Users Repositories


User repositories are required to store James user information and authentication data

Consult usersrepository.xml in GIT to get some examples and hints.

A user has two attributes: username and password. A valid user should satisfy these criteria:

  • username and password cannot be null or empty
  • username should not be longer than 255 characters
  • username can not contain '/'
  • username can not contain multiple domain delimiter('@')
  • A username can have only a local part when virtualHosting is disabled. E.g.'myUser'
  • When virtualHosting is enabled, a username should have a domain part, and the domain part should be concatenated after a domain delimiter('@'). E.g. ''

A user is always considered as lower cased, so 'myUser' and 'myuser' are the same user, and can be used as well as recipient local part than as login for different protocols.

General configuration

All Users Repositories provide at least these three options

true or false. Add domain support for users (default: false, except for Cassandra Users Repository)
user's name. Allow a user to access to the impersonation command, acting on the behalf of any user.
2, 2s, 2000ms, default 0s (disabled). Delay after a failed authentication attempt with an invalid user name or password.

JPA Users Repository

JPA (database via OpenJPA) based user repository. This is the default implementation.

The usersrepository tag as 2 attributes: name="LocalUsers" and class="org.apache.james.user.file.UsersFileRepository"> The class tag should be specified for Spring, but is not taken into acount by Guice.

Algorithm to hash passwords. Supported password algorithm are: MD5, SHA-256, SHA-512, NONE(then SHA-1 will be used), `PBKDF2`, `PBKDF2-SHA512` (default).
Note: When using `PBKDF2` or `PBKDF2-SHA512` one can specify the iteration count and the key size in bytes. You can specify it as part of the algorithm. EG: `PBKDF2-SHA512-2000-512` will use 2000 iterations with a key size of 512 bytes.
MD5 and SHA-1 are deprecated.
true (default) or false. Defines if the usernames must (true) or may not contain (false) a domain part (user@domain.tld).

LDAP Users Repository

Read-Only LDAP based UsersRepository


<repository name="LocalUsers" class="org.apache.james.user.ldap.ReadOnlyUsersLDAPRepository" ldapHost="ldap://myldapserver:389"
    principal="uid=ldapUser,ou=system" credentials="password" userBase="ou=People,,ou=system" userIdAttribute="uid"/>