User registry considerations
A user registry or repository authenticates a user and retrieves information about users and groups to do security-related functions, including authorization. User registries store user account information, such as user ID and password, that can be accessed during authentication. User repositories store user profiles and preference information. A user registry or repository is used to:
- Authenticate a user by using basic authentication, identity assertion, or client certificates
- Retrieve user and group information to do security-related administrative functions such as mapping users and groups to security roles
By default, HCL WebSphere Portal is installed with a federated repository with a built-in file-based repository. The federated repository allows us to add various user registries, realm support for virtual portals, and/or property extensions to create a single, working unit. The available user registries that we can add to the federated repository are LDAP user registries, database user registries, and custom user registries. Using the built-in file-based repository is not recommended in a production environment.
Based on the federated repository, HCL WebSphere Portal allows us to create a user base that can be federated over multiple repositories: LDAP, DB, and/or custom user registry. It also allows us to define additional attributes in a separate store if your corporate LDAP directory is read-only.
For a federated repository, plan on where to store new users and groups. By default, new users and groups are stored in the default file-based repository. If we use multiple LDAP user registries and database user registries, figure out which user registry to define as the default user registry where new users and groups are stored. After adding all user registries to the federated repository, run the wp-set-entitytypes task to set a specific user registry as the default location.
Combine multiple user registries
Limitations:
- Distinguished names must be unique for a realm over all registries. For example, if uid=wpsadmin,o=myco exists in LDAP1, it must not exist in LDAP2, LDAP3, or DB1.
- The short name, for example wpsadmin, should be unique for a realm over all registries.
- The base distinguished names for all registries that are used within a realm must not overlap; for example, if LDAP1 is c=us,o=myco, LDAP2 must not be o=myco.
- Do not leave the base entry blank for any of the registries used within a realm.
- If HCL Domino is one of the user registries in a multiple registry configuration and shares a realm with another user registry, ensure that the groups are stored in a hierarchical format in the Domino Directory as opposed to the default flat-naming structure. For example, the flat-naming convention is cn=groupName and the hierarchical format is cn=groupName,o=root.
- The user must exist in a user registry and not within the property extension configuration; otherwise, the user cannot be a member of the realm.
See: