Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migrated to Confluence 5.3

The WSO2 User Manager authenticates users from different types of user stores and currently has the capability to easily plug-in to LDAP, Active Directory and JDBC to perform authentication.

...

Code Block
languagehtml/xml
linenumberstrue
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager">
   <Property name="TenantManager">org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager</Property>
   <Property name="ConnectionURL">ldap://localhost:${Ports.EmbeddedLDAP.LDAPServerPort}</Property>
   <Property name="ConnectionName">uid=admin,ou=system</Property>
   <Property name="ConnectionPassword">admin</Property>
   <Property name="passwordHashMethod">SHA</Property>
   <Property name="UserNameListFilter">(objectClass=person)</Property>
   <Property name="UserEntryObjectClass">wso2Person</Property>
   <Property name="UserSearchBase">ou=Users,dc=wso2,dc=org</Property>
   <Property name="UserNameSearchFilter">(&amp;(objectClass=person)(uid=?))</Property>
   <Property name="UserNameAttribute">uid</Property>
   <Property name="PasswordJavaScriptRegEx">[\\S]{5,30}</Property>
   <Property name="UsernameJavaScriptRegEx">[\\S]{3,30}</Property>
   <Property name="UsernameJavaRegEx">^[^~!@#$;%^*+={}\\|\\\\&lt;&gt;,\'\"]{3,30}$</Property>
   <Property name="RolenameJavaScriptRegEx">[\\S]{3,30}</Property>
   <Property name="RolenameJavaRegEx">^[^~!@#$;%^*+={}\\|\\\\&lt;&gt;,\'\"]{3,30}$</Property>
   <Property name="ReadLDAPGroups">true</Property>
   <Property name="WriteLDAPGroups">true</Property>
   <Property name="EmptyRolesAllowed">true</Property>
   <Property name="GroupSearchBase">ou=Groups,dc=wso2,dc=org</Property>
   <Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property>
   <Property name="GroupEntryObjectClass">groupOfNames</Property>
   <Property name="GroupNameSearchFilter">(&amp;(objectClass=groupOfNames)(cn=?))</Property>
   <Property name="GroupNameAttribute">cn</Property>
   <Property name="MembershipAttribute">member</Property>
   <Property name="UserRolesCacheEnabled">true</Property>
   <Property name="UserDNPattern">uid={0},ou=Users,dc=wso2,dc=org</Property>
</UserStoreManager>

Main elements of the configuration can be explained as follows. 

Property NameDescription
ConnectionURL

Connection URL to the ldap server. In the case of default LDAP in carbon, port is mentioned in carbon.xml and a reference to that port is mentioned in the above configuration.

ConnectionName

This should be the DN (Distinguish Name) of the admin user in LDAP.

ConnectionPasswordPassword of the admin user.
passwordHashMethodPassword Hash method when storing user entries in LDAP.
UserNameListFilterFiltering criteria for listing all the user entries in LDAP.
UserEntryObjectClassObject Class used to construct user entries. In the case of default LDAP in carbon, it is a custom object class defined with the name-'wso2Person'
UserSearchBaseDN of the context under which user entries are stored in LDAP.
UserNameSearchFilterFiltering criteria for searching a particular user entry.
UserNameAttributeAttribute used for uniquely identifying a user entry. Users can be authenticated using their email address, uid and etc.

PasswordJavaScriptRegEx

Policy that defines the password format.
UsernameJavaScriptRegExThe regular expression used by the font-end components for username validation.
UsernameJavaRegExA regular expression to validate usernames. By default, strings having length 5 to 30 non-empty characters are allowed.
RolenameJavaScriptRegExThe regular expression used by the font-end components for rolename validation.
RolenameJavaRegExA regular expression to validate rolenames. By default, strings having length 5 to 30 non-empty characters are allowed.
ReadLDAPGroupsSpecifies whether groups should be read from LDAP.
WriteLDAPGroupsSpecifies whether groups should be written to LDAP.
EmptyRolesAllowedSpecifies whether underlying LDAP user store allows empty groups to be created. In the case of ldap in carbon, the schema is modified such that empty groups are allowed to be created. Usually LDAP servers do not allow to create empty groups.
GroupSearchBaseDN of the context under which user entries are stored in LDAP.
GroupNameListFilterFiltering criteria for listing all the group entries in LDAP.
GroupEntryObjectClassObject Class used to construct user entries.
GroupNameSearchFilterFiltering criteria for searching a particular group entry.
GroupNameAttributeAttribute used for uniquely identifying a user entry.
MembershipAttributeAttribute used to define members of LDAP groups.
UserRolesCacheEnabledThis is to indicate whether to cache the role list of a user. By default it is 'true'. Set it to 'falese' if user-roles are changed by external means and those changes should be instantly reflected in the carbon instance.
UserDNPatternThe patten for user's DN. It can be defined to improve the LDAP search. When there are many user entries in the LADP, defining a "UserDNPattern" provides more impact on performances as the LDAP does not have to travel through the entire tree to find users.

...

Info
iconfalse

LDAP is one of many standards supported by the WSO2 Governance Registry. Read more on Supported APIs and Standards for a complete list of standards supported by WSO2 Governance Registry.

...