In a user store, each user has several attributes such as uid, cn, mail and so on. Some of these attributes are unique per user; typically uid and mail are unique attributes of a user.
Once you connect your LDAP to an application, the application can use one of the unique attributes in the LDAP to authenticate the user (as the user's user name in that application). In our example, that can be either the uid or the mail attribute. In some cases the application can use both attributes, so end users can authenticate to the application with either their uid or their mail.
WSO2 Identity Server can be deployed with any LDAP based server and it can expose authentication via a Web Service API, SAML, OAuth, OpenID, etc. By default, Identity Server is configured to authenticate with only one user attribute in the LDAP. This topic provides instructions on how the Identity Server can be extended to authenticate users using more than one attribute.
For the purposes of this example, we assume that users need to be authenticated using both their uid and mail attributes in the LDAP.
- Configure the LDAP user store using the user-mgt.xml file found in the <IS_HOME>/repository/conf directory. See here for more information on configuring user stores. In particular:
  - Change the UserNameSearchFilter property so that it searches for the user object in the LDAP using both the mail and the uid attributes.
  - Disable the UserDNPattern property, if it is currently enabled, because a fixed DN pattern ties the login name to a single attribute.
- The mail attribute has an additional requirement. If you are using the mail attribute, open the carbon.xml file found in the <IS_HOME>/repository/conf directory and uncomment the following. See here for more information on email authentication.
If you want to work with multiple attributes (in particular, to retrieve internal roles using multiple attributes), you must add the following property in the
<IS_HOME>/repository/conf/user-mgt.xml file. This can be done only once you have installed WSO2 Identity Server 5.0.0 along with the Service Pack.
- To test this, restart the Identity Server and try to log in to the management console twice: once with the uid and once with the mail, using the same password in both cases.
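The following configuration fragments show what the steps above amount to in the two files. This is an added example, not configuration taken from the page or from the WSO2 documentation; the property and element names (UserNameSearchFilter, UserDNPattern, MultipleAttributeEnable, EnableEmailUserName), the `?` placeholder that is replaced by the login name at search time, and the sample DN suffix are assumptions about the WSO2 Identity Server 5.0.0 configuration format. Verify them against your own user-mgt.xml and carbon.xml before applying.

```xml
<!-- Added example, not the page's own configuration. Assumed: the property names,
     the "?" login-name placeholder and the DN suffix dc=example,dc=org (constructed). -->

<!-- <IS_HOME>/repository/conf/user-mgt.xml, inside the LDAP UserStoreManager element -->

<!-- Before: only the uid attribute resolves a login name -->
<Property name="UserNameSearchFilter">(&amp;(objectClass=person)(uid=?))</Property>

<!-- After: either uid or mail resolves a login name (LDAP OR filter) -->
<Property name="UserNameSearchFilter">(&amp;(objectClass=person)(|(uid=?)(mail=?)))</Property>

<!-- A fixed DN pattern binds the login name to exactly one attribute, so it must stay
     disabled for the OR filter above to take effect (assumed default value shown) -->
<!-- <Property name="UserDNPattern">uid={0},ou=Users,dc=example,dc=org</Property> -->

<!-- Required so internal roles are resolved for users matched by either attribute
     (assumed property name; needs IS 5.0.0 with the Service Pack) -->
<Property name="MultipleAttributeEnable">true</Property>

<!-- <IS_HOME>/repository/conf/carbon.xml: allow "@" in login names so a mail
     address is accepted as a user name (assumed element name) -->
<EnableEmailUserName>true</EnableEmailUserName>
```

Two checks are worth making after the change. First, confirm in the directory that uid and mail are genuinely unique across all entries, and that no entry's uid equals another entry's mail: the OR filter matches any entry where either attribute equals the login name, so an overlap would make a login resolve to an ambiguous user. Second, after restarting, confirm that a login with a value matching neither attribute is still rejected, which shows the filter is anchored on objectClass and the two attributes as intended.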