OpenLDAP 作为 Wso2is 5.8.0 的主要外部用户存储设置的问题：添加新用户时获取与 createTimestamp 属性相关的“错误 21”

Question

I have almost the same problem discuss in the question below, but I get error at the claim configuration step :

Unable to setup OpenLDAP as primary user store for wso2is 5.6.0: LDAP Error 65 when adding a new user in management console

I want to setup Wso2is-5.8.0 with OpenLDAP as Primary user store and I use a Docker-Compose file for the deployment.

The connection step between Identity Server and Openldap ended successfuly, I have got all my LDAP user in IS and the admin user has been added to LDAP. Now I'm configuring the claim parameters.

I defined :

urn:ietf:params:scim:schemas:core:2.0:meta.resourceType = http://wso2.org/claims/userType

I get "err=17 text=userType: attribute type undefined" So I defined userType as below:

http://wso2.org/claims/userType = Users (related to the "ou" value in OpenLDAP)

Then I get "err=17 text=createdDate: attribute type undefined" So I defined createdDate as below:

http://wso2.org/claims/created = createTimestamp (as attribute name in OpenLDAP)

And now I get :

5d14d9a9 conn=1168 op=2 ADD dn="uid=usertest,ou=Users,dc=example,dc=org"
5d15dd6e conn=1340 op=2 RESULT tag=105 err=21 text=createTimestamp: value #0 invalid per syntax

I try checking Read only in "Created Time" claim configuration but same error.

Does anyone have a way to solve this problem?

I attached below my user-mgt.xml file.

Thank you in advance

<UserManager>
  <Realm>
    <Configuration>
    <AddAdmin>true</AddAdmin>
    <AdminRole>admin</AdminRole>
    <AdminUser>
        <UserName>admin</UserName>
        <Password>admin</Password>
    </AdminUser>
    <EveryOneRoleName>everyone</EveryOneRoleName>
    <!-- By default users in this role sees the registry root -->
    <!-- Enable username claim retrieve from the UM_USER_NAME in JDBC datasources-->
        <OverrideUsernameClaimFromInternalUsername>true</OverrideUsernameClaimFromInternalUsername>
    <Property name="isCascadeDeleteEnabled">true</Property>
    <Property name="initializeNewClaimManager">true</Property>
    <Property name="dataSource">jdbc/WSO2IdentityDS</Property>
    </Configuration>
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager">
      <Property name="TenantManager">org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager</Property>
      <Property name="ConnectionURL">ldap://192.168.1.10:389</Property>
      <Property name="ConnectionName">cn=admin,dc=example,dc=org</Property>
      <Property name="ConnectionPassword">admin</Property>
      <Property name="AnonymousBind">false</Property>
      <Property name="UserSearchBase">ou=Users,dc=example,dc=org</Property>
      <Property name="UserEntryObjectClass">inetOrgPerson</Property>
      <Property name="UserNameAttribute">uid</Property>
      <Property name="UserNameSearchFilter">(&amp;(objectClass=inetOrgPerson)(uid=?))</Property>
      <Property name="UserNameListFilter">(objectClass=inetOrgPerson)</Property>
      <Property name="DisplayNameAttribute"/>
      <Property name="ReadGroups">true</Property>
      <Property name="WriteGroups">true</Property>
      <Property name="GroupSearchBase">ou=Groups,dc=example,dc=org</Property>
      <Property name="GroupEntryObjectClass">posixGroup</Property>
      <Property name="GroupNameAttribute">cn</Property>
      <Property name="GroupNameSearchFilter">(&amp;(objectClass=posixGroup)(=?))</Property>
      <Property name="GroupNameListFilter">(objectClass=posixGroup)</Property>
      <Property name="MembershipAttribute">memberUid</Property>
      <Property name="BackLinksEnabled">false</Property>
      <Property name="UsernameJavaRegEx">[a-zA-Z0-9._\-|//]{3,30}$</Property>
      <Property name="UsernameJavaScriptRegEx">^[\S]{3,30}$</Property>
      <Property name="UsernameJavaRegExViolationErrorMsg">Username pattern policy violated</Property>
      <Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property>
      <Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property>
      <Property name="PasswordJavaRegExViolationErrorMsg">Password length should be within 5 to 30 characters</Property>
      <Property name="RolenameJavaRegEx">[a-zA-Z0-9._\-|//]{3,30}$</Property>
      <Property name="RolenameJavaScriptRegEx">^[\S]{3,30}$</Property>
      <Property name="SCIMEnabled">true</Property>
      <Property name="IsBulkImportSupported">false</Property>
      <Property name="EmptyRolesAllowed">true</Property>
      <Property name="PasswordHashMethod">PLAIN_TEXT</Property>
      <Property name="MultiAttributeSeparator">,</Property>
      <Property name="MaxUserNameListLength">100</Property>
      <Property name="MaxRoleNameListLength">100</Property>
      <Property name="kdcEnabled">false</Property>
      <Property name="defaultRealmName">WSO2.ORG</Property>
      <Property name="UserRolesCacheEnabled">true</Property>
      <Property name="ConnectionPoolingEnabled">false</Property>
      <Property name="LDAPConnectionTimeout">5000</Property>
      <Property name="ReadTimeout"/>
      <Property name="RetryAttempts"/>
      <Property name="StartTLSEnabled">false</Property>
    </UserStoreManager>
    <AuthorizationManager class="org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager">
      <Property name="AdminRoleManagementPermissions">/permission</Property>
      <Property name="AuthorizationCacheEnabled">true</Property>
      <Property name="GetAllRolesOfUserEnabled">false</Property>
    </AuthorizationManager>
    <UserStoreManager class="org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager">
      <Property name="TenantManager">org.wso2.carbon.user.core.tenant.JDBCTenantManager</Property>
      <Property name="dataSource">jdbc/WSO2UM_DB</Property>
      <Property name="ReadOnly">false</Property>
      <Property name="ReadGroups">true</Property>
      <Property name="WriteGroups">true</Property>
      <Property name="UsernameJavaRegEx">^[\S]{3,30}$</Property>
      <Property name="UsernameJavaScriptRegEx">^[\S]{3,30}$</Property>
      <Property name="UsernameJavaRegExViolationErrorMsg">Username pattern policy violated</Property>
      <Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property>
      <Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property>
      <Property name="PasswordJavaRegExViolationErrorMsg">Password length should be within 5 to 30 characters</Property>
      <Property name="RolenameJavaRegEx">^[\S]{3,30}$</Property>
      <Property name="RolenameJavaScriptRegEx">^[\S]{3,30}$</Property>
      <Property name="CaseInsensitiveUsername">false</Property>
      <Property name="SCIMEnabled">false</Property>
      <Property name="IsBulkImportSupported">false</Property>
      <Property name="PasswordDigest">SHA-256</Property>
      <Property name="StoreSaltedPassword">true</Property>
      <Property name="MultiAttributeSeparator">,</Property>
      <Property name="MaxUserNameListLength">100</Property>
      <Property name="MaxRoleNameListLength">100</Property>
      <Property name="UserRolesCacheEnabled">true</Property>
      <Property name="UserNameUniqueAcrossTenants">false</Property>
      <Property name="LeadingOrTrailingSpaceAllowedInUserName">false</Property>
    </UserStoreManager>
  </Realm>
</UserManager>

