Monday, November 12, 2012

Multiple user store manager feature with WSO2 Identity Server 4.0.0

This is powerful feature which is shipped with WSO2 Identity Server 4.0.0 release. With that feature, you are able to configure more than one user store with WSO2 Identity Server. User stores can be LDAP, JDBC or AD or combination of different user stores. Also it can be configured both read/write and read only modes.

I am going to use this feature to configure  LDAP with multiple OU (Organization Units) Where each OU is treated as different user store. There are some scenario where we want to treat OU as a separate user store by WSO2 Identity Server. As an example,  we want to connect different OUs, to WSO2 Identity Server with read-write mode and user must be created in a defined OU. 

First let assume our exiting LDAP structure as following....  where we have  three OU under the "" domain (i.e dc=pathberiya, dc=com).  Each OU contains users and these users are assign to roles, i.e under the "" domain.  Also there are users who are under the "" domain. 

Step1.  Identify different OUs that must be connected with WSO2 Identity Server.  in above sample,  it would be 


Step2.  Creating user store configurations for each OU.  As each OU is treated as a user store,  So we need to create separate user store manager configurations and configure them in the user-mgt.xml file which can be found at <IS_HOME>/repository/conf directory.

(i) WSO2 Identity server identify each user store using a domain name. lets assign domain names for each OU. (any name what you prefer)

dc=pathberiya,dc=com,ou=system        ========== >
ou=users,ou=it,dc=pathberiya,dc=com,ou=system              ======= >
ou=users,ou=sales,dc=pathberiya,dc=com,ou=system         ======= >
ou=users,ou=marketing,dc=pathberiya,dc=com,ou=system  ======= > 

Please note in  "" domain,  all users in the four OUs can be seen.

(ii) We need to identify one user store as the primary user store.  Primary user store must be configured as the first user store configuration in the user-mgt.xml file. Let see what are the functions of primary user store.
  • If domain name is not defined for user,  then user is 1st authenticated with primary user store, If it is not successful,  then user is authenticated with other user store according to the order that has been configured in user-mgt.xml file.
  • User Management UI of the WSO2 Identity server is loaded from this user store. Basically User Management UI does not show users of other user store.
So as all users are defined for  "" domain,  we set this domain as primary user store.

(iii) Then lets identify role search based for WSO2 Identity Server's roles.


(iv) Then we need to identify the admin user and role for WSO2 Identity Server from above user stores (OUs)

let select  user called "adminUser" in primary user store as the admin user for WSO2 Identity Server. And  "admin" role in  ou=roles,dc=pathberiya,dc=com,ou=system as admin role  for WSO2 Identity Server.

lets see our final configuration of the user-mgt.xml file.  Please fine here 

Basically you can create one user store configuration as following and you can create others user store configurations for each OUs  easily by changing  the "UserSearchBase" , "UserDNPattern" and "DomainName" attributes. 

Step3. Start WSO2 Identity Server by running wso2server script file from  <IS_HOME>/bin directory

Step4. Try  authentication and user management function with sample client. (or Soapui ).  Here is the sample code to run user management functions.

Here when authenticating the users,  if the user  (say user called "user1") is in the domain (IT OU), then you need to pass the user name as

When creating user in sales domain (Sales OU), you need to create the user by providing user name as ""

1 comment:

  1. Hi Asela,

    Do you have Any Scinario with wso2Is with Ldap as Delegate Admin like Once Master Ldap UerStore will Control Different UserStore at same time independently