Remote agent properties
The following tables describe the key properties to set in the deployment.toml
file to configure the agent and the user store you need to connect to.
Tip: Asgardeo now offers an optimized remote user store connection designed for high scalability and performance. Currently this version only allows connecting a read-only user store for remote user authentication and attribute retrieval.
The new connection is continuously evolving to support more use cases in the future. For extended capabilities like read-write user stores, the classic remote user store remains available.
| Configuration name | Description | Example |
|---|---|---|
| System configurations | | |
| idle_connections (optional) | Number of connections the remote agent opens with the server. The default is 10. The maximum allowed is 50. | idle_connections = 10 |
| connection_retry_count (optional) | The number of times the system retries a connection when an attempt fails. Set -1 to retry indefinitely. | connection_retry_count = 5 |
| connection_retry_interval (optional) | The interval (in seconds) between consecutive connection retry attempts. | connection_retry_interval = 5 |
| periodic_ping_interval (optional) | The interval (in seconds) at which the agent sends a heartbeat or ping request to keep the connection alive. The default is 10. | periodic_ping_interval = 10 |
| User store connection configurations | | |
| type | Type of the user store you are connecting to. Set it to ldap if you are using LDAP (Lightweight Directory Access Protocol) or active_directory if you are using an Active Directory user store. | type = "ldap" |
| connection_url | Connection URL to the user store server. | connection_url = "ldap://localhost:389" |
| connection_name | The username used to connect to the user store and perform various operations. This user does not have to be an administrator in the user store, but it MUST have permission to read the user list and users' attributes and to perform search operations on the user store. The value you specify is used as the DN (Distinguished Name) of the user. | connection_name = "uid=admin,ou=system" |
| connection_password | Password for the connection_name user. | connection_password = "password" |
| connection_timeout (optional) | Timeout (in milliseconds) for making the initial user store connection. The default is 5000. | connection_timeout = 5000 |
| connection_retry_count (optional) | The maximum number of retries for establishing the connection to the user store if the first attempt fails. Set -1 to retry indefinitely. | connection_retry_count = -1 |
| connection_pool_size (optional) | The number of connections created in the user store connection pool. The default is 10. | connection_pool_size = 10 |
| max_result_size (optional) | The maximum number of entries that can be returned in a single search result. Set 0 or remove the config to leave the result size unlimited. | max_result_size = 100 |
| request_timeout (optional) | The timeout (in seconds) for a user store request to return its result. Set 0 or remove the config to wait indefinitely. | request_timeout = 15 |
| enable_tls (optional) | Whether TLS (Transport Layer Security) should be used for secure connections to the user store. | enable_tls = true |
| use_start_tls (optional) | Whether the connection should be upgraded to TLS using the STARTTLS command. This configuration requires enable_tls to be set to false. | use_start_tls = true |
| tls_cert_paths (optional) | List of absolute paths to the user store certificates. | tls_cert_paths = ["path/to/the/cert.pem"] |
| server_name (optional) | Server name in the user store certificate. Required only when the certificate is issued for a different CN. | server_name = "ldap.wso2.com" |
| ca_cert_paths (optional) | Paths to the CA (Certificate Authority) certificates used to verify the user store certificate. Required only when the user store certificate is issued by a CA that is not already trusted. | ca_cert_paths = ["path/to/the/ca-certificates.crt"] |
| skip_server_cert_verification (optional) | Whether to skip verifying the server's certificate during connection establishment. The default is false. | skip_server_cert_verification = false |
| User store properties | | |
| user_search_base | DN of the context or object under which the user entries are stored in the user store. In this case, it is the "users" container. When the user store searches for users, it starts from this location in the directory. | user_search_base = "ou=Users,dc=example,dc=org" |
| user_entry_object_class | The object class used to construct user entries. | user_entry_object_class = "inetOrgperson" |
| user_id_attribute | The attribute used for uniquely identifying a user entry. The value of the attribute is treated as the unique user ID. | user_id_attribute = "objectGuid" |
| user_name_attribute | The attribute used for uniquely identifying a user entry. Users can be authenticated using their email address, UID, etc. The value of the attribute is treated as the username. | user_name_attribute = "cn" |
| user_search_filter | Filtering criteria used to search for a particular user entry. The user search operation only returns objects created from this class. | user_search_filter = "(&(objectClass=user)(?=?))" |
| user_list_filter | Filtering criteria for listing all the user entries in the user store. This filter is used when performing search operations on users. The user list operation only returns objects created from this class. | user_list_filter = "(objectClass=user)" |
| multi_attribute_separator | Defines the character sequence used to separate multiple attribute values. Choose a sequence that will not appear as part of a claim value. By default "," is used; you can define ",,," or "..." or a similar character sequence instead. | multi_attribute_separator = "," |
| read_groups | Specifies whether groups should be read from the user store. If this is disabled by setting it to false, none of the groups in the user store can be read, and the following group configurations are NOT mandatory: group_search_base, group_entry_object_class, group_search_filter, group_list_filter, group_name_attribute or membership_attribute. | read_groups = "true" |
| group_search_base | DN of the context under which group entries are stored in the user store. | group_search_base = "ou=Groups,dc=example,dc=org" |
| group_entry_object_class | The object class used to construct group entries. | group_entry_object_class = "groupOfNames" |
| group_search_filter | Filtering criteria used to search for a particular group entry. The group search operation only returns objects created from this class. | group_search_filter = "(&(objectClass=groupOfNames)(?=?))" |
| group_list_filter | Filtering criteria for listing all the group entries in the user store. The group list operation only returns objects created from this class. | group_list_filter = "(objectClass=groupOfNames)" |
| group_name_attribute | Attribute used for uniquely identifying a group entry. The value of this attribute is treated as the group name. | group_name_attribute = "cn" |
| group_id_attribute | The attribute used for uniquely identifying a group entry. The value of the attribute is treated as the unique group ID. | group_id_attribute = "gid" |
| group_created_date_attribute | The attribute that contains the group creation timestamp. | group_created_date_attribute = "whenCreated" |
| group_last_modified_date_attribute | The attribute that contains the group last-modified timestamp. | group_last_modified_date_attribute = "whenChanged" |
| membership_attribute | The attribute that contains the distinguished names (DNs) of the user objects that are members of a group. | membership_attribute = "member" |
| memberof_attribute | The attribute that contains the distinguished names (DNs) of the group objects a user is assigned to. Only one of membership_attribute or memberof_attribute needs to be defined. | memberof_attribute = "memberOf" |
| binary_attributes | Comma-separated list of binary attributes. Required only if you have binary attributes in the user store. | binary_attributes = "objectGUID" |
| timestamp_attributes | Comma-separated list of timestamp attributes. Required only if you need to retrieve timestamp attributes. | timestamp_attributes = "whenCreated,whenChanged" |
The following properties apply to the classic remote user store connection mentioned in the tip above.

| Configuration name | Description | Example |
|---|---|---|
| type | Type of the user store you are connecting to. Set it to ldap if you are using LDAP (Lightweight Directory Access Protocol) or active_directory if you are using an Active Directory user store. | type = "ldap" |
| connection_url | Connection URL to the user store server. | connection_url = "ldap://localhost:389" |
| connection_name | The username used to connect to the user store and perform various operations. This user does not have to be an administrator in the user store, but it MUST have permission to read the user list and users' attributes and to perform search operations on the user store. The value you specify is used as the DN (Distinguished Name) of the user. This property is mandatory. | connection_name = "uid=admin,ou=system" |
| connection_password | Password for the connection_name user. | connection_password = "password" |
| ldap_connection_timeout | Timeout (in milliseconds) for making the initial LDAP connection. | ldap_connection_timeout = 2000 |
| base_dn | The starting point the directory server uses when searching for users for authentication within your directory. | base_dn = "dc=example,dc=org" |
| user_search_base | DN of the context or object under which the user entries are stored in the user store. In this case, it is the "users" container. When the user store searches for users, it starts from this location in the directory. | user_search_base = "ou=Users,dc=example,dc=org" |
| user_name_list_filter | Filtering criteria for listing all the user entries in the user store. This filter is used when performing search operations on users; the search operation only returns objects created from the specified class. This query is the same as listing all the available users in the management console. | user_name_list_filter = "(objectClass=user)" |
| user_name_attribute | The attribute used for uniquely identifying a user entry. Users can be authenticated using their email address, UID, etc. The value of the attribute is treated as the username. | user_name_attribute = "cn" |
| user_name_search_filter | Filtering criteria used to search for a particular user entry. | user_name_search_filter = "(&(objectClass=user)(cn=?))" |
| user_entry_object_class | The object class used to construct user entries. | user_entry_object_class = "inetOrgperson" |
| user_id_attribute | The attribute used for uniquely identifying a user entry. The value of the attribute is treated as the unique user ID. | user_id_attribute = "objectGuid" |
| user_id_search_filter | Filtering criteria used to search for a particular user entry using the user ID attribute. | user_id_search_filter = "(&(objectClass=user)(objectGuid=?))" |
| password_hash_method | Specifies the password hashing algorithm used to hash the password before storing it in the user store. Possible values: SHA (SHA digest method: SHA-1, SHA-256), MD5 (MD5 digest method), PLAIN_TEXT (plain text passwords; the default). | password_hash_method = "PLAIN_TEXT" |
| read_groups | Specifies whether groups should be read from the user store. If this is disabled by setting it to false, none of the groups in the user store can be read, and the following group configurations are NOT mandatory: group_search_base, group_name_list_filter, group_name_search_filter, or group_name_attribute. | read_groups = "true" |
| group_search_base | DN of the context under which group entries are stored in the user store. | group_search_base = "ou=Groups,dc=example,dc=org" |
| group_entry_object_class | The object class used to construct group entries. | group_entry_object_class = "groupOfNames" |
| group_name_attribute | Attribute used for uniquely identifying a group entry. The value of this attribute is treated as the group name. | group_name_attribute = "cn" |
| group_name_search_filter | Filtering criteria used to search for a particular group entry. | group_name_search_filter = "(&(objectClass=groupOfNames)(cn=?))" |
| group_name_list_filter | Filtering criteria for listing all the group entries in the user store. The group list operation only returns objects created from this class. | group_name_list_filter = "(objectClass=groupOfNames)" |
| group_id_enabled | Whether the unique group ID is enabled. | group_id_enabled = "true" |
| group_id_attribute | The attribute used for uniquely identifying a group entry. The value of the attribute is treated as the unique group ID. | group_id_attribute = "gid" |
| membership_attribute | Attribute used to define the members of groups. | membership_attribute = "member" |
| group_created_date_attribute | The attribute that is treated as the group creation timestamp. | group_created_date_attribute = "whenCreated" |
| multi_attribute_separator | Defines the character sequence used to separate multiple attribute values. Choose a sequence that will not appear as part of a claim value. Normally "," is used, but you can define ",,," or "..." or a similar character sequence instead. | multi_attribute_separator = "," |
| case_insensitive_user_name | Enables case-insensitive matching of the user's username. The default value is true. For example, if a user's username is test, that user can also log in with the username TEST. | case_insensitive_user_name = "true" |
| immutable_attributes | Defines a list of attributes that are treated as unchangeable in the user store. This property needs to be configured only for user stores with read/write access. | immutable_attributes = "whenCreated,whenChanged,location" |
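As an added example, not code from Asgardeo or the agent, the following Python lint checks a deployment.toml against the rules both tables state: use_start_tls requires enable_tls = false, a 0 or absent max_result_size or request_timeout means unbounded or indefinite, skip_server_cert_verification disables certificate checks, and password_hash_method (classic agent only) defaults to PLAIN_TEXT. It assumes a flat file containing only the keys from the tables (section headers are not shown on this page, so none are used), parses just that key = value subset of TOML, and the two sample configs are constructed for the demonstration.

```python
import re

# Constructed sample configs (not from the page); only keys from the tables appear.
WEAK_TOML = """
connection_url = "ldap://ldap.example.org:389"   # no TLS and no STARTTLS
enable_tls = false
use_start_tls = false
skip_server_cert_verification = true
request_timeout = 0
password_hash_method = "PLAIN_TEXT"
"""
HARDENED_TOML = """
connection_url = "ldap://ldap.example.org:389"   # upgraded with STARTTLS
enable_tls = false
use_start_tls = true
ca_cert_paths = ["/etc/agent/ca-certificates.crt"]
max_result_size = 100
request_timeout = 15
password_hash_method = "SHA"
"""
# key = value where value is a quoted string, a string array, an integer or a boolean
_LINE = re.compile(r'^\s*(\w+)\s*=\s*("[^"]*"|\[[^\]]*\]|-?\d+|true|false)\s*(?:#.*)?$')

def parse_flat_toml(text):
    """Parse only the key = value subset of TOML used in the property tables."""
    cfg = {}
    for m in filter(None, map(_LINE.match, text.splitlines())):
        key, val = m.groups()
        if val in ("true", "false"):
            cfg[key] = val == "true"
        elif val[0] == '"':
            cfg[key] = val[1:-1]
        elif val[0] == "[":
            cfg[key] = [v.strip().strip('"') for v in val[1:-1].split(",") if v.strip()]
        else:
            cfg[key] = int(val)
    return cfg

def lint_user_store(cfg):
    """Return the findings a reviewer would raise from the rules the tables document."""
    tls, starttls = cfg.get("enable_tls", False), cfg.get("use_start_tls", False)
    rules = [
        (tls and starttls, "use_start_tls requires enable_tls = false, but both are true"),
        (cfg.get("connection_url", "").lower().startswith("ldap://") and not (tls or starttls),
         "ldap:// without enable_tls or use_start_tls: the bind password is sent in cleartext"),
        (cfg.get("skip_server_cert_verification", False), "skip_server_cert_verification = true: server certificate is not verified"),
        (not cfg.get("max_result_size", 0), "max_result_size is 0 or absent: search results are unbounded"),
        (not cfg.get("request_timeout", 0), "request_timeout is 0 or absent: requests wait indefinitely"),
        (cfg.get("password_hash_method") in ("PLAIN_TEXT", "MD5"), "password_hash_method (classic agent) is PLAIN_TEXT or MD5: use SHA"),
    ]
    return [msg for hit, msg in rules if hit]
```

Running lint_user_store(parse_flat_toml(WEAK_TOML)) reports five findings, while the hardened sample reports none.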