttribute">member</Property>
</UserStoreManager-->
If you had user store configured as [1] you will need to update "UserSearchBase" property to include ou=users as well:
<Property name="UserSearchBase">ou=users,ou=system</Property>
Final step:
Alright we have everything set, lets start WSO2 G-Reg server and acces the user store.
Start carbon server as below;
wso2server.sh -Djavax.net.ssl.trustStore=/path/to/carbon/repository/resources/security/client-truststore.jks -Djavax.net.ssl.trustStorePassword=wso2carbon
Access G-Reg admin console from https://localhost:9443/
Login to the server using admin credentials (admin/admin) as specified in usermgmt.xml
You may navigate to Configure > Users and Roles > Users and see that the user store is connected!!!