Every WSO2 product comes with an embedded, internal user store, which is configured in <PRODUCT_HOME>/repository/conf/user-mgt.xml. In WSO2 Identity Server, the embedded user store is LDAP, and in other products it is JDBC. Because the domain name (unique identifier) of this default user store is set to PRIMARY by default, it is called the primary user store.
...
Comment out the following user store which is enabled by default. This is the user store which is uncommented by default in the
user-mgt.xmlfile.<UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager">Given below are samples for LDAP and Active Directory user stores in the
<PRODUCT_HOME>/repository/conf/user-mgt.xmlfile. Note that these configurations already exist in theuser-mgt.xmlfile so you only need to uncomment them and make the appropriate adjustments. Also ensure that you comment out the configurations for other user stores which you are not using.Localtabgroup Localtab active true title LDAP User Store LDAP user store sample:
Code Block language html/xml <UserManager> <Realm> ... <UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager"> <Property name="TenantManager">org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager</Property> <Property name="ReadOnly">true</Property> <Property name="Disabled">false</Property> <Property name="MaxUserNameListLength">100</Property> <Property name="ConnectionURL">ldap://localhost:10389</Property> <Property name="ConnectionName">uid=admin,ou=system</Property> <Property name="ConnectionPassword">admin</Property> <Property name="passwordHashMethod">PLAIN_TEXT</Property> <Property name="UserSearchBase">ou=system</Property> <Property name="UserNameListFilter">(objectClass=person)</Property> <Property name="UserNameSearchFilter">(&(objectClass=person)(uid=?))</Property> <Property name="UserNameAttribute">uid</Property> <Property name="ReadGroups">true</Property> <Property name="GroupSearchBase">ou=system</Property> <Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property> <Property name="GroupNameSearchFilter">(&(objectClass=groupOfNames)(cn=?))</Property> <Property name="GroupNameAttribute">cn</Property> <Property name="SharedGroupNameAttribute">cn</Property> <Property name="SharedGroupSearchBase">ou=SharedGroups,dc=wso2,dc=org</Property> <Property name="SharedGroupNameListFilter">(objectClass=groupOfNames)</Property> <Property name="SharedTenantNameListFilter">(objectClass=organizationalUnit)</Property> <Property name="SharedTenantNameAttribute">ou</Property> <Property name="SharedTenantObjectClass">organizationalUnit</Property> <Property name="MembershipAttribute">member</Property> <Property name="UserRolesCacheEnabled">true</Property> <Property name="ReplaceEscapeCharactersAtUserLogin">true</Property> <Property name="MaxRoleNameListLength">100</Property> <Property name="MaxUserNameListLength">100</Property> <Property name="SCIMEnabled">false</Property> </UserStoreManager> </Realm> </UserManager>Localtab title Active Directory User Store Active directory user store sample:
Code Block language html/xml <UserManager> <Realm> ... <!-- Active directory configuration follows --> <UserStoreManager class="org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager"> <Property name="TenantManager">org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager</Property> <Property name="defaultRealmName">WSO2.ORG</Property> <Property name="Disabled">false</Property> <Property name="kdcEnabled">false</Property> <Property name="ConnectionURL">ldaps://10.100.1.100:636</Property> <Property name="ConnectionName">CN=admin,CN=Users,DC=WSO2,DC=Com</Property> <Property name="ConnectionPassword">A1b2c3d4</Property> <Property name="passwordHashMethod">PLAIN_TEXT</Property> <Property name="UserSearchBase">CN=Users,DC=WSO2,DC=Com</Property> <Property name="UserEntryObjectClass">user</Property> <Property name="UserNameAttribute">cn</Property> <Property name="isADLDSRole">false</Property> <Property name="userAccountControl">512</Property> <Property name="UserNameListFilter">(objectClass=user)</Property> <Property name="UserNameSearchFilter">(&(objectClass=user)(cn=?))