Answer 1

Please try like this after restarting,

1. After starting the Identity server go to Home -> Identity -> Claims -> List.

2. Select “urn:ietf:params:scim:schemas:core:2.0” and then click edit on “urn:ietf:params:scim:schemas:core:2.0:meta.resourceType”.

3. For “Mapped Local Claim” select a appropriate claim you would like to map to this. For eg : http://wso2.org/claims/userType and click update.

You can read more on configuring OpenLDAP with WSO2 IS in https://medium.com/@gdrdabarera/how-to-configure-open-ldap-with-wso2-identity-server-5-4-0-3a76bf240001

Answer 2

This resourceType claim is introduced in IS-5.4.0. From this onwards, In WSO2 IS for representing the resourceType we have mapped an LDAP attribute called "ref", but it seems "ref" is an attribute that's reserved in OpenLDAP for referrals. As a workaround for this issue “urn:ietf:params:scim:schemas:core:2.0:meta.resourceType” was mapped to userType claim in this question Unable to setup OpenLDAP as primary user store for wso2is 5.6.0: LDAP Error 65 when adding a new user in management console . This question was asked based on IS 5.6.0 and We were able to observe this issue from IS 5.4.0 onwards.

But this issue was fixed in latest released Identity Server 5.8.0 as a fix for this issue https://github.com/wso2/product-is/issues/4807 . In the latest version, http://wso2.org/claims/resourceType claim is mapped to "resourceType" attribute. You can check this in claim-config.xml file located in the directory /repository/conf/. So you don't need to map the "urn:ietf:params:scim:schemas:core:2.0:meta.resourceType" to any local claims such as " http://wso2.org/claims/userType " claim. Hence no need to change the mapped attribute of resourceType claim.