User Store Properties

The following table provides descriptions of the key properties you use to configure primary userstores.

Property Id	Primary userstore Property	Description
MaxUserName ListLength	max_user_name _list_length	This controls the number of users listed in the userstore of WSO2 Identity Server. This is useful when you have a large number of users and don't want to list them all. Setting this property to 0 displays all users.
Connection URL	connection _url	This is the connection URL to the user store server.
Connection Name	connection _name	This is the username used to connect to the database and perform various operations. This user does not have to be an administrator in the userstore or have an administrator role in WSO2 Identity Server, but this user needs to have permissions to read the user list and users' attributes, and to perform search operations on the userstore. The value you specify is used as the DN (Distinguish Name) attribute of the user. This property is mandatory.
Connection Password	connection_ password	Password for the ConnectionName user
Display NameAttribute	display_ name_attribute	This is an optional property. The Display Name Attribute is the name by which users will be listed when you search for users in the management console (Go to Configuration -> Users tab).
Password HashMethod	password_ hash_method	The password hash method used when storing user entries in the userstore
UserName ListFilter	user_name_ list_filter	This is the filtering criteria for listing all the user entries in the userstore. This query or filter is used when doing search operations on users. In this case, the search operation only provides the objects created from the specified class. This query is the same as listing out all the available users in the management console.
UserEntry ObjectClass	user_entry_ object_class	This is the object class used to construct user entries. By default, it is a custom object class defined with the name wso2Person .
User SearchBase	user_ search_base	This is the DN of the context or object under which the user entries are stored in the userstore. In this case, it is the "users" container. When the userstore searches for users, it will start from this location of the directory. Different databases have different search bases.
UserName SearchFilter	user_name_ search_filter	Filtering criteria used to search for a particular user entry
UserName Attribute	user_name _attribute	This is the attribute used for uniquely identifying a user entry. Users can be authenticated using their email address, UID, etc. The name of the attribute is considered as the username. For information on using email address to authenticate users, click here .
PasswordJava ScriptRegEx	password_java_ script_regex	Policy that defines the password format
UsernameJava ScriptRegEx	username_java_ script_regex	The regular expression used by the front-end components for username validation
Username JavaRegEx	username_ java_regex	This is a regular expression used to validate usernames. By default, strings have a length of 5 to 30. Only non-empty characters are allowed. You can provide ranges of alphabets, numbers, and ASCII values in the RegEx properties. <Property name="UsernameJavaRegEx">[a-zA-Z0-9._\-|/]{3,30}$</Property>
ReadGroups	read_groups	This specifies whether groups should be read from the userstore. If this is disabled by setting it to false , none of the groups in the userstore can be read, and the following group configurations are not mandatory: GroupSearchBase , GroupNameListFilter , or GroupNameAttribute .
WriteGroups	write_groups	Specifies whether groups should be written to the userstore
Group SearchBase	group_ search_base	DN of the context under which user entries are stored in the userstore
GroupName ListFilter	group_name_ list_filter	This is the filtering criteria for listing all the group entries in the userstore. Groups are created in LDAP using the groupOfName class. The group search operation only returns objects created from this class.
GroupEntry ObjectClass	group_entry_ object_class	Object class used to construct group entries
GroupName SearchFilter	group_name_ search_filter	Filtering criteria used to search for a particular group entry
GroupName Attribute	group_name_ attribute	This is the attribute used for uniquely identifying a user entry. This attribute is to be treated as the group name.
Membership Attribute	membership _attribute	Attribute used to define members of groups
Membership AttributeRange	membership_ attribute_range	This is the attribute used by Active Directories that need to limit membership attributes. The default value for this is 1500.
UserRoles CacheEnabled	user_roles_ cache_enabled	This is to indicate whether to cache the role list of a user. By default, this is set to true . Set it to false if the user roles are changed by external means and those changes should instantly reflect in the Carbon instance.
UserDNPattern	user_dn_pattern	This is the LDAP patten for the user's DN which can be defined to improve the search. When there are many user entries in the LDAP userstore, defining a UserDNPattern provides more impact on performances as the LDAP does not have to travel through the entire tree to find users.
ReplaceEscape Characters AtUserLogin	replace_escape_ characters_at_user_login	(LDAP) If the user name has special characters, it replaces it to validate the user logging in. Only " \ " and " \\ " are identified as escape characters.
Password JavaRegEx	password_ java_regex	This is a regular expression in JDBC and LDAP to validate passwords. By default, strings having a length between 5 to 30 with non-empty characters are allowed.
PasswordJava ScriptRegEx	password_java _script_regex	The regular expression used by the front-end components for password validation
Username JavaRegEx	username_ java_regex	This is a regular expression to validate usernames. By default, strings having a length between 5 to 30 with non-empty characters are allowed.
Username JavaScript RegEx	username_java_ script_regex	The regular expression used by the front-end components for username validation
Rolename JavaRegEx	rolename_ java_regex	This is a regular expression used to validate role names. By default, strings having a length between 5 to 30 with non-empty characters are allowed.
MultiTenant Realm ConfigBuilder	config _builder	This is the tenant manager-specific realm config parameter. It can be used to build different types of realms for the tenant.
LDAPConnection Timeout	ldap_connection _timeout	If the connection to an LDAP is inactive for the length of time (in milliseconds) specified by this property, the connection will be terminated.

Following pages contain the user store properties available for each user store manager type.

• Configure a JDBC user store
• Configure a read-only LDAP user store
• Configure a read-Write Active Directory user store
• Configure a read-write LDAP user store

Note

In the tables given, the Primary user store Property column has the PRIMARY user store properties that can be configured in the deployment.toml file. The Secondary use rstore Property column has the properties that can be configured for a secondary user store through the WSO2 Identity Server Console.