WAS v8.5 > Reference > Administrator best practicesFederated repositories limitations
This topic outlines known limitations and important information for configuring federated repositories.
Configure federated repositories in a mixed-version environment
In a mixed-version deployment manager cell containing both v6.1.x and v5.x or 6.0.x nodes, the following limitations apply for configuring federated repositories:
- We can configure only one LDAP repository under federated repositories, and the repository must be supported by v5.x or 6.0.x.
- We can specify a realm name that is compatible with prior versions only. The host name and the port number represent the realm for the LDAP server in a mixed-version nodes cell. For example, machine1.austin.ibm.com:389.
- You must configure a stand-alone LDAP registry; the LDAP information in both the stand-alone LDAP registry and the LDAP repository under the federated repositories configuration must match. During node synchronization, the LDAP information from the stand-alone LDAP registry propagates to the v5.x or 6.0.x nodes.
Before node synchronization, verify that Federated repositories is identified in the Current realm definition field. If Federated repositories is not identified, select Federated repositories from the Available realm definitions field and click Set as current. Do not set the stand-alone LDAP registry as the current realm definition.
- We cannot configure an entry mapping repository or a property extension repository in a mixed-version deployment manager cell.
Configure LDAP servers in a federated repository
The LDAP connection connectTimeout default value is 20 seconds. LDAP should respond within 20 seconds for any request from WebSphere Application Server. If we cannot connect to the LDAP within this time, verify the LDAP is running. A connection error displays at the top of the LDAP configuration panel when the connection timeout exceeds 20 seconds.
Coexisting with Tivoli Access Manager
For Tivoli Access Manager to coexist with a federated repositories configuration, the following limitations apply:
- We can configure only one LDAP repository under federated repositories, and that LDAP repository configuration must match the LDAP server configuration under Tivoli Access Manager.
- The distinguished name for the realm base entry must match the LDAP distinguished name (DN) of the base entry within the repository. In WAS, Tivoli Access Manager recognizes the LDAP user ID and LDAP DN for both authentication and authorization. The federated repositories configuration does not include additional mappings for the LDAP user ID and DN.
- The federated repositories functionality does not recognize the metadata specified by Tivoli Access Manager. When users and groups are created under user and group management, they are not formatted using the Tivoli Access Manager metadata. The users and groups must be manually imported into Tivoli Access Manager before we use them for authentication and authorization.
Limitation for configuring active directories with their own federated repository realms
To use the dmgr console to perform a wildcard search for all available users on two Active Directories, and to prevent multiple entries exceptions with all built-in IDs, first configure each Active Directory with it's own federated repository realm.
However, we cannot use the dmgr console to configure each Active Directory with it's own federated repository realm. We can instead use a wsadmin script similar to the following:
$AdminTask createIdMgrRealm {-name AD1realm} $AdminTask addIdMgrRealmBaseEntry {-name AD1realm -baseEntry o=AD1} $AdminTask createIdMgrRealm {-name AD2realm} $AdminTask addIdMgrRealmBaseEntry {-name AD2realm -baseEntry o=AD2} $AdminConfig save
Limitation for repository ID in federated repositories configuration
In a federated repositories configuration, the repository ID must not exceed a length of 36 characters. If the repository ID exceeds 36 characters, an error may occur while retrieving or storing data, especially if the property extension repository is configured.
z/OS LDAP server with RACF not supported
WAS federated repositories DO NOT support a z/OS LDAP server with an SDBM backend (resource access control facility (RACF)).
Related
Manage the realm in a federated repository configuration
Reference:
Standalone LDAP registry settings
IdMgrRealmConfig command group for AdminTask