Skip to content

Remote user store properties

The following table provides descriptions of the key properties to apply in deployment.toml file to configure the user store that you need to connect.

Configuration name Description
type Type of the user store you are trying to connect. You can update the type parameter as ldap if you are using LDAP (Lightweight Directory Access Protocol) and active_directory if you are using an Active Directory user store.

Example: type = "ldap"
connection_url Connection URL to the user store server.

Example: connection_url = "ldap://localhost:389"
connection_name The username used to connect to the user store and perform various operations. This user does not have to be an administrator in the user store, but this user MUST have permission to read the user list and users' attributes and to perform search operations on the user store. The value you specify is used as the DN ( Distinguish Name ) attribute of the user. This property is mandatory.

Example: connection_name = "uid=admin,ou=system"
connection_password Password for the ConnectionName user.

Example: connection_password = "password"
ldap_connection_timeout Timeout in making the initial LDAP connection. This is configured in milliseconds.

Example: ldap_connection_timeout = 2000
base_dn The starting point the directory server uses when searching for users authentication within your Directory.

Example: base_dn = "dc=example,dc=org"
user_search_base DN of the context or object under which the user entries are stored in the user store. In this case, it is the "users" container. When the user store searches for users, it will start from this location of the directory.

Example: user_search_base = "ou=Users,dc=example,dc=org"
user_name_list_filter Filtering criteria for listing all the user entries in the user store. This query or filter is used when doing search operations on users. In this case, the search operation only provides the objects created from the specified class. This query is the same as listing out all the available users in the management console.

Example: user_name_list_filter = "(objectClass=user)"
user_name_attribute The attribute used for uniquely identifying a user entry. Users can be authenticated using their email address, UID, etc. The name of the attribute is considered as the username.

Example: user_name_attribute = "cn"
user_name_search_filter Filtering criteria are used to search for a particular user entry.

Example: user_name_search_filter = "(&(objectClass=user)(cn=?))"
user_entry_object_class The object class is used to construct user entries.

Example: user_entry_object_class = "inetOrgperson"
user_id_attribute The attribute used for uniquely identifying a user entry. The value of the attribute is considered as the unique user ID.

Example: user_id_attribute = "objectGuid"
user_id_search_filter Filtering criteria used to search for a particular user entry using the user id attribute.

Example: user_id_search_filter = "(&(objectClass=user)(objectGuid=?))"
password_hash_method Specifies the Password Hashing Algorithm uses the hash the password before storing in the user store. Possible values:
SHA - Uses SHA digest method. SHA-1, SHA-256
MD5 - Uses MD 5 digest method.
PLAIN_TEXT - Plain text passwords.(Default)

Example: password_hash_method = "PLAIN_TEXT"
read_groups Specifies whether groups should be read from the user store. If this is disabled by setting it to false, none of the groups in the user store can be read, and the following group configurations are NOT mandatory: group_search_base, group_name_list_filter, group_name_search_filter, or group_name_attribute.

Example: read_groups = "true"
group_search_base DN of the context under which group entries are stored in the user store.

Example: group_search_base = "ou=Groups,dc=example,dc=org"
group_entry_object_class The object class is used to construct group entries.

Example: group_entry_object_class = "groupOfNames"
group_name_attribute Attribute used for uniquely identifying a group entry. This attribute is to be treated as the group name.

Example: group_name_attribute = "cn"
group_name_search_filter Filtering criteria used to search for a particular group entry.

Example: group_name_search_filter = "(&(objectClass=groupOfNames)(cn=?))"
group_name_list_filter Filtering criteria for listing all the group entries in the user store. The group search operation only returns objects created from this class.

Example: group_name_list_filter = "(objectClass=groupOfNames)"
group_id_enabled Whether the unique groupid is enabled or not.

Example: group_id_enabled = "true"
group_id_attribute The attribute used for uniquely identifying a group entry. The value of the attribute is considered as the unique group ID.

Example: group_id_attribute = "gid"
membership_attribute Attribute used to define members of groups.

Example: membership_attribute = "member"
group_created_date_attribute This attribute is to be treated as the group created timestamp.

Example: group_created_date_attribute = "whenCreated"
multi_attribute_separator This property is used to define a character to separate multiple attributes. This ensures that it will not appear as part of a claim value. Normally “,” is used to separate multiple attributes, but you can define ",,," or "..." or a similar character sequence

Example: multi_attribute_separator = ","
case_insensitive_user_name Enables the case-insensitivity of the user's username. The default value is true for this configuration.
Eg: If a user's username is test, that user can also use the username as TEST.

Example: case_insensitive_user_name = "true"
immutable_attributes This property is used to define a list of attributes that are considered unchangeable attributes in the user store.
This property needs to be configured only for user stores with Read/Write access.

Example: immutable_attributes = "whenCreated,whenChanged,location"