Sunday, July 3, 2011

Setting up cloud manager of Stratos with an external LDAP

Cloud manager is the service in WSO2 Stratos which provides the core functionalities of tenant management like creating new tenants by the super admin and self registration of tenants.

Stratos 1.5 is going to be released with in next couple of weeks. Then you will be able to download the distribution from wso2.org.
For now you need to check out the source from https://svn.wso2.org/repos/wso2/branches/carbon/3.2.0/ and build the stratos manager in products/manager/  location.

You can setup stratos on your machine using the setup script (stratos-setup.pl) which is available here.
In order to run that script, you need to: 
  • have perl installed in your machine. In Linux, you can install "liblist-moreutils-perl".
  • Have my-sql installed in the machine and have username and password root/root.
  • set the following environment variables in the system.
export CARBON_DIR=/home/hasini/WSO2/branch_3.2.0/carbon
export STRATOS_DIR=/home/hasini/WSO2/stratos testing/1.5.0/setup/unpacks
export STRATOS_VERSION=1.5.0
export SSO_ENABLED=false
export CREATE_DB=true
export STARTUP_DELAY=30 
export PACKS_DIR=/home/hasini/WSO2/stratos testing/1.5.0/setup/packs
export PRODUCT_LIST="manager"

Following is an explanation on each of the above environment variable:
CARBON_DIR - root directory of your carbon check out. You need this if you build the stratos service distributions from source.
STRATOS_DIR - this is the directory to where the distributions zip files should be unpacked by the script.
STRATOS_VERSION - current stratos version
SSO_ENABLED - whether single sign on should be enabled across the different stratos services. In this case, we do not need it.
CREATE_DB - whether stratos related databased in my-sql should be created (if exists and this value is true, tables will be dropped and recreated)
STARTUP_DELAY - if several stratos services are going to be started, the delay between two startups
PACKS_DIR - if you are settting up stratos with downloaded packs, this is the folder where those packs are located.
PRODUCT_LIST - the list of stratos services that should be set up from this script.

Now all set, lets follow the following steps to start the cloud manager with an external ApacheDS LDAP server.
  1. Create a new partition in ApacheDS LDAP where the separate user,group bases for each tenant will be created, when creating tenants through cloud manager. You may refer to my previous blog post for creating a new partition in ApacheDS. You may also create separate user base and group base for super tenant space. (i.e ou=Users,dc=wso2,dc=org & ou=groups,dc=wso2,dc=org)
  2. Go to the above mentioned STRATOS_DIR where stratos manager has been unpacked, and change the following configuration files found in [carbon_home]/repository/conf
    • tenant-mgt.xml: There you may notice that default tenant manager is JDBCTenantManager, but we now support tenant management with LDAP as well which we are going to demonstrate here. (if you didn't find this file in the above location, create a file named tenant-mgt.xml and copy the content shown below.)
      • comment out the JDBCTenantManager and uncomment the CommonHybridLDAPTenantManager. 
      • set the "RootPartition" as the partition name that we created in step 1 above.
      • Following is the tenant-mgt.xml in our case:

    dc=wso2,dc=com
    organizationalUnit
    ou
    organizationalUnit
    ou

      • user-mgt.xml:
        • locate the property "MultiTenantRealmConfigBuilder". This is the class which is responsible for cloning the bootstrap user-mgt.xml and creating tenant-specific user-mgt.xml which contains the specific user and group bases of each tenant. Set it as follows: 
        • org.wso2.carbon.user.core.config.multitenancy.CommonLDAPRealmConfigBuilder
          
        • Comment out the JDBCUserStoreManager which comes by default and uncomment the ApacheDSUserStoreManager for an external LDAP in read/write mode.
        • In ApacheDSUserStoreManager configuration element, set ConnectionURL, ConnectionName, ConnectionPassword, UserSearchBase and GroupSearchBase for WSO2 user manager to connect to your external LDAP server.
    
                false
                ldap://localhost:10389
                uid=admin,ou=system
                secret
                SHA
                (objectClass=person)
                inetOrgPerson
                ou=Users,dc=wso2,dc=com
                (&(objectClass=person)(uid=?))
                uid
                [\\S]{5,30}
                true
                true
                false
                ou=Groups,dc=wso2,dc=com
                (objectClass=groupOfNames)
                groupOfNames
                (&(objectClass=groupOfNames)(cn=?))
                cn
                member
            
    
      • embedded-ldap.xml:
        • Disable the embedded-ldap server by setting "enable" property to false.
           3. Start the external ApacheDS server.
           4. Start the WSO2 Stratos Manager by running wso2server.sh/.bat scripts in  [stratos_manager_home] /bin directory.
           5. Access management console through https://localhost:9443/carbon.
           6. Login as super tenant with username: admin, password: secret (note that these are the credentials of admin user that you specified in user-mgt.xml)
           7.  Add a new tenant by providing tenant details as follows:
        8. After the tenant is successfully registered, you need to activate the tenant by checking the "activate" check box.
        9. Then log out from the super admin account.
       10. Login as the tenant admin of newly created tenant, by providing the above given credentials. For an example, in the above case, user name should be hasini@willpower.org.
    You can create new users, new groups and assign users to those groups under your tenant.
    If you look at the multi-tenanted LDAP structure from ApacheDirectory Studio, you will observer that there is a separate organizational unit is created for the tenant wso2.org and inside that, separate user base and a group base is created as shown in the following diagram.

    That's it... You can create more tenants and experience the tenant management with a multi-tenanted LDAP.

    3 comments:

    1. In tenant xml you use wso2.com

      In user mgt xml you use wso2.org

      Is this correct?

      I would think that you would need to have either .com or .org the same in both files?

      ReplyDelete
    2. Hi Thimothy,

      Yes, it should be one domain name that should be appear in both configuration files and it should be the DN of the root of your LDAP.

      I corrected the post accordingly. Thanks for pointing it out.

      Thanks,
      Hasini

      ReplyDelete
    3. Hi Hasini,

      thanks a lot for your posts! They give a clearer picture on the power of IS and the wso2-products!

      I don't understand why in this post the example of the Apache DS Studio shows the new Tenant as a organizational unit and in your other post: http://hasini-gunasinghe.blogspot.mx/2011/01/tenant-management-in-wso2-carbon-with.html the tenant looks like a ldap-partition.
      What is the reason for that? Is there a technical reason or a strategical reason like configuration/organization?

      With the current version of IS 4.1 I was able to achieve the ldap hierarchy like in the current post. Then I configured my ESB using the ldap-User Store. But the problem is I cannot log in to the ESB because I am giving a wrong user/domain combination.
      You know what I am doing wrong here?

      Thanks a lot in advance!

      Best regards,
      Johannes

      ReplyDelete

    Note: Only a member of this blog may post a comment.