[Dev] Need info in WSO2 IS UserStoreManager configuration


[Dev] Need info in WSO2 IS UserStoreManager configuration

Udara Liyanage
Hi,

<Property name="UserNameAttribute">cn</Property>
<Property name="UserNameSearchFilter">(&amp;(objectClass=user)(cn=?))</Property>

Above are two parameters we specify for a UserStoreManager in user-mgt.xml of a Carbon product. If I understood correctly, UserNameAttribute is the attribute which is used as the username when users log in to the servers. UserNameSearchFilter will be used to search users (i.e. authenticating users).

In both parameters we used the value "cn". But what will happen if we specify different values for the two parameters as below?

<Property name="UserNameAttribute">sAMAccountName</Property>
<Property name="UserNameSearchFilter">(&amp;(objectClass=user)(cn=?))</Property>

Though sAMAccountName is specified as the login name, the cn attribute is still used when authenticating users. Users have to log in using the cn values. However, UserNameAttribute was not considered when authenticating users. I copied and pasted a part of the code (in WSO2 IS 4.5) that executes when authenticating users below.

// read the configured UserNameSearchFilter and replace its "?" placeholder with the submitted user name
String userSearchFilter = realmConfig.getUserStoreProperty(LDAPConstants.USER_NAME_SEARCH_FILTER);
userSearchFilter = userSearchFilter.replace("?", userName);

This won't be a problem if the same attribute (cn/sAMAccountName) is used in both parameters. Is it the expected way of configuring? If so, wouldn't it be better if there is a way to specify the attribute in only one place, to reduce misconfiguration possibilities?
Is there any use case for specifying different attributes in the above parameters?


--
Udara Liyanage
Software Engineer
WSO2, Inc.: http://wso2.com
lean. enterprise. middleware

phone: +94 71 443 6897

_______________________________________________
Dev mailing list
[hidden email]
http://wso2.org/cgi-bin/mailman/listinfo/dev

Re: [Dev] Need info in WSO2 IS UserStoreManager configuration

venura
Hi,

Note: In this mail, if I refer to UserNameSearchFilter, it should point to the below section of the UserNameSearchFilter.
<Property name="UserNameSearchFilter">(&amp;(objectClass=user)(cn=?))</Property>


UserNameAttribute is used to create a user in LDAP. For example, consider the configuration below.

<Property name="UserNameAttribute">displayName</Property>
<Property name="UserNameSearchFilter">(&amp;(objectClass=user)(cn=?))</Property>

In an LDAP user store, the user entry will be created as displayName=udara.
But for AD, the user will be created as cn=udara. This happens since user creation is specially treated in AD.

But at the time of user login, the user will be searched with the UserNameSearchFilter. Therefore, for a created user to be able to log in in LDAP, either both UserNameAttribute and UserNameSearchFilter should be the same, or UserNameSearchFilter should contain an attribute which is automatically added to the user entry.

But for a read-only user store (LDAP/AD), these two can be configured as two attributes. For example, consider the below DN of a user:

DN: uid=venura,ou=Users,dc=WSO2,dc=ORG

If there exists an attribute within the user entry such as displayName with a different value than the uid, and if the UserNameAttribute is configured as displayName, then the client will be able to search users using the UserNameAttribute, in this case displayName.

Regards,

Venura


On Thu, Oct 24, 2013 at 10:14 PM, Udara Liyanage <[hidden email]> wrote:



--
Senior Software Engineer

Mobile: +94 71 82 300 20


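The following is an added example that ties the question and the answer above together; it is not WSO2 code and not from either poster. It parses the two properties from a constructed user-mgt.xml fragment, performs the consistency check the question asks for (warning when the attribute in UserNameAttribute differs from the one the search filter compares against), and replays the answer's create-then-login scenario against a toy in-memory directory with an AND-only filter evaluator. The XML fragment, the directory entries and the evaluator are all assumptions made for the example; the RFC 4515 escaping of the login name is also added here, whereas the quoted WSO2 snippet substitutes the name into the filter as-is.

```python
"""Added illustration of UserNameAttribute vs UserNameSearchFilter (not WSO2 code).

Assumptions: a constructed user-mgt.xml fragment, a toy in-memory directory whose
entries are dicts, and an AND-only filter evaluator. The RFC 4515 escaping of the
login name is added here; the quoted WSO2 snippet substitutes the name as-is.
"""
import re
import xml.etree.ElementTree as ET

# Constructed fragment mirroring the mismatched pair from the question:
# users are created with sAMAccountName but logins search by cn.
SAMPLE_USER_MGT_XML = """<UserManager>
  <Realm>
    <UserStoreManager>
      <Property name="UserNameAttribute">sAMAccountName</Property>
      <Property name="UserNameSearchFilter">(&amp;(objectClass=user)(cn=?))</Property>
    </UserStoreManager>
  </Realm>
</UserManager>"""

# one (attribute=value) clause of a filter; values never contain bare parentheses
ATTR_EQ_VALUE = re.compile(r"\(([A-Za-z][\w.;-]*)=([^()]*)\)")


def load_user_store_properties(xml_text):
    """Return {property name: value} for the first <UserStoreManager> element."""
    usm = ET.fromstring(xml_text).find(".//UserStoreManager")
    if usm is None:
        raise ValueError("no UserStoreManager element")
    return {p.get("name"): (p.text or "").strip() for p in usm.findall("Property")}


def search_filter_attribute(search_filter):
    """Attribute the filter compares with the login name, i.e. the (attr=?) clause."""
    names = [attr for attr, value in ATTR_EQ_VALUE.findall(search_filter) if value == "?"]
    if len(names) != 1:
        raise ValueError("expected exactly one (attr=?) clause in " + search_filter)
    return names[0]


def check_consistency(props):
    """The check asked for in the question: warn when the create-time attribute
    (UserNameAttribute) differs from the login-time one (UserNameSearchFilter)."""
    create_attr = props["UserNameAttribute"]
    login_attr = search_filter_attribute(props["UserNameSearchFilter"])
    if create_attr.lower() != login_attr.lower():
        return [f"UserNameAttribute is {create_attr} but UserNameSearchFilter matches on "
                f"{login_attr}: users must log in with their {login_attr} value"]
    return []


def escape_filter_value(value):
    """RFC 4515 escaping so a submitted name cannot alter the filter's structure."""
    # backslash first, so the escape sequences added below are not re-escaped
    for ch, esc in (("\\", r"\5c"), ("*", r"\2a"), ("(", r"\28"), (")", r"\29"), ("\0", r"\00")):
        value = value.replace(ch, esc)
    return value


def build_search_filter(search_filter, user_name):
    """Same '?' substitution as the quoted snippet, with the name escaped first."""
    return search_filter.replace("?", escape_filter_value(user_name))


def entry_matches(search_filter, entry):
    """Evaluate an AND-only filter such as (&(objectClass=user)(cn=udara))."""
    for attr, value in ATTR_EQ_VALUE.findall(search_filter):
        stored = entry.get(attr, [])
        stored = [stored] if isinstance(stored, str) else stored
        if value.lower() not in (s.lower() for s in stored):
            return False
    return True


def create_entry(props, user_name, active_directory=False):
    """Entry the server writes on user creation: the naming attribute is
    UserNameAttribute for a plain LDAP store, but cn for AD (as the answer notes)."""
    rdn_attr = "cn" if active_directory else props["UserNameAttribute"]
    return {"objectClass": ["user"], rdn_attr: user_name}


def login_succeeds(props, directory, user_name):
    """True when the login-time search finds exactly one entry for the name."""
    filt = build_search_filter(props["UserNameSearchFilter"], user_name)
    return sum(1 for entry in directory if entry_matches(filt, entry)) == 1


if __name__ == "__main__":
    props = load_user_store_properties(SAMPLE_USER_MGT_XML)
    for warning in check_consistency(props):
        print("WARNING:", warning)
    print("plain LDAP, create then login:", login_succeeds(props, [create_entry(props, "udara")], "udara"))
    print("AD, create then login:", login_succeeds(props, [create_entry(props, "udara", True)], "udara"))
```

Run against the sample fragment, the check reports the mismatch, a user created in a plain LDAP store under sAMAccountName is not found by the cn-based login search, and the same user created in AD (where the entry gets cn=udara) is found, which is exactly the behaviour described in the answer. Escaping the substituted name is cheap and keeps a login name containing parentheses or asterisks from being interpreted as filter syntax, so it is worth doing wherever a "?" placeholder is filled from user input.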

Re: [Dev] Need info in WSO2 IS UserStoreManager configuration

venura
Hi,

Please look into the link [1] for more clarification.

[1] http://venurakahawala.blogspot.com/2013/10/usernameattribute-and.html

Regards,
Venura


On Fri, Oct 25, 2013 at 12:02 PM, Venura Kahawala <[hidden email]> wrote:




