This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 3 Next »

Every WSO2 product comes with an embedded, internal user store, which is configured in <PRODUCT_HOME>/repository/conf/user-mgt.xml. In WSO2 Identity Server, the embedded user store is LDAP, and in other products it is JDBC. This user store is called a "primary user store" because the domain name (unique identifier) of this default user store is set to PRIMARY by default. 

This is the main user store in the system and shared among all the tenants in the system. Only one user store should be configured as the primary user store. This documentation explains the process of setting up a primary user store. If you need more information on WSO2 Carbon user stores see Configuring User Stores.

By default, the embedded H2 database (JDBC) that is shipped with WSO2 products is configured as the primary user store, except for WSO2 Identity Server, which has an embedded LDAP as its primary user store. Its recommended to change this default configuration in the production system. Instead of using the embedded user store that comes with the product, you can set your own user store as the primary user store

Tip: You must disable the embedded user store that comes with the product. This ensures that it does not start up with the product.

Since the user store you want to connect to might have different schemas from the ones available in the embedded user store, it needs to go through an adaptation process. WSO2 products provide the following adapters to enable you to authenticate users from different types of user stores and plug into LDAP, Active Directory, and JDBC user stores to perform authentication.

User store manager classDescription
org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager

Use ReadOnlyLDAPUserStoreManager to do read-only operations for external LDAP user stores.

org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager

Use ReadWriteLDAPUserStoreManager for external LDAP user stores to do both read and write operations. This is the user store manager configuration that is uncommented in the code in the user-mgt.xml file and considered the default in the Identity Server.

org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager

Use ActiveDirectoryUserStoreManager to configure an Active Directory Domain Service (AD DS) or Active Directory Lightweight Directory Service (AD LDS). This can be used only for read/write operations. If you need to use AD as read-only you must use org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager.

org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager

Use JDBCUserStoreManager for both internal and external JDBC user stores. This is the default user store manager configuration for all WSO2 products excluding WSO2 Identity Server.

The user-mgt.xml file already has sample configurations for all of the above user stores. To enable these configurations, you must uncomment them in the code and comment out the ones that you do not need.

Setting up a primary user store

Primary user store is configured in the <PRODUCT_HOME>/repository/conf/user-mgt.xml file within the <UserStoreManager> section.

The following steps guides you on how to set up a primary user store.

  1. Select the User store manager that suites your User store.

    See User store manager section in Configuring User Stores for more information. You can also configure your own custom user store manager.

  2. Configure user store manager properties.In the following document you can find the information of the properties that you need to configure in user store manager types. It provides the additional steps and recommendations specific to each user store manager.

If you are using LDAPS (secure) to connect to the Active Directory, you need to import its public certificate to the client-truststore.jks of the WSO2 product you are configuring.

See Working with Properties of User Stores for a comprehensive understanding on the configuration details.

  • No labels