<CARBON_HOME>/repository/conf/user-mgt.xml file has a default configuration for the internal LDAP user store, which is embedded ApacheDS LDAP.
1. Enable <ApacheDSUserStoreManager> element in user-mgt.xml file. When it is enabled, the user manager reads/writes into the default LDAP user store of Carbon.
2. The default configuration for the internal LDAP user store in user-mgt.xml file is as follows. Change the values according to your requirement.
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager">
<Property name="ConnectionURL">ldap://localhost:${Ports.EmbeddedLDAP.LDAPServerPort}</Property>
<Property name="ConnectionName">uid=admin,ou=system</Property>
<Property name="ConnectionPassword">admin</Property>
<Property name="passwordHashMethod">SHA</Property>
<Property name="UserNameListFilter">(objectClass=person)</Property>
<Property name="UserEntryObjectClass">wso2Person</Property>
<Property name="UserSearchBase">ou=Users,dc=wso2,dc=org</Property>
<Property name="UserNameSearchFilter">(&(objectClass=person)(uid=?))</Property>
<Property name="UserNameAttribute">uid</Property>
<Property name="PasswordJavaScriptRegEx">[\\S]{5,30}</Property>
<Property name="UsernameJavaScriptRegEx">[\\S]{3,30}</Property>
<Property name="UsernameJavaRegEx">^[^~!@#$;%^*+={}\\|\\\\<>,\'\"]{3,30}$</Property>
<Property name="RolenameJavaScriptRegEx">[\\S]{3,30}</Property>
<Property name="RolenameJavaRegEx">^[^~!@#$;%^*+={}\\|\\\\<>,\'\"]{3,30}$</Property>
<Property name="ReadLDAPGroups">true</Property>
<Property name="WriteLDAPGroups">true</Property>
<Property name="EmptyRolesAllowed">true</Property>
<Property name="GroupSearchBase">ou=Groups,dc=wso2,dc=org</Property>
<Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property>
<Property name="GroupEntryObjectClass">groupOfNames</Property>
<Property name="GroupNameSearchFilter">(&(objectClass=groupOfNames)(cn=?))</Property>
<Property name="GroupNameAttribute">cn</Property>
<Property name="MembershipAttribute">member</Property>
<Property name="UserRolesCacheEnabled">true</Property>
<Property name="UserDNPattern">uid={0},ou=Users,dc=wso2,dc=org</Property>
</UserStoreManager>
Main elements of the configuration can be explained as follows.
| Property Name | Description |
|---|---|
ConnectionURL | Connection URL to the ldap server. In the case of default LDAP in carbon, port is mentioned in carbon.xml and a reference to that port is mentioned in the above configuration. |
ConnectionName | This should be the DN (Distinguish Name) of the admin user in LDAP. |
ConnectionPassword | Password of the admin user. |
passwordHashMethod | Password Hash method when storing user entries in LDAP. |
UserNameListFilter | Filtering criteria for listing all the user entries in LDAP. |
UserEntryObjectClass | Object Class used to construct user entries. In the case of default LDAP in carbon, it is a custom object class defined with the name-'wso2Person' |
UserSearchBase | DN of the context under which user entries are stored in LDAP. |
UserNameSearchFilter | Filtering criteria for searching a particular user entry. |
UserNameAttribute | Attribute used for uniquely identifying a user entry. Users can be authenticated using their email address, uid and etc ..... |
| Policy that defines the password format. |
| UsernameJavaScriptRegEx | The regular expression used by the font-end components for username validation. |
| UsernameJavaRegEx | A regular expression to validate usernames. By default, strings having length 5 to 30 non-empty characters are allowed. |
| RolenameJavaScriptRegEx | The regular expression used by the font-end components for rolename validation. |
| RolenameJavaRegEx | A regular expression to validate rolenames. By default, strings having length 5 to 30 non-empty characters are allowed. |
ReadLDAPGroups | Specifies whether groups should be read from LDAP. |
WriteLDAPGroups | Specifies whether groups should be written to LDAP. |
EmptyRolesAllowed | Specifies whether underlying LDAP user store allows empty groups to be created. In the case of ldap in carbon, the schema is modified such that empty groups are allowed to be created. Usually LDAP servers do not allow to create empty groups. |
GroupSearchBase | DN of the context under which user entries are stored in LDAP. |
GroupNameListFilter | Filtering criteria for listing all the group entries in LDAP. |
GroupEntryObjectClass | Object Class used to construct user entries. |
GroupNameSearchFilter | Filtering criteria for searching a particular group entry. |
GroupNameAttribute | Attribute used for uniquely identifying a user entry. |
MembershipAttribute | Attribute used to define members of LDAP groups. |
| UserRolesCacheEnabled | This is to indicate whether to cache the role list of a user. By default it is 'true'. Set it to 'falese' if user-roles are changed by external means and those changes should be instantly reflected in the carbon instance. |
| UserDNPattern | The patten for user's DN. It can be defined to improve the LDAP search. When there are many user entries in the LADP, defining a "UserDNPattern" provides more impact on performances as the LDAP does not have to travel through the entire tree to find users. |