Federated repositories limitations


Federated repositories in an environment with V6.1.x and V5.x or 6.0.x nodes

Configure only one LDAP repository under federated repositories, and the repository must be supported by V5.x or 6.0.x.

Specify a realm name that is compatible with prior versions only. The host name and the port number represent the realm for the LDAP server in a mixed-version nodes cell. For example...

If you configure a stand-alone LDAP registry, LDAP information in both the stand-alone and federated repositories must match. During node synchronization, the LDAP information from the stand-alone LDAP registry propagates to the V5.x or 6.0.x nodes.

Before node synchronization, verify that Federated repositories is identified in the Current realm definition field. If Federated repositories is not identified, select Federated repositories from the Available realm definitions field and click Set as current. Do not set the stand-alone LDAP registry as the current realm definition.

We cannot configure an entry mapping repository or a property extension repository in a mixed-version dmgr cell.

 

Set LDAP servers in a federated repository

The default value of the LDAP connection connectTimeout property is 20 seconds. If a connection to the LDAP server cannot be established within this time, verify that the LDAP server is running.

A connection error is displayed at the top of the LDAP configuration panel when the connection attempt exceeds the 20-second timeout.

 

Coexisting with Tivoli Access Manager

Configure only one LDAP repository under federated repositories, and that LDAP repository configuration must match the LDAP server configuration under Tivoli Access Manager.

The distinguished name for the realm base entry must match the LDAP distinguished name (DN) of the base entry within the repository. In WAS, TAM recognizes the LDAP uid and LDAP DN for both authentication and authorization. The federated repositories configuration does not include additional mappings for the LDAP uid and DN.

The federated repositories functionality does not recognize the metadata specified by TAM. When users and groups are created under user and group management, they are not formatted using the TAM metadata. The users and groups must be manually imported into TAM before you use them for authentication and authorization.

 

Limitation for changing the realm name for federated repositories in a multiple security domain environment

Configure the realm name for a federated repository before assigning the federated repository to any domains.

After assigning a federated repository to a security domain, you cannot change the realm name using the admin console, because the change is reflected only in security.xml and not in domain-security.xml. This results in two different realm names being used for the same registry.

To change the realm name for the federated repository in domain-security.xml after it has been assigned to a security domain, use...
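As an added consistency check (not part of the original documentation), the following Python script compares the federated-repositories realm name recorded in the cell-level security.xml with the one in each domain-security.xml and reports the split described above. The XML snippets are constructed samples, and the element and attribute layout (userRegistries, xmi:type WIMUserRegistry, realm, activeUserRegistry) is assumed from typical WebSphere security.xml files.

```python
import xml.etree.ElementTree as ET

# XMI attributes used by WebSphere configuration files (assumed layout).
XMI_TYPE = "{http://www.omg.org/XMI}type"
XMI_ID = "{http://www.omg.org/XMI}id"

# Constructed samples: the realm was renamed in the cell-level security.xml
# through the admin console, but domain-security.xml still has the old name.
SECURITY_XML = """<?xml version="1.0" encoding="UTF-8"?>
<security:Security xmlns:xmi="http://www.omg.org/XMI"
    xmlns:security="http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi"
    activeUserRegistry="WIMUserRegistry_1">
  <userRegistries xmi:type="security:WIMUserRegistry" xmi:id="WIMUserRegistry_1"
      realm="corpRealm"/>
</security:Security>"""

DOMAIN_SECURITY_XML = """<?xml version="1.0" encoding="UTF-8"?>
<security:AppSecurity xmlns:xmi="http://www.omg.org/XMI"
    xmlns:security="http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi"
    activeUserRegistry="WIMUserRegistry_1">
  <userRegistries xmi:type="security:WIMUserRegistry" xmi:id="WIMUserRegistry_1"
      realm="defaultWIMFileBasedRealm"/>
</security:AppSecurity>"""


def active_wim_realm(xml_text):
    """Return the realm of the active federated repositories (WIM) registry, or None
    when the file defines no WIM registry (e.g. a domain that inherits the cell registry)."""
    root = ET.fromstring(xml_text)
    active_id = root.get("activeUserRegistry")
    for reg in root.iter("userRegistries"):
        is_wim = "WIMUserRegistry" in reg.get(XMI_TYPE, "")
        if is_wim and (active_id is None or reg.get(XMI_ID) == active_id):
            return reg.get("realm")
    return None


def realm_mismatches(cell_xml, domain_xmls):
    """domain_xmls maps a security domain name to its domain-security.xml text.
    Returns (domain, cell_realm, domain_realm) for every domain whose realm differs."""
    cell_realm = active_wim_realm(cell_xml)
    mismatches = []
    for name, text in domain_xmls.items():
        domain_realm = active_wim_realm(text)
        if domain_realm is not None and domain_realm != cell_realm:
            mismatches.append((name, cell_realm, domain_realm))
    return mismatches


if __name__ == "__main__":
    for domain, cell, dom in realm_mismatches(SECURITY_XML, {"appDomain": DOMAIN_SECURITY_XML}):
        print(f"domain {domain}: security.xml realm {cell!r} != domain-security.xml realm {dom!r}")
```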

 

Related tasks

Manage the realm in a federated repository configuration
Standalone LDAP registry settings
IdMgrRealmConfig