I've changed the user-mgt.xml to connect with the active directory of my company.
If I enter with the admin user, I can log in and see the users of the active directory. But when I try with another user, the registry always says wrong username or password (and I know both are right).
With a sniffer like Wireshark I can see that the active directory is returning the complete name of the user and more data, so I don't understand why the registry doesn't let me log in.
Authentication failure. Wrong username or password is provided {org.wso2.carbon.user.core.common.AbstractUserStoreManager}
<AddAdmin>true</AddAdmin>
<AdminRole>wso2admin</AdminRole>
<AdminUser>
<UserName>XXXXX</UserName>
<Password>XXXXX</Password>
</AdminUser>
<EveryOneRoleName>everyone</EveryOneRoleName>
<Property name="dataSource">jdbc/WSO2CarbonDB</Property>
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager">
<Property name="TenantManager">org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager</Property>
<Property name="defaultRealmName">WSO2.ORG</Property>
<Property name="Disabled">false</Property>
<Property name="kdcEnabled">false</Property>
<Property name="ConnectionURL">ldap://XXXXXXXX:389</Property>
<Property name="ConnectionName">cn=XXXXX,CN=Users,DC=itlab,DC=bk</Property>
<Property name="ConnectionPassword">XXXXXX</Property>
<Property name="passwordHashMethod">PLAIN_TEXT</Property>
<Property name="UserSearchBase">CN=Users,DC=itlab,DC=bk</Property>
<Property name="UserEntryObjectClass">user</Property>
<Property name="UserNameAttribute">cn</Property>
<Property name="isADLDSRole">false</Property>
<Property name="userAccountControl">512</Property>
<Property name="UserNameListFilter">(objectClass=user)</Property>
<Property name="UserNameSearchFilter">(&amp;(objectClass=user)(cn=?))</Property>
<Property name="UsernameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
<Property name="UsernameJavaScriptRegEx">^[\S]{3,30}$</Property>
<Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property>
<Property name="RolenameJavaScriptRegEx">^[\S]{3,30}$</Property>
<Property name="RolenameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
<Property name="ReadGroups">true</Property>
<Property name="WriteGroups">false</Property>
<Property name="EmptyRolesAllowed">true</Property>
<Property name="GroupSearchBase">ou=Grupos,DC=itlab,DC=bk </Property>
<Property name="GroupEntryObjectClass">group</Property>
<Property name="GroupNameAttribute">cn</Property>
<Property name="SharedGroupNameAttribute">cn</Property>
<Property name="MembershipAttribute">member</Property>
<Property name="GroupNameListFilter">(objectcategory=group)</Property>
<Property name="GroupNameSearchFilter">(&amp;(objectClass=group)(cn=?))</Property>
<Property name="UserRolesCacheEnabled">true</Property>
<Property name="Referral">follow</Property>
<Property name="BackLinksEnabled">true</Property>
<Property name="MaxRoleNameListLength">100</Property>
<Property name="MaxUserNameListLength">100</Property>
<Property name="SCIMEnabled">false</Property>
</UserStoreManager>
Thanks!
You mean that you cannot log in to Governance Registry using AD users, except the admin user in the user-mgt.xml file? Normally, to log in to the management console of the Governance Registry,
According to your comment, it seems that authentication is fine. Then the user has failed due to reason 2.
Please log in as admin and go to the user role management page. Here you can see a role called "everyone". Please provide "login" permission for that role.
"everyone" is a role that has been mapped with all the users in the AD. Therefore, if we provide permission to the "everyone" role, it means all the users in AD can log in...
If that is also not successful, please enable debug logs for the org.wso2.carbon.user.core package using the log4j.properties file, which can be found in the conf directory.
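An offline lint for a UserStoreManager block like the one in the question, as an added example that is not part of the original thread and not WSO2 code. The sample block is constructed (placeholder host and DNs, with a raw '&' as it appears when a filter is copied from a rendered page), and the attribute/filter consistency check is a heuristic assumption, not a documented WSO2 rule.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the posted block; host and DNs are placeholders.
SAMPLE = """<UserStoreManager class="org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager">
<Property name="ConnectionURL">ldap://ad.example.test:389</Property>
<Property name="UserSearchBase">CN=Users,DC=example,DC=test</Property>
<Property name="UserNameAttribute">cn</Property>
<Property name="UserNameSearchFilter">(&(objectClass=user)(cn=?))</Property>
<Property name="GroupSearchBase">ou=Grupos,DC=example,DC=test </Property>
<Property name="GroupNameAttribute">cn</Property>
<Property name="GroupNameSearchFilter">(&(objectClass=group)(cn=?))</Property>
</UserStoreManager>"""

# An '&' that does not start a predefined or numeric XML entity.
RAW_AMP = re.compile(r"&(?!amp;|lt;|gt;|quot;|apos;|#)")

def lint_user_store(xml_text):
    """Return a list of (property, finding) tuples for one UserStoreManager block."""
    findings = []
    if RAW_AMP.search(xml_text):
        findings.append(("(file)", "raw '&' in a filter; write '&amp;' so the XML parses"))
        xml_text = RAW_AMP.sub("&amp;", xml_text)  # repair in memory so later checks run
    root = ET.fromstring(xml_text)
    props = {p.get("name"): (p.text or "") for p in root.iter("Property")}
    # Assumes simple bind without StartTLS: passwords then cross the network in clear text.
    if props.get("ConnectionURL", "").strip().lower().startswith("ldap://"):
        findings.append(("ConnectionURL", "ldap:// is unencrypted; use ldaps:// for binds"))
    for name, value in props.items():
        if value != value.strip():
            findings.append((name, "leading or trailing whitespace in value"))
    # Heuristic: the search filter should look users/groups up by the configured name attribute.
    for attr, flt in (("UserNameAttribute", "UserNameSearchFilter"),
                      ("GroupNameAttribute", "GroupNameSearchFilter")):
        if attr in props and flt in props:
            wanted = "(%s=?)" % props[attr].strip()
            if wanted.lower() not in props[flt].lower().replace(" ", ""):
                findings.append((flt, "filter has no %s placeholder for %s" % (wanted, attr)))
    return findings

if __name__ == "__main__":
    for prop, finding in lint_user_store(SAMPLE):
        print("%-22s %s" % (prop, finding))
```
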