</Property> <Property name="UsernameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property> <Property name="UsernameJavaScriptRegEx">^[\S]{3,30}$</Property> <Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property> <Property name="RolenameJavaScriptRegEx">^[\S]{3,30}$</Property> <Property name="RolenameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property> <Property name="ReadGroups">true</Property> <Property name="WriteGroups">false</Property> <Property name="EmptyRolesAllowed">true</Property> <Property name="GroupSearchBase">CN=Users,DC=WSO2,DC=Com</Property> <Property name="GroupEntryObjectClass">group</Property> <Property name="GroupNameAttribute">cn</Property> <Property name="SharedGroupNameAttribute">cn</Property> <Property name="SharedGroupSearchBase">ou=SharedGroups,dc=wso2,dc=org</Property> <Property name="SharedGroupEntryObjectClass">groups</Property> <Property name="SharedTenantNameListFilter">(object=organizationalUnit)</Property> <Property name="SharedTenantNameAttribute">ou</Property> <Property name="SharedTenantObjectClass">organizationalUnit</Property> <Property name="MembershipAttribute">member</Property> <Property name="GroupNameListFilter">(objectcategory=group)</Property> <Property name="GroupNameSearchFilter">(&(objectClass=group)(cn=?))</Property> <Property name="UserRolesCacheEnabled">true</Property> <Property name="Referral">follow</Property> <Property name="BackLinksEnabled">true</Property> <Property name="MaxRoleNameListLength">100</Property> <Property name="MaxUserNameListLength">100</Property> <Property name="SCIMEnabled">false</Property> </UserStoreManager> </Realm> </UserManager>Info If you create the
user-mgt.xmlfile yourself, be sure to save it in the<PRODUCT_HOME>/repository/confdirectory. Creating this file from scratch requires you to copy the above configuration directly into the XML file along with other<Realm>configurations.Note See Working with Properties of Primary User Stores for detailed information on the properties available in the
user-mgt.xmlfile.The
classattribute of theUserStoreManagertag indicates whether it is an Active Directory or LDAP user store. Ensure that the correct configuration is uncommented.Active Directory:
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager">Read-only LDAP:
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager">
Update the connection details to match your user store. For example:
Code Block language html/xml <Property name="ConnectionURL">ldap://localhost:10389</Property>
Obtain a user who has permission to read all users/attributes and perform searches on the user store from your LDAP/Active Directory administrator. For example, if the privileged user is "AdminLDAP" and the password is "2010#Avrudu", update the following sections of the realm configuration as follows:
Code Block language html/xml <Property name="ConnectionName">uid=AdminLDAP,ou=system</Property> <Property name="ConnectionPassword">2010#Avrudu</Property>
Update
<Property name="UserSearchBase">with the directory name where the users are stored. When LDAP searches for users, it will start from this location of the directory.Code Block language html/xml <Property name="UserSearchBase">ou=system</Property>
Set the attribute to use as the username, typically either
cnoruidfor LDAP. Ideally,<Property name="UserNameAttribute">and<Property name="UserNameSearchFilter">should refer to the same attribute. If you are not sure what attribute is available in your user store, check with your LDAP/Active Directory administrator.For example:
Read-only LDAP:
<Property name="UserNameAttribute">uid</Property>Active Directory:
<Property name="UserNameAttribute">sAMAccountName</Property>
- Optionally, configure the realm to read roles from the user store by reading the user/role mapping based on a membership (user list) or backlink attribute, as follows:
The following code snippet represents reading roles based on a membership attribute. This is used by the
ApacheDirectoryserver andOpenLDAP.Code Block language html/xml <Property name="ReadLDAPGroups">false</Property> <Property name="GroupSearchBase">ou=system</Property> <Property name="GroupSearchFilter">(objectClass=groupOfNames)</Property> <Property name="GroupNameAttribute">cn</Property> <Property name="MembershipAttribute">member</Property>
The following code snippet represents reading roles based on a backlink attribute. This is used by the Active Directory.
Code Block language html/xml <Property name="ReadLDAPGroups">true</Property> <Property name="GroupSearchBase">cn=users,dc=wso2,dc=lk</Property> <Property name="GroupSearchFilter">(objectcategory=group)</Property> <Property name="GroupNameAttribute">cn</Property> <Property name="MemberOfAttribute">memberOf</Property>
Start your server and try to log in as the admin user you specified. The password is the admin user's password in the LDAP/Active Directory server.
...
