This documentation is for WSO2 Identity Server 5.4.0 . View documentation for the latest release.

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


WSO2 products allow configuring multiple user stores to your system that are used to store users and their roles (Groups). Out of the box WSO2 products support JDBC, LDAP and Active Directory user stores with the capability of configuring custom user stores. There are different user store adapters called User store managers, which are used to connect with these users store types.

There are two types of user stores - Primary User store (Mandatory) and Secondary user stores (Optional). All the supported users stores user stores can be configured under these two types.

Primary User Store (



This is the main user store that is shared among all the tenants in the system. Only one user store should be configured as the primary user store and it is configured in the <PRODUCT_HOME>/repository/conf/user-mgt.xml file. By default, the embedded H2 database (JDBC) that is shipped with WSO2 products is configured as the primary user store, except for WSO2 Identity Server, which has an embedded LDAP as its primary user store. It is recommended to change this default configuration in the production system.

Secondary User Store(s) (Optional)

Any number of secondary user stores can be easily set up for your system and these user stores are specific to the created tenant, and they are not shared among multiple tenants.
You can use the management console to create secondary user stores or you can create them manually. These will be stored as an XML file in the file system and use the same XML format that is used to configure primary user store.


User StoreUser Store Manager ClassDescription


org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManagerUsed to do read-only operations for external LDAP or ActiveDirectory user stores
LDAPorg.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManagerUsed for external LDAP user stores to do both read and write operations.This is the default primary user store configuration in user-mgt.xml file for WSO2 Identity Server.
ActiveDirectoryorg.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManagerUsed to configure an Active Directory Domain Service (AD DS) or Active Directory Lightweight Directory Service (AD LDS). This can be used only for read/write operations. If you need to use AD Active Directory as read-only, you must use org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager.
JDBCorg.wso2.carbon.user.core.jdbc.JDBCUserStoreManagerUsed for JDBC user stores. This is the default primary user store configuration in user-mgt.xml file for all WSO2 Servers, except WSO2 Identity Server.

The permissions attached to roles are always stored in an RDBMS. With the default configurations, permissions are stored in the embedded H2 database. For information on how to set up a RDBMS repository for storing permission, seeConfiguring the Authorization Manager