Adding a Secondary LDAP Userstore for WSO2 Products

In this article I will be describing how to add a secondary LDAP userstore to WSO2 Identity Server 5.0 using Apache Directory Studio 2.0. Download and extract both products to a desired location.

Create a Userstore in Apache DS

First we need to create an LDAP userstore in Apache DS. To do that, start Apache DS and create a new LDAP connection, which will open the following window.

Give localhost as the Hostname and 389 as the Port (this is the default), and a desired name for the connection. Click Next once done.

In the next window, select the login credentials for the LDAP connection. Here I will be giving "cn=admin,dc=supun,dc=com" as the "Bind DN or user" and "supun" as the Bind password. Click Finish once done.

Then, in the LDAP browser, create one or more users in the following structure.

Adding the Secondary Userstore to WSO2 IS

Start the WSO2 IS server by navigating to <IS_HOME>/bin and executing ./ (on Ubuntu). Log in to the Carbon console with the super-user credentials.

Navigate to Configure > User Store Management and click "Add Secondary User Store".

In the next window, give the following configurations, which correspond to the userstore we created earlier in Apache DS.

Domain Name: any desired value

Connection Name: This should be the exact value we gave as "Bind DN or user" in Apache DS (i.e. in this case it should be "cn=admin,dc=supun,dc=com").

Connection URL: This should be "ldap://localhost:389", where localhost and 389 are the hostname and port we set in Apache DS.

Connection Password: The value we set as the "Bind password" when creating the LDAP connection in Apache DS (in our case "supun").

User Search Base: This should be the DN of the context under which user entries are stored in Apache DS. According to the structure we created earlier, our user (supun) is listed under ou=users of the user group ou=userGroup, which in turn sits under dc=supun,dc=com. Therefore the value should be "ou=users,ou=userGroup,dc=supun,dc=com".

User Object Class: (objectClass=person)

Username Attribute: uid

User Search Filter: (&(objectClass=person)(uid=?))

Group Search Base: ou=users,ou=userGroup,dc=supun,dc=com

Group Name Attribute: ou

Group Object Class: (objectClass=groupOfNames)

Group Search Filter: (&(objectClass=groupOfNames)(ou=?))

In the "Optional" tab (found right after the above properties), set the User DN Pattern to the DN under which the users are listed (or a DN that matches a higher level in the hierarchy above the users). In this case it should be set to "ou=userGroup,dc=supun,dc=com".

Leave the rest of the options as they are. Click Add once everything is complete. Refresh the page after a couple of seconds and you should see the newly created userstore listed on the same page.

Then navigate to Configure > Users and Roles > Users. If everything went well, you should see the user we created in the LDAP listed here (SECONDARY.STORE/supun).
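As an added illustration (not WSO2 IS code, and using no LDAP library or connection), the following Python models what the search settings above mean in practice: the `?` placeholder in the User and Group Search Filters is replaced by a login name, which must be escaped per RFC 4515 so that filter metacharacters in the name cannot change the filter's structure, and a user entry's DN must sit below the configured User Search Base. The user DN `uid=supun,ou=users,ou=userGroup,dc=supun,dc=com` is a constructed value matching the structure described earlier.

```python
"""Model the userstore search settings above: substitute the '?' placeholder
in the filter templates with an RFC 4515-escaped login name, and check that a
user entry lies under the configured User Search Base. Added example, not
WSO2 IS code; no LDAP connection is made."""

# Values taken from the configuration described in the article.
USER_SEARCH_BASE = "ou=users,ou=userGroup,dc=supun,dc=com"
USER_SEARCH_FILTER = "(&(objectClass=person)(uid=?))"
GROUP_SEARCH_FILTER = "(&(objectClass=groupOfNames)(ou=?))"

# RFC 4515 escape table: these characters would otherwise alter filter structure.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}

def escape_filter_value(value: str) -> str:
    """Escape a caller-supplied value so it is matched literally inside a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_filter(template: str, value: str) -> str:
    """Replace the single '?' placeholder with the escaped value."""
    if template.count("?") != 1:
        raise ValueError("template must contain exactly one '?' placeholder")
    return template.replace("?", escape_filter_value(value))

def balanced(filter_str: str) -> bool:
    """Sanity check: a correctly escaped filter keeps its parentheses balanced."""
    depth = 0
    for ch in filter_str:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0

def dn_components(dn: str) -> list:
    """Split a DN into normalised RDNs (assumes no escaped commas in values)."""
    return [rdn.strip().lower() for rdn in dn.split(",")]

def is_under_base(entry_dn: str, search_base: str) -> bool:
    """True when entry_dn is strictly below search_base, as a subtree search requires."""
    entry, base = dn_components(entry_dn), dn_components(search_base)
    return len(entry) > len(base) and entry[-len(base):] == base

if __name__ == "__main__":
    # Constructed user DN matching the structure built in Apache DS above.
    user_dn = "uid=supun,ou=users,ou=userGroup,dc=supun,dc=com"
    print(build_filter(USER_SEARCH_FILTER, "supun"), is_under_base(user_dn, USER_SEARCH_BASE))
    print(build_filter(GROUP_SEARCH_FILTER, "admin*"))
```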

Modify the Claim Mappings

Even though our user is listed as above, if you try to view and update the user profile you might encounter server errors saying that certain attributes are not supported by the underlying LDAP. This occurs because the user claims have not been properly mapped to the attributes of the user in our LDAP. To fix this, we need to update the user claims. To do that, go to Claim Management and click on

Then you will see the list of available claims (see below). Click on any claim you want to modify, and click Edit.