User Store Properties
The following table provides descriptions of the key properties you use to configure primary userstores.
Property Id | Primary userstore Property | Description
---|---|---
MaxUserName | max_user_name | Maximum number of users returned when listing the users of a user store in WSO2 Identity Server. This is useful when the user store holds a large number of users and you do not want to list all of them. Setting this property to 0 lists all users.
Connection | connection | The connection URL of the user store server.
Connection | connection | The username used to bind to the user store and perform operations on it. This user does not have to be an administrator of the user store or hold an administrator role in WSO2 Identity Server, but it must have permission to read the user list and user attributes and to run search operations on the user store; use a dedicated account with no more privilege than that. The value you specify is used as the DN (Distinguished Name) of the bind user. This property is mandatory.
Connection | connection_ | Password of the ConnectionName user.
Display | display_ | Optional. The attribute whose value is shown as the display name when you list or search for users in the management console (Configuration -> Users tab).
Password | password_ | The password hash method used when storing user entries in the user store. Pick a strong hashing algorithm; storing passwords in plain text is not acceptable for production.
UserName | user_name_ | Filter used to list all user entries in the user store. It is applied when listing users and returns only objects of the specified object class. This is the same query that lists all available users in the management console.
UserEntry | user_entry_ | Object class used to construct user entries. By default, this is a custom object class named wso2Person.
User | user_ | DN of the context (container) under which user entries are stored in the user store, for example the "users" container. Searches for users start from this location in the directory tree. The search base differs between directory servers.
UserName | user_name_ | Filter used to search for a particular user entry.
UserName | user_name | Attribute used to uniquely identify a user entry; its value is treated as the username. Users can be authenticated with an email address, a UID, or another unique attribute. See the documentation on using an email address as the username for details.
 | password_java_ | Regular expression that defines the allowed password format.
UsernameJava | username_java_ | Regular expression used by the front-end components to validate usernames.
Username | username_ | Regular expression used to validate usernames. By default, it accepts strings of 5 to 30 non-whitespace characters. The RegEx properties can contain ranges of letters, digits, and ASCII values.
ReadGroups | read_groups | Whether groups are read from the user store. When set to false, no groups in the user store can be read, and the group properties GroupSearchBase, GroupNameListFilter, and GroupNameAttribute are not mandatory.
WriteGroups | write_groups | Whether groups are written to the user store.
Group | group_ | DN of the context under which group entries are stored in the user store.
GroupName | group_name_ | Filter used to list all group entries in the user store. Groups are created in LDAP using the groupOfNames object class, and the group search returns only objects of that class.
GroupEntry | group_entry_ | Object class used to construct group entries.
GroupName | group_name_ | Filter used to search for a particular group entry.
GroupName | group_name_ | Attribute used to uniquely identify a group entry; its value is treated as the group name.
Membership | membership | Attribute used to define the members of a group.
Membership | membership_ | Used with Active Directory, which returns large multi-valued attributes such as the membership attribute in ranges rather than all at once. This property sets the range size; the default is 1500.
UserRoles | user_roles_ | Whether the role list of a user is cached. Defaults to true. Set it to false if user roles are changed by external means and those changes must be reflected immediately in the Carbon instance.
UserDNPattern | user_dn_pattern | LDAP pattern for the user's DN, defined to speed up lookups. With many user entries in the LDAP user store, a UserDNPattern lets the directory locate a user's entry directly instead of traversing the whole subtree.
ReplaceEscape | replace_escape_ | (LDAP) If the username contains escape characters, they are replaced before the user is validated at login. Only "\" and "\\" are treated as escape characters.
 | password_ | Regular expression used in JDBC and LDAP user stores to validate passwords. By default, it accepts strings of 5 to 30 non-whitespace characters.
 | password_java | Regular expression used by the front-end components to validate passwords.
 | username_ | Regular expression used to validate usernames. By default, it accepts strings of 5 to 30 non-whitespace characters.
Username | username_java_ | Regular expression used by the front-end components to validate usernames.
 | rolename_ | Regular expression used to validate role names. By default, it accepts strings of 5 to 30 non-whitespace characters.
MultiTenant | config | Realm configuration parameter specific to the tenant manager. It can be used to build different types of realms for a tenant.
 | ldap_connection | If an LDAP connection is idle for longer than this value (in milliseconds), the connection is closed.
The following pages list the user store properties available for each user store manager type.
- Configure a JDBC user store
- Configure a read-only LDAP user store
- Configure a read-write Active Directory user store
- Configure a read-write LDAP user store
Note
In these tables, the Primary user store Property column lists the PRIMARY user store properties that can be configured in the deployment.toml file. The Secondary user store Property column lists the properties that can be configured for a secondary user store through the WSO2 Identity Server Console.
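Several of the properties in the table above interact at runtime in ways that matter for security: the bind account (ConnectionName) is mandatory, the group properties are optional only when read_groups is false, the username regex gates what reaches the directory, and UserNameSearchFilter and UserDNPattern substitute a user-supplied name into an LDAP filter or DN. The Python script below is an added example, not WSO2's own code, that models a constructed LDAP user store configuration and shows those checks and substitutions. Everything in it is an assumption for illustration: the full deployment.toml key names (connection_url, user_name_search_filter, user_dn_pattern, ...), the default regex `^[\S]{5,30}$`, the `?` and `{0}` placeholders, the filter and pattern values, and the host names.

```python
import re

# Constructed example configuration for a read-only LDAP primary user store.
# The full key names (connection_url, user_name_search_filter, ...) are
# ASSUMED from WSO2 Identity Server deployment.toml conventions; the table on
# this page shows them abbreviated. Values are illustrative, not from any
# real deployment.
USER_STORE = {
    "connection_url": "ldaps://ldap.example.test:636",
    "connection_name": "uid=svc-wso2,ou=system",   # mandatory: the bind user
    "connection_password": "change-me",
    "user_search_base": "ou=Users,dc=example,dc=test",
    "user_name_attribute": "uid",
    "user_name_list_filter": "(objectClass=person)",
    "user_name_search_filter": "(&(objectClass=person)(uid=?))",  # '?' = username
    "user_dn_pattern": "uid={0},ou=Users,dc=example,dc=test",     # '{0}' = username
    "username_java_regex": r"^[\S]{5,30}$",   # assumed default: 5-30 non-whitespace
    "rolename_java_regex": r"^[\S]{5,30}$",
    "read_groups": False,                     # group properties become optional
}

# Group properties the table marks as mandatory only when read_groups is true.
GROUP_KEYS = ("group_search_base", "group_name_list_filter", "group_name_attribute")


def validate_user_store(cfg):
    """Return a list of configuration problems (an empty list means OK)."""
    problems = []
    if not cfg.get("connection_name"):
        problems.append("connection_name is mandatory")
    if cfg.get("read_groups", True):
        for key in GROUP_KEYS:
            if not cfg.get(key):
                problems.append(f"read_groups is true but {key} is not set")
    if "?" not in cfg.get("user_name_search_filter", ""):
        problems.append("user_name_search_filter has no '?' placeholder for the username")
    if cfg.get("connection_url", "").lower().startswith("ldap://"):
        problems.append("connection_url uses plain ldap://; the bind password and "
                        "attributes travel unencrypted, prefer ldaps:// or StartTLS")
    return problems


def username_allowed(cfg, username):
    """Apply the configured (server-side) username regex to a login name."""
    return re.fullmatch(cfg["username_java_regex"], username) is not None


# RFC 4515: characters that must be hex-escaped inside an LDAP filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape a user-supplied value before substituting it into a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_search_filter(cfg, username):
    """Expand the '?' in UserNameSearchFilter with an escaped username."""
    return cfg["user_name_search_filter"].replace("?", escape_filter_value(username))


def escape_dn_value(value):
    """RFC 4514 escaping for an attribute value embedded in a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_user_dn(cfg, username):
    """Expand the '{0}' in UserDNPattern with a DN-escaped username."""
    return cfg["user_dn_pattern"].replace("{0}", escape_dn_value(username))


if __name__ == "__main__":
    print(validate_user_store(USER_STORE))
    print(build_user_search_filter(USER_STORE, "*)(uid=*"))
    print(build_user_dn(USER_STORE, "alice,ou=admins"))
```

The two escaping helpers exist because the filter and the DN have different grammars: a username such as `*)(uid=*` would turn an unescaped UserNameSearchFilter into a wildcard match on every person, while a comma in a name substituted into UserDNPattern would splice extra RDNs into the DN. The regex check runs first, so the default pattern already rejects whitespace and very short or long names, but it does not reject filter metacharacters, which is why the substitution must escape them.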