0 votes

Starting WSO2 Identity Server for the first time gives me this error:

"Caused by: org.wso2.carbon.user.core.UserStoreException: Admin user can not be created in primary user store. User store is read only. Please pick a user name which is exist in the primary user store as Admin user"

    <UserManager>
        <Realm>
            <Configuration>
                <AddAdmin>false</AddAdmin>
                <AdminRole>admins</AdminRole>
                <AdminUser>
                    <UserName>cn=Directory Manager</UserName>
                    <Password>xxxxxxxx</Password>
                </AdminUser>
                <!-- By default, users in this role see the registry root -->
                <EveryOneRoleName>everyone</EveryOneRoleName>
                <Property name="dataSource">jdbc/WSO2CarbonDB</Property>
            </Configuration>

            <UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager">
                <Property name="TenantManager">org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager</Property>
                <Property name="ConnectionURL">ldap://localhost:389</Property>
                <Property name="ConnectionName">cn=Directory Manager</Property>
                <Property name="ReadOnly">true</Property>
                <Property name="ConnectionPassword">oursecretpassword</Property>
                <Property name="passwordHashMethod">PLAIN_TEXT</Property>
                <Property name="UserNameListFilter">(objectClass=person)</Property>
                <Property name="UserEntryObjectClass">pccperson</Property>
                <Property name="UserSearchBase">ou=People,dc=pcc.edu,dc=cp</Property>
                <Property name="UserNameSearchFilter">(&amp;(objectClass=person)(uid=?))</Property>
                <Property name="UserNameAttribute">uid</Property>
                <Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property>
                <Property name="UsernameJavaScriptRegEx">^[\S]{3,30}$</Property>
                <Property name="UsernameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
                <Property name="RolenameJavaScriptRegEx">^[\S]{3,30}$</Property>
                <Property name="RolenameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
                <Property name="ReadGroups">true</Property>
                <Property name="WriteGroups">false</Property>
                <Property name="EmptyRolesAllowed">true</Property>
                <Property name="GroupSearchBase">ou=Groups,dc=pcc,dc=edu</Property>
                <Property name="GroupNameListFilter">(objectClass=groupofuniquenames)</Property>
                <Property name="GroupEntryObjectClass">groupofuniquenames</Property>
                <Property name="GroupNameSearchFilter">(&amp;(objectClass=groupofuniquenames)(cn=?))</Property>
                <Property name="GroupNameAttribute">cn</Property>
                <Property name="MembershipAttribute">uniqueMember</Property>
                <Property name="UserRolesCacheEnabled">true</Property>
                <Property name="MaxRoleNameListLength">100</Property>
                <Property name="MaxUserNameListLength">100</Property>
                <Property name="SCIMEnabled">false</Property>
            </UserStoreManager>
        </Realm>
    </UserManager>

    TID: [0] [IS] [2015-05-22 11:35:10,888]  INFO {org.wso2.carbon.user.core.common.DefaultRealmService} -  Database already exists. Not creating a new database. {org.wso2.carbon.user.core.common.DefaultRealmService}
    TID: [0] [IS] [2015-05-22 11:35:11,233]  INFO {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} -  LDAP connection created successfully in read-only mode {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager}
    TID: [0] [IS] [2015-05-22 11:35:11,841] ERROR {org.wso2.carbon.user.core.common.DefaultRealm} -  Cannot create org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager {org.wso2.carbon.user.core.common.DefaultRealm}
    java.lang.reflect.InvocationTargetException
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:526)
        at org.wso2.carbon.user.core.common.DefaultRealm.createObjectWithOptions(DefaultRealm.java:329)
        at org.wso2.carbon.user.core.common.DefaultRealm.initializeObjects(DefaultRealm.java:195)
        at org.wso2.carbon.user.core.common.DefaultRealm.init(DefaultRealm.java:104)
        at org.wso2.carbon.user.core.common.DefaultRealmService.initializeRealm(DefaultRealmService.java:223)
        at org.wso2.carbon.user.core.common.DefaultRealmService.<init>(DefaultRealmService.java:101)
        at org.wso2.carbon.user.core.common.DefaultRealmService.<init>(DefaultRealmService.java:114)
        at org.wso2.carbon.user.core.internal.Activator.startDeploy(Activator.java:69)
        at org.wso2.carbon.user.core.internal.BundleCheckActivator.start(BundleCheckActivator.java:61)
        at org.eclipse.osgi.framework.internal.core.BundleContextImpl$1.run(BundleContextImpl.java:711)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.eclipse.osgi.framework.internal.core.BundleContextImpl.startActivator(BundleContextImpl.java:702)
        at org.eclipse.osgi.framework.internal.core.BundleContextImpl.start(BundleContextImpl.java:683)
        at org.eclipse.osgi.framework.internal.core.BundleHost.startWorker(BundleHost.java:381)
        at org.eclipse.osgi.framework.internal.core.AbstractBundle.resume(AbstractBundle.java:390)
        at org.eclipse.osgi.framework.internal.core.Framework.resumeBundle(Framework.java:1176)
        at org.eclipse.osgi.framework.internal.core.StartLevelManager.resumeBundles(StartLevelManager.java:559)
        at org.eclipse.osgi.framework.internal.core.StartLevelManager.resumeBundles(StartLevelManager.java:544)
        at org.eclipse.osgi.framework.internal.core.StartLevelManager.incFWSL(StartLevelManager.java:457)
        at org.eclipse.osgi.framework.internal.core.StartLevelManager.doSetStartLevel(StartLevelManager.java:243)
        at org.eclipse.osgi.framework.internal.core.StartLevelManager.dispatchEvent(StartLevelManager.java:438)
        at org.eclipse.osgi.framework.internal.core.StartLevelManager.dispatchEvent(StartLevelManager.java:1)
        at org.eclipse.osgi.framework.eventmgr.EventManager.dispatchEvent(EventManager.java:230)
        at org.eclipse.osgi.framework.eventmgr.EventManager$EventThread.run(EventManager.java:340)
    Caused by: org.wso2.carbon.user.core.UserStoreException: Admin user can not be created in primary user store. User store is read only. Please pick a user name which is exist in the primary user store as Admin user
        at org.wso2.carbon.user.core.common.AbstractUserStoreManager.addInitialAdminData(AbstractUserStoreManager.java:3206)
        at org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager.<init>(ReadOnlyLDAPUserStoreManager.java:166)
        at org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager.<init>(ReadOnlyLDAPUserStoreManager.java:97)
        ... 27 more
    TID: [0] [IS] [2015-05-22 11:35:11,844] ERROR {org.wso2.carbon.user.core.common.DefaultRealmService} -  Cannot initialize the realm. {org.wso2.carbon.user.core.common.DefaultRealmService}
    org.wso2.carbon.user.core.UserStoreException: nullType class java.lang.reflect.InvocationTargetException
        at org.wso2.carbon.user.core.common.DefaultRealm.createObjectWithOptions(DefaultRealm.java:370)
        at org.wso2.carbon.user.core.common.DefaultRealm.initializeObjects(DefaultRealm.java:195)
        at org.wso2.carbon.user.core.common.DefaultRealm.init(DefaultRealm.java:104)
        at org.wso2.carbon.user.core.common.DefaultRealmService.initializeRealm(DefaultRealmService.java:223)
        at org.wso2.carbon.user.core.common.DefaultRealmService.<init>(DefaultRealmService.java:101)
        at org.wso2.carbon.user.core.common.DefaultRealmService.<init>(DefaultRealmService.java:114)
        at org.wso2.carbon.user.core.internal.Activator.startDeploy(Activator.java:69)
        at org.wso2.carbon.user.core.internal.BundleCheckActivator.start(BundleCheckActivator.java:61)
        at org.eclipse.osgi.framework.internal.core.BundleContextImpl$1.run(BundleContextImpl.java:711)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.eclipse.osgi.framework.internal.core.BundleContextImpl.startActivator(BundleContextImpl.java:702)
        at org.eclipse.osgi.framework.internal.core.BundleContextImpl.start(BundleContextImpl.java:683)
        at org.eclipse.osgi.framework.internal.core.BundleHost.startWorker(BundleHost.java:381)
        at org.eclipse.osgi.framework.internal.core.AbstractBundle.resume(AbstractBundle.java:390)
        at org.eclipse.osgi.framework.internal.core.Framework.resumeBundle(Framework.java:1176)
        at org.eclipse.osgi.framework.internal.core.StartLevelManager.resumeBundles(StartLevelManager.java:559)
        at org.eclipse.osgi.framework.internal.core.StartLevelManager.resumeBundles(StartLevelManager.java:544)
        at org.eclipse.osgi.framework.internal.core.StartLevelManager.incFWSL(StartLevelManager.java:457)
        at org.eclipse.osgi.framework.internal.core.StartLevelManager.doSetStartLevel(StartLevelManager.java:243)
        at org.eclipse.osgi.framework.internal.core.StartLevelManager.dispatchEvent(StartLevelManager.java:438)
        at org.eclipse.osgi.framework.internal.core.StartLevelManager.dispatchEvent(StartLevelManager.java:1)
        at org.eclipse.osgi.framework.eventmgr.EventManager.dispatchEvent(EventManager.java:230)
        at org.eclipse.osgi.framework.eventmgr.EventManager$EventThread.run(EventManager.java:340)
    Caused by: java.lang.reflect.InvocationTargetException
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:526)
        at org.wso2.carbon.user.core.common.DefaultRealm.createObjectWithOptions(DefaultRealm.java:329)
        ... 22 more
    Caused by: org.wso2.carbon.user.core.UserStoreException: Admin user can not be created in primary user store. User store is read only. Please pick a user name which is exist in the primary user store as Admin user
        at org.wso2.carbon.user.core.common.AbstractUserStoreManager.addInitialAdminData(AbstractUserStoreManager.java:3206)
        at org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager.<init>(ReadOnlyLDAPUserStoreManager.java:166)
        at org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager.<init>(ReadOnlyLDAPUserStoreManager.java:97)
        ... 27 more
    TID: [0] [IS] [2015-05-22 11:35:11,845] ERROR {org.wso2.carbon.user.core.internal.Activator} -  Cannot start User Manager Core bundle {org.wso2.carbon.user.core.internal.Activator}
    org.wso2.carbon.user.core.UserStoreException: Cannot initialize the realm.
        at org.wso2.carbon.user.core.common.DefaultRealmService.initializeRealm(DefaultRealmService.java:231)
        at org.wso2.carbon.user.core.common.DefaultRealmService.<init>(DefaultRealmService.java:101)
        at org.wso2.carbon.user.core.common.DefaultRealmService.<init>(DefaultRealmService.java:114)
        at org.wso2.carbon.user.core.internal.Activator.startDeploy(Activator.java:69)
        at org.wso2.carbon.user.core.internal.BundleCheckActivator.start(BundleCheckActivator.java:61)
        at org.eclipse.osgi.framework.internal.core.BundleContextImpl$1.run(BundleContextImpl.java:711)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.eclipse.osgi.framework.internal.core.BundleContextImpl.startActivator(BundleContextImpl.java:702)
        at org.eclipse.osgi.framework.internal.core.BundleContextImpl.start(BundleContextImpl.java:683)
        at org.eclipse.osgi.framework.internal.core.BundleHost.startWorker(BundleHost.java:381)
        at org.eclipse.osgi.framework.internal.core.AbstractBundle.resume(AbstractBundle.java:390)
        at org.eclipse.osgi.framework.internal.core.Framework.resumeBundle(Framework.java:1176)
        at org.eclipse.osgi.framework.internal.core.StartLevelManager.resumeBundles(StartLevelManager.java:559)
        at org.eclipse.osgi.framework.internal.core.StartLevelManager.resumeBundles(StartLevelManager.java:544)
        at org.eclipse.osgi.framework.internal.core.StartLevelManager.incFWSL(StartLevelManager.java:457)
        at org.eclipse.osgi.framework.internal.core.StartLevelManager.doSetStartLevel(StartLevelManager.java:243)
        at org.eclipse.osgi.framework.internal.core.StartLevelManager.dispatchEvent(StartLevelManager.java:438)
        at org.eclipse.osgi.framework.internal.core.StartLevelManager.dispatchEvent(StartLevelManager.java:1)
        at org.eclipse.osgi.framework.eventmgr.EventManager.dispatchEvent(EventManager.java:230)
        at org.eclipse.osgi.framework.eventmgr.EventManager$EventThread.run(EventManager.java:340)
    Caused by: org.wso2.carbon.user.core.UserStoreException: nullType class java.lang.reflect.InvocationTargetException
        at org.wso2.carbon.user.core.common.DefaultRealm.createObjectWithOptions(DefaultRealm.java:370)
        at org.wso2.carbon.user.core.common.DefaultRealm.initializeObjects(DefaultRealm.java:195)
        at org.wso2.carbon.user.core.common.DefaultRealm.init(DefaultRealm.java:104)
        at org.wso2.carbon.user.core.common.DefaultRealmService.initializeRealm(DefaultRealmService.java:223)
        ... 19 more
    Caused by: java.lang.reflect.InvocationTargetException
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:526)
        at org.wso2.carbon.user.core.common.DefaultRealm.createObjectWithOptions(DefaultRealm.java:329)
        ... 22 more
    Caused by: org.wso2.carbon.user.core.UserStoreException: Admin user can not be created in primary user store. User store is read only. Please pick a user name which is exist in the primary user store as Admin user
        at org.wso2.carbon.user.core.common.AbstractUserStoreManager.addInitialAdminData(AbstractUserStoreManager.java:3206)
        at org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager.<init>(ReadOnlyLDAPUserStoreManager.java:166)
        at org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager.<init>(ReadOnlyLDAPUserStoreManager.java:97)
        ... 27 more

I've tried setting AdminRole to 'admins' and 'cn=admins'. Same error either way.

I don't have a ton of experience setting up LDAP servers from scratch, but I think I installed 389-DS correctly.

See my group entry:

    ldapsearch -b "cn=Admins,ou=Groups,dc=pcc,dc=edu" -D "cn=Directory Manager" -W cn=*
    Enter LDAP Password:

    dn: cn=admins,ou=Groups,dc=pcc,dc=edu
    objectClass: top
    objectClass: groupofuniquenames
    uniqueMember: uid=jwhitene,ou=People,dc=pcc,dc=edu
    cn: admins


3 Answers

0 votes

I am not sure whether you are interested in connecting to a read-only LDAP or a read-write one.

However, please make sure the configs are correctly done and that you've followed the steps in the documentation:

[1] https://docs.wso2.com/display/IS500/Configuring+a+Read-only+LDAP+User+Store - for a read-only LDAP user store

[2] https://docs.wso2.com/display/IS500/Configuring+a+Read-write+LDAP+User+Store - for a read/write LDAP user store

If you have followed these steps correctly, then please post the configuration of your user-mgt.xml with the full configuration of the user store, mention which user store you want to connect to and in which mode, and please also copy the server error message you get from the wso2carbon.log file, which you will find at repository/logs, or from the server console.

Regards, Shani

0 votes

As per your ldapsearch command result, setting the admin username to jwhitene would solve the startup error.

For example:

    <AdminUser>
        <UserName>jwhitene</UserName>
        <Password>xxxxxxxx</Password>
    </AdminUser>

Explanation:

If you are connecting to a read-only user store, the admin user should already be available in the user store/LDAP.

    <AdminUser>
        <UserName>cn=Directory Manager</UserName>
        <Password>xxxxxxxx</Password>
    </AdminUser>

    <Property name="UserSearchBase">ou=People,dc=pcc.edu,dc=cp</Property>
    <Property name="UserNameAttribute">uid</Property>

As per your LDAP configuration quoted above, Identity Server will look for a user under the ou=People,dc=pcc.edu,dc=cp directory whose uid attribute is set to the value cn=Directory Manager.

Basically, if there were such a user, it would look like this:

    uid=cn\=Directory Manager,ou=People,dc=pcc.edu,dc=cp

Since you don't have such a user, the server complains with that error log and halts the startup flow.

The user shown in the ldapsearch command result (uid=jwhitene,ou=People,dc=pcc,dc=edu) matches the above search pattern. Hence, putting jwhitene as the admin user will resolve the issue.

0 votes

With help from techs at Ellucian, I just got my system working. Cause: I had an old version of OpenLDAP that used a different schema that did not match the defaults in the user-mgt.xml file.

Instead of ObjectClass=groupofuniquenames, I configured my user-mgt.xml file using ObjectClass=posixGroup (which matches my OpenLDAP schema). I had to change the ObjectClass in a number of places. After that, my instance started up without any more problems.
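As an added example (not code from the question, the answers, or WSO2), the following Python script reproduces the two lookups these answers turn on: the second answer's point that Identity Server substitutes `<AdminUser><UserName>` into `UserNameSearchFilter` and searches under `UserSearchBase`, so with `ReadOnly=true` the admin must already exist in the directory, and the third answer's point that `AdminRole` is resolved with `GroupNameSearchFilter`, so an objectClass that does not match the directory schema makes that lookup fail. It parses a user-mgt.xml fragment and evaluates both filters against an in-memory directory constructed from the question's ldapsearch output; no LDAP server is contacted. Assumptions: `UserSearchBase` is taken as `ou=People,dc=pcc,dc=edu` so that it agrees with the suffix in the ldapsearch output; the filter evaluator covers only the RFC 4515 subset the user-mgt.xml filters use (and, or, not, equality, presence); group membership is accepted either as a DN (`uniqueMember`) or as a bare user name (`memberUid`, as a posixGroup carries). The `check_admin_setup`, `search` and `parse_filter` helpers are this example's own names.

```python
import re
import xml.etree.ElementTree as ET

# Constructed user-mgt.xml fragment: the question's values, with UserSearchBase
# assumed to be ou=People,dc=pcc,dc=edu so it agrees with the ldapsearch output.
USER_MGT_XML = """<UserManager><Realm>
  <Configuration>
    <AdminRole>admins</AdminRole>
    <AdminUser><UserName>cn=Directory Manager</UserName></AdminUser>
  </Configuration>
  <UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager">
    <Property name="ReadOnly">true</Property>
    <Property name="UserSearchBase">ou=People,dc=pcc,dc=edu</Property>
    <Property name="UserNameSearchFilter">(&amp;(objectClass=person)(uid=?))</Property>
    <Property name="GroupSearchBase">ou=Groups,dc=pcc,dc=edu</Property>
    <Property name="GroupNameSearchFilter">(&amp;(objectClass=groupofuniquenames)(cn=?))</Property>
    <Property name="MembershipAttribute">uniqueMember</Property>
  </UserStoreManager>
</Realm></UserManager>"""

# Constructed directory contents mirroring the question's ldapsearch output.
DIRECTORY = [
    {"dn": "uid=jwhitene,ou=People,dc=pcc,dc=edu",
     "objectClass": ["top", "person", "pccperson"], "uid": ["jwhitene"]},
    {"dn": "cn=admins,ou=Groups,dc=pcc,dc=edu",
     "objectClass": ["top", "groupofuniquenames"], "cn": ["admins"],
     "uniqueMember": ["uid=jwhitene,ou=People,dc=pcc,dc=edu"]},
]


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted for '?' in a search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def parse_filter(text):
    """Parse the RFC 4515 subset used in user-mgt.xml: &, |, !, equality, presence."""
    def parse(i):
        if text[i] != "(":
            raise ValueError("expected '(' at %d in %s" % (i, text))
        i += 1
        if text[i] in "&|!":
            op, items, i = text[i], [], i + 1
            while text[i] != ")":
                node, i = parse(i)
                items.append(node)
            return (op, items), i + 1
        end = text.index(")", i)
        attr, _, value = text[i:end].partition("=")
        value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
        return ("=", attr.strip(), value), end + 1
    node, consumed = parse(0)
    if consumed != len(text):
        raise ValueError("trailing characters in filter %s" % text)
    return node


def attribute_values(entry, attr):
    """Attribute lookup by case-insensitive name; 'dn' is not an attribute here."""
    return [v for k, vs in entry.items() if k != "dn" and k.lower() == attr.lower() for v in vs]


def matches(node, entry):
    if node[0] in "&|":
        agg = all if node[0] == "&" else any
        return agg(matches(n, entry) for n in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    values = attribute_values(entry, node[1])
    return bool(values) if node[2] == "*" else node[2].lower() in (v.lower() for v in values)


def search(directory, base, filter_text):
    """Subtree search: entries at or below base that match the filter."""
    node, base = parse_filter(filter_text), base.lower()
    return [e for e in directory
            if (e["dn"].lower() == base or e["dn"].lower().endswith("," + base)) and matches(node, e)]


def check_admin_setup(xml_text, directory, admin_user=None):
    """Return the problems that would stop the realm from initialising (empty list = OK)."""
    root = ET.fromstring(xml_text)
    prop = {p.get("name"): p.text for p in root.iter("Property")}
    user = admin_user or root.findtext(".//AdminUser/UserName")
    role = root.findtext(".//AdminRole")
    problems = []
    # 1. The admin user must already exist: a read-only store cannot create it.
    user_filter = prop["UserNameSearchFilter"].replace("?", escape_filter_value(user))
    users = search(directory, prop["UserSearchBase"], user_filter)
    if not users:
        problems.append("admin user %r not found under %s with %s; ReadOnly=%s so it cannot be created"
                        % (user, prop["UserSearchBase"], user_filter, prop["ReadOnly"]))
    # 2. The admin role must resolve to a group; a wrong objectClass (schema mismatch) fails here.
    group_filter = prop["GroupNameSearchFilter"].replace("?", escape_filter_value(role))
    groups = search(directory, prop["GroupSearchBase"], group_filter)
    if not groups:
        problems.append("admin role %r not found under %s with %s" % (role, prop["GroupSearchBase"], group_filter))
    # 3. The user must be listed in the group, by DN (uniqueMember) or by name (memberUid).
    if users and groups:
        members = [m.lower() for g in groups for m in attribute_values(g, prop["MembershipAttribute"])]
        if users[0]["dn"].lower() not in members and user.lower() not in members:
            problems.append("%s is not listed in %s of %s" % (users[0]["dn"], prop["MembershipAttribute"], groups[0]["dn"]))
    return problems


if __name__ == "__main__":
    for admin in ("cn=Directory Manager", "jwhitene"):
        print("%-21s -> %s" % (admin, check_admin_setup(USER_MGT_XML, DIRECTORY, admin_user=admin) or "OK"))
```

Run as a script, it reports the missing `cn=Directory Manager` entry for the question's configuration and an empty problem list once the admin is `jwhitene`. Replacing `groupofuniquenames` in `GroupNameSearchFilter` with an objectClass the directory does not carry makes the role lookup fail in the same way, which is the schema mismatch the third answer describes; the same check run against a real directory export is a cheap pre-flight before restarting the server.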