A user store is the database where information about the users and user roles is stored, including log-in name, password, first name, last name, and e-mail address. The user stores of all WSO2 Carbon-based products are embedded H2 databases except for WSO2 Identity Server, which has an embedded LDAP as its user store. In Carbon, permissions are stored in a separate database called the User Management database. The default User Management database is H2, but you can connect to external user stores as well.
Recommendations regarding user stores
For enterprise production environments, we do not recommend the embedded H2 database for use as a user store.
Also, WSO2 Identity Server is shipped with a default embedded ApacheDS. However, in a production environment, it is recommended to use an LDAP like OpenLDAP, due to scalability issues that exist with Apache DS.
The user stores of Carbon products can be configured to operate in read/write mode, in which it reads data and also writes data to the user store, and read-only mode, in which it does not modify any data. Carbon maintains roles and permissions in the Carbon database, but it can read users and roles from the configured user store.
About read/write and read only mode
If the user store is operating in "Read/Write" mode, the user can:
- Add, modify, or remove user accounts
- Reset user passwords
- Manage user roles
- Build "import users" from other User Stores
If the user store is operating in "Read Only" mode, the user can:
- View user accounts
In addition to the primary user store, you can configure additional, secondary user stores.
WSO2 Identity Server allows you to manage users and their roles with the single-user-store and multiple-user-store options. Single-user-store option allows you to manage users and their roles in a single centralized data store whereas in the multiple-user-store option, the user and their roles are stored in more than one data store. In other words, one specific user can be attached to multiple user-stores.
In order to be available, the multiple-user-store option's domain name property must be attached to each user-store section in the user-mgt.xml file. e.g.,
The following provides a brief overview of what you can expect to find regarding user stores in this section.
User management in WSO2 products
User management is available by default in all WSO2 Carbon-based products. It includes the following functionality.
- A primary user store, either the embedded (internal) user store or an external store (JDBC, LDAP, or Active Directory).
- Ability to configure additional user stores as secondary user stores.
- Ability to operate in read-only or read-write mode on your company's LDAP user stores.
- Ability to work with Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS) in read/write mode.
- Ability to read roles from external user stores.
For complete information, see About User Management.
Configuring user management
The complete configuration for user management (referred to as the realm) is in the
user-mgt.xml file in the
<PRODUCT_HOME>/repository/conf/ directory. You can also configure users and roles through the management console, as described in the User Management topic.
Customizing user management
You can create a custom implementation of the user management functionality and use it in WSO2 products. See Writing a Custom User Store Manager for more information on how to do this.