Uncomment the following section in
<PRODUCT_HOME>/repository/conf/user-mgmt.xml:Code Block language html/xml <UserStoreManager class="org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager">
The following are samples for the internal and external JDBC user store configuration:
Localtabgroup Localtab active true title Internal JDBC User Store Internal JDBC user store configuration sample:
Code Block language html/xml <UserStoreManager class="org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager"> <Property name="TenantManager">org.wso2.carbon.user.core.tenant.JDBCTenantManager</Property> <Property name="ReadOnly">false</Property> <Property name="MaxUserNameListLength">100</Property> <Property name="IsEmailUserName">false</Property> <Property name="DomainCalculation">default</Property> <Property name="PasswordDigest">SHA-256</Property> <Property name="StoreSaltedPassword">true</Property> <Property name="UserNameUniqueAcrossTenants">false</Property> <Property name="PasswordJavaRegEx">[\S]{5,30}$</Property> <Property name="PasswordJavaScriptRegEx">[\\S]{5,30}</Property> <Property name="UsernameJavaRegEx">^[^~!#$;%^*+={}\\|\\\\<>,\'\"]{3,30}$</Property> <Property name="UsernameJavaScriptRegEx">[\\S]{3,30}</Property> <Property name="RolenameJavaRegEx">^[^~!@#$;%^*+={}\\|\\\\<>,\'\"]{3,30}$</Property> <Property name="RolenameJavaScriptRegEx">[\\S]{3,30}</Property> <Property name="UserRolesCacheEnabled">true</Property> </UserStoreManager>Localtab title External JDBC User Store External JDBC user store configuration sample:
Code Block language html/xml <UserStoreManager class="org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager"> <Property name="driverName">com.mysql.jdbc.Driver</Property> <Property name="url">jdbc://localhost:3306/test</Property> <Property name="userName">admin</Property> <Property name="password">admin</Property> <Property name="Disabled">false</Property> <Property name="MaxUserNameListLength">100</Property> <Property name="MaxRoleNameListLength">100</Property> <Property name="UserRolesCacheEnabled">true</Property> <Property name="PasswordDigest">SHA-256</Property> <Property name="ReadGroups">true</Property> <Property name="ReadOnly">false</Property> <Property name="IsEmailUserName">false</Property> <Property name="DomainCalculation">default</Property> <Property name="StoreSaltedPassword">true</Property> <Property name="WriteGroups">false</Property> <Property name="UserNameUniqueAcrossTenants">false</Property> <Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property> <Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property> <Property name="UsernameJavaRegEx">^[\S]{5,30}$</Property> <Property name="UsernameJavaScriptRegEx">^[\S]{5,30}$</Property> <Property name="RolenameJavaRegEx">^[\S]{5,30}$</Property> <Property name="RolenameJavaScriptRegEx">^[\S]{5,30}$</Property> <Property name="SCIMEnabled">false</Property> <Property name="SelectUserSQL">SELECT * FROM UM_USER WHERE UM_USER_NAME=? AND UM_TENANT_ID=?