WebSphere Portal Express, Version 6.0
Operating systems: i5/OS, Linux, Windows

User registries

This section describes user registries and user repositories.

A user registry holds user account information, such as a user ID and password that can be accessed during authentication. IBM® WebSphere® Application Server and IBM WebSphere Portal Express support three types of user registries:

If security is enabled, WebSphere Portal Express shares the same authentication registry as WebSphere Application Server.

A datastore that is used to store user account information is called a user registry. A datastore that is used to store user profile and preference information is called a user repository. Two different terms (user registry and user repository) are used because it is possible for the datastores to be different. However, it is also possible for a user registry and a user repository to be based on the same underlying datastore. For example, an LDAP directory typically contains user ID and password information but can also store additional profile information such as e-mail addresses and telephone numbers of users. Therefore, the LDAP directory is both a user registry and a user repository.

In the LDAP configuration of WebSphere Portal Express, an LDAP directory is used as both a user registry and a user repository. However, there are the following use cases where the LDAP directory cannot or should not be used to store all the profile information:

In these cases, you can use the Member Manager database as a database user repository for storing additional profile information; this is referred to as an LDAP with Lookaside.

The Lookaside database attributes must be defined prior to running the enable security task. The Member Manager database is used as both a user registry and a user repository.

In the customer-supplied custom user registry configuration, the custom registry is used as a user registry. It can also be used as a user repository and is typically used in a read-only manner. The WebSphere Portal Express database can be used as a database user registry for storing additional profile information that cannot be stored in the custom registry.

The LDAP configuration is recommended for an enterprise that prefers to adhere to its existing LDAP structure. Installation of this authentication model requires an LDAP directory, preferably on a separate machine from WebSphere Portal Express. IBM Tivoli® Directory Server is packaged with WebSphere Portal Express. For additional supported LDAP directories, refer to the Supported hardware and software section.

The database user registry is a production-ready, out-of-the-box environment that requires little configuration to implement. No additional server or software is required.

WebSphere Application Server Global Security offers full support to this configuration as a Custom User Registry provided by WebSphere Portal Express. When users log in, WebSphere Application Server authenticates them through the WebSphere Portal Express-provided Custom User Registry.

Use a customer-supplied custom user registry if a special, non-supported third-party user registry is connected to WebSphere Portal Express for authentication and User and Group management.

To enable WebSphere Portal Express to work with an LDAP server or a database user registry configuration, run the appropriate configuration task. For all cases, the configuration parameters must be set in the wpconfig.properties file.
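As an added example (not IBM's code and not part of the original page), the following Python script audits a wpconfig.properties file once the configuration task has run. The property names it checks (WasPassword, PortalAdminPwd, LTPAPassword, LDAPAdminPwd, LDAPBindPassword, LDAPHostName, LDAPsslEnabled, LookAside) are assumptions about the file's contents, and the sample input is constructed.

```python
import re

# Property names are assumptions about wpconfig.properties; adjust to your file.
SECRET_KEYS = {"WasPassword", "PortalAdminPwd", "LTPAPassword",
               "LDAPAdminPwd", "LDAPBindPassword"}

def parse_properties(text):
    """Parse simple key=value lines, skipping blanks and # or ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def audit(text):
    """Return findings for the registry-related settings, in a fixed order."""
    props = parse_properties(text)
    findings = []
    for key in sorted(SECRET_KEYS.intersection(props)):
        if props[key]:
            findings.append(f"{key}: password left in the file; clear it after the task runs")
    if props.get("LDAPHostName"):
        if props.get("LDAPsslEnabled", "false").lower() != "true":
            findings.append("LDAPsslEnabled: binds to the LDAP registry are not protected by SSL")
        if props.get("LookAside", "false").lower() == "true":
            findings.append("LookAside: define the Lookaside attributes before enabling security")
    return findings

# Constructed sample, not taken from a real installation.
SAMPLE = """\
# LDAP with Lookaside
WasUserid=uid=wpsbind,cn=users,dc=example,dc=com
WasPassword=s3cret
LDAPHostName=ldap.example.com
LDAPPort=389
LDAPBindPassword=
LDAPsslEnabled=false
LookAside=true
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```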

The supported authentication registries and corresponding WebSphere Application Server and WebSphere Portal Express settings are summarized in the following table:

Member Manager configuration: LDAP (includes LDAP with an optional database user registry)
WebSphere Application Server Authentication registry: LDAP user registry, or custom registry for WebSphere Application Server provided by WebSphere Portal Express
Description: When the authentication registry is an LDAP server, Member Manager supports creating new user entries in the authentication registry and updating the user ID and password in the registry. User profile information is split between LDAP and a database, based on XML files that configure the Member Manager component. See Member Manager configuration for details on working with these XML files. This configuration is possible either with the WebSphere Application Server LDAP registry or a custom user registry implementation for an LDAP user registry provided by WebSphere Portal Express. The custom registry has the advantage of supporting the realms notion required for different user populations with virtual portal.

Member Manager configuration: non-LDAP, database user registry
WebSphere Application Server Authentication registry: Custom user registry for WebSphere Application Server provided by WebSphere Portal Express
Description: WebSphere Portal Express provides a custom user registry implementation for the internal WebSphere Portal Express database. Under this configuration, the authentication registry is part of the Member Manager, and user profile information is stored in the same database. Member Manager supports creating new user entries in the database registry and updating the user ID and password in the registry.

Member Manager configuration: Other (non-LDAP, non-database)
WebSphere Application Server Authentication registry: Customer-supplied Custom User Registry, or Custom User Registry for WebSphere Application Server provided by WebSphere Portal Express
Description: When the authentication registry is some custom datastore, Member Manager must be configured as well to connect to this custom datastore to be able to create new user entries or update existing user entries in the authentication registry.

Implementing a custom user registry is a software development effort. Please contact IBM Support for further details regarding the configuration of a custom user registry with WebSphere Portal Express.

 
