Tags: wso2, wso2-enterprise-integrator, wso2-micro-integrator

Inject system variable LDAP wso2 MI 4.1.0


Can I inject $SYSTEM:VAR or something similar in a Secondary User Store LDAP?

Is that possible? How can I secure that LDAP? We are trying to use an environment variable.

I have the following LDAP:

<?xml version="1.0" encoding="UTF-8"?>
<UserStoreManager class="org.wso2.micro.integrator.security.user.core.ldap.ReadOnlyLDAPUserStoreManager">
   <Property name="ConnectionURL">ldap://XXXX:389/</Property>
   <Property name="ConnectionName">XXXXXX</Property>
   <Property name="ConnectionPassword">XXXX</Property>
   <Property name="UserNameAttribute">uid</Property>
   <Property name="DomainName">ldapDes</Property>
   <Property name="UserSearchBase">o=XXXX,c=es</Property>
   <Property name="UserNameListFilter">(objectClass=*)</Property>
   <Property name="UserNameSearchFilter">(&amp;(uid=?))</Property>
   <Property name="Disabled">false</Property>
   <Property name="MaxUserNameListLength">100</Property>
   <Property name="MaxRoleNameListLength">100</Property>
   <Property name="UserRolesCacheEnabled">true</Property>
   <Property name="SCIMEnabled">false</Property>
   <Property name="ReadGroups">false</Property>
   <Property name="GroupSearchBase">ou=system</Property>
   <Property name="GroupNameAttribute">cn</Property>
   <Property name="GroupNameSearchFilter">(&amp;(objectClass=groupOfNames)(cn=?))</Property>
   <Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property>
   <Property name="MembershipAttribute">member</Property>
   <Property name="MemberOfAttribute"/>
   <Property name="PasswordHashMethod">PLAIN_TEXT</Property>
   <Property name="ReplaceEscapeCharactersAtUserLogin">true</Property>
   <Property name="Description"/>
</UserStoreManager>

I have seen the official docs [1] and [2].

[1] https://apim.docs.wso2.com/en/4.1.0/administer/managing-users-and-roles/managing-user-stores/configuring-secondary-user-stores-mi/

[2] https://apim.docs.wso2.com/en/4.1.0/integrate/develop/injecting-parameters/


Solution

  • In MI, we don't have first-class support for creating or editing secondary user stores. It only supports user stores that were migrated from EI versions.

    When we create a secondary user store in the EI management console, it encrypts the password automatically. Ex:

    <Property name="ConnectionURL">ldap://localhost:10389</Property>
    <Property name="ConnectionName">uid=,ou=</Property>
    <Property encrypted="true" name="ConnectionPassword">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</Property>
    <Property name="UserSearchBase">ou=Users,dc=wso2,dc=org</Property>

    In MI, you can try this manually by running cipher-tool, getting the encrypted value and changing the XML tag manually. Remember to add encrypted="true".
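The answer above boils down to a property-level check on the user store file: the ConnectionPassword element must carry encrypted="true" and hold cipher-tool output rather than the clear bind password. The following script is an added example, not part of the question, the answer, or WSO2's own tooling. It audits a user store definition for that condition (and for a non-TLS ldap:// URL, since the question also asks how to secure the LDAP connection) and shows how to rewrite the element once cipher-tool has produced the ciphertext. The sample XML, the ldap.example.test host, the uid=svc-mi bind DN and the CIPHERTEXT_FROM_CIPHER_TOOL placeholder are all constructed for this example; the script does not encrypt anything itself.

```python
"""Audit a WSO2 EI/MI secondary user store XML for a plaintext LDAP bind password.

Added example for this thread, not WSO2 code. It assumes the layout shown in
the question and answer: a <UserStoreManager> root with <Property name="...">
children, where an encrypted ConnectionPassword carries encrypted="true".
"""
import xml.etree.ElementTree as ET

# Constructed sample in the same shape as the question's file (placeholder values).
PLAINTEXT_STORE = """<?xml version="1.0" encoding="UTF-8"?>
<UserStoreManager class="org.wso2.micro.integrator.security.user.core.ldap.ReadOnlyLDAPUserStoreManager">
   <Property name="ConnectionURL">ldap://ldap.example.test:389/</Property>
   <Property name="ConnectionName">uid=svc-mi,ou=system</Property>
   <Property name="ConnectionPassword">secret-in-clear</Property>
   <Property name="UserNameAttribute">uid</Property>
   <Property name="UserSearchBase">o=example,c=es</Property>
</UserStoreManager>
"""


def find_property(root, name):
    """Return the <Property name=...> child of the root, or None if absent."""
    for prop in root.findall("Property"):
        if prop.get("name") == name:
            return prop
    return None


def audit_user_store(xml_text):
    """Return a list of findings (strings) for one user store definition; empty means clean."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "UserStoreManager":
        return [f"unexpected root element <{root.tag}>"]

    pw = find_property(root, "ConnectionPassword")
    if pw is None:
        findings.append("ConnectionPassword property missing")
    else:
        value = (pw.text or "").strip()
        encrypted = pw.get("encrypted", "false").lower() == "true"
        if not value:
            findings.append("ConnectionPassword is empty")
        elif not encrypted:
            # This is the case in the question: bind password in clear, no encrypted="true".
            findings.append('ConnectionPassword is stored in plaintext (no encrypted="true")')

    url = find_property(root, "ConnectionURL")
    if url is not None and (url.text or "").strip().lower().startswith("ldap://"):
        findings.append("ConnectionURL uses ldap:// rather than ldaps://; unless StartTLS is "
                        "negotiated, the bind password crosses the network in clear")
    return findings


def mark_encrypted(xml_text, ciphertext):
    """Set ConnectionPassword to an already-encrypted value and add encrypted="true".

    `ciphertext` is whatever cipher-tool printed; nothing is encrypted here.
    Returns the rewritten XML as a string.
    """
    root = ET.fromstring(xml_text)
    pw = find_property(root, "ConnectionPassword")
    if pw is None:
        raise ValueError("ConnectionPassword property missing")
    pw.text = ciphertext
    pw.set("encrypted", "true")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in audit_user_store(PLAINTEXT_STORE):
        print("FINDING:", finding)
    # Placeholder standing in for real cipher-tool output.
    fixed = mark_encrypted(PLAINTEXT_STORE, "CIPHERTEXT_FROM_CIPHER_TOOL")
    print("after rewrite:", audit_user_store(fixed))
```

Run it against each secondary user store file before deployment; the plaintext finding disappears only when the element has both the cipher-tool value and the encrypted="true" attribute, which is exactly the manual step the answer describes. The ldap:// finding is independent of the password handling and remains until the URL is switched to ldaps:// (or StartTLS is confirmed on the server side).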