This documentation is for WSO2 Identity Server 5.4.0 . View documentation for the latest release.

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.

Identity management is about authenticating and authorizing users so they can access a system or application. user store is the database where information about the users and user roles is stored, including log-in name, password, first name, last name, and e-mail address. The user stores of all WSO2 Carbon-based products are embedded H2 databases except for WSO2 Identity Server, which has an embedded LDAP as its user store. Therefore, user stores play an important role when it comes to identity management.

WSO2 products allow to configure configuring multiple user stores to your system that are used to store users and their roles (Groups). Out of the box WSO2 products support for JDBC, LDAP and Active Directory user stores with the capability of configuring custom user store. There are different user store adapters called User store managers, which are used to connect with these users store types.There are two types of user stores named Primary User store (Mandatory) and Secondary user stores (Optional), all the supported users stores can be configured under these two types.


The following table lists the available implementations and their usage.

User StoreUser Store Manager ClassDescription


org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManagerUse to do read-only operations for external LDAP or ActiveDirectory user stores
LDAPorg.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManagerUse for external LDAP user stores to do both read and write operations.This is the default primary user store configuration in user-mgt.xml file for WSO2 Identity Server.
ActiveDirectoryorg.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManagerUse to configure an Active Directory Domain Service (AD DS) or Active Directory Lightweight Directory Service (AD LDS). This can be used only for read/write operations. If you need to use AD as read-only, you must use org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager.
JDBCorg.wso2.carbon.user.core.jdbc.JDBCUserStoreManagerUse for JDBC user stores. This is the default primary user store configuration in user-mgt.xml file for all WSO2 Servers, except WSO2 Identity Server.

The permissions attached to roles are always stored in an RDBMS. With the default configurations permissions are stored in the embedded H2 database. For information on how to set up a RDBMS repository for storing permission, seeConfiguring the Authorization Manager