User registries
A user registry holds user account information, such as a user ID and password, that can be accessed during authentication. WAS and WebSphere Portal support three types of user registries:
- Lightweight Directory Access Protocol (LDAP) accessible directories
- Custom User Registry interface: used to access non-LDAP user registries that are plugged in to WAS authentication. The Member Manager database-only configuration is one example; a custom user registry that you write yourself is another.
- Third-party authentication using Trust Association Interceptors (TAIs). The third-party authentication provider determines the challenge mechanism and authentication method.
In the LDAP and custom registry configurations, WebSphere Portal shares the same authentication registry as WAS.
A datastore that is used to store user account information is called a user registry. A datastore that is used to store user profile and preference information is called a user repository. Two different terms (user registry and user repository) are used because it is possible for the datastores to be different. However, it is also possible for a user registry and a user repository to be based on the same underlying datastore. For example, an LDAP directory typically contains user ID and password information but can also store additional profile information such as e-mail addresses and telephone numbers of users. Therefore, the LDAP directory is both a user registry and a user repository.
In the LDAP configuration of WebSphere Portal, an LDAP directory is used as both a user registry and a user repository. However, if the LDAP directory cannot store all the profile information, the WebSphere Portal database can be used as a Lookaside database for storing additional profile information. In the Member Manager database-only configuration, the WebSphere Portal database is used as both a user registry and a user repository.
In the customer-supplied custom user registry configuration, the custom registry is used as a user registry. It can also be used as a user repository and is typically used in a read-only manner. The WebSphere Portal database can be used as a Lookaside database for storing additional profile information that cannot be stored in the custom registry.
The LDAP configuration is recommended for an enterprise that prefers to adhere to its existing LDAP structure. Installation of this authentication model requires an LDAP directory, preferably on a separate machine from WebSphere Portal. IBM Directory Server is packaged with WebSphere Portal. For additional supported LDAP directories, refer to the Supported hardware and software section.
In a non-LDAP configuration, WAS serves as the challenge mechanism for WebSphere Portal, and a database registry holds user account information. WAS Global Security fully supports this configuration as a Custom User Registry provided by WebSphere Portal. When users log in, WAS authenticates them through the WebSphere Portal-provided Custom User Registry.
Member Manager is a component of WebSphere Portal that manages data for users and groups. During login, the user is looked up in the authentication registry; if the user is not found there, authentication fails. The lookup must succeed for the user to successfully log in to WebSphere Portal. This is a production-ready, out-of-the-box environment that requires little configuration to implement.
To enable WebSphere Portal to work with an LDAP server or a Member Manager database-only configuration, run the appropriate configuration task. Refer to Configuring WebSphere Portal for LDAP or Configuring security with a Member Manager database-only configuration for more information. For both cases, the configuration parameters must be set in the wpconfig.properties file. See the External Security Managers section for more information about configuring third-party authentication.
The supported authentication registries and corresponding WAS and WebSphere Portal settings are summarized in the following table:
| WebSphere Portal Member Manager configuration | WAS authentication registry | Description |
|---|---|---|
| LDAP (includes LDAP with an optional Lookaside database) | LDAP | When the authentication registry is an LDAP server, Member Manager supports creating new user entries in the authentication registry and updating the user ID and password in the registry. User profile information is split between LDAP and a database, based on XML files that configure the Member Manager component. See Member Manager configuration for details on working with these XML files. |
| Non-LDAP, Member Manager database-only | WebSphere Portal-supplied Custom User Registry | WebSphere Portal provides a custom UserRegistry implementation for the internal WebSphere Portal database. Under this configuration, the authentication registry is part of the Member Manager, and user profile information is stored in the same database. Member Manager supports creating new user entries in the database registry and updating the user ID and password in the registry. |
| Other (non-LDAP, non-database) | Customer-supplied Custom User Registry | When the authentication registry is some other datastore that is unknown to Member Manager, Member Manager does not create new user entries or update existing user entries in the authentication registry. In this case, manually configure WAS security and install the custom user registry. WebSphere Portal cannot configure WAS Global Security in this case. User profile information is held in the database and in the custom user registry. Instructions for configuring WebSphere Portal with a custom user registry are not available at this time. This information is scheduled to be published on the WebSphere Portal support page at http://www.ibm.com/software/genservers/portalexpress/support/. |
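The following Python model is an added illustration of the registry/repository split described above and of the behaviour summarized in the table; it is not WebSphere Portal or Member Manager code. The class names, the `schema`/`writable` flags and the sample users are assumptions chosen to make three rules visible: the lookup in the authentication registry must succeed or login fails, profile attributes the registry cannot hold are routed to the Lookaside database, and a customer-supplied custom registry is treated as read-only (no entries created or updated).

```python
import hashlib
import hmac
import os


class AuthenticationFailed(Exception):
    """User missing from the authentication registry, or wrong password."""


class Registry:
    """Authentication registry (e.g. an LDAP directory or the portal database).

    `schema` lists the profile attributes this datastore can hold;
    `writable=False` models a customer-supplied custom registry, which
    Member Manager does not create or update entries in.
    """

    def __init__(self, schema, writable=True):
        self.schema = frozenset(schema)
        self.writable = writable
        self._users = {}  # user_id -> {"salt", "digest", profile attrs...}

    @staticmethod
    def _digest(salt, password):
        # Salted SHA-256 stands in for whatever the real directory stores.
        return hashlib.sha256(salt + password.encode()).hexdigest()

    def seed_user(self, user_id, password, **attrs):
        # Seeding helper for constructed sample data only.
        salt = os.urandom(16)
        entry = {"salt": salt, "digest": self._digest(salt, password)}
        entry.update({k: v for k, v in attrs.items() if k in self.schema})
        self._users[user_id] = entry

    def check_password(self, user_id, password):
        entry = self._users.get(user_id)
        if entry is None:
            raise AuthenticationFailed(f"{user_id}: not in authentication registry")
        if not hmac.compare_digest(entry["digest"], self._digest(entry["salt"], password)):
            raise AuthenticationFailed(f"{user_id}: password check failed")
        return user_id

    def get_attr(self, user_id, name):
        return self._users[user_id].get(name)

    def set_attr(self, user_id, name, value):
        if not self.writable:
            return False
        self._users[user_id][name] = value
        return True


class Lookaside:
    """Portal database holding profile attributes the registry cannot store."""

    def __init__(self):
        self._rows = {}

    def get_attr(self, user_id, name):
        return self._rows.get(user_id, {}).get(name)

    def set_attr(self, user_id, name, value):
        self._rows.setdefault(user_id, {})[name] = value


class MemberManager:
    """Sends authentication to the registry; routes profile attributes by schema."""

    def __init__(self, registry, lookaside=None):
        self.registry = registry
        self.lookaside = lookaside

    def login(self, user_id, password):
        return self.registry.check_password(user_id, password)

    def get_profile_attr(self, user_id, name):
        if name in self.registry.schema:
            return self.registry.get_attr(user_id, name)
        return self.lookaside.get_attr(user_id, name) if self.lookaside else None

    def set_profile_attr(self, user_id, name, value):
        """Return where the value was stored: 'registry', 'lookaside', or None."""
        if name in self.registry.schema:
            return "registry" if self.registry.set_attr(user_id, name, value) else None
        if self.lookaside is not None:
            self.lookaside.set_attr(user_id, name, value)
            return "lookaside"
        return None


def demo():
    """Constructed scenarios: LDAP plus Lookaside, then a read-only custom registry."""
    results = {}
    ldap = Registry(schema={"mail", "telephoneNumber"})
    ldap.seed_user("asmith", "constructed-pw", mail="asmith@example.test")
    mm = MemberManager(ldap, Lookaside())
    results["login"] = mm.login("asmith", "constructed-pw")
    try:
        mm.login("nobody", "anything")
        results["unknown"] = "authenticated"
    except AuthenticationFailed:
        results["unknown"] = "rejected"
    results["mail_store"] = mm.set_profile_attr("asmith", "mail", "a.smith@example.test")
    results["dept_store"] = mm.set_profile_attr("asmith", "department", "Finance")
    results["dept_read"] = mm.get_profile_attr("asmith", "department")

    custom = Registry(schema={"mail"}, writable=False)
    custom.seed_user("jdoe", "constructed-pw2", mail="jdoe@example.test")
    mm2 = MemberManager(custom, Lookaside())
    results["custom_mail_store"] = mm2.set_profile_attr("jdoe", "mail", "x@example.test")
    results["custom_dept_store"] = mm2.set_profile_attr("jdoe", "department", "Legal")
    return results
```

Running `demo()` shows the routing decisions rather than just the outcome: `mail` lands in the LDAP registry, `department` (outside the LDAP schema) lands in the Lookaside database, and against the read-only custom registry an update to `mail` is refused (`None`) while `department` still goes to the Lookaside database.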
See also
- Authentication
- Configure LDAP
- Member Manager
- Member Manager configuration
- Enabling WebSphere Security