In LDAP user object contains different attributes such as uid, cn , email and so on. Some of the attributes can be unique. As an example normally uid and email can be unique attributes for user.
Once you connect your LDAP with an application, application can use one of unique attribute in LDAP to authenticate the user (as the user name of user). It can be uid or mail attribute. Also in some cases, application can uses both attributes. It means, end users can use both uid or mail to authenticate.
WSO2 Identity Server can be deployed with any LDAP based server and it can expose authentication via Web Service API, SAML, OAuth, OpenID and more… By default, Identity Server has been configured to authenticate with only one user attribute in the LDAP. Let see how can extend it for more than one attribute.
Assume, we need that users could be authenticated with both uid and mail attribute in the LDAP.
Step1. Configure LDAP user store related configurations using user-mgt.xml file which can be found at IS_HOME/repository/conf
1. Configure UserNameSearchFilter that helps to search user object using both mail and uid.
<Property name="UserNameSearchFilter">(&(objectClass=person)(|(mail=?)(uid=?)))</Property>
2. Disable UserDNPattern property, If it is already enabled.
<!--Property name="UserDNPattern">uid={0},ou=Users,dc=wso2,dc=org</Property-->
3. (Optional) Only if you are using the mail attribute, You need to open carbon.xml file which can be found at IS_HOME/repository/conf and uncomment. You can find more about using email usernames properly in WSO2 products from here
<EnableEmailUserName>true</EnableEmailUserName>
Step2. Verification. You can restart the Identity Server and try to login to management console by providing both mail and uid with same password. You could login… Also, you can use SSO login with multiple attributes. You can configure WSO2IS as SAML2 SSO IDP or OpenId-Connect Authorization Server and use for SSO.
