User Store Properties

The following table provides descriptions of the key properties you use to configure primary userstores.

| Property Id | Primary userstore Property | Description |
|---|---|---|
| MaxUserNameListLength | max_user_name_list_length | This controls the number of users listed in the userstore of WSO2 Identity Server. This is useful when you have a large number of users and don't want to list them all. Setting this property to 0 displays all users. |
| ConnectionURL | connection_url | This is the connection URL to the user store server. |
| ConnectionName | connection_name | This is the username used to connect to the database and perform various operations. This user does not have to be an administrator in the userstore or have an administrator role in WSO2 Identity Server, but this user needs to have permissions to read the user list and users' attributes, and to perform search operations on the userstore. The value you specify is used as the DN (Distinguished Name) attribute of the user. This property is mandatory. |
| ConnectionPassword | connection_password | Password for the ConnectionName user. |
| DisplayNameAttribute | display_name_attribute | This is an optional property. The Display Name Attribute is the name by which users will be listed when you search for users in the management console (Go to Configuration -> Users tab). |
| PasswordHashMethod | password_hash_method | The password hash method used when storing user entries in the userstore. |
| UserNameListFilter | user_name_list_filter | This is the filtering criteria for listing all the user entries in the userstore. This query or filter is used when doing search operations on users. In this case, the search operation only provides the objects created from the specified class. This query is the same as listing out all the available users in the management console. |
| UserEntryObjectClass | user_entry_object_class | This is the object class used to construct user entries. By default, it is a custom object class defined with the name wso2Person. |
| UserSearchBase | user_search_base | This is the DN of the context or object under which the user entries are stored in the userstore. In this case, it is the "users" container. When the userstore searches for users, it will start from this location of the directory. Different databases have different search bases. |
| UserNameSearchFilter | user_name_search_filter | Filtering criteria used to search for a particular user entry. |
| UserNameAttribute | user_name_attribute | This is the attribute used for uniquely identifying a user entry. Users can be authenticated using their email address, UID, etc. The name of the attribute is considered as the username. For information on using email address to authenticate users, click here. |
| PasswordJavaScriptRegEx | password_java_script_regex | Policy that defines the password format. |
| UsernameJavaScriptRegEx | username_java_script_regex | The regular expression used by the front-end components for username validation. |
| UsernameJavaRegEx | username_java_regex | This is a regular expression used to validate usernames. By default, strings have a length of 5 to 30. Only non-empty characters are allowed. You can provide ranges of alphabets, numbers, and ASCII values in the RegEx properties. |
| ReadGroups | read_groups | This specifies whether groups should be read from the userstore. If this is disabled by setting it to false, none of the groups in the userstore can be read, and the following group configurations are not mandatory: GroupSearchBase, GroupNameListFilter, or GroupNameAttribute. |
| WriteGroups | write_groups | Specifies whether groups should be written to the userstore. |
| GroupSearchBase | group_search_base | DN of the context under which user entries are stored in the userstore. |
| GroupNameListFilter | group_name_list_filter | This is the filtering criteria for listing all the group entries in the userstore. Groups are created in LDAP using the groupOfNames class. The group search operation only returns objects created from this class. |
| GroupEntryObjectClass | group_entry_object_class | Object class used to construct group entries. |
| GroupNameSearchFilter | group_name_search_filter | Filtering criteria used to search for a particular group entry. |
| GroupNameAttribute | group_name_attribute | This is the attribute used for uniquely identifying a user entry. This attribute is to be treated as the group name. |
| MembershipAttribute | membership_attribute | Attribute used to define members of groups. |
| MembershipAttributeRange | membership_attribute_range | This is the attribute used by Active Directories that need to limit membership attributes. The default value for this is 1500. |
| UserRolesCacheEnabled | user_roles_cache_enabled | This indicates whether to cache the role list of a user. By default, this is set to true. Set it to false if the user roles are changed by external means and those changes should instantly reflect in the Carbon instance. |
| UserDNPattern | user_dn_pattern | This is the LDAP pattern for the user's DN, which can be defined to improve the search. When there are many user entries in the LDAP userstore, defining a UserDNPattern improves performance, as the LDAP does not have to traverse the entire tree to find users. |
| ReplaceEscapeCharactersAtUserLogin | replace_escape_characters_at_user_login | (LDAP) If the user name has special characters, it replaces them to validate the user logging in. Only `\` and `\\` are identified as escape characters. |
| PasswordJavaRegEx | password_java_regex | This is a regular expression in JDBC and LDAP to validate passwords. By default, strings having a length between 5 and 30 with non-empty characters are allowed. |
| PasswordJavaScriptRegEx | password_java_script_regex | The regular expression used by the front-end components for password validation. |
| UsernameJavaRegEx | username_java_regex | This is a regular expression to validate usernames. By default, strings having a length between 5 and 30 with non-empty characters are allowed. |
| UsernameJavaScriptRegEx | username_java_script_regex | The regular expression used by the front-end components for username validation. |
| RolenameJavaRegEx | rolename_java_regex | This is a regular expression used to validate role names. By default, strings having a length between 5 and 30 with non-empty characters are allowed. |
| MultiTenantRealmConfigBuilder | config_builder | This is the tenant manager-specific realm config parameter. It can be used to build different types of realms for the tenant. |
| LDAPConnectionTimeout | ldap_connection_timeout | If the connection to an LDAP is inactive for the length of time (in milliseconds) specified by this property, the connection will be terminated. |

The following pages contain the user store properties available for each user store manager type.

Note

In the tables given, the Primary userstore Property column has the PRIMARY user store properties that can be configured in the deployment.toml file. The Secondary userstore Property column has the properties that can be configured for a secondary user store through the WSO2 Identity Server Console.
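
A primary userstore block for deployment.toml that puts the properties above together for a read-only LDAP directory, as an added example that is not taken from the WSO2 documentation. The `[user_store]` section header, the `type` value, the `?` and `{0}` placeholders, and every hostname, DN, filter and number are assumptions constructed for illustration.

```toml
# Constructed example: read-only LDAP primary userstore (all values are assumptions).
[user_store]
type = "read_only_ldap_unique_id"   # assumed userstore manager type

# --- Connection ---
# ldaps:// keeps the bind password and user attributes from crossing the network in cleartext.
connection_url = "ldaps://ldap.example.com:636"
# Dedicated bind DN that can read the user list, read attributes and search,
# which is all this property requires; it is not a directory administrator.
connection_name = "uid=is-reader,ou=service,dc=example,dc=com"
connection_password = "REPLACE_WITH_BIND_PASSWORD"   # placeholder, not a real secret
ldap_connection_timeout = 5000                        # milliseconds

# --- User lookup ---
user_search_base = "ou=users,dc=example,dc=com"
user_name_attribute = "uid"
user_name_list_filter = "(objectClass=inetOrgPerson)"
# "?" is assumed to be replaced with the username being looked up.
user_name_search_filter = "(&(objectClass=inetOrgPerson)(uid=?))"
# "{0}" is assumed to be replaced with the username; avoids a full-tree search.
user_dn_pattern = "uid={0},ou=users,dc=example,dc=com"
display_name_attribute = "cn"
max_user_name_list_length = 100   # 0 would list every user

# --- Input validation ---
# Keep the server-side (java) and front-end (java_script) patterns identical so
# the browser never accepts a value that the server then rejects, or the reverse.
username_java_regex = '^[\S]{5,30}$'
username_java_script_regex = '^[\S]{5,30}$'
password_java_regex = '^[\S]{5,30}$'
password_java_script_regex = '^[\S]{5,30}$'

# --- Groups ---
# With read_groups = true, the search base, list filter and name attribute are needed.
read_groups = true
write_groups = false
group_search_base = "ou=groups,dc=example,dc=com"
group_name_attribute = "cn"
group_name_list_filter = "(objectClass=groupOfNames)"
group_name_search_filter = "(&(objectClass=groupOfNames)(cn=?))"
membership_attribute = "member"

# Group membership is managed in the directory, outside the server, so role
# changes (including removals) should take effect without waiting on a cache.
user_roles_cache_enabled = false
```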