wso2 / product-is

Welcome to the WSO2 Identity Server source code! For info on working with the WSO2 Identity Server repository and contributing code, click the link below.
http://wso2.github.io/
Apache License 2.0

Different group Ids in wso2 server and ldap user store #7390

Closed aaujayasena closed 4 years ago

aaujayasena commented 4 years ago

User store: read_only_ldap_unique_id

Steps to create and configure a unique-ID read-only LDAP user store (steps 01 to 04):

  1. Download and unzip two wso2is servers.
  2. Change the port offset of one wso2is server to 1 and start it (server 1).
  3. Add roles and users in server 1.
  4. For the other server (server 2), add the unique-ID read-only LDAP configuration. The deployment.toml configuration for the user store:
[user_store]
type = "read_only_ldap_unique_id"
connection_url = "ldap://localhost:10390"
connection_name = "uid=admin,ou=system"
connection_password = "admin"
base_dn = "dc=wso2,dc=org"

[user_store.properties]
CaseInsensitiveUsername = false
SCIMEnabled=true
IsBulkImportSupported=false
EnableMaxUserLimitForSCIM=true

Here we use the server 1 read/write unique-ID LDAP as the server 2 read-only unique-ID LDAP.

  5. Start server 2 with the unique-ID read-only LDAP user store. (Users and roles created in server 1 should be displayed in server 2's user store as well, but they are read-only.)

Server 2 (screenshot not reproduced in this copy)

  6. Request the group list from server 1

Request:

curl -v -k --user admin:admin https://localhost:9444/scim2/Groups/?attributes=displayName

Response:

{"totalResults":4,"startIndex":1,"itemsPerPage":4,"schemas":["urn:ietf:params:scim:api:messages:2.0:ListResponse"],"Resources":[{"displayName":"Application/User Portal","id":"ff4617fb-7eb7-4258-a3e7-060bab171073"},{"displayName":"isTestUserRole","id":"5c4d8bd6-a818-4bad-9eea-7a1ed7b3d898"},{"displayName":"Internal/system","id":"70db7029-b355-41ad-8387-9dc5874cc11b"},{"displayName":"admin","id":"275b9e61-4caa-470d-910c-2c60c996602a"}]}

  7. Request the group list from server 2

Request:

curl -v -k --user admin:admin https://localhost:9443/scim2/Groups/?attributes=displayName

Response:

{"totalResults":5,"startIndex":1,"itemsPerPage":5,"schemas":["urn:ietf:params:scim:api:messages:2.0:ListResponse"],"Resources":[{"displayName":"role1","id":"84612342-c35f-44ba-b4a2-d547e7d6b9be"},{"displayName":"Application/User Portal","id":"34f3ece4-4390-4ce5-b5e6-f71ddba5ed44"},{"displayName":"role2","id":"b227cc5e-38cc-457b-8303-a0c5bea82f4f"},{"displayName":"Internal/system","id":"2dc6007c-b2ee-4563-a991-278aac185050"},{"displayName":"admin","id":"3db930e7-5657-46ff-916b-d275c3635088"}]}

Here we have configured the server 1 user store as the server 2 user store. Even though the groups are the same in both, the IDs are different.

tharindu-b-hewage commented 4 years ago

This is the expected behavior, as currently SCIM group information is kept in the Identity database. Therefore, even though the two IS instances are pointed to the same user store, both instances use separate identity databases in their own H2 database.

PS: There is an ongoing feature to get the group information to the user store itself. Please refer to the corresponding GitHub issue: https://github.com/wso2/product-is/issues/7365
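The practical consequence of the explanation above is that a SCIM group `id` is only stable within one Identity Server instance, so any tooling that reconciles two instances sharing an LDAP user store must key on `displayName`, not on `id`. The script below is an added example written for this issue, not code from the WSO2 project: it parses the two ListResponse bodies quoted in the issue (embedded as constructed sample input so it runs offline), keys both on `displayName`, and reports which groups exist on only one side and which shared groups carry different IDs. The function names (`groups_by_name`, `compare_groups`) are assumptions of this example; in a live run you would feed it the bodies returned by the two `curl` calls shown in the issue.

```python
"""Compare SCIM2 /Groups listings from two WSO2 IS instances that share a
user store, keyed on displayName rather than on the per-instance id.

Added example for this issue; not part of the WSO2 product code.
"""
import json
from typing import Dict, List

SCIM_LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

# Constructed sample input: the two response bodies quoted in the issue
# (server 1 on https://localhost:9444, server 2 on https://localhost:9443),
# embedded verbatim so the script runs without either server.
SERVER1_RESPONSE = (
    '{"totalResults":4,"startIndex":1,"itemsPerPage":4,'
    '"schemas":["urn:ietf:params:scim:api:messages:2.0:ListResponse"],'
    '"Resources":['
    '{"displayName":"Application/User Portal","id":"ff4617fb-7eb7-4258-a3e7-060bab171073"},'
    '{"displayName":"isTestUserRole","id":"5c4d8bd6-a818-4bad-9eea-7a1ed7b3d898"},'
    '{"displayName":"Internal/system","id":"70db7029-b355-41ad-8387-9dc5874cc11b"},'
    '{"displayName":"admin","id":"275b9e61-4caa-470d-910c-2c60c996602a"}]}'
)
SERVER2_RESPONSE = (
    '{"totalResults":5,"startIndex":1,"itemsPerPage":5,'
    '"schemas":["urn:ietf:params:scim:api:messages:2.0:ListResponse"],'
    '"Resources":['
    '{"displayName":"role1","id":"84612342-c35f-44ba-b4a2-d547e7d6b9be"},'
    '{"displayName":"Application/User Portal","id":"34f3ece4-4390-4ce5-b5e6-f71ddba5ed44"},'
    '{"displayName":"role2","id":"b227cc5e-38cc-457b-8303-a0c5bea82f4f"},'
    '{"displayName":"Internal/system","id":"2dc6007c-b2ee-4563-a991-278aac185050"},'
    '{"displayName":"admin","id":"3db930e7-5657-46ff-916b-d275c3635088"}]}'
)


def groups_by_name(list_response_json: str) -> Dict[str, str]:
    """Parse a SCIM2 ListResponse body into {displayName: id}.

    Refuses anything that is not a ListResponse, and refuses a paginated
    (partial) page so that a truncated listing is never diffed as if it
    were complete.
    """
    body = json.loads(list_response_json)
    if SCIM_LIST_SCHEMA not in body.get("schemas", []):
        raise ValueError("body is not a SCIM ListResponse")
    resources = body.get("Resources", [])
    if body.get("totalResults", len(resources)) != len(resources):
        raise ValueError("partial page: fetch all pages before comparing")
    groups: Dict[str, str] = {}
    for group in resources:
        name, gid = group["displayName"], group["id"]
        if name in groups:
            raise ValueError(f"duplicate displayName in listing: {name}")
        groups[name] = gid
    return groups


def compare_groups(a: Dict[str, str], b: Dict[str, str]) -> Dict[str, List[str]]:
    """Diff two {displayName: id} maps by name and report id agreement."""
    names_a, names_b = set(a), set(b)
    common = sorted(names_a & names_b)
    return {
        "only_in_a": sorted(names_a - names_b),
        "only_in_b": sorted(names_b - names_a),
        "id_matches": [n for n in common if a[n] == b[n]],
        "id_mismatches": [n for n in common if a[n] != b[n]],
    }


if __name__ == "__main__":
    report = compare_groups(groups_by_name(SERVER1_RESPONSE),
                            groups_by_name(SERVER2_RESPONSE))
    for key, names in report.items():
        print(f"{key}: {names}")
```

Run against the issue's own responses, every group present on both servers (`admin`, `Internal/system`, `Application/User Portal`) lands in `id_mismatches` and none in `id_matches`, which is exactly the behaviour the maintainer describes: the IDs are minted per identity database, not per user store. The diff also makes visible that the two listings do not even contain the same set of names (`isTestUserRole` appears only in the server 1 response, `role1` and `role2` only in server 2's), so a reconciliation job should treat `displayName` as the join key and expect per-instance IDs to diverge until the feature tracked in #7365 lands.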