</Property> <Property name="GetRoleListSQL">SELECT UM_ROLE_NAME, UM_TENANT_ID, UM_SHARED_ROLE FROM UM_ROLE WHERE UM_ROLE_NAME LIKE ? AND UM_TENANT_ID=? AND UM_SHARED_ROLE ='0' ORDER BY UM_ROLE_NAME</Property> <Property name="GetSharedRoleListSQL">SELECT UM_ROLE_NAME, UM_TENANT_ID, UM_SHARED_ROLE FROM UM_ROLE WHERE UM_ROLE_NAME LIKE ? AND UM_SHARED_ROLE ='1' ORDER BY UM_ROLE_NAME</Property> <Property name="UserFilterSQL">SELECT UM_USER_NAME FROM UM_USER WHERE UM_USER_NAME LIKE ? AND UM_TENANT_ID=? ORDER BY UM_USER_NAME</Property> <Property name="UserRoleSQL">SELECT UM_ROLE_NAME FROM UM_USER_ROLE, UM_ROLE, UM_USER WHERE UM_USER.UM_USER_NAME=? AND UM_USER.UM_ID=UM_USER_ROLE.UM_USER_ID AND UM_ROLE.UM_ID=UM_USER_ROLE.UM_ROLE_ID AND UM_USER_ROLE.UM_TENANT_ID=? AND UM_ROLE.UM_TENANT_ID=? AND UM_USER.UM_TENANT_ID=?</Property> <Property name="UserSharedRoleSQL">SELECT UM_ROLE_NAME, UM_ROLE.UM_TENANT_ID, UM_SHARED_ROLE FROM UM_SHARED_USER_ROLE INNER JOIN UM_USER ON UM_SHARED_USER_ROLE.UM_USER_ID = UM_USER.UM_ID INNER JOIN UM_ROLE ON UM_SHARED_USER_ROLE.UM_ROLE_ID = UM_ROLE.UM_ID WHERE UM_USER.UM_USER_NAME = ? AND UM_SHARED_USER_ROLE.UM_USER_TENANT_ID = UM_USER.UM_TENANT_ID AND UM_SHARED_USER_ROLE.UM_ROLE_TENANT_ID = UM_ROLE.UM_TENANT_ID AND UM_SHARED_USER_ROLE.UM_USER_TENANT_ID = ?</Property> <Property name="IsRoleExistingSQL">SELECT UM_ID FROM UM_ROLE WHERE UM_ROLE_NAME=? AND UM_TENANT_ID=?</Property> <Property name="GetUserListOfRoleSQL">SELECT UM_USER_NAME FROM UM_USER_ROLE, UM_ROLE, UM_USER WHERE UM_ROLE.UM_ROLE_NAME=? AND UM_USER.UM_ID=UM_USER_ROLE.UM_USER_ID AND UM_ROLE.UM_ID=UM_USER_ROLE.UM_ROLE_ID AND UM_USER_ROLE.UM_TENANT_ID=? AND UM_ROLE.UM_TENANT_ID=? AND UM_USER.UM_TENANT_ID=?</Property> <Property name="GetUserListOfSharedRoleSQL">SELECT UM_USER_NAME FROM UM_SHARED_USER_ROLE INNER JOIN UM_USER ON UM_SHARED_USER_ROLE.UM_USER_ID = UM_USER.UM_ID INNER JOIN UM_ROLE ON UM_SHARED_USER_ROLE.UM_ROLE_ID = UM_ROLE.UM_ID WHERE UM_ROLE.UM_ROLE_NAME= ? AND UM_SHARED_USER_ROLE.UM_USER_TENANT_ID = UM_USER.UM_TENANT_ID AND UM_SHARED_USER_ROLE.UM_ROLE_TENANT_ID = UM_ROLE.UM_TENANT_ID</Property> <Property name="IsUserExistingSQL">SELECT UM_ID FROM UM_USER WHERE UM_USER_NAME=? AND UM_TENANT_ID=?</Property> <Property name="GetUserPropertiesForProfileSQL">SELECT UM_ATTR_NAME, UM_ATTR_VALUE FROM UM_USER_ATTRIBUTE, UM_USER WHERE UM_USER.UM_ID = UM_USER_ATTRIBUTE.UM_USER_ID AND UM_USER.UM_USER_NAME=? AND UM_PROFILE_ID=? AND UM_USER_ATTRIBUTE.UM_TENANT_ID=? AND UM_USER.UM_TENANT_ID=?</Property> <Property name="GetUserPropertyForProfileSQL">SELECT UM_ATTR_VALUE FROM UM_USER_ATTRIBUTE, UM_USER WHERE UM_USER.UM_ID = UM_USER_ATTRIBUTE.UM_USER_ID AND UM_USER.UM_USER_NAME=? AND UM_ATTR_NAME=? AND UM_PROFILE_ID=? AND UM_USER_ATTRIBUTE.UM_TENANT_ID=? AND UM_USER.UM_TENANT_ID=?</Property> <Property name="GetUserLisForPropertySQL">SELECT UM_USER_NAME FROM UM_USER, UM_USER_ATTRIBUTE WHERE UM_USER_ATTRIBUTE.UM_USER_ID = UM_USER.UM_ID AND UM_USER_ATTRIBUTE.UM_ATTR_NAME =? AND UM_USER_ATTRIBUTE.UM_ATTR_VALUE =? AND UM_USER_ATTRIBUTE.UM_PROFILE_ID=? AND UM_USER_ATTRIBUTE.UM_TENANT_ID=? AND UM_USER.UM_TENANT_ID=?