
WSO2 - ACCESS DIRECTORY SERVICE ERROR & ACTIVE DIRECTORY USERNAMES

I've been setting up WSO2 IS 5.0.0. I created an external read/write LDAP secondary user store to my Windows Server 2012 Active Directory, which is our PDC. We also have a Windows Server 2003 server running Active Directory. We've recently updated, and the users and groups on the 2003 server have been copied over to the 2012 server.

The problem I've noticed with WSO2 is that any user accounts that were created in the 2003 AD server in the past cannot change their passwords when they log in to the WSO2 Carbon site (https://ip address:9443/carbon). When they try to change the password they get this error: "CAN NOT ACCESS THE DIRECTORY SERVICE". Accounts created in the 2012 AD, though (in a specific way; see below for explanation), are able to log in and change their passwords successfully.

Additional information: in our AD servers, a user is displayed as Lastname, Firstname (comma included). An individual's username is the same in each AD server: first initial + last name.

If I create a user in 2012 and have the name displayed as Firstname Lastname (no comma), with the typical username (first initial + last name), the user is able to log into the WSO2 Carbon site and change his password without issue. Any user that has a display name of Last Name, First Name can log in but CANNOT change their password.

Has anybody experienced this issue before? Is there a specific setting I'm missing in the userstore or in AD?

When using external userstores that contain Active Directory user accounts, there are two things you mainly need to be concerned with:

  • Make sure in your user-mgt.xml file to specify the Class for the userstore that ends in "ActiveDirectoryUserStoreManager" -- NOT the "ReadWriteLDAPUserStoreManager"

  • The default value for the UserNameAttribute property is recommended to be set to either "uid" or "cn". However, in Active Directory there is no "uid" attribute. There IS a "cn" attribute, and the user name will populate this attribute as a combination of the first name, a space, then the last name. (This sounds like what you are seeing.) This can also contain the last name, a comma, and the first name, depending on settings in the Active Directory Users and Computers utility.

You want the Identity Server to perform an LDAP search regardless using the user's userid (because this doesn't change regardless of the format of the cn attribute).

In an Active Directory entry, the attribute that contains the userid value is called the "sAMAccountName". The value that you want to use for the UserNameAttribute property for an Active Directory userstore therefore is the attribute "sAMAccountName".

Note: You will want to use this value in the UserNameSearchFilter property also:

<Property name="UserNameAttribute">sAMAccountName</Property>
<Property name="UserNameSearchFilter">(&amp;(objectClass=user)(sAMAccountName=?))</Property>

LDAPS must be enabled to allow users to change their passwords.
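Putting the two answers together, here is an added example (not taken from either answer or from the WSO2 project itself) of a secondary user store block for repository/conf/user-mgt.xml in WSO2 IS 5.0.0 that uses the ActiveDirectoryUserStoreManager class, looks users up by sAMAccountName, and connects over LDAPS. The hostname, port, bind account, password placeholder and base DNs are assumed values and must be replaced with your own.

```xml
<!-- Added example, not from the original answers. Host, bind DN, password and
     base DNs below are assumed placeholders; replace them with your own values. -->
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager">
    <!-- AD only accepts password changes over a secure channel, hence ldaps:// on 636. -->
    <Property name="ConnectionURL">ldaps://ad.example.com:636</Property>
    <Property name="ConnectionName">CN=svc-wso2,OU=Service Accounts,DC=example,DC=com</Property>
    <Property name="ConnectionPassword">CHANGE_ME</Property>
    <Property name="UserSearchBase">OU=Users,DC=example,DC=com</Property>
    <!-- Look users up by sAMAccountName, not cn: cn holds the display name, which may be
         "Lastname, Firstname" or "Firstname Lastname" depending on how the account was created,
         while sAMAccountName is the stable login name (first initial + last name here). -->
    <Property name="UserNameAttribute">sAMAccountName</Property>
    <Property name="UserEntryObjectClass">user</Property>
    <Property name="UserNameSearchFilter">(&amp;(objectClass=user)(sAMAccountName=?))</Property>
    <Property name="UserNameListFilter">(objectClass=user)</Property>
    <!-- Group lookups can keep using cn; group names do not have the display-name problem. -->
    <Property name="GroupSearchBase">OU=Groups,DC=example,DC=com</Property>
    <Property name="GroupNameAttribute">cn</Property>
    <Property name="GroupNameSearchFilter">(&amp;(objectClass=group)(cn=?))</Property>
    <Property name="GroupNameListFilter">(objectcategory=group)</Property>
    <Property name="MembershipAttribute">member</Property>
    <Property name="ReadGroups">true</Property>
    <Property name="WriteGroups">true</Property>
    <Property name="Disabled">false</Property>
</UserStoreManager>
```

For the LDAPS connection to succeed, the AD server's certificate (or its issuing CA) must be imported into repository/resources/security/client-truststore.jks before restarting the server.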
