Unable to login with users in Active Directory in wso2 api manager

I've configured the wso2 api manager with an external LDAP, i.e. Microsoft Active Directory. Connectivity is set up and I'm able to see all the users in the WSO2 apim user store which are present in AD. I have the 4 following users in AD

Users : WSo2 Admin, WSO2 User1, WSO2 User2

But I'm able to login with just one user, to which I'm assigning the admin role in the configuration file like the snippet below.

<AdminUser> <UserName>Wso2 Admin</UserName> <Password>abcdef@01</Password> </AdminUser>

Now I'll only be able to login with WSo2 Admin; the same happens for other users: if I assign the admin role in the config file I'll be able to login.

But I want to login with every user which is present in AD, i.e. WSo2 Admin, WSO2 User1, WSO2 User2

Here is my configuration file:

<?xml version="1.0" encoding="UTF-8"?>
<UserManager>
    <Realm>
        <Configuration>
            <AddAdmin>false</AddAdmin>
            <AdminRole>admin</AdminRole>
            <AdminUser>
                <UserName>Wso2 Admin</UserName>
                <Password>abcdef@01</Password>
            </AdminUser>
            <EveryOneRoleName>everyone</EveryOneRoleName>
            <!-- By default users in this role sees the registry root -->
            <Property name="isCascadeDeleteEnabled">true</Property>
            <Property name="initializeNewClaimManager">true</Property>
            <Property name="dataSource">jdbc/WSO2CarbonDB</Property>
        </Configuration>
        <UserStoreManager class="org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager">
            <Property name="TenantManager">org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager</Property>
            <Property name="ConnectionURL">ldap://test.xxxx.com:389</Property> 
            <Property name="ConnectionName">CN=Wso2 Admin,OU=wso2test,DC=test,DC=xxxx,DC=com</Property>
            <Property name="ConnectionPassword">abcdef@01</Property>
            <Property name="AnonymousBind">false</Property>
            <Property name="UserSearchBase">OU=wso2test,DC=test,DC=xxxx,DC=com</Property>
            <Property name="UserEntryObjectClass">user</Property>
            <Property name="UserNameAttribute">cn</Property>
            <Property name="UserNameSearchFilter">(&amp;(objectClass=user)(cn=?))</Property>
            <Property name="UserNameListFilter">(objectClass=user)</Property>
            <Property name="DisplayNameAttribute"/>
            <Property name="ReadGroups">true</Property>
            <Property name="WriteGroups">true</Property>
            <Property name="GroupSearchBase">OU=wso2test,DC=test,DC=xxxx,DC=com</Property>
            <Property name="GroupEntryObjectClass">group</Property>
            <Property name="GroupNameAttribute">cn</Property>
            <Property name="GroupNameSearchFilter">(&amp;(objectClass=group)(cn=?))</Property>
            <Property name="GroupNameListFilter">(objectcategory=group)</Property>
            <Property name="MembershipAttribute">member</Property>
            <Property name="MemberOfAttribute">memberOf</Property>
            <Property name="BackLinksEnabled">true</Property>
            <Property name="Referral">follow</Property>
            <Property name="UsernameJavaRegEx">[a-zA-Z0-9._\-|//]{3,30}$</Property>
            <Property name="UsernameJavaScriptRegEx">^[\S]{3,30}$</Property>
            <Property name="UsernameJavaRegExViolationErrorMsg">Username pattern policy violated</Property>
            <Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property>
            <Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property>
            <Property name="PasswordJavaRegExViolationErrorMsg">Password length should be within 5 to 30 characters</Property>
            <Property name="RolenameJavaRegEx">[a-zA-Z0-9._\-|//]{3,30}$</Property>
            <Property name="RolenameJavaScriptRegEx">^[\S]{3,30}$</Property>
            <Property name="SCIMEnabled">false</Property>
            <Property name="IsBulkImportSupported">true</Property>
            <Property name="EmptyRolesAllowed">true</Property>
            <Property name="PasswordHashMethod">PLAIN_TEXT</Property>
            <Property name="MultiAttributeSeparator">,</Property>
            <Property name="isADLDSRole">false</Property>
            <Property name="userAccountControl">512</Property>
            <Property name="MaxUserNameListLength">100</Property>
            <Property name="MaxRoleNameListLength">100</Property>
            <Property name="MembershipAttributeRange">1500</Property>
            <Property name="kdcEnabled">false</Property>
            <Property name="defaultRealmName">WSO2.ORG</Property>
            <Property name="UserRolesCacheEnabled">true</Property>
            <Property name="ConnectionPoolingEnabled">false</Property>
            <Property name="LDAPConnectionTimeout">5000</Property>
            <Property name="ReadTimeout"/>
            <Property name="RetryAttempts"/>
        </UserStoreManager>

        <AuthorizationManager class="org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager">
            <Property name="AdminRoleManagementPermissions">/permission</Property>
            <Property name="AuthorizationCacheEnabled">true</Property>
            <Property name="GetAllRolesOfUserEnabled">true</Property>
        </AuthorizationManager>
    </Realm>
</UserManager>

Only admins (members of the admin group) are allowed to log in to the administrative console.

If you want any user to log in, you may try to find the role Internal/everyone and add the permission Login to the role.

However, by default the users will only be able to change their password (even that's not true until you use an ldaps connection instead of ldap).
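To make the two points the answer turns on concrete, how the `?` in `UserNameSearchFilter` is filled with a user name when the store looks a user up, and why the `ldap://` URL matters, here is an added Python check that is not from the question, the answer or WSO2 itself. It parses a constructed excerpt of the posted config (host is a placeholder) and applies standard RFC 4515 filter escaping; the `audit` findings are this example's own, not a WSO2 feature.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt of the user-mgt.xml shown in the question; the host is a
# placeholder and no password is included.
USER_MGT_XML = """<UserManager><Realm>
 <Configuration><AddAdmin>false</AddAdmin><AdminRole>admin</AdminRole></Configuration>
 <UserStoreManager class="org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager">
  <Property name="ConnectionURL">ldap://ad.example.invalid:389</Property>
  <Property name="AnonymousBind">false</Property>
  <Property name="UserNameAttribute">cn</Property>
  <Property name="UserNameSearchFilter">(&amp;(objectClass=user)(cn=?))</Property>
 </UserStoreManager>
</Realm></UserManager>"""


def load_user_store(xml_text):
    """Return the UserStoreManager <Property> elements as a name -> value dict."""
    root = ET.fromstring(xml_text)
    usm = root.find("./Realm/UserStoreManager")
    return {p.get("name"): (p.text or "") for p in usm.findall("Property")}


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside an LDAP search filter,
    so a user name such as 'a*b' cannot widen or break the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def build_user_filter(props, username):
    """Fill the '?' placeholder of UserNameSearchFilter with an escaped user name
    (this is the example's own substitution, modelled on the filter's shape)."""
    return props["UserNameSearchFilter"].replace("?", escape_filter_value(username), 1)


def audit(props):
    """Flag settings a defender would want changed before users authenticate
    and change passwords through this store."""
    findings = []
    url = props.get("ConnectionURL", "").lower()
    if not url.startswith("ldaps://"):
        findings.append("ConnectionURL uses plain ldap://: bind credentials and "
                        "password changes are unencrypted; use ldaps://")
    if props.get("AnonymousBind", "false").lower() == "true":
        findings.append("AnonymousBind is enabled")
    return findings


if __name__ == "__main__":
    store = load_user_store(USER_MGT_XML)
    print(build_user_filter(store, "WSO2 User1"))
    for finding in audit(store):
        print("finding:", finding)
```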