</Property> <Property name="GetProfileNamesSQL">SELECT DISTINCT UM_PROFILE_ID FROM UM_USER_ATTRIBUTE WHERE UM_TENANT_ID=?</Property> <Property name="GetUserProfileNamesSQL">SELECT DISTINCT UM_PROFILE_ID FROM UM_USER_ATTRIBUTE WHERE UM_USER_ID=(SELECT UM_ID FROM UM_USER WHERE UM_USER_NAME=? AND UM_TENANT_ID=?) AND UM_TENANT_ID=?</Property> <Property name="GetUserIDFromUserNameSQL">SELECT UM_ID FROM UM_USER WHERE UM_USER_NAME=? AND UM_TENANT_ID=?</Property> <Property name="GetUserNameFromTenantIDSQL">SELECT UM_USER_NAME FROM UM_USER WHERE UM_TENANT_ID=?</Property> <Property name="GetTenantIDFromUserNameSQL">SELECT UM_TENANT_ID FROM UM_USER WHERE UM_USER_NAME=?</Property> <Property name="AddUserSQL">INSERT INTO UM_USER (UM_USER_NAME, UM_USER_PASSWORD, UM_SALT_VALUE, UM_REQUIRE_CHANGE, UM_CHANGED_TIME, UM_TENANT_ID) VALUES (?, ?, ?, ?, ?, ?)</Property> <Property name="AddUserToRoleSQL">INSERT INTO UM_USER_ROLE (UM_USER_ID, UM_ROLE_ID, UM_TENANT_ID) VALUES ((SELECT UM_ID FROM UM_USER WHERE UM_USER_NAME=? AND UM_TENANT_ID=?),(SELECT UM_ID FROM UM_ROLE WHERE UM_ROLE_NAME=? AND UM_TENANT_ID=?), ?)</Property> <Property name="AddRoleSQL">INSERT INTO UM_ROLE (UM_ROLE_NAME, UM_TENANT_ID) VALUES (?, ?)</Property> <Property name="AddSharedRoleSQL">UPDATE UM_ROLE SET UM_SHARED_ROLE = ? WHERE UM_ROLE_NAME = ? AND UM_TENANT_ID = ?</Property> <Property name="AddRoleToUserSQL">INSERT INTO UM_USER_ROLE (UM_ROLE_ID, UM_USER_ID, UM_TENANT_ID) VALUES ((SELECT UM_ID FROM UM_ROLE WHERE UM_ROLE_NAME=? AND UM_TENANT_ID=?),(SELECT UM_ID FROM UM_USER WHERE UM_USER_NAME=? AND UM_TENANT_ID=?), ?)</Property> <Property name="AddSharedRoleToUserSQL">INSERT INTO UM_SHARED_USER_ROLE (UM_ROLE_ID, UM_USER_ID, UM_USER_TENANT_ID, UM_ROLE_TENANT_ID) VALUES ((SELECT UM_ID FROM UM_ROLE WHERE UM_ROLE_NAME=? AND UM_TENANT_ID=?),(SELECT UM_ID FROM UM_USER WHERE UM_USER_NAME=? AND UM_TENANT_ID=?), ?, ?)</Property> <Property name="RemoveUserFromSharedRoleSQL">DELETE FROM UM_SHARED_USER_ROLE WHERE UM_ROLE_ID=(SELECT UM_ID FROM UM_ROLE WHERE UM_ROLE_NAME=? AND UM_TENANT_ID=?) AND UM_USER_ID=(SELECT UM_ID FROM UM_USER WHERE UM_USER_NAME=? AND UM_TENANT_ID=?) AND UM_USER_TENANT_ID=? AND UM_ROLE_TENANT_ID = ?</Property> <Property name="RemoveUserFromRoleSQL">DELETE FROM UM_USER_ROLE WHERE UM_USER_ID=(SELECT UM_ID FROM UM_USER WHERE UM_USER_NAME=? AND UM_TENANT_ID=?) AND UM_ROLE_ID=(SELECT UM_ID FROM UM_ROLE WHERE UM_ROLE_NAME=? AND UM_TENANT_ID=?) AND UM_TENANT_ID=?</Property> <Property name="RemoveRoleFromUserSQL">DELETE FROM UM_USER_ROLE WHERE UM_ROLE_ID=(SELECT UM_ID FROM UM_ROLE WHERE UM_ROLE_NAME=? AND UM_TENANT_ID=?) AND UM_USER_ID=(SELECT UM_ID FROM UM_USER WHERE UM_USER_NAME=? AND UM_TENANT_ID=?) AND UM_TENANT_ID=?</Property> <Property name="DeleteRoleSQL">DELETE FROM UM_ROLE WHERE UM_ROLE_NAME = ? AND UM_TENANT_ID=?</Property> <Property name="OnDeleteRoleRemoveUserRoleMappingSQL">DELETE FROM UM_USER_ROLE WHERE UM_ROLE_ID=(SELECT UM_ID FROM UM_ROLE WHERE UM_ROLE_NAME=? AND UM_TENANT_ID=?) AND UM_TENANT_ID=?