Federated repositories

Federated repositories allow us to use multiple repositories with WebSphere Application Server. These repositories, which can be file-based repositories, LDAP repositories, or a sub-tree of an LDAP repository, are defined and theoretically combined under a single realm. All of the user repositories that are configured under the federated repository functionality are invisible to WebSphere Application Server.

When we use the federated repositories functionality, all of the configured repositories, which we specify as part of the federated repository configuration, become active. The user ID, and the distinguished name (DN) for an LDAP repository, must be unique across the user repositories configured under the same federated repository configuration. For example, there might be three different repositories configured for the federated repositories configuration: Repository A, Repository B, and Repository C. When user1 logs in, the federated repository adapter searches each of the repositories for all of the occurrences of that user. If multiple instances of that user are found in the combined repositories, an error message displays.

In addition, the federated repositories functionality in WebSphere Application Server supports the logical joining of entries across multiple user repositories when the Application Server searches and retrieves entries from the repositories. For example, when an application calls for a sorted list of people whose age is greater than twenty, WebSphere Application Server searches all of the repositories in the federated repositories configuration. The results are combined and sorted before the Application Server returns the results to the application.
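The uniqueness rule and the joined search described above can be modelled offline to audit repository exports before they are placed under one realm. This is an added example, not IBM code or a WebSphere API: the repository contents, the field names, and the functions `find_user`, `audit_uniqueness` and `search_older_than` are constructed for illustration, and IDs are assumed to compare case-insensitively.

```python
from collections import defaultdict

# Constructed sample data: three repositories under one realm, mirroring the
# Repository A / B / C example. Entries and field names are assumptions.
REPOSITORIES = {
    "Repository A": [{"uid": "user1", "dn": "uid=user1,o=repoA", "age": 34},
                     {"uid": "alice", "dn": "uid=alice,o=repoA", "age": 19}],
    "Repository B": [{"uid": "bob", "dn": "uid=bob,o=repoB", "age": 45},
                     {"uid": "User1", "dn": "uid=User1,o=repoB", "age": 28}],
    "Repository C": [{"uid": "carol", "dn": "uid=carol,o=repoC", "age": 22}],
}

class AmbiguousUserError(Exception):
    """More than one repository in the realm holds the login ID."""

def normalize(value):
    # Assumption: IDs and DNs compare case-insensitively; DN handling is
    # simplified to trimming whitespace around the comma separators.
    return ",".join(part.strip() for part in value.casefold().split(","))

def find_user(repos, login_id):
    """Search every repository; fail if the ID is not unique in the realm."""
    wanted = normalize(login_id)
    hits = [(name, entry) for name, entries in repos.items()
            for entry in entries if normalize(entry["uid"]) == wanted]
    if len(hits) > 1:
        found_in = ", ".join(name for name, _ in hits)
        raise AmbiguousUserError(f"{login_id!r} found in: {found_in}")
    return hits[0] if hits else None

def audit_uniqueness(repos):
    """Return uid and DN values that occur in more than one place."""
    seen = {"uid": defaultdict(list), "dn": defaultdict(list)}
    for name, entries in repos.items():
        for entry in entries:
            for attr in seen:
                seen[attr][normalize(entry[attr])].append(name)
    return {attr: {value: names for value, names in values.items() if len(names) > 1}
            for attr, values in seen.items()}

def search_older_than(repos, min_age):
    """Joined search: filter each repository, then combine and sort once."""
    merged = [entry for entries in repos.values()
              for entry in entries if entry["age"] > min_age]
    return sorted(merged, key=lambda entry: (entry["age"], normalize(entry["uid"])))
```

Running `audit_uniqueness` over exported entries before adding a repository to the realm surfaces IDs such as `user1` / `User1` that would otherwise fail only when that user tries to log in.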

Unlike the local operating system, stand-alone LDAP registry, or custom registry options, federated repositories provide user and group management with read and write capabilities. When we configure federated repositories, we can use one of the following methods to add, create, and delete users and groups:

If we configure multiple repositories under the federated repositories realm, we must also configure supported entity types and specify a base entry for the default parent. The base entry for the default parent determines the repository location where entities of the specified type are placed on write operations by user and group management.

If we do not configure the federated repositories functionality or do not enable federated repositories as the active repository, we cannot use the user management capabilities associated with federated repositories. We can configure an LDAP server as the active user registry and configure the same LDAP server under federated repositories, but not select federated repositories as the active user repository. With this scenario, authentication takes place using the LDAP server, and we can use the user management functionality for the LDAP server available for federated repositories.

The following table compares the federated repository functionality that is available in WebSphere Application Server v9.0 with the registry functionality that remains unchanged from previous versions of the Application Server.

Related:

  • Manage the realm in a federated repository configuration
  • WIMManagementCommands