Following is the default configuration found in the <CARBON_HOME>/repository/conf/user-mgt.xml file for the internal LDAP user store, which is the embedded ApacheDS LDAP server. If ApacheDSUserStoreManager is enabled in user-mgt.xml with the following configuration, the user manager reads from and writes to Carbon's default LDAP user store.
```xml
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ApacheDSUserStoreManager">
    <Property name="ReadOnly">false</Property>
    <Property name="ConnectionURL">ldap://localhost:${Ports.EmbeddedLDAP.LDAPServerPort}</Property>
    <Property name="ConnectionName">uid=admin,ou=system</Property>
    <Property name="ConnectionPassword">admin</Property>
    <Property name="passwordHashMethod">SHA</Property>
    <Property name="UserNameListFilter">(objectClass=person)</Property>
    <Property name="UserEntryObjectClass">wso2Person</Property>
    <Property name="UserSearchBase">ou=Users,dc=wso2,dc=org</Property>
    <Property name="UserNameSearchFilter">(&amp;(objectClass=person)(uid=?))</Property>
    <Property name="UserNameAttribute">uid</Property>
    <Property name="PasswordJavaScriptRegEx">[\\S]{5,30}</Property>
    <Property name="UsernameJavaScriptRegEx">[\\S]{3,30}</Property>
    <Property name="UsernameJavaRegEx">^[^~!@#$;%^*+={}\\|\\\\&lt;&gt;,\'\"]{3,30}$</Property>
    <Property name="RolenameJavaScriptRegEx">[\\S]{3,30}</Property>
    <Property name="RolenameJavaRegEx">^[^~!@#$;%^*+={}\\|\\\\&lt;&gt;,\'\"]{3,30}$</Property>
    <Property name="ReadLDAPGroups">true</Property>
    <Property name="WriteLDAPGroups">true</Property>
    <Property name="EmptyRolesAllowed">true</Property>
    <Property name="GroupSearchBase">ou=Groups,dc=wso2,dc=org</Property>
    <Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property>
    <Property name="GroupEntryObjectClass">groupOfNames</Property>
    <Property name="GroupNameSearchFilter">(&amp;(objectClass=groupOfNames)(cn=?))</Property>
    <Property name="GroupNameAttribute">cn</Property>
    <Property name="MembershipAttribute">member</Property>
    <Property name="UserRolesCacheEnabled">true</Property>
    <Property name="UserDNPattern">uid={0},ou=Users,dc=wso2,dc=org</Property>
</UserStoreManager>
```
The code block can be described as follows:
| Property Name | Description |
|---|---|
| ReadOnly | Indicates whether the user store of this realm operates in read-only mode. |
| ConnectionURL | Connection URL of the LDAP server. In the case of the default LDAP in Carbon, the port is defined in carbon.xml and a reference to that port is used in the above configuration. |
| ConnectionName | The DN (Distinguished Name) of the admin user in LDAP. |
| ConnectionPassword | Password of the admin user. |
| passwordHashMethod | Password hash method used when storing user entries in LDAP. |
| UserNameListFilter | Filtering criteria for listing all the user entries in LDAP. |
| UserEntryObjectClass | Object class used to construct user entries. In the case of the default LDAP in Carbon, it is a custom object class named 'wso2Person'. |
| UserSearchBase | DN of the context under which user entries are stored in LDAP. |
| UserNameSearchFilter | Filtering criteria for searching a particular user entry. |
| UserNameAttribute | Attribute used for uniquely identifying a user entry. Users can be authenticated using their email address, uid, etc. |
| PasswordJavaScriptRegEx | Policy that defines the password format. |
| UsernameJavaScriptRegEx | The regular expression used by the front-end components for username validation. |
| UsernameJavaRegEx | A regular expression to validate usernames. By default, strings of 3 to 30 non-empty characters are allowed. |
| RolenameJavaScriptRegEx | The regular expression used by the front-end components for role name validation. |
| RolenameJavaRegEx | A regular expression to validate role names. By default, strings of 3 to 30 non-empty characters are allowed. |
| ReadLDAPGroups | Specifies whether groups should be read from LDAP. |
| WriteLDAPGroups | Specifies whether groups should be written to LDAP. |
| EmptyRolesAllowed | Specifies whether the underlying LDAP user store allows empty groups to be created. In the case of the default LDAP in Carbon, the schema is modified so that empty groups can be created. Usually, LDAP servers do not allow you to create empty groups. |
| GroupSearchBase | DN of the context under which group entries are stored in LDAP. |
| GroupNameListFilter | Filtering criteria for listing all the group entries in LDAP. |
| GroupEntryObjectClass | Object class used to construct group entries. |
| GroupNameSearchFilter | Filtering criteria for searching a particular group entry. |
| GroupNameAttribute | Attribute used for uniquely identifying a group entry. |
| MembershipAttribute | Attribute used to define the members of LDAP groups. |
| UserRolesCacheEnabled | Indicates whether to cache the role list of a user. By default it is 'true'. Set it to 'false' if user roles are changed by external means and those changes should be reflected immediately in the Carbon instance. |
| UserDNPattern | The pattern for a user's DN. It can be defined to speed up LDAP searches. When there are many user entries in the LDAP, defining a "UserDNPattern" improves performance because the LDAP server does not have to traverse the entire tree to find users. |
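The following is an added example, not part of the original page or of WSO2 Carbon: a small Python check that parses the UserStoreManager block with the standard-library XML parser, reports settings a reviewer would want to change before the embedded LDAP store is used outside a developer box (default bind password, unsalted hash method, plaintext ldap:// to a remote host, read-write mode), and tests which LDAP filter metacharacters the shipped UsernameJavaRegEx still admits, which matters because the username is substituted for the "?" in UserNameSearchFilter. The sample XML is constructed and trimmed to the properties inspected; the function names are the example's own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, not the full user-mgt.xml: the embedded-LDAP
# UserStoreManager block cut down to the properties the audit inspects.
SAMPLE_USER_MGT_XML = r"""<UserManager><Realm>
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ApacheDSUserStoreManager">
  <Property name="ReadOnly">false</Property>
  <Property name="ConnectionURL">ldap://localhost:${Ports.EmbeddedLDAP.LDAPServerPort}</Property>
  <Property name="ConnectionName">uid=admin,ou=system</Property>
  <Property name="ConnectionPassword">admin</Property>
  <Property name="passwordHashMethod">SHA</Property>
  <Property name="UserNameSearchFilter">(&amp;(objectClass=person)(uid=?))</Property>
  <Property name="UsernameJavaRegEx">^[^~!@#$;%^*+={}\\|\\\\&lt;&gt;,\'\"]{3,30}$</Property>
</UserStoreManager></Realm></UserManager>"""

# Characters that carry meaning in LDAP search filters (RFC 4515).
LDAP_FILTER_META = "*()\\"


def load_properties(xml_text):
    """Map <Property name="..."> to its text for the first UserStoreManager."""
    usm = ET.fromstring(xml_text).find(".//UserStoreManager")
    return {p.get("name"): (p.text or "") for p in usm.findall("Property")}


def filter_chars_allowed_by(java_regex):
    """Filter metacharacters a username may contain under the given regex."""
    pat = re.compile(java_regex)  # the shipped pattern is also valid Python re syntax
    return [c for c in LDAP_FILTER_META if pat.fullmatch("abc" + c)]


def audit_user_store(xml_text):
    """Return a list of findings about weak or notable settings in the block."""
    props = load_properties(xml_text)
    findings = []
    if props.get("ConnectionPassword") == "admin":
        findings.append("ConnectionPassword is still the shipped default 'admin'")
    url = props.get("ConnectionURL", "")
    if url.startswith("ldap://") and "localhost" not in url:
        findings.append("ConnectionURL binds over plaintext ldap:// to a remote host")
    if props.get("passwordHashMethod", "").upper() in ("PLAIN_TEXT", "MD5", "SHA"):
        findings.append("passwordHashMethod %s is a fast, unsalted hash" % props["passwordHashMethod"])
    if props.get("ReadOnly", "").lower() == "false":
        findings.append("ReadOnly=false: the bind account writes users and groups into the directory")
    loose = filter_chars_allowed_by(props.get("UsernameJavaRegEx", "^.*$"))
    if loose:
        findings.append("UsernameJavaRegEx does not reject filter metacharacters: %s" % "".join(loose))
    return findings
```

Run `audit_user_store(open("user-mgt.xml").read())` against a real file; the localhost exemption in the ldap:// check is deliberate because the embedded ApacheDS listens locally by default.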
Excerpt: Default LDAP user store configuration in WSO2 Carbon products.