</Property> <Property name="DeleteUserSQL">DELETE FROM UM_USER WHERE UM_USER_NAME = ? AND UM_TENANT_ID=?</Property> <Property name="OnDeleteUserRemoveUserRoleMappingSQL">DELETE FROM UM_USER_ROLE WHERE UM_USER_ID=(SELECT UM_ID FROM UM_USER WHERE UM_USER_NAME=? AND UM_TENANT_ID=?) AND UM_TENANT_ID=?</Property> <Property name="OnDeleteUserRemoveUserAttributeSQL">DELETE FROM UM_USER_ATTRIBUTE WHERE UM_USER_ID=(SELECT UM_ID FROM UM_USER WHERE UM_USER_NAME=? AND UM_TENANT_ID=?) AND UM_TENANT_ID=?</Property> <Property name="UpdateUserPasswordSQL">UPDATE UM_USER SET UM_USER_PASSWORD= ?, UM_SALT_VALUE=?, UM_REQUIRE_CHANGE=?, UM_CHANGED_TIME=? WHERE UM_USER_NAME= ? AND UM_TENANT_ID=?</Property> <Property name="UpdateRoleNameSQL">UPDATE UM_ROLE set UM_ROLE_NAME=? WHERE UM_ROLE_NAME = ? AND UM_TENANT_ID=?</Property> <Property name="AddUserPropertySQL">INSERT INTO UM_USER_ATTRIBUTE (UM_USER_ID, UM_ATTR_NAME, UM_ATTR_VALUE, UM_PROFILE_ID, UM_TENANT_ID) VALUES ((SELECT UM_ID FROM UM_USER WHERE UM_USER_NAME=? AND UM_TENANT_ID=?), ?, ?, ?, ?)</Property> <Property name="UpdateUserPropertySQL">UPDATE UM_USER_ATTRIBUTE SET UM_ATTR_VALUE=? WHERE UM_USER_ID=(SELECT UM_ID FROM UM_USER WHERE UM_USER_NAME=? AND UM_TENANT_ID=?) AND UM_ATTR_NAME=? AND UM_PROFILE_ID=? AND UM_TENANT_ID=?</Property> <Property name="DeleteUserPropertySQL">DELETE FROM UM_USER_ATTRIBUTE WHERE UM_USER_ID=(SELECT UM_ID FROM UM_USER WHERE UM_USER_NAME=? AND UM_TENANT_ID=?) AND UM_ATTR_NAME=? AND UM_PROFILE_ID=? AND UM_TENANT_ID=?</Property> <Property name="UserNameUniqueAcrossTenantsSQL">SELECT UM_ID FROM UM_USER WHERE UM_USER_NAME=?</Property> <Property name="IsDomainExistingSQL">SELECT UM_DOMAIN_ID FROM UM_DOMAIN WHERE UM_DOMAIN_NAME=? AND UM_TENANT_ID=?</Property> <Property name="AddDomainSQL">INSERT INTO UM_DOMAIN (UM_DOMAIN_NAME, UM_TENANT_ID) VALUES (?, ?)</Property> <Property name="AddUserToRoleSQL-mssql">INSERT INTO UM_USER_ROLE (UM_USER_ID, UM_ROLE_ID, UM_TENANT_ID) SELECT (SELECT UM_ID FROM UM_USER WHERE UM_USER_NAME=? AND UM_TENANT_ID=?),(SELECT UM_ID FROM UM_ROLE WHERE UM_ROLE_NAME=? AND UM_TENANT_ID=?),(?)</Property> <Property name="AddRoleToUserSQL-mssql">INSERT INTO UM_USER_ROLE (UM_ROLE_ID, UM_USER_ID, UM_TENANT_ID) SELECT (SELECT UM_ID FROM UM_ROLE WHERE UM_ROLE_NAME=? AND UM_TENANT_ID=?),(SELECT UM_ID FROM UM_USER WHERE UM_USER_NAME=? AND UM_TENANT_ID=?), (?)</Property> <Property name="AddUserPropertySQL-mssql">INSERT INTO UM_USER_ATTRIBUTE (UM_USER_ID, UM_ATTR_NAME, UM_ATTR_VALUE, UM_PROFILE_ID, UM_TENANT_ID) SELECT (SELECT UM_ID FROM UM_USER WHERE UM_USER_NAME=? AND UM_TENANT_ID=?), (?), (?), (?), (?)</Property> <Property name="AddUserToRoleSQL-openedge">INSERT INTO UM_USER_ROLE (UM_USER_ID, UM_ROLE_ID, UM_TENANT_ID) SELECT UU.UM_ID, UR.UM_ID, ? FROM UM_USER UU, UM_ROLE UR WHERE UU.UM_USER_NAME=? AND UU.UM_TENANT_ID=? AND UR.UM_ROLE_NAME=? AND UR.UM_TENANT_ID=?</Property> <Property name="AddRoleToUserSQL-openedge">INSERT INTO UM_USER_ROLE (UM_ROLE_ID, UM_USER_ID, UM_TENANT_ID) SELECT UR.UM_ID, UU.UM_ID, ? FROM UM_ROLE UR, UM_USER UU WHERE UR.UM_ROLE_NAME=? AND UR.UM_TENANT_ID=? AND UU.UM_USER_NAME=? AND UU.UM_TENANT_ID=?