I'd like to know if somebody has successfully got ESB connecting to a BAM that uses LDAP for authentication, and how. In other words: what're the necessary permissions to publish events in a BAM server?
We've installed ESB 4.6.0 and BAM 2.2.0, and both of them are configured to use LDAP (it's an Active Directory) for user management.
We've followed as much as possible this documentation (has some outdated/wrong instructions though) http://docs.wso2.org/wiki/display/ESB450/Configuring+External+User+Stores
Since ESB sends events to BAM, there is a BAM Profile created, that needs a valid user and password to connect to BAM Server. Therefore we've created specific users for that. Those users where configured to belong to the admin group by adding them to the default admin role (the one specified in the user-mgt.xml file shown below) but the connection between ESB and BAM fails with:
TID: [0] [BAM] [2013-05-07 12:50:58,802] INFO {org.wso2.carbon.databridge.core.DataBridge} - wso2_dev_server connected {org.wso2.carbon.databridge.core.DataBridge}
TID: [0] [BAM] [2013-05-07 12:50:58,847] ERROR {org.wso2.carbon.databridge.core.internal.authentication.Authenticator} - wrong userName or password {org.wso2.carbon.databridge.core.internal.authentication.Authenticator}
while direct login into the Management Console (same credentials) works:
TID: [0] [BAM] [2013-05-07 14:10:48,570] INFO {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} - 'wso2_dev_server@carbon.super [-1234]' logged in at [2013-05-07 14:10:48,570+1200] from IP address 172.26.34.38 {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil}
To make it even funnier, communication between ESB and BAM works if I use MY credentials instead.
Thanks in advance.
This is our user-mgt.xml file:
<UserManager>
<Realm>
<Configuration>
<AdminRole>wso2_admin</AdminRole>
<AdminUser>
<UserName>gherrera</UserName>
<Password></Password>
</AdminUser>
<EveryOneRoleName></EveryOneRoleName> <!-- By default users in this role sees the registry root -->
<Property name="dataSource">jdbc/WSO2CarbonDB</Property>
<Property name="MultiTenantRealmConfigBuilder">org.wso2.carbon.user.core.config.multitenancy.SimpleRealmConfigBuilder</Property>
</Configuration>
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager">
<Property name="ReadOnly">true</Property>
<Property name="MaxUserNameListLength">100</Property>
<Property name="ConnectionURL">ldap://activedirectoryserver:389</Property>
<Property name="ConnectionName">CN=someadminuser,OU=Service Accounts,OU=mycompany Users,DC=mycompany,DC=co,DC=nz</Property>
<Property name="ConnectionPassword">someadminuserpassword</Property>
<Property name="passwordHashMethod">PLAIN_TEXT</Property>
<Property name="UserSearchBase">DC=mycompany,DC=co,DC=nz</Property>
<Property name="UserNameListFilter">(objectClass=person)</Property>
<Property name="UserNameAttribute">sAMAccountName</Property>
<Property name="ReadLDAPGroups">true</Property>
<Property name="GroupSearchBase">OU=mycompany Groups,DC=mycompany,DC=co,DC=nz</Property>
<Property name="GroupNameListFilter">(objectClass=group)</Property>
<Property name="GroupNameAttribute">cn</Property>
<Property name="MembershipAttribute">member</Property>
<Property name="UserRolesCacheEnabled">true</Property>
<Property name="ReplaceEscapeCharactersAtUserLogin">true</Property>
<Property name="maxFailedLoginAttempt">3</Property>
</UserStoreManager>
<AuthorizationManager
class="org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager">
<Property name="AdminRoleManagementPermissions">/permission</Property>
<Property name="AuthorizationCacheEnabled">true</Property>
</AuthorizationManager>
</Realm>
</UserManager>
