Configure a Read-write Active Directory User store
Tip
For Read-only Active Directory user store manager configuration, use read-only LDAP user store manager configuration properties.
Refer to Properties for a read-write Active Directory user store to find the properties that are supported for read-write Active Directory user stores. Below is a sample with the minimum configurations and properties needed to change the primary user store to a read-write Active Directory user store.
[user_store]
type = "active_directory_unique_id"
base_dn = "dc=wso2,dc=org"
connection_url = "ldaps://10.100.1.102:639"
connection_name = "cn=admin,ou=system"
connection_password = "admin"
Note
It is recommended to use the whenCreated and whenChanged operational attributes for
created and modified attributes. Therefore, add the following to the deployment.toml file.
[user_store]
timestamp_attributes = "whenCreated,whenChanged"
immutable_attributes = "objectGuid,whenCreated,whenChanged"
Warning
If there are more immutable attributes, you need to add them to the immutable_attributes property.
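The following is an added example, not part of the WSO2 documentation or product: a small checker for the [user_store] section shown above. It parses only the flat `[section]` / `key = "value"` subset of TOML that the fragments on this page use (no general TOML support, so it needs no third-party library) and verifies the points the page makes: the AD-specific store type, an `ldaps://` connection URL so the bind password is not sent in clear text, `whenCreated`/`whenChanged` as timestamp attributes, and those attributes plus `objectGuid` listed as immutable. The sample configuration is constructed from the two fragments above.

```python
"""Added example (not part of the WSO2 documentation): lint the [user_store]
section of deployment.toml against the settings described on this page.
Only the flat `[section]` + `key = "value"` subset of TOML is parsed."""
import re

# Constructed sample, combining the two deployment.toml fragments from the page.
SAMPLE_TOML = '''
[user_store]
type = "active_directory_unique_id"
base_dn = "dc=wso2,dc=org"
connection_url = "ldaps://10.100.1.102:639"
connection_name = "cn=admin,ou=system"
connection_password = "admin"
timestamp_attributes = "whenCreated,whenChanged"
immutable_attributes = "objectGuid,whenCreated,whenChanged"
'''

_SECTION = re.compile(r'^\[(?P<name>[^\]]+)\]\s*$')
_KEYVAL = re.compile(r'^(?P<key>[A-Za-z0-9_.-]+)\s*=\s*"(?P<val>[^"]*)"\s*$')


def parse_flat_toml(text):
    """Parse the `[section]` + quoted-string key/value subset into nested dicts."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = _SECTION.match(line)
        if m:
            current = sections.setdefault(m.group('name'), {})
            continue
        m = _KEYVAL.match(line)
        if not m or current is None:
            raise ValueError(f'unsupported line for this minimal parser: {raw!r}')
        current[m.group('key')] = m.group('val')
    return sections


def _csv(value):
    """Split a comma-separated property value into a set of attribute names."""
    return {item.strip() for item in value.split(',') if item.strip()}


def check_user_store(config):
    """Return a list of findings; an empty list means every check passed."""
    store = config.get('user_store', {})
    findings = []
    for key in ('type', 'base_dn', 'connection_url', 'connection_name', 'connection_password'):
        if key not in store:
            findings.append(f'missing required property: {key}')
    if store.get('type') != 'active_directory_unique_id':
        findings.append('type should be "active_directory_unique_id" for a read-write AD store')
    # The bind credentials travel over this connection, so require LDAP over TLS.
    if not store.get('connection_url', '').lower().startswith('ldaps://'):
        findings.append('connection_url should use ldaps:// so the bind password is not sent in clear text')
    timestamps = _csv(store.get('timestamp_attributes', ''))
    immutable = _csv(store.get('immutable_attributes', ''))
    if timestamps != {'whenCreated', 'whenChanged'}:
        findings.append('timestamp_attributes should be "whenCreated,whenChanged"')
    # The page lists objectGuid and the timestamp attributes as immutable.
    for attr in ('objectGuid', *sorted(timestamps)):
        if attr not in immutable:
            findings.append(f'{attr} should be listed in immutable_attributes')
    return findings


if __name__ == '__main__':
    for finding in check_user_store(parse_flat_toml(SAMPLE_TOML)) or ['OK']:
        print(finding)
```

Point `parse_flat_toml` at the contents of your own deployment.toml only if the [user_store] section uses plain quoted strings; any other TOML syntax raises a `ValueError` rather than being silently skipped.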
In addition to the above, please make sure that you import the Active Directory user store public certificate to the
WSO2 Identity Server’s client trust store. To perform this, you need to navigate to the
<IS_HOME>/repository/resources/security directory and execute the following command to import the certificate to
client-truststore of WSO2 Identity Server.
keytool -import -alias certalias -file <certificate>.pem -keystore client-truststore.p12 -storetype PKCS12 -storepass wso2carbon
Note
wso2carbon is the keystore password of the default client-truststore.p12 file of WSO2 Identity Server.
Furthermore, please make sure to follow the steps mentioned in Configure Active Directory User stores for SCIM 2.0 based Inbound Provisioning, since SCIM is enabled by default from WSO2 Identity Server 5.10.0 onwards.
Initial configuration for new servers
If you are configuring a server that has not been started yet, you need to update the claim mappings in
<carbon_home>/repository/conf/claim-config.xml.
Note
Following are some of the mandatory claims that you need to map with the user store attributes:
http://wso2.org/claims/username
http://wso2.org/claims/userid
http://wso2.org/claims/created
http://wso2.org/claims/modified
http://wso2.org/claims/emailAddresses
http://wso2.org/claims/verifiedAddresses
http://wso2.org/claims/mobileNumbers
http://wso2.org/claims/verifiedMobileNumbers
For created and modified claims, it is recommended to use the whenCreated and whenChanged
operational attributes.
For username and userid claims, the Username Attribute and User ID Attribute properties configured in the User Store configuration should be used to ensure proper user authentication.
Updating configuration for existing servers
Warning
Changing the primary user store of a production server can have a significant impact on the users and the applications that are using the system. Therefore, it is recommended to have a scheduled maintenance window to perform this task.
Before you change deployment.toml with the above configurations, you need to change the attribute mappings for the
PRIMARY user store by navigating to the User Attributes & Stores > Attributes section of the console. After
updating the mappings, shut down the server, update the deployment.toml file, and restart the server to apply the
configurations.
Note
Following are some of the mandatory claims that you need to map with the user store attributes:
http://wso2.org/claims/username
http://wso2.org/claims/userid
http://wso2.org/claims/created
http://wso2.org/claims/modified
http://wso2.org/claims/emailAddresses
http://wso2.org/claims/verifiedAddresses
http://wso2.org/claims/mobileNumbers
http://wso2.org/claims/verifiedMobileNumbers
Refer to Update Attributes to learn more about updating attribute mappings. For the created and modified claims, it is recommended to use the
whenCreated and whenChanged operational attributes.
For username and userid claims, the Username Attribute and User ID Attribute properties configured in the User Store configuration should be used to ensure proper user authentication.
Ensure that multiple email addresses and mobile numbers attributes are properly configured by following the instructions in the Assign multiple email addresses and mobile numbers to a user section.
Warning
If you have more than one tenant, you need to change the claim mappings for each tenant before adding the
new configurations to the deployment.toml file.
If you are planning to create new tenants in the future, you also need to update the claim mappings in
<carbon_home>/repository/conf/claim-config.xml.
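The following is an added example, not part of the WSO2 documentation or product, covering the mandatory claim mappings required in both the "Initial configuration for new servers" and "Updating configuration for existing servers" sections above. It reads a claim-config.xml-style file and reports any mandatory claim with no attribute mapping, a created/modified claim not mapped to whenCreated/whenChanged, and a username/userid claim whose attribute differs from the user store's Username Attribute and User ID Attribute. The element names (Claims, Dialect, Claim, ClaimURI, AttributeID) are an assumption about the file's layout; the sample XML and the attribute values in it are constructed for this example, and the deployment.toml key names for the two identity attributes are not on this page, so they are passed in as arguments.

```python
"""Added example (not from the WSO2 documentation): check that a claim-config.xml
maps every mandatory claim named on this page. The XML element names used here
are an assumption about the file's layout; adjust them to match your installation."""
import xml.etree.ElementTree as ET

MANDATORY_CLAIMS = (
    'http://wso2.org/claims/username',
    'http://wso2.org/claims/userid',
    'http://wso2.org/claims/created',
    'http://wso2.org/claims/modified',
    'http://wso2.org/claims/emailAddresses',
    'http://wso2.org/claims/verifiedAddresses',
    'http://wso2.org/claims/mobileNumbers',
    'http://wso2.org/claims/verifiedMobileNumbers',
)
# Operational attributes the page recommends for the created/modified claims.
RECOMMENDED = {
    'http://wso2.org/claims/created': 'whenCreated',
    'http://wso2.org/claims/modified': 'whenChanged',
}

# Constructed sample in the assumed layout. mobileNumbers is deliberately left
# unmapped and modified is mapped to a non-recommended attribute.
SAMPLE_XML = """<Claims>
  <Dialect dialectURI="http://wso2.org/claims">
    <Claim><ClaimURI>http://wso2.org/claims/username</ClaimURI><AttributeID>cn</AttributeID></Claim>
    <Claim><ClaimURI>http://wso2.org/claims/userid</ClaimURI><AttributeID>objectGuid</AttributeID></Claim>
    <Claim><ClaimURI>http://wso2.org/claims/created</ClaimURI><AttributeID>whenCreated</AttributeID></Claim>
    <Claim><ClaimURI>http://wso2.org/claims/modified</ClaimURI><AttributeID>modifyTimestamp</AttributeID></Claim>
    <Claim><ClaimURI>http://wso2.org/claims/emailAddresses</ClaimURI><AttributeID>mail</AttributeID></Claim>
    <Claim><ClaimURI>http://wso2.org/claims/verifiedAddresses</ClaimURI><AttributeID>verifiedMail</AttributeID></Claim>
    <Claim><ClaimURI>http://wso2.org/claims/mobileNumbers</ClaimURI><AttributeID></AttributeID></Claim>
    <Claim><ClaimURI>http://wso2.org/claims/verifiedMobileNumbers</ClaimURI><AttributeID>verifiedMobile</AttributeID></Claim>
  </Dialect>
</Claims>
"""


def load_mappings(xml_text, dialect='http://wso2.org/claims'):
    """Return {claim URI: attribute id} for one dialect; an unmapped claim yields ''."""
    root = ET.fromstring(xml_text)
    mappings = {}
    for dialect_el in root.iter('Dialect'):
        if dialect_el.get('dialectURI') != dialect:
            continue
        for claim in dialect_el.iter('Claim'):
            uri = (claim.findtext('ClaimURI') or '').strip()
            attr = (claim.findtext('AttributeID') or '').strip()
            if uri:
                mappings[uri] = attr
    return mappings


def check_claims(mappings, username_attribute, user_id_attribute):
    """Findings for unmapped mandatory claims, non-recommended timestamp
    attributes, and username/userid claims that disagree with the user store."""
    findings = []
    for uri in MANDATORY_CLAIMS:
        if not mappings.get(uri):
            findings.append(f'mandatory claim has no attribute mapping: {uri}')
    for uri, attr in RECOMMENDED.items():
        if mappings.get(uri) and mappings[uri] != attr:
            findings.append(f'{uri} is mapped to {mappings[uri]}; {attr} is recommended')
    # username/userid must agree with the user store's own attribute settings,
    # otherwise lookups by name and by id resolve against different LDAP attributes.
    expected = {
        'http://wso2.org/claims/username': username_attribute,
        'http://wso2.org/claims/userid': user_id_attribute,
    }
    for uri, attr in expected.items():
        if mappings.get(uri) and mappings[uri] != attr:
            findings.append(f'{uri} maps to {mappings[uri]} but the user store uses {attr}')
    return findings


if __name__ == '__main__':
    # 'cn' and 'objectGuid' stand in for the user store's Username Attribute
    # and User ID Attribute values; substitute your own.
    for finding in check_claims(load_mappings(SAMPLE_XML), 'cn', 'objectGuid') or ['OK']:
        print(finding)
```

Run the check once per tenant when more than one tenant exists, since the warning above notes that each tenant's claim mappings must be changed separately.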
Configure tenant manager
Configure the tenant manager to use CommonHybridLDAPTenantManager. Make sure to configure the RootPartition property,
as it determines the root of the LDAP tree.