</Property> <Property name="AddUserPropertySQL-openedge">INSERT INTO UM_USER_ATTRIBUTE (UM_USER_ID, UM_ATTR_NAME, UM_ATTR_VALUE, UM_PROFILE_ID, UM_TENANT_ID) SELECT UM_ID, ?, ?, ?, ? FROM UM_USER WHERE UM_USER_NAME=? AND UM_TENANT_ID=?</Property> <Property name="DomainName">wso2.org</Property> <Property name="Description"/> </UserStoreManager>Info The sample for the external JDBC user store consists of properties pertaining to various SQL statements. This is because the schema may be different for an external user store, and these adjustments need to be made in order to streamline the configurations with WSO2 products.
Info You can define a data source in
<PRODUCT_HOME>/repository/conf/datasources/master-datasources.xmland refer to it from theuser-mgt.xmlfile. This takes the properties defined in themaster-datasources.xmlfile and reuses them in theuser-mgt.xmlfile. To do this, you need to define the following property:<Propertyname="dataSource">jdbc/WSO2CarbonDB</Property>Find a valid user that resides in the RDBMS. For example, say a valid username is
AdminSOA. Update the Admin user section of your configuration as follows. You do not have to update the password element; leave it as is.Code Block language html/xml <AdminUser> <UserName>AdminSOA</UserName> <Password>XXXXXX</Password> </AdminUser>
Add the
passwordHashMethodproperty to the UserStoreManager configuration forJDBCUserStoreManager. For example:Code Block language html/xml <UserStoreManager class="org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager"> <Property name="passwordHashMethod">SHA</Property> ... </UserStoreManager>The
passwordHashMethodproperty specifies how the password should be stored. It usually has the following values:SHA- Uses SHA digest method.MD5- Uses MD 5 digest method.PLAIN_TEXT- Plain text passwords.
In addition, it also supports all digest methods in http://docs.oracle.com/javase/6/docs/api/java/security/MessageDigest.html.
- Update the connection details found within the
<UserStoreManager>class based on your preferences. In the realm configuration section, set the value of the
MultiTenantRealmConfigBuilderproperty toorg.wso2.carbon.user.core.config.multitenancy.SimpleRealmConfigBuilder. For example:Code Block language html/xml <Property name="MultiTenantRealmConfigBuilder">org.wso2.carbon.user.core.config.multitenancy.SimpleRealmConfigBuilder</Property>
- Add the JDBC driver to the classpath by copying its JAR file into the
<PRODUCT_HOME>/repository/components/libdirectory. - Edit the SQLs in the
user-mgt.xmlfile according to your requirements, and then start the server.
Testing the connection to the user store
If server completes the start up steps and finally prints the following, it should be considered as working.
'INFO - StartupFinalizerServiceComponent WSO2 Carbon started in **** sec'
Related Links
Working with Properties of Primary User Stores - For a comprehensive understanding on the configuration details.