I'm trying to set up the WSO2 Identity Server with OpenLDAP as the primary user store. I would like to add the IdP's embedded ApacheDS schemas (wso2Person, identityPerson and scimPerson) to OpenLDAP, but I am not able to import either the schema or the wso2Person, identityPerson and scimPerson ldif files.

Can you provide an example of how to achieve this goal?

I am trying to import the files into a new OpenLDAP on Ubuntu Server 16 LTS using ApacheDS Studio or other LDAP clients, but every time I try to import the files an error is thrown.

E.g.: launching

sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f ou\=schema.ldif

the server responds:

Server in unwilling to perform (53) no global superior knowledge

Or, trying to import the wso2Person.ldif

ldapadd -H ldap:/// -D "cn=admin,dc=example,dc=org" -x -W -f wso2Person.ldif

the following error is thrown:

Invalid syntax (21) additional info: attributeTypes: value #0 invalid per syntax

2 Answers

0 votes

It is not necessary to use the wso2Person schema. You can use any of the schemas supported by the external LDAP (for example inetOrgPerson). The only thing you have to do is the claim mapping for attributes with existing attributes in the OpenLDAP schema. You can find these claims in the Configure -> Claim Management tab under "http://wso2.org/claims". You can edit the claim mapping[1] for each attribute with existing attributes from the LDAP server. For example: the first name is mapped to the attribute "givenName" in the primary user store. OpenLDAP also supports the "givenName" attribute type, so you do not have to change those attributes. But a few attributes like "Last Name", which is mapped to "sn" in the primary user store, are not in the default OpenLDAP if the correct object class is not added to the user group. For example, I have used "displayName" as the mapped attribute for the secondary user store. You can see how to edit claims in the attached image claims.png (where NEWTEST is the secondary user store name) in order to add the claim mapping. So like this you will have to map those attributes to existing attributes in the OpenLDAP schema.

[1] - https://docs.wso2.com/display/IS500/Editing+Claim+Dialects

0 votes

First: if you are using the default OpenLDAP configuration on Ubuntu 16.04, you must use the local tool from the server's root account. For example:

root@OpenLdap1:ldapadd -Y EXTERNAL -H ldapi:/// -f identityPerson.ldif

You can see that the access list for cn=config is:

# {0}config, config
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break

Second: you have to modify the ldif files given by wso2. In OpenLDAP, schemas are represented as separate LDAP objects, so instead of an object modification you have to create a new entry. Also there is one difference in syntax: you should replace attributeTypes by olcAttributeTypes and objectClasses by olcObjectClasses. Your wso2Person.ldif should look like:

dn: cn=wso2Person,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: wso2Person
olcAttributeTypes: ( 1.3.6.1.4.1.37505.1.2
    NAME 'gender'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )
....
olcAttributeTypes: ( 1.3.6.1.4.1.37505.1.13
    NAME 'prefferedLanguage'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )
olcObjectClasses: ( 1.3.6.1.4.1.37505.1.1
    NAME 'wso2Person'
    DESC 'wso2Person'
    SUP inetOrgPerson
    STRUCTURAL
    MAY  ( gender $ country $ nickName $ timeZone $ dateOfBirth $ role $ im $ url $ otherPhone $ privatePersonalIdentifier $ profileconfiguration $ prefferedLanguage ) )

Also, the wso2 classes have structural dependencies, so the order in which they are added matters:

ldapadd -Y EXTERNAL -H ldapi:/// -f wso2Person.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f scimPerson.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f identityPerson.ldif
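The two steps in this answer (rewriting the ApacheDS-style schema LDIF into a cn=config entry with olcAttributeTypes/olcObjectClasses, and loading the schemas in SUP order) can be done mechanically. The script below is an added example, not code from the answer or from WSO2: it unfolds LDIF continuation lines, converts attributeTypes/objectClasses into an olcSchemaConfig entry, and orders several schemas so that a schema whose object classes inherit from another schema's classes is loaded after it. The sample LDIF content, the inheritance chain between the three schemas and the OIDs outside the 37505 branch are constructed for the demo and do not reproduce the real WSO2 files.

```python
"""Convert ApacheDS-style schema LDIF to OpenLDAP cn=config entries and
compute a SUP-respecting load order. Example code, not WSO2's own files."""
import re

# Constructed samples in the ApacheDS "modify" style. The OIDs under
# 1.1.1.* and the SUP chain scimPerson -> wso2Person -> identityPerson are
# placeholders for the demo, not the real WSO2 schema definitions.
SAMPLE_SCHEMAS = {
    "identityPerson": """\
dn: ou=schema
changetype: modify
add: objectClasses
objectClasses: ( 1.1.1.3
    NAME 'identityPerson'
    SUP scimPerson
    STRUCTURAL
    MAY ( description ) )
""",
    "scimPerson": """\
dn: ou=schema
changetype: modify
add: objectClasses
objectClasses: ( 1.1.1.2
    NAME 'scimPerson'
    SUP wso2Person
    STRUCTURAL
    MAY ( title ) )
""",
    "wso2Person": """\
dn: ou=schema
changetype: modify
add: attributeTypes
attributeTypes: ( 1.3.6.1.4.1.37505.1.2
    NAME 'gender'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )
-
add: objectClasses
objectClasses: ( 1.3.6.1.4.1.37505.1.1
    NAME 'wso2Person'
    SUP inetOrgPerson
    STRUCTURAL
    MAY ( gender ) )
""",
}

DEF_RE = re.compile(r"^(attributeTypes|objectClasses):\s*(.*)$", re.I)
NAME_RE = re.compile(r"\bNAME\s+\(?\s*'([^']+)'")          # first NAME only
SUP_RE = re.compile(r"\bSUP\s+(\([^)]*\)|\S+)")            # 'SUP x' or 'SUP ( a $ b )'


def unfold(ldif_text):
    """Join LDIF continuation lines (leading space) onto the previous line;
    drop blank lines and comments. A bare ')' on its own line would NOT be a
    continuation, which is why the closing paren must be folded correctly."""
    logical = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # only the first space is the fold marker
        elif raw.strip() and not raw.startswith("#"):
            logical.append(raw)
    return logical


def extract_definitions(ldif_text):
    """Return (attribute_types, object_classes) as whitespace-normalized strings."""
    attrs, classes = [], []
    for line in unfold(ldif_text):
        m = DEF_RE.match(line)
        if m:
            value = " ".join(m.group(2).split())
            (attrs if m.group(1).lower() == "attributetypes" else classes).append(value)
    return attrs, classes


def to_olc_entry(schema_name, ldif_text):
    """Emit the cn=config entry OpenLDAP expects (ldapadd -Y EXTERNAL -H ldapi:///)."""
    attrs, classes = extract_definitions(ldif_text)
    lines = [f"dn: cn={schema_name},cn=schema,cn=config",
             "objectClass: olcSchemaConfig", f"cn: {schema_name}"]
    lines += [f"olcAttributeTypes: {a}" for a in attrs]
    lines += [f"olcObjectClasses: {c}" for c in classes]
    return "\n".join(lines) + "\n"


def class_superiors(object_class_defs):
    """Map object class NAME -> set of names in its SUP clause."""
    deps = {}
    for d in object_class_defs:
        name, sup = NAME_RE.search(d), SUP_RE.search(d)
        if name:
            supers = sup.group(1).strip("() ").split("$") if sup else []
            deps[name.group(1)] = {s.strip() for s in supers if s.strip()}
    return deps


def load_order(schemas):
    """Topologically order {schema_name: ldif_text} by cross-schema SUP links.
    Classes defined in none of the given schemas (e.g. inetOrgPerson from the
    stock OpenLDAP schema files) are assumed to be loaded already."""
    defined_in, schema_deps = {}, {}
    parsed = {n: class_superiors(extract_definitions(t)[1]) for n, t in schemas.items()}
    for schema, classes in parsed.items():
        for cls in classes:
            defined_in[cls] = schema
    for schema, classes in parsed.items():
        owners = {defined_in[s] for sups in classes.values() for s in sups if s in defined_in}
        schema_deps[schema] = owners - {schema}
    order = []
    while schema_deps:
        ready = sorted(n for n, d in schema_deps.items() if d <= set(order))
        if not ready:
            raise ValueError(f"circular SUP dependency among {sorted(schema_deps)}")
        order.extend(ready)
        for n in ready:
            del schema_deps[n]
    return order


if __name__ == "__main__":
    for name in load_order(SAMPLE_SCHEMAS):      # prints entries in load order
        print(to_olc_entry(name, SAMPLE_SCHEMAS[name]))
```

Run as-is it prints the three cn=config entries in the order wso2Person, scimPerson, identityPerson, which is the same ordering the answer gives for the ldapadd calls; redirecting each entry to its own file and feeding them to `ldapadd -Y EXTERNAL -H ldapi:///` in that order avoids the structural-dependency failure. The unfolding step also shows why a closing parenthesis on an unindented line breaks the import: without the leading space it is not a continuation line.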