WAS v8.5 > Secure applications > Authenticate users > Select a registry or repository > Manage the realm in a federated repository configuration > Configure the user registry bridge for federated repositories using wsadmin.sh
User registry bridge for federated repositories
The user registry bridge is a read-only adapter that provides an interface between federated repositories and an underlying user registry implementation, which can be either a local operating system user registry or a custom user registry implementation.
The user registry bridge enables IBM WebSphere Application Server applications to use the user registry implementation. It can work with any user registry that implements the com.ibm.websphere.security.UserRegistry interface, without knowing the details of its implementation. This capability makes the bridge versatile and allows it to connect to, and use, various registries.
The user registry bridge allows access to the same repository information without any platform-specific implementation. Thus, it eliminates the need to have a specialized user registry bridge for each operating system.
We can federate and configure the local operating system user registry, a custom user registry, or both, as a federated repository. The user registry bridge handles user registry-related requests from federated repositories, makes appropriate calls to the underlying user registry implementation, and returns data that is formatted according to the federated repositories specifications.
Therefore, to use the user registry bridge configure the user registry under federated repositories. This configuration can map the properties in the underlying user registry to the properties for the federated repository. We can also configure any user registry specific information, if required. For information about how to configure the user registry bridge, see Configuring the user registry bridge for federated repositories using wsadmin.sh.
The following figure illustrates the difference between configuring a federated repository user registry with and without the user registry bridge.
Figure 1. Configuring a federated repository user registry without the user registry bridge
Figure 2. Configuring a federated repository user registry with the user registry bridge
As shown in the previous figure, using the same adapter, which is the user registry bridge, we can configure multiple user registries under federated repositories. For example, we can configure a local operating system user registry and one or more custom user registries.
Limitations
The following limitations exist:
- We can use the user registry bridge only for read-only operations, such as authentication and search functions. We cannot perform write operations such as create, delete, or modify users and groups. An attempt to perform write operations results in an exception, which notifies the user the operation is not supported by the bridge. This limitation exists because the user registry bridge does not have direct access to the repository. Instead, the bridge uses an underlying existing user registry implementation that is read-only; hence, it might not be able to fulfill requests for certain properties that exist in the federated repositories.
- The user registry bridge does not support a stand-alone LDAP user registry. LDAP repositories are supported as a standard federated repositories adapter with read and write capabilities.
- Some of the properties that are placed
in control data objects are not relevant to the user registry bridge as they are not applicable
in the underlying repository.
- The properties ignored for GroupMembershipControl and GroupMemberControl data objects are searchBases, timeLimit, treeView, expression, and level.
- The properties ignored for SearchControl data objects are searchBases and timeLimit. The property part of the expression, such as uid and mail, is ignored as we can search WAS user registry entities with security names only. The expression is parsed to get the entity type and the pattern with which the search must be performed.
Supported user registries
WAS applications can access the user registry properties of the following user registry implementations as a read-only repository:
- Local operating system user registry
- Custom user registry
Related
Configure the user registry bridge for federated repositories using wsadmin.sh