Identity management is about authenticating and authorizing users so they can access a system or application. A user store is the database where information about the users and user roles is stored, including log-in name, password, first name, last name, and e-mail address. The user stores of all WSO2 Carbon-based products are embedded H2 databases except for WSO2 Identity Server, which has an embedded LDAP as its user store. Therefore, user stores play an important role when it comes to identity management.
WSO2 products allow to configure multiple user stores to your system that are used to store users and their roles (Groups). Out of the box WSO2 products support for JDBC, LDAP and Active Directory user stores with the capability of configuring custom user store. There are different user store adapters called User store managers, which are used to connect with these users store types.There are two types of user stores named Primary User store (Mandatory) and Secondary user stores (Optional), all the supported users stores can be configured under these two types.
Primary User Store (Mandetory)
This is the main user store in the system and shared among all the tenants in the system. Only one user store should be configured as the primary user store and it is configured in the
<PRODUCT_HOME>/repository/conf/user-mgt.xml file. By default, the embedded H2 database (JDBC) that is shipped with WSO2 products is configured as the primary user store, except for WSO2 Identity Server, which has an embedded LDAP as its primary user store. It is recommended to change this default configuration in the production system.
Secondary User Store (Optional)
Any number of Secondary User Stores can be easily set up for your system and these user stores are specific to the created tenant, and they are not shared among multiple tenants.
You can use management console to create secondary user stores or you can create them manually. These will be stored as a XML file in the file system and use the same XML format, that is used to configure primary user store.
User Store Manager
Adapters used to connect with different users stores are called User Store Managers. By default there are user store managers for JDBC, LDAP and Active Directory user stores. If you need to add new user store implementation see Writing a Custom User Store Manager. When you configure the user store, you have to set the user store manager class name.
The following table lists the available implementations and their usage.
|User Store||User Store Manager Class||Description|
|org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager||Use to do read-only operations for external LDAP or ActiveDirectory user stores|
|LDAP||org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager||Use for external LDAP user stores to do both read and write operations.This is the default primary user store configuration in user-mgt.xml file for WSO2 Identity Server.|
|ActiveDirectory||org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager||Use to configure an Active Directory Domain Service (AD DS) or Active Directory Lightweight Directory Service (AD LDS). This can be used only for read/write operations. If you need to use AD as read-only, you must use org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager.|
|JDBC||org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager||Use for JDBC user stores. This is the default primary user store configuration in user-mgt.xml file for all WSO2 Servers, except WSO2 Identity Server.|
The permissions attached to roles are always stored in an RDBMS. With the default configurations permissions are stored in the embedded H2 database. For information on how to set up a RDBMS repository for storing permission, see Configuring the Authorization Manager
The following topics include instructions on setting up user stores: