Federated repositories
Overview
Multiple repositories can be defined and combined under a single realm in a federated repository. These repositories, can be file, LDAP, or a sub-tree of an LDAP repository,
The user ID, and the distinguished name (DN) for an LDAP repository must be unique in the federated repository. For example, with repositories A, B, and C, when user1 logs in, the federated repository adapter searches each of the repositories for all of the occurrences of that user. If multiple instances of that user are found in the combined repositories, an error message displays.
Federated repositories functionality in WAS supports the logical joining of entries across multiple user repositories when the Application Server searches and retrieves entries from the repositories. For example, when an application calls for a sorted list of people whose age is greater than twenty, WAS searches all of the repositories in the federated repositories configuration. The results are combined and sorted before the Application Server returns the results to the application.
Unlike the local operating system, stand-alone LDAP registry, or custom registry options, federated repositories provide user and group management with read and write capabilities.
Important: If we configure multiple repositories under the federated repositories realm, we must also configure supported entity types, and specify a base entry for the default parent. The base entry for the default parent determines the repository location where entities of the specified type are placed on write operations by user and group management.
- Use the user management APIs.
- Use the console...
Users and Groups | Manage Users
...or...
Users and Groups | Manage Groups
For information on user and group management, click the Help link that displays in the upper right corner of the window. Click Users and Groups. To manage users and groups for a specific domain in a multiple security domain environment, click...
Security | Global security | Security Domains > domain_name | Security Attributes | User Realm | Customize for this domain
...and click... Select the Realm type as Federated repositories.
Click Apply and Save to the master configuration. On Security domains panel that appears, click the domain_name again to go to the domain configuration panel. Under User realm, click the Manage users or Manager Groups links that are displayed now. These links to manage users and groups for a specific domain are displayed only after you save the federated repositories configuration for the domain.
- Use the wsadmin commands. For more information, see the WIMManagementCommands (AdminTask) topic.
If we do not configure the federated repositories functionality or do not enable federated repositories as the active repository, we cannot use the user management capabilities associated with federated repositories. We can configure an LDAP server as the active user registry and configure the same LDAP server under federated repositories, but not select federated repositories as the active user repository. With this scenario, authentication takes place using the LDAP server, and we can use the user management functionality for the LDAP server that is available for federated repositories.
The following table compares the federated repository functionality that is available in WAS v8.5 with the registry functionality that remains unchanged from previous versions of the Application Server
Federated repositories User registry Supports multiple types of repositories such as file-based, LDAP, database, and custom. In WAS V8.5, file-based and LDAP repositories are supported by the console. However, the federated repositories functionality does not support local operating system implementations. With this service release, the federated repositories functionality supports local operating system implementations.
For database and custom repositories, we can use wsadmin-line interface or the configuration APIs.
Supports multiple types of registries such as the local operating system, a stand-alone LDAP registry, and a stand-alone custom registry. Supports multiple repositories in a realm within a cell. Supports one registry only in a realm within a cell. Provides read and write capabilities for the repositories defined in the federated repository configuration. Provides read only capability for the registries. Provides account and password policy support as defined by the registry type. However, this support is not provided by the federated repository functionality. Provides account and password policy support as defined by the registry type. Supports identity profiles. Does not support identity profiles. Uses the custom UserRegistry implementation. Uses the custom UserRegistry implementation.
Related tasks
Example: Multiple AD realms with portal
Manage the realm in federated repository
WIMManagementCommands (AdminTask)