Configuring a Secondary User Store with WSO2 API Manager

Tharika Madurapperuma
Mar 16, 2019

WSO2 API Manager allows you to plug in one or more secondary user stores. Users from the different stores can then log in and perform operations depending on their roles and permissions.

Now let’s see how we can configure a secondary user store with WSO2 API Manager.

I will be using the inbuilt LDAP user store in WSO2 Identity Server as the secondary user store.

Step 1

  • Download WSO2 API Manager (APIM) and WSO2 Identity Server (IS).
  • I will be using WSO2 API Manager 2.0.0 and WSO2 Identity Server 5.2.0 in this guide. You can use any version you need.

Step 2

  • Open <IS_HOME>/repository/conf/carbon.xml and change the port offset to 1. This prevents port conflicts with API Manager, because both products use a default port offset of 0.

<Offset>1</Offset>

Step 3

  • Now start both the APIM and IS servers by running the following command from the bin directory of each product.

./wso2server.sh

Step 4

  • Log in to the Management Console of APIM (https://<host>:<port>/carbon) as admin, using the admin:admin credentials. You can do the same as a tenant admin as well.
  • Go to Main -> User Stores -> Add.
  • Fill in the attributes with the configurations provided in <IS_HOME>/repository/conf/user-mgt.xml. The embedded user store in Identity Server is of type ReadWriteLDAPUserStoreManager.
  • Check the image below when adding the user store.
Add secondary user store to API Manager
  • Note that the Connection URL port will be 10390, 1 more than the default 10389, because we set the port offset of Identity Server to 1 in Step 2 above.
  • Change the other attributes accordingly.
  • You need to take note of the “User Search Filter” and the “Group Search Filter”. The configuration given in the user-mgt.xml of IS includes “amp;” after the ‘&’ sign, because the ampersand is XML-escaped in that file. You should remove it when adding the user store from the Management Console. You can see it in the image above.
  • Click on Add. If the user store is added correctly, you will see the following message.

Step 5

  • After a few seconds, when you refresh the page, you will see the newly added user store under Main -> User Stores -> List.
List the secondary user store
  • Add a new user to the secondary user store by going to Main -> Users and Roles -> Add -> Add New User.
Add new user to the secondary user store
  • You should select the secondary user store domain (xyz.com) from the drop-down.
  • Click Next.
  • Select the XYZ.COM/admin role and click Finish.
Select roles for the user
  • Now we can see the newly added user in the user list.
New user added to the list of users
  • The user created in the secondary user store needs the necessary permissions to carry out at least the basic functions in API Manager. These permissions are assigned to a role of the user. Let’s assign the Login, API Create, Publish and Subscribe permissions to the XYZ.COM/admin role assigned to user1.
  • Click on View Roles of the user. Then click on Permissions for the XYZ.COM/admin role. Select the required permissions as shown below and click Update.
Permissions for the role

Now you can log in to the Publisher and Store applications and perform different functions in WSO2 API Manager with a user from a secondary user store.

NOTE: If you need to configure multiple secondary user stores, you can simply add another user store from Main -> User Stores -> Add.

The configuration of each secondary user store is stored as an XML file in the <APIM_HOME>/repository/deployment/server/userstores folder. You can manually make changes to this file if required.
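For the values that Step 4 copies out of user-mgt.xml, the following added example (not part of the original post) reads the ReadWriteLDAPUserStoreManager block through an XML parser, so the search filters come out with a plain ‘&’, and applies the Step 2 port offset to the Connection URL. The sample XML is constructed; its property names, its values and the `${Ports.EmbeddedLDAP.LDAPServerPort}` placeholder are assumptions, so compare them with your own file.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the active user store block of
# <IS_HOME>/repository/conf/user-mgt.xml; names and values are assumptions.
SAMPLE_USER_MGT = """\
<UserManager>
  <Realm>
    <UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager">
      <Property name="ConnectionURL">ldap://localhost:${Ports.EmbeddedLDAP.LDAPServerPort}</Property>
      <Property name="ConnectionName">uid=admin,ou=system</Property>
      <Property name="UserSearchBase">ou=Users,dc=wso2,dc=org</Property>
      <Property name="UserNameSearchFilter">(&amp;(objectClass=person)(uid=?))</Property>
      <Property name="GroupNameSearchFilter">(&amp;(objectClass=groupOfNames)(cn=?))</Property>
    </UserStoreManager>
  </Realm>
</UserManager>
"""

DEFAULT_LDAP_PORT = 10389  # embedded LDAP port before any offset (from the guide)


def console_values(user_mgt_xml, port_offset):
    """Return {property name: value to paste into the Management Console}."""
    root = ET.fromstring(user_mgt_xml)
    store = next(
        (e for e in root.iter("UserStoreManager")
         if e.get("class", "").endswith("ReadWriteLDAPUserStoreManager")),
        None,
    )
    if store is None:
        raise ValueError("no ReadWriteLDAPUserStoreManager block found")
    # The parser decodes XML entities, so '&amp;' in the file becomes '&' here.
    props = {p.get("name"): (p.text or "").strip() for p in store.iter("Property")}

    def shift_port(match):
        # A literal port is shifted as-is; a ${...} placeholder means the default.
        port = match.group(1)
        base = int(port) if port.isdigit() else DEFAULT_LDAP_PORT
        return ":" + str(base + port_offset)

    url = props.get("ConnectionURL", "")
    props["ConnectionURL"] = re.sub(r":(\d+|\$\{[^}]+\})$", shift_port, url)
    return props


if __name__ == "__main__":
    for name, value in console_values(SAMPLE_USER_MGT, port_offset=1).items():
        print(f"{name}: {value}")
```

To run it against a real installation, pass the contents of your own user-mgt.xml and the offset you set in carbon.xml instead of the sample.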

Cheers!
