
I have a requirement where I have integrated the WSO2 Identity Server (5.3) internal LDAP with WSO2 API Manager (2.1).

I have made the change by enabling the LDAP configuration in wso2-api-2.1\repository\conf\user-mgt.xml, i.e. by uncommenting the line below:

<UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager">
and commenting out the line below:
<UserStoreManager class="org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager">

I followed all the steps mentioned in the WSO2 documentation for role-based access control using XACML, linked below: https://docs.wso2.com/display/AM210/Enabling+Role-Based+Access+Control+Using+XACML

I created a role 'schooladmin' and a user 'testuser'. I assigned the role 'schooladmin' to 'testuser' in Identity Server, with all permissions granted.

I am able to test the PDP in WSO2 Identity Server and it works fine.

Issues:

  1. As Identity Server and API Manager are connected via LDAP, I can't see the PDP developed in Identity Server available in API Manager. Is this correct behaviour?

  2. I created and deployed a REST API based on a business service and added the entitlement mediator during configuration, as mentioned in the WSO2 documentation:

<sequence xmlns="http://ws.apache.org/ns/synapse" name="newEntitlementMediator">
    <entitlementService xmlns="http://ws.apache.org/ns/synapse" remoteServiceUrl="https://localhost:9443/services" remoteServiceUserName="admin" remoteServicePassword="admin"
        callbackClass="org.wso2.sample.handlers.entitlement.APIEntitlementCallbackHandler"/>
</sequence>

When I try the newly developed REST API in Postman, I always get the error below.

<am:fault xmlns:am="http://wso2.org/apimanager">
    <am:code>0</am:code>
    <am:type>Status report</am:type>
    <am:message>Runtime Error</am:message>
    <am:description>User is not authorized to perform the action</am:description>
</am:fault>

For testing, I am creating a new token for the correct user 'testuser' using the service below: https://localhost:8244/token

Please suggest if there is any limitation or I missed any configuration.

I am adding below the policy created in the WSO2 IS server for entitlement. Please review.

<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="iib_policy_entitlement" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit" Version="1.0">
   <Target/>
   <Rule Effect="Permit" RuleId="iib_test_rule">
      <Target>
         <AnyOf>
            <AllOf>
               <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/login/v1</AttributeValue>
                  <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
               </Match>
               <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">POST</AttributeValue>
                  <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
               </Match>
            </AllOf>
         </AnyOf>
      </Target>
      <Condition>
         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">iib_role</AttributeValue>
            </Apply>
            <AttributeDesignator AttributeId="http://wso2.org/claims/role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
         </Apply>
      </Condition>
   </Rule>
</Policy>

Thanks, Abhishek

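As an added illustration, not code from the question, the answer or WSO2, the script below is a small evaluator for exactly the policy posted above: it applies the rule's Target matches, its string-at-least-one-member-of Condition and the policy's deny-unless-permit combining algorithm to constructed requests, implementing only the XACML constructs this policy uses. Evaluated this way, a POST to /login/v1 by a subject whose only role value is schooladmin yields Deny, because the Condition permits only subjects holding iib_role, while a subject carrying iib_role yields Permit. The request shape (resource-id, action-id and the http://wso2.org/claims/role subject attribute) and the request_for helper are assumptions about what the mediator sends to the PDP.

```python
import xml.etree.ElementTree as ET
NS = {"x": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"}
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
ROLE_CLAIM = "http://wso2.org/claims/role"  # subject attribute the Condition reads
STR = "http://www.w3.org/2001/XMLSchema#string"
# Copy of the policy posted in the question, whitespace condensed, content unchanged.
POLICY_XML = f"""<Policy xmlns="{NS['x']}" PolicyId="iib_policy_entitlement" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
<Target/><Rule Effect="Permit" RuleId="iib_test_rule"><Target><AnyOf><AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"><AttributeValue DataType="{STR}">/login/v1</AttributeValue>
<AttributeDesignator AttributeId="{RESOURCE_ID}" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="{STR}" MustBePresent="true"/></Match>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"><AttributeValue DataType="{STR}">POST</AttributeValue>
<AttributeDesignator AttributeId="{ACTION_ID}" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="{STR}" MustBePresent="true"/></Match>
</AllOf></AnyOf></Target><Condition><Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag"><AttributeValue DataType="{STR}">iib_role</AttributeValue></Apply>
<AttributeDesignator AttributeId="{ROLE_CLAIM}" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="{STR}" MustBePresent="true"/>
</Apply></Condition></Rule></Policy>"""

def _match_ok(match, request):
    # string-equal: the literal must equal one of the request's values for the designated
    # attribute; a missing MustBePresent attribute is Indeterminate, i.e. never a Permit.
    wanted = match.find("x:AttributeValue", NS).text
    attr_id = match.find("x:AttributeDesignator", NS).get("AttributeId")
    return wanted in request.get(attr_id, [])

def _condition_ok(cond, request):
    # string-at-least-one-member-of(string-bag(literals), designator): true when bags intersect.
    outer = cond.find("x:Apply", NS)
    bag = {v.text for v in outer.find("x:Apply", NS).findall("x:AttributeValue", NS)}
    attr_id = outer.find("x:AttributeDesignator", NS).get("AttributeId")
    return bool(bag & set(request.get(attr_id, [])))

def evaluate(policy_xml, request):
    # deny-unless-permit: Permit only if a Permit rule's Target (OR over AnyOf, AND over
    # the Matches of an AllOf) and its Condition both hold; every other outcome is Deny.
    for rule in ET.fromstring(policy_xml).findall("x:Rule", NS):
        target = rule.find("x:Target", NS)
        anyofs = [] if target is None else target.findall("x:AnyOf", NS)
        target_ok = not anyofs or any(  # an empty Target applies to every request
            all(_match_ok(m, request) for m in allof.findall("x:Match", NS))
            for anyof in anyofs for allof in anyof.findall("x:AllOf", NS))
        cond = rule.find("x:Condition", NS)
        if rule.get("Effect") == "Permit" and target_ok and (
                cond is None or _condition_ok(cond, request)):
            return "Permit"
    return "Deny"

def request_for(roles, resource="/login/v1", action="POST"):
    # Constructed request; the attribute set is an assumption about what the mediator sends.
    return {RESOURCE_ID: [resource], ACTION_ID: [action], ROLE_CLAIM: list(roles)}
```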

1 Answer


Answer for question 1: Yes, LDAP is used only as the user store. Metadata is stored in a separate DB. If you need to share the metadata as well, then you have to share the metadata DBs as well. Please change /repository/conf/datasources/master-datasources.xml for that.

Answer for question 2: I cannot answer this question directly, but I can give you a few points to check.

  • Check whether you can see the created user and role from the API Manager side.
  • Do you want IS to act as the Key Manager for the APIM? If so, please check this documentation: IS as